Disclaimer

The contents of this material are challenges faced on site and how I personally resolved them. Please note that the solutions posted here:

1> should not be considered the ultimate solution. The material may be considered for reference only.

2> should not be considered a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog... a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........MAKE CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Monday 25 June 2012

"Set it and forget it" attitude - Web Application Firewall

Web Application Firewalls (WAFs) are an excellent last line of defense. They’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to partners all the time. But is there more to the story?

Unfortunately, more vendors deploy a WAF to cover up the weak coding practices that led to vulnerabilities in their web applications, instead of fortifying those practices. The WAF has also replaced the good old security practice of conducting regular audits and security scans. It's "set it and forget it". This is especially common with the compliance-as-a-checkbox mode of operation that's present in many businesses. It reminds me of what firewalls with Stateful Inspection Technology were 10 years ago.

A WAF will not protect you against application logic flaws. What about weak passwords in your web application? That is another flaw that may go unguarded.

Good security practices like security monitoring, patch management, change management, incident response processes/procedures and most importantly security awareness sessions still hold good.

Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all, be-all solution for your web security problems. They're good at what they do. But like airbags in our automobiles, they can't be relied on completely. To set up a WAF and rely on it completely to protect your web application is short-sighted and a recipe for getting bitten when you least expect it.

The solution is to layer your web controls and look to fortify your coding practices. Web application flaws are better fixed at the source, by performing periodic scans and manual tests and by reviewing your code.

After you follow best practices for building your web application, let the WAF be the icing on the cake.
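The post's point that flaws such as SQL injection are better fixed at the source than filtered by a WAF, as an added example that is not code from the original post or from Cyberoam. It uses Python's built-in sqlite3 module and a constructed in-memory users table; the function names and the sample inputs are assumptions made for the illustration. The unsafe lookup splices user input into the SQL text, so the database cannot tell data from query structure; the hardened lookup binds the same input as a parameter and needs no pattern-matching rule in front of it.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table standing in for the web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """The flaw a WAF is often deployed to paper over: input spliced into the SQL string."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """The fix at the source: a parameterised query. The input is bound as a value
    and never parsed as SQL, so no front-end filter is needed to keep it harmless."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups on a normal name and on a constructed hostile input of the
    kind an automated scanner sends, and return all four results for comparison."""
    conn = build_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed test input, not taken from any real scan
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_hostile": find_user_unsafe(conn, hostile),  # returns every row
        "safe_normal": find_user_safe(conn, normal),
        "safe_hostile": find_user_safe(conn, hostile),      # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe variant returns the whole table for the hostile input because the closing quote ends the literal and the rest becomes query logic; the parameterised variant returns no rows because the entire string is compared against the username column as data. A code review or a scan, as the post recommends, finds the first form; a WAF only ever hides it.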

False Sense of Security - NGFW (Next Generation Firewall)

I am often questioned by my partners about how Cyberoam differs from the new buzzword, NGFW. In reality, Cyberoam and the new NGFWs share many common features.

UTM and NGFW are two different terms coined by two different analyst firms: IDC coined UTM and Gartner coined NGFW. One key difference is the technology used to deliver the functions. It is believed that UTMs just provide multiple features on a single platform without integrating the features together, whereas an NGFW delivers features like IPS, AV and application control integrated into the firewall.

Major NGFW features vs Cyberoam

* NGFW integrates security functions into a single engine and defines security controls through the firewall. NGFW also enables user-based access control.
Cyberoam is an identity-based firewall that implements Layer 8 technology. It ties all the security policies and access controls not only to the firewall but also to the user. You can apply Web Filter, Application Filter, Antivirus, Anti-spam, QoS, IPS and VPN to the firewall as well as to a user or group.

* NGFWs are believed to deliver wire-speed network security and to be suitable for large networks.
Cyberoam delivers high-performance network security for small to large networks. It has firewall throughput of up to 10 Gbps with UTM throughput of up to 1.2 Gbps.

* NGFW optimizes application control.
Cyberoam offers comprehensive Layer 7 Application Control that is capable of identifying and controlling applications using standard and non-standard ports and protocols, even encrypted SSL-tunneled traffic. Cyberoam identifies and controls more than 2000 Layer 7 applications. Cyberoam also does application-based QoS, IM control and Data Leak Prevention.

* NGFW provides greater visibility with advanced monitoring and reporting.
Cyberoam integrates a custom-built SIEM solution called iView with more than 1000 user-based reports. iView provides reports for applications, web filter, threats, web trends and internet usage, as well as compliance reports. It also provides module-wise live reporting. All logs and reports are stored on the appliance hard drive.

Conclusion

At the end of the day, NGFWs are just a subset of Cyberoam UTM.

Thursday 21 June 2012

Scare the Scareware

I remember that when I was in school, my Dad bought me a computer, which was a Pentium 2 powered desktop. I invited most of my friends, out of curiosity, to have a look at my desktop. In those days there was a piece of software that was given to me by one of my cousins from Canada. I must say it was a program that, once run, used to display some messages saying YOUR ALL DATA IS BEING DELETED AND THE SYSTEM HAS CRASHED. My friends used to run the program somehow and I used to scare the hell out of them. It was a prank and indeed included lots of fun. What I want to convey here is that such software or malicious programs are known as scareware and are used by many hackers to cause anxiety and threaten people.

Scareware, or better to call it fake software, is indeed the bitter reality for consumers around the globe nowadays. A good example is fake antivirus software: the cyber criminals use social engineering to install malicious code on consumers' computers. Once this code is installed, it starts displaying fraudulent alerts with fake messages. Below are screenshots displaying such fake messages.

People usually fall into the trap because they get scared enough after reading such messages. These alerts prompt users to visit websites to buy and download fake software to clean threats that never existed.

For cyber criminals, it is a lucrative business to threaten people and steal their money by prompting them to buy fake software. This class of malware scans the computer and comes up with a collection of junk files and data. To appear legitimate, these programs have names such as:

1. Internet defender
2. Security shield
3. Smart internet protection
4. Malware protection 2012

This malware can also cause further distress to users. It can interfere with the normal functioning of the system. It terminates processes; for example, it will never allow you to run Task Manager. It can also force web redirections, whereby each and every time you try to access a web page you are redirected to some other link. This software is also infamous for downloading further malware such as banking trojans or rootkits.

So, we can conclude here that scareware will be an ongoing problem, which will continue due to the fact that it involves monetary gains for the cyber criminals.

I was curious to find out whether my Cyberoam can take care of this scareware. But first of all I wanted to know what features I have at my disposal to protect my users against such malware.

Here is my verdict after some long testing:

1. Cyberoam's anti-virus engine is fabulous, I really mean it. I was not able to download any of the malicious software.  I think nothing can be said more about it.

2. Secondly, I went ahead and enabled the Anti-Pharming feature of the Cyberoam, after which Cyberoam re-resolves the DNS for the URLs with the DNS server configured in the appliance itself. This is by far the best way of protection against redirection links that direct users to malicious websites instead of the original website.

3. On further research, I hit a couple of very interesting web categories, "SpywareandP2P" and "PhishingandFraud". I am not sure how the guys at Cyberoam do the categorization, but believe me it is really effective. I found several websites being denied by the Cyberoam when I applied them.
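The anti-pharming idea in point 2 (re-resolve the requested host through a trusted DNS server and compare the answer with where the client is actually going) as an added example; this is not Cyberoam's code and does not reflect how the appliance implements the feature. The trusted answers are a constructed table standing in for a real resolver query so the example runs offline, the log lines are constructed in a simplified `user= host= dst=` form rather than Cyberoam's real log format, and the addresses are documentation ranges.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed: what the appliance's own (trusted) DNS server would answer for each host.
# A real implementation would query that server; the table is a stand-in for the example.
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "update.example.org": {"198.51.100.5"},
}


def trusted_resolve(host: str) -> Set[str]:
    """Hypothetical stand-in for re-resolving `host` through the trusted resolver."""
    return set(TRUSTED_ANSWERS.get(host.lower().rstrip("."), ()))


def classify(host: str, dst_ip: str, resolve=trusted_resolve) -> str:
    """Compare the address the client connected to with the trusted resolution of the host."""
    answers = resolve(host)
    if not answers:
        return "unknown-host"        # trusted resolver has no answer: cannot verify either way
    if dst_ip in answers:
        return "ok"                  # client's resolution agrees with the trusted one
    return "pharming-suspected"      # client was sent to an address the trusted resolver never returned


# Simplified constructed log format: "<timestamp> user=<name> host=<fqdn> dst=<ip>".
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")


def check_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run the comparison over log lines; lines that do not match the format are skipped."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        results.append((m["user"], m["host"], m["dst"], classify(m["host"], m["dst"])))
    return results


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    "2012-06-21 10:01:02 user=alice host=bank.example dst=203.0.113.10",
    "2012-06-21 10:02:15 user=bob host=bank.example dst=192.0.2.66",
    "2012-06-21 10:03:40 user=carol host=update.example.org dst=198.51.100.5",
    "2012-06-21 10:04:05 user=dave host=unknown.test dst=192.0.2.99",
    "2012-06-21 10:05:00 heartbeat ok",
]

if __name__ == "__main__":
    for user, host, dst, verdict in check_log(SAMPLE_LOG):
        print(f"{user:6} {host:20} {dst:15} {verdict}")
```

Bob's request is the interesting one: the trusted resolver knows bank.example only at 203.0.113.10 and .11, yet his machine connected to 192.0.2.66, which is exactly what a poisoned local resolver or hosts file produces. The "unknown-host" verdict is kept separate from "ok" on purpose, because a host the trusted resolver cannot answer for has not been verified, and a policy that treats it as clean would let unlisted redirection targets through.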


By the way, I referred to http://www.spywarewarrior.com/rogue_anti-spyware.htm#products for testing purposes. You can try the same to test Cyberoam's capabilities in protecting your network.



Wednesday 6 June 2012

Cyberoam Demo


One of the coolest features I like about the Cyberoam is the reporting part. I was able to impress many customers with its reports. Cyberoam claims to have more than 1400 reports. Most of these reports are identity based, which means which user, what site, what amount of data, what time..... cool.

So in simple words, you really do not have to worry about the IP address any more. What’s more?

Well, it’s free of cost.

Seriously, we do not have to buy any hardware or software to generate logs. To check the authenticity of the logs, we requested a few of our customers to keep an eye on the logs, and surprisingly most of the events had been logged.

So if a user browses any unhealthy site, it will be logged. If he tries to access any application that is not allowed, it will be logged. Everything is logged.

Recently we were at a customer's site to impress him with the Cyberoam functionality. But unfortunately, their current network does not allow the SSL VPN ports (8443 by default). So we tried to access the Cyberoam Demo site. We logged in and explained every feature to him. Then we were to show the reporting part to the customer.

We came back to the office and wrote to Cyberoam requesting that graphs be included in the Cyberoam Demo. There is no point in having a demo without any reports online. Though we had some screenshots to show them, a live demo should be capable of showing some reports.


Let's see when we will be able to see the Cyberoam with logs on demo.cyberoam.com