Disclaimer

The content of this material is challenges I faced on site and how I personally resolved them. Please note that the solutions posted here

1> should not be considered the ultimate answer. The material may be considered for reference only.

2> should not be considered a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........MAKE CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Thursday 24 May 2012

Most common myths about the network security


Myths about network security
1>     I am anonymous on internet
2>     Having a security appliance will require dedicated manpower
3>     The threats are only from outside
4>     I am secure if I am accessing HTTPS
5>     Installing firewall : I am secure

1>     I am anonymous on internet:

This is a common myth that most administrators are under. They do not understand that to bring down a big target, hackers first target small organisations. The reason for this behaviour is obvious: they want to cover their tracks. Hackers turn machines in smaller networks into zombies and use them to try to bring down the bigger network. When a forensic analysis is done, it is your network that will show up on the radar.

2>     Having a security appliance will require a dedicated manpower

The Cyberoam UTM appliance is an all-in-one solution and does not require any dedicated manpower. Companies can use their existing staff to control their internet traffic. The product is very simple to configure and is a plug-and-play device.

3>     Threats are only from outside

Most administrators feel that threats come only from outside. This is the greatest myth of all, as threats from inside are as common as threats from outside. More than 50% of threats originate inside. Unrestricted surfing on the internet invites viruses, Trojans and worms into the network and thus slows down the whole network. You buy new switches which should work at great speeds, and at the end of the day you still find them performing the same as before. Worms eat up your bandwidth with broadcasts, and Trojans can launch attacks from inside the network. If your email server gets compromised, you will see your public IP getting blacklisted.

4>     I am secure, if I am accessing HTTPS

This is where you get a false sense of security. Seeing a secure protocol should never make you feel fully secure. Security is never full and complete; it is a constant evolution. So you should always keep up with new technologies, and remember to use your brain before implementing any of them as a solution.

5>     Installing firewall : I am fully secure

The firewall is just the primary layer of security, but what about the ports you have bypassed, for example when you run a web server, FTP server or email server? You have opened these ports directly on your firewall. Now there is no protection on these ports except checking the state of the connection and a DoS check. Many other attacks, like URL redirection, XSS and buffer overflow attacks, which could seriously damage your reputation, are ignored.

Wednesday 23 May 2012

Most important things your firewall should do

We recently organised a customer meeting, where we invited most of our customers and asked them to vote on the most important things a firewall should do. This is a regular exercise we do.

How does this help us?

1> increased customer satisfaction, because we care
2> customers tend to learn about new threats
3> new customers who appreciate the need for security
4> awareness of newly released technologies and how they are going to help them
5> a common platform to discuss existing network problems and their solutions

After many suggestions and reviews we decided to list them down. The list will help most customers take a better decision when buying a new security product, when they are ready for renewal, or when they want to replace an existing solution.

The attacks have matured, the users have matured, the applications are more mature, but most appliances are not ready for this challenge. Known attacks can be blocked at the WAN, but what about the new threats? These new threats are also known as zero-day attacks, and the products are not aware of them.

So to provide a checklist we came up with a Top 10 list, and below are the important features from it:

1> Intelligent and advanced Application filter with bandwidth control

The advanced application filter should identify applications running on standard ports, such as HTTP on port 80. Port 80 carries simple web traffic, IM traffic, CRM traffic and streaming media traffic. Most of our customers wanted a solution that allows streaming media on port 80 but with limited bandwidth. If a solution cannot identify streaming media on port 80, it is very difficult to manage your limited bandwidth. Likewise, online movie sites and live TV should be differentiated and limited in usage.

Another set of bandwidth-hungry applications are the P2P applications, which eat up your most important resource, i.e. bandwidth. Recently one of our customers complained of slow browsing; we installed a solution, only to find that most users were bringing in laptops with P2P applications still active from home. They were not only choking the bandwidth but also exposing the network to new viruses, worms and Trojans.

2> A True identity based solution

Some users are very aggressive. They launch an attack deliberately or accidentally and the organisation loses important data. Most organisations trust their employees and we seldom hear of these incidents, but the truth is these things never come to light unless they happen to important organisations. So the administrator's right choice is to identify the users who take advantage of this trust.

Also, most attacks are not from outside but from inside, like spam. We want to identify the users and then block them. The identity-based solution should also allow the admin to create granular policies over the users.

Now that we are aware that the user is the weakest link in security, his activities should be monitored regularly.

3> Live view of the network

Once the user has been identified, the solution should be capable of showing how much bandwidth is being consumed by each user or application. This data is very important for optimising network performance. When you put these advanced solutions in your network, you will be amazed to see how many applications are choking your bandwidth. Based on the live reports, you can take immediate action on the users.

4> Anti-Spam

Spam is a very ugly truth. With no solution, your email server and your users can easily be compromised, and soon your IP will be blacklisted. Once an IP gets blacklisted, we are all aware of the hardships we have to go through to get it delisted. A true spam solution should be able to catch spam in any language or format. It should also be capable of blocking spam at the gateway level itself.

5> WAF

In my earlier post I explained the use of a WAF and why it is required. To refer to it, kindly browse through the link below:
http://cyberoamexpert.blogspot.in/2012/05/cyberoams-waf.html

6> Web Category based Bandwidth Control

The best example is Facebook or social networking sites. These social networking sites are very good and I am a big fan of them. A recent study also showed that allowing users to use Facebook increased the productivity of employees. But that does not mean users should be given full bandwidth to these networking sites. So a true solution should be capable of implementing bandwidth policies on these sites, so that users can enjoy the site but at a limited bandwidth.

7> Logging and Reporting

A true solution should include inbuilt logging and reporting. The reporting should be very elaborate and should not require any external device or software. However, it should also provide a facility to send logs and reports to a syslog server.

8> SSL VPN

I like working from home as many of us do. But it gets difficult to work if I am not able to access resources securely. The solution should allow users to log in from home and work safely and securely. SSL VPN is best as it is secure and provides mobility. While client-to-site is also a good way, an SSL VPN is truly the best solution.


All our customers were very satisfied with the list as it really helped them to choose the right product!

Monday 14 May 2012

Cyberoam's WAF

Web Application Firewall.

In continuation of my previous article, where I mentioned the new features released by Cyberoam, one of the key features is the Web Application Firewall. It is not a new term or technology; in fact there are already UTMs and open source projects offering web application security. So you might be wondering what new Cyberoam is offering with this feature, or some smart heads might be thinking that Cyberoam is catching up with its competitors. Yes, it could be true to an extent; however, the true mettle of the feature depends on what is on offer, and this is where Cyberoam has more impact than its competitors.
A WAF, or web application firewall, is a plug-in or filter that scans every HTTP connection against a certain set of rules. In general, these rules are enough to stop certain common attacks like SQL injection or cross-site scripting (XSS). You can customise these rules according to your knowledge and requirements, which in turn helps you identify and block various attacks. This is the point where Cyberoam scores over all other web application security solutions available in the market.
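As an added example (not Cyberoam's code and not part of the original post), here is a minimal rule-based HTTP request filter of the kind described above: it decodes the path, query and form fields, runs a constructed SQL-injection and XSS rule set over each of them, and returns a block/log/allow decision. The rule patterns and the meaning given to the "active" and "passive" modes are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed, illustrative rule set (not Cyberoam's actual rules): each rule
# is (name, regex) and is applied to every decoded field of the request.
RULES = [
    ("sqli_tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("sqli_comment", re.compile(r"(--\s|--$|/\*)")),
    ("sqli_union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss_tag", re.compile(r"(?i)<\s*(script|iframe|svg|img)\b")),
    ("xss_handler", re.compile(r"(?i)\bon[a-z]+\s*=")),
    ("xss_js_uri", re.compile(r"(?i)javascript\s*:")),
]

def decode(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded input is
    inspected in the form the application would finally see."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value

def extract_fields(method, target, body=""):
    """Fields a WAF inspects: the path, every query parameter and, for
    POST, every form parameter of the body. Returns (location, value)."""
    parts = urlsplit(target)
    fields = [("path", decode(parts.path))]
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        fields.append((f"query:{k}", decode(v)))
    if method.upper() == "POST":
        for k, v in parse_qsl(body, keep_blank_values=True):
            fields.append((f"body:{k}", decode(v)))
    return fields

def inspect_request(method, target, body="", rules=RULES):
    """Run every rule over every field; returns (rule, location) hits."""
    return [(name, loc)
            for loc, value in extract_fields(method, target, body)
            for name, pattern in rules if pattern.search(value)]

def handle(method, target, body="", mode="active"):
    """Decision for one request. 'active' blocks on any hit, 'passive'
    only logs it (assumed meaning of the two modes the post names).
    Tune RULES on real traffic: over-broad rules block legitimate users."""
    hits = inspect_request(method, target, body)
    if not hits:
        return "allow"
    return "block" if mode == "active" else "log"
```

Run it first in passive mode against normal traffic and review the logged hits before switching to active, which is the "too much security" problem the post raises with other products.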

Why do we need a WAF?
The web, or World Wide Web, is frequently referred to as the next battleground. Countries around the globe now fear that the next world war will be fought on the internet, and attacking web application servers will be one of the most important types of attack.
Despite the dotcom bubble burst, the world's dependency on the web has not decreased. Web sites and web applications are growing rapidly. Businesses worldwide have moved on to more and more complex applications over HTTP. The phenomenal dependency of businesses on the web has made them prone to various attacks. Over the past decade or so we have seen a large increase in hacking activity. Various attacks, like worm attacks and SQL injection, now take a much larger toll on business.
Most of you might wonder that if these attacks can also be stopped by a firewall, then why do we need a WAF? The point is that a firewall cannot stop these attacks. Here is a list of attacks that a firewall cannot detect or stop:

1. URL interpretation attack
2. Input validation attacks
3. SQL injection attack
4. Impersonation attacks
5. Buffer overflow attacks
6. Cross site scripting

Above is just a partial list of attacks that cannot be stopped by your perimeter firewall. There are many other attacks that your firewall can never even detect, and your web services can easily fall prey to attackers.
So you cannot deny the fact that, despite deploying a firewall in your network, you need a WAF to protect the web server and web applications.

Cyberoam as a WAF:
Yes, Cyberoam now has an inbuilt Web Application Firewall feature. Cyberoam's WAF helps you address the following major organisational concerns/questions with respect to the web services on offer:
1. How can you secure your web applications?
2. How can you ensure that only authenticated users get access to the web services?
3. How can you ensure the acceleration and speed of the applications?
4. How do you ensure the scalability of the web servers with the growing number of users?
5. How do you validate the input of users on web forms?
However, before we talk more about Cyberoam as a WAF, let us have a look at the challenges faced by the current WAF products on the market.
The major challenge comes in the form of too much security. I mean to say that some products, like Barracuda WAF, provide so much security that there have been instances where even legitimate users have been deprived of work. This may sound funny, but it is true for many other products as well.
Other challenges can be listed as below:

1. Penetration of database monitoring
2. Prevention of hacking and data theft
3. Provision to work as an IDS (Intrusion Detection System)
4. Notifying as well as rectifying the security loopholes
5. Prevention of cookie poisoning and session hijacking
6. Less scanning time for the data
7. Efficient and effective filtering of HTTP/HTTPS requests
8. Moulding itself to detect and prevent new attacks
9. Customisation of HTTP/HTTPS scanning rules

While testing the Cyberoam WAF I found all the challenges being overcome. I tested it against my WordPress website linked to a JDBC. Products like Barracuda, Symantec, Citrix, Imperva etc. failed in overcoming one or the other of the challenges listed above. However, Cyberoam has no reporting feature, which actually is a point that goes against it when we compare it with dedicated WAF products.
I am more interested in testing Cyberoam's WAF against Astaro's WAF (since Astaro is the only UTM offering an inbuilt WAF), wherein the latter uses signatures to detect and prevent attacks. I have never been a great fan of technologies using signatures and this is no different. The huge issue I see with signatures is that they need to be updated regularly, which is a big overhead. Since Cyberoam uses intuitive active and passive modes to detect and prevent attacks, it is far more effective and efficient than Astaro.
Cyberoam's WAF is so intelligent that in a real-time environment it is quickly able to notice the behaviour of the web applications in your network and then moulds itself to protect them automatically. How does it do so? It is still a mystery. Maybe I can get a hint from Cyberoam support.

Friday 4 May 2012

New Features released by Cyberoam.

Cyberoam released a new version for all existing models this week. I had a chance to go through the release notes and found things quite interesting.
I have always viewed Cyberoam as a competitive product, and with the coming of new features it is creating a niche of its own.

The newly released version is 10.02.0 Build 206, and with it Cyberoam has brought a new set of features. Here are the features I have been talking about all along:

1. Mix Mode
2. FQDN Host and Host Groups
3. Guest Users
4. Differentiated Services Code Point (DSCP)
5. Captive Portal URL Redirection
6. Hit Count in Mail Summary Reports
7. Country Based Traffic Control
8. WAF – Web Application Firewall
9. NT LAN Manager (NTLM) Authentication Support

The features here have a lot to offer and I will not do them justice by going through all of them in this article. So, in the upcoming weeks I will post more information about these features after doing some testing and playing with them.

Besides these features, some enhancements have also been announced with this new version. These enhancements were long awaited and at last Cyberoam has them.
Here is the list of the enhancements:

1. GUI Enhancements
2. DNS Optimization
3. Virtual Host Enhancement
4. IBM server terminal support in SSLVPN
5. Dynamic Interface Support
6. Search using IP Address
7. Customized Wireless LAN

We will again talk about these enhancements in a separate article later.

Every new version also has some bug fixes, and this version is no different. I will test and list the bugs fixed in the new version in the upcoming articles.