Disclaimer

The content of this material are challenges faced onsite and how I personally resolved them. Please be noted that solutions posted here

1> should not be considered as ultimate. The material may be considered for reference only.

2> should not be considered as guarantee that solutions may work. Contact Cyberoam support before making any changes.

3> blog does NOT belong to the Cyberoam. It's a blog...a personal blog.

Changes done after referring this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact cyberoamsupport before implementing any changes)

Monday, 23 April 2012

A fight for best application filter


Today networks and the amount of data transfer done, are large and  growing larger in size. As the companies grow larger, the number of users in the network also increase. The users are the primary cause of growth in the traffic. Let’s understand their behaviour and why there is an exponential growth in the data transfer on the WAN. Let’s understand why 80/20 rule is no more valid:



  1.  Users will access resources on the LAN and WAN. These days, everyone is moving the applications on the cloud. It makes sense why traffic is growing on the WAN.
  2.     These users are not only accessing the applications on the cloud but also applications which they should avoid, like proxy applications, P2P applications (torrents). Primarily, this is the reason how a virus/malware comes inside the network.
Now, if we include above all we understand that we need to identify the application traffic being used by User and drop it if objectionable.

Applications have grown too mature and difficult to catch with traditional firewalls. The traditional firewalls are capable of only identifying the ports, or the only rule matching criteria is "The port numbers".A real next generation firewall should be application intelligent and must identify the user who is initiating the traffic.

“The applications have grown too mature” What does that mean exactly??

Let’s take an example here of an application called ultrasurf. It’s really best example because of its random behaviour. It’s like chameleon which gets connected to the servers anyhow. Another good example is skype. To simplify things, consider port 80 traffic. It not only includes simple web traffic but now it also includes video streaming, proxy application traffic, instant messengers, downloads, CRM……many many more.

I think the solution is obvious -- go for a combined security solution!!! But which one very mind twisting question.

Recently, there is hype in the security market about PaloAlto networks. The APP ID technology is currently marketed as unique as they have this feature right inside the firewall module.  I searched on the youtube for any related videos on how to configure this videos. It seriously concerned the first few steps of the getting up the appliance. The new generation appliances should be easily configured and should be plug_and_play but instead it seems to be very lengthy process


Creating a firewall rule..oh! god it was very very lengthy process.  Not a simple thing to configure. It again needs a professional for just configuring the firewall rules. Again not a simple plug and play device.

Now I got more interested in capabilities. As a security professional, I wanted to test this appliance out and about its capabilities. I took 4 appliances in the test bed to compare capabilities. These appliances have capabilities to identify different applications and block them.

I also wanted to choose command applications which are being used in the current network. The applications have been choose to understand the maturity level of the application Vs. maturity /capability level of the product to identify and block it. These applications are specially choose from networks with students, HR team, construction companies, complex networks, and low bandwidth networks. So we have prepared a list of common and deadly 35. These applications are used for data leakage and risk for the organisations has increased.

Below are the deadly 35:

Application
Facebook likes
source



Ultrasurf - Proxy
4016 likes
Freegate - Proxy
N.A.
Hotspotshield - Proxy
N.A.
MSN - IM
1,731,299 likes
msn.com
Yahoo - IM
40,00,000 users
Gtalk - IM
6541 likes
TOR - Proxy
N.A.
Skype - VoIP
1,09,00,000
Facebook Chat - IM
10,450 likes
AIM Messenger - IM
1,20,000
QQ Messenger - IM
6275 Likes
BitComet P2P Traffic - P2P
181 like
Bittorrent_uTorrent_Thunder - P2P
7239 likes
Securitykiss - Proxy
N.A.
FTP Upload/Download
N.A.

Team Viewer
610
iTunes
Too Many
Facebook Application
Too Many
Webmail-gmail-chat
Too Many
google+
Too Many
webmail- yahoo-chat
Too Many
teamviewer file transfer
N.A.
cyber ghost
N.A.
asproxy (on web)
N.A.
qq file transfer
6277 likes

shareaza
N.A.
emule
1,41,256
dc++
N.A.
qq live (WEB)
Too Many

ustream
290,000/month
jumblo
N.A.
psiphone
622
simurgh proxy
N.A.
Free File sharing
Wi-Free
Few
Digsby
80000/month
Two of these applications caught my eye because of their extra ordinary behaviour:

  1. Psiphon
  2.  Wi-free

These will be the next generation applications used for surfing. Very difficult to stop them. They use protocols like SSH, DNS to send the traffic through the network. And its very difficult to detect and drop such traffic. If you DROP dns traffic your internet traffic will not work. The Public WI-FI can be easily penetrated using these applications.

Very good applications developed by beautiful minds to share the data to the outside world but now they are being used in a very different environments like schools and colleges. So the customer requirement was very obvious.

Test BED:

The test bed was very simple.

  •  A computer with all these applications will be connected to the LAN and the WAN will be connected to the Internet.
  •  These applications were to be run one by one  so that capability and maturity of the product in blocking the application can be evaluated
  •  No extra firewall rules should be required.

But the results are totally different and I think Cyberoam has fared very well or best to say it has it has proved to be best.  The results may vary but we have tried to use the latest Version. It seems that the products took too much time in blocking the applications when a new version of the applications is released. These products were not proactive.  These applications have topped our list and some products are not even aware of these deadly applications.

Below are the results:


Application Name
Application Version
Fortigate (FW-v4.0,build0521,120313 (MR3 Patch 6))
Sonicwall (FW- SonicOS Enhanced 5.8.0.2-37o)
Palo-Alto (FW-4.0.8)
Cyberoam (FW-124)


Latest Release: 3.00168

Latest Release: 298-1339
Latest Release: 3.0.53
Ultrasurf - Proxy
11.04
Working
Not Working
Not Working
Working
Freegate - Proxy
7.27
Working
Not Working
Not Working
Working (ultrasurf & Freegate Both should apply)
Hotspotshield - Proxy
2.52
Working
Not Working
Not Working
Working
MSN - IM
0.98.4
Working
Working
Working
Working
Yahoo - IM
11.05
Working
Working
Working
Working
Gtalk - IM
1.0.0.104
Not Working
Working
Working
Working
TOR - Proxy
0.2.2.35-8.0
Working
Working
Working
Working
Skype - VoIP
5.8
Not Working
Working
Working
Working
Facebook Chat - IM

Not Working (taking time to bypass)
Not available
Not Working
Working
AIM Messenger - IM
1.0.1.2
Working
Working
Not Working
Working
QQ Messenger - IM
1.2
Working
Working
Working
Working
BitComet P2P Traffic - P2P
1.31
Working
Not Working
Working
Working
Bittorrent_uTorrent_Thunder - P2P
B(7.6-26764) & U(3.1.2-26773)
Working
Not Working
Working
Working
Securitykiss - Proxy
2.2
Not available
Not available
Working
Working
FTP Upload/Download

Working
Working
Working
Working
Team Viewer
7.0.12799
Working
Working
Working
Working
iTunes
10_05_2005
Working
Not available
Working
Working
Facebook Application

Working
Not available
Working
Working
Webmail-gmail-chat

Working
Not available
Not Working
Working
google+

Working
Working
Working
Working
webmail- yahoo-chat

Not Working
Not available
Working
Working
teamviewer file transfer

Not available
Not available
Not available
Working
cyber ghost
4.7.18.1187
working
Not available
Working
Working
asproixy (on web)

Not Working
Not Working
Working
Working
qq file transfer
1.2
Working
Not Working
Not Working
Working
shareaza
V8
Not Working
Working
Not available
Working
emule
0.50a
Not Working
Working
Working
Working
dc++
0.791
Not Working (connected but unable to download)
Not Working
Not Working (connected but unable to download)
Working
qq live (WEB)

Working
Not Working
Working
Working (whole category should block)
ustream

Working
Working
Working
Working (whole category should block)
jumblo
4.09 Build 660
Not available
Not available
Not available
Working
psiphone

Not available
Not available
Not Working (SSH +)
Working
simurgh proxy
1.20 beta
Working
Not available
Not available
Working
Wi-Free

Not available
Not available
Not available
Working
Digsby
91
Working
Working
Not available
Working

Just to quantify them in beautiful graphs




Further more, the Cyberoam was quite easy in configuring. It seems to be true application intelligent firewall which blocks most dangerous applications. This product is quite promising and its track in the Magic Quadrant has shown considerable growth





3 comments:

  1. You can also add PD-Proxy to the list of applications. I am using it on our schools and our admin cannot block it.

    ReplyDelete
  2. Hmmm.. Let me go and request this to CR team and let us see how much time they take to resolve it.

    ReplyDelete
  3. From this blog we get more information about Cyberoam firewall configuration service. To buy Remote Configuration services for your Cyberoam firewall visit https://www.sancuro.com/services/cyberoam-firewall-application-filter-policy-configuration

    ReplyDelete