Disclaimer

The content of this material is challenges I faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered as the ultimate answer. The material may be considered for reference only.

2> should not be considered as a guarantee that the solutions will work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........DO CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Saturday, 28 June 2014

Which comes first : Compliance or Security?

Recently I was browsing through my LinkedIn profile and I saw a large number of security professionals drawn towards this question:

What comes first, Compliance or Security?

I have given this question a lot of thought, and I asked myself a few more questions pertaining to it:

1> Can an organisation be secure without compliance? The answer is reasonably simple: yes.
2> Does a man secure himself or search for compliance when in the wild? Obviously security.

On the contrary, I also asked myself questions to contradict the above answers:

1> How can an organisation know itself to be secure without a framework? Compliance is necessary.
2> How can a large society function without a framework? Yes, it is necessary.

But again I thought, let's bring it down to basics:

1> What would I require to keep my data safe? Security.
2> How could I say that my data is safe under the current security? Compliance.

Aha...so, I believe security must be built before we go for compliance or compliance auditing.
However, from the above we can also conclude that security and compliance should complement each other, to build strong security and to strategize the spending of a limited budget.

Tuesday, 11 February 2014

QoS in Cyberoam

A couple of days ago, I was deploying a Cyberoam unit at a customer's site. We were replacing a Cisco router with a Cyberoam unit. The customer was overall happy with the Cyberoam; however, he was unsure about the QoS feature. The primary reason to replace the Cisco router with Cyberoam was to get better performance in terms of security: since the Cisco router was already being used as a zone-based firewall, its overall performance was not up to the mark.
Besides, configuring a Cisco router is a tedious task compared with the Cyberoam.

However, as said, the customer was a little suspicious about QoS, since he had 50 VoIP phones in the network. Let me tell you about Cisco QoS: it uses a very granular and efficient QoS feature/module. Cisco calls its QoS MQC (Modular QoS CLI), where the whole configuration of class maps and policy maps, and applying them to services or interfaces, is done through specific CLI commands. The disadvantage here is that you really have to be a Cisco CLI master in order to do the configuration; otherwise you are in the dock. On the other hand, Cyberoam is very easy to configure and play with, and you don't have to be a Cyberoam or security master to configure things.

Cyberoam gives you complete control over the kind of traffic policing and control one would like to have over applications and, most importantly, users, which is missing in Cisco routers. In Cyberoam you have the power to prioritize or police bandwidth for a web category or for a desired group of websites or URLs, which again is not available with the Cisco router.

Improved application control

I am a great fan of UTM devices that give complete and granular control over different Layer 7 applications. Cyberoam is one of the best application control UTMs. In one of my previous articles, named A Fight for the best application filter, I mentioned the fact that applications have changed over the years but we have not seen any significant change in firewalls.

Coming to the Cyberoam, it is a feature-rich product and I can feel the kind of effort being put into Cyberoam to make it a world-class product. Now they have come up with improved application control features, and there is a new way in which Cyberoam has categorized different applications. I really liked this improvement. Cyberoam represents applications according to:

1. Name
2. Category
3. Risk
4. Characteristics
5. Technology

Here is the screenshot:

This will provide more granular control for users over the applications. I believe this was a long-pending feature, and at last we have it. Cyberoam can identify over 1000 applications, which is better than some other UTMs.
With the improvement in the categorization, the reporting feature has also seen a lot of changes.

Reporting has always been one of the best features of Cyberoam. You really have to work on a Cyberoam UTM device in order to feel what power it holds. The on-appliance iView is one of the best reporting systems. It has a hawk's eye and provides drill-down reports up to the 3rd level for forensic analysis. The new reporting system is faster and more eye-catching, with its instant horizontal, vertical and pie chart representation of the logs.

Monday, 25 June 2012

"Set it and forget it attitude"- Web Application firewall


Web Application Firewalls (WAFs) are an excellent last line of defense. They’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to partners all the time. But is there more to the story?

Unfortunately, more and more security vendors deploy a WAF to cover up vulnerabilities instead of looking to fortify the coding practices that led to those vulnerabilities in their web applications. The WAF has also replaced the good old security practice of conducting regular audits and security scans. It's "set it and forget it". This is especially common with the compliance-as-a-checkbox mode of operation that's present in many businesses. It reminds me of what firewalls with stateful inspection technology were 10 years ago.

A WAF will not protect you against application logic flaws. What about weak passwords in your web application? That is another flaw that may go unguarded.

Good security practices like security monitoring, patch management, change management, incident response processes/procedures and, most importantly, security awareness sessions still hold good.

Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all be-all solution for your web security problems. They're good at what they do. But like airbags in our automobiles, they can't be relied on completely. To set up a WAF and rely on it completely to protect your web application is short-sighted and a recipe for getting bitten when you least expect it.

The solution is to layer your web controls and look to fortify your coding practices. Web application flaws are better fixed at the source, by performing periodic scans and manual tests and reviewing your code.

After you follow best practices for setting up your web application, let the WAF be the icing on the cake.

False Sense of Security - NGFW (Next Generation Firewall)

I am often questioned by my partners about how Cyberoam is different from the new buzz, NGFW. In reality, Cyberoam and the new NGFWs share many common features.
UTM and NGFW are two different terms coined by two different analyst firms: IDC coined UTM and Gartner coined NGFW. One key difference is the technology used to deliver the functions. It is believed that UTMs just provide multiple features on a single platform without integrating the features together, whereas an NGFW delivers features like IPS, AV and application control while integrating them into the firewall.
NGFW major features vs. Cyberoam
* NGFW integrates security functions into a single engine and defines security controls through the firewall. NGFW also enables user-based access control.
Cyberoam is an identity-based firewall that implements Layer 8 technology. It ties all the security policies and access controls not only to the firewall but also to the user. You can apply Web Filter, Application Filter, Antivirus, Anti-Spam, QoS, IPS and VPN to the firewall as well as to a user/group.
* NGFWs are believed to deliver wire-speed network security and to be suitable for large networks.
Cyberoam delivers high-performance network security ranging from small to large networks. It has firewall throughput of up to 10 Gbps with UTM throughput of up to 1.2 Gbps.
* NGFW optimizes application control.
Cyberoam offers comprehensive Layer 7 application control that is capable of identifying and controlling applications using standard and non-standard ports and protocols, even encrypted SSL-tunneled traffic. Cyberoam identifies and controls more than 2000 Layer 7 applications. Cyberoam also does application-based QoS, IM control and Data Leak Prevention.
* NGFW provides greater visibility with advanced monitoring and reporting.
Cyberoam integrates a custom-built SIEM solution called iView with more than 1000 user-based reports. iView provides reports for applications, web filter, threats, web trends and internet usage, as well as compliance reports. It also provides module-wise live reporting. All logs and reports are stored on the appliance hard drive.
Conclusion
At the end of the day, NGFWs are just a subset of Cyberoam UTM.

Thursday, 21 June 2012

Scare the Scareware

I remember that when I was in school, my Dad bought me a computer, a Pentium 2 powered desktop. I invited most of my friends, out of curiosity, to have a look at my desktop. In those days there was a piece of software that was given to me by one of my cousins from Canada. I should call it a program which, once run, used to display messages saying YOUR ALL DATA IS BEING DELETED AND THE SYSTEM HAS CRASHED. My friends used to run the program somehow and I used to scare the hell out of them. It was a prank and indeed included lots of fun. What I want to convey here is that such software or malicious programs are known as scareware and are used by many hackers to cause anxiety and fear in people.
Scareware, or better to call it fake software, is indeed a bitter reality for consumers around the globe nowadays. A good example is fake antivirus software: the cyber criminals use social engineering to install malicious code on consumers' computers. Once this code is installed, it starts displaying fraudulent alerts with fake messages. Below are screenshots displaying such fake messages.

People usually fall into the trap because they get scared enough after reading such messages. These alerts prompt users to visit websites to buy and download fake software to clean threats which never existed.

For cyber criminals, it is a lucrative business to threaten people and steal their money by prompting them to buy fake software. This class of malware scans the computer and comes up with a collection of junk files and data. To appear legitimate, this software will have names such as:

1. Internet defender
2. Security shield
3. Smart internet protection
4. Malware protection 2012

This malware can also cause further distress among users. It can interfere with the normal functioning of the system. It will terminate processes; for example, it will never allow you to run Task Manager. It can also force web redirections, where each and every time you try to access a web page you will be redirected to some other link. This software is also infamous for downloading further malware like banking trojans or rootkits.

So we can conclude here that scareware will be an ongoing problem, which will continue because it involves monetary gains for the cyber criminals.

I was curious to find out whether my Cyberoam can take care of this scareware. But first of all I wanted to know what features I have at my disposal to protect my users against such malware.
Here is my verdict after some long testing:

1. Cyberoam's anti-virus engine is fabulous, I really mean it. I was not able to download any of the malicious software. I think nothing more can be said about it.

2. Secondly, I went ahead and enabled the Anti-Pharming feature of the Cyberoam, after which Cyberoam re-resolves the DNS for the URLs with the DNS server configured in the appliance itself. This is by far the best way of protecting against redirection links directing users to malicious websites instead of the original website.

3. On further research, I hit a couple of very interesting web categories, "SpywareandP2P" and "PhishingandFraud". I am not sure how the guys at Cyberoam do the categorization, but believe me, it is really effective. I found several websites being denied by the Cyberoam when I applied them.

By the way, I referred to http://www.spywarewarrior.com/rogue_anti-spyware.htm#products for testing purposes. You can try the same to test Cyberoam's capabilities in protecting your network.
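As an added illustration of the Anti-Pharming idea in item 2 above (example code written for this page, not Cyberoam's implementation), the check below re-resolves the hostname a client is heading for against a trusted resolver and flags a mismatch instead of forwarding it; the resolver answers, log lines, hostnames and addresses are all constructed for the example.

```python
"""Anti-pharming style check: do not trust the address the client resolved
for a hostname; re-resolve the hostname with the gateway's own trusted
resolver and compare. A mismatch is flagged rather than silently forwarded.

Hypothetical stand-alone code written for this post; not Cyberoam's code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed "trusted resolver" answers (what the gateway's own DNS server
# would return). In a real deployment this is a live lookup, e.g. via
# socket.getaddrinfo, against the resolver configured on the appliance.
TRUSTED_DNS = {
    "bank.example": {"192.0.2.10", "192.0.2.11"},
    "update.example": {"198.51.100.5"},
}


@dataclass
class Verdict:
    host: str
    dest_ip: str
    action: str   # "allow", "block" or "unresolvable"
    reason: str


def resolve_trusted(host, resolver=TRUSTED_DNS):
    """Return the trusted address set for host (empty if unknown)."""
    return set(resolver.get(host.lower().rstrip("."), ()))


def check_pharming(host, dest_ip, resolver=TRUSTED_DNS):
    """Compare the address the client is about to connect to with the
    trusted resolution of the hostname it asked for."""
    try:
        ipaddress.ip_address(dest_ip)
    except ValueError:
        return Verdict(host, dest_ip, "block", "destination is not a valid IP address")
    trusted = resolve_trusted(host, resolver)
    if not trusted:
        # No trusted answer: cannot judge, so surface it for the admin.
        return Verdict(host, dest_ip, "unresolvable", "trusted resolver has no answer")
    if dest_ip in trusted:
        return Verdict(host, dest_ip, "allow", "matches trusted resolution")
    return Verdict(host, dest_ip, "block",
                   f"client resolved {dest_ip}, trusted resolver gives {sorted(trusted)}")


# Constructed sample of gateway log lines: "<client ip> <requested host> <destination ip>"
SAMPLE_LOG = """\
10.0.0.5 bank.example 192.0.2.10
10.0.0.7 bank.example 203.0.113.66
10.0.0.9 update.example 198.51.100.5
10.0.0.11 unknown.example 203.0.113.1
10.0.0.12 bank.example not-an-ip
"""


def scan_log(text, resolver=TRUSTED_DNS):
    """Run the check over every non-empty log line and return the verdicts."""
    verdicts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _client, host, dest = line.split()
        verdicts.append(check_pharming(host, dest, resolver))
    return verdicts


def blocked(text, resolver=TRUSTED_DNS):
    """Only the verdicts a gateway would act on."""
    return [v for v in scan_log(text, resolver) if v.action == "block"]


if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"{v.action:12} {v.host:16} {v.dest_ip:14} {v.reason}")
```

In a real deployment a mismatch is a signal to log and re-resolve, not proof of pharming on its own, since CDN and round-robin records legitimately return different addresses per query.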



Thursday, 24 May 2012

Most common myths about the network security


Myths about network security
1>     I am anonymous on the internet
2>     Having a security appliance will require dedicated manpower
3>     The threats are only from outside
4>     I am secure if I am accessing HTTPS
5>     Installing a firewall: I am secure

1>     I am anonymous on the internet

This is a common myth most administrators are under. They do not understand that to bring down a big target, hackers target small organisations. The reason for this behaviour is obvious: they want to cover their tracks. Hackers create zombies in smaller networks and try to bring down bigger networks. When a forensic analysis is done, it will always be your network under the radar.

2>     Having a security appliance will require dedicated manpower

The Cyberoam UTM appliance is an all-in-one solution and does not require any dedicated manpower. Companies can use their existing manpower to control their internet traffic. The product is very simple to configure and is a plug-and-play device.

3>     Threats are only from outside

Most administrators feel that threats are only from outside. This is the greatest myth of all, as threats from inside are equally distributed with threats from outside. More than 50% of the threats are from inside. Free surfing on the internet will invite viruses, Trojans and worms inside the network and thus will reduce the speed of the whole network. You will buy new switches which should be working at great speeds, and at the end of the day you will still find them working the same as before. The worms eat up your bandwidth due to broadcasts, and Trojans can launch attacks from inside the network. If your email server gets compromised, you will see your public IP getting blacklisted.

4>     I am secure if I am accessing HTTPS

This is where you get a false sense of security. When you see a secure protocol you should never feel fully secure. Security is never full and complete; it's a constant evolution. So you should always update yourself with new technologies, and then remember to use your brain before implementing one as a solution.

5>     Installing a firewall: I am fully secure

The firewall is just primary security, but what about the ports which you have bypassed, like when you are using a web server, FTP server or email server? You have opened these ports directly through your firewall. Now there is no protection on these ports except checking the state of the connection and DoS checks. Many other attacks, like URL redirection, XSS attacks and buffer overflow attacks, which could seriously damage your reputation, are ignored.

Wednesday, 23 May 2012

Most important things your firewall should do

We recently organised a customer meeting, where we invited most of our customers and requested them to vote in a poll for the most important things a firewall should do. This is a regular operation we do.

How does this help us?

1> Increased satisfaction of the customer, because we care
2> Customers tend to learn about new threats
3> New customers who appreciate the need for security
4> Awareness of newly released technologies and how they are going to help them
5> A common platform to discuss existing network problems and their solutions

After many suggestions and many reviews we decided to list them down. The list will help most customers to make better decisions while buying a new security product, when they are ready for renewal, or when they want to replace an existing solution.

The attacks have grown mature, the users have grown mature, the applications are more mature, but most of the appliances are not ready for this challenge. The attacks can be blocked from the WAN, but what about the new threats? These new threats are also known as zero-day attacks. The products are not aware of these threats.

So to provide a checklist we came up with a top 10 list, and below are the important features from it:

1> Intelligent and advanced application filter with bandwidth control

The advanced application filter should identify applications which are running on standard ports, like HTTP, i.e. port 80. Port 80 carries simple web traffic, IM traffic, CRM traffic and streaming media traffic. Most of our customers wanted a solution which will allow streaming media on port 80 but with limited bandwidth. If a solution cannot identify streaming media on port 80, it is very difficult to manage your limited bandwidth. Along with that, many online movie sites and live TV can also be differentiated and should be limited in usage.

Another set of bandwidth-hungry applications are the P2P applications, which eat up your most important resource, i.e. bandwidth. Recently one of our customers complained of slow browsing; we installed a solution just to find that most of the users were bringing their laptops with P2P applications still active when they came from home. They were not only choking up the bandwidth but also risking the network with new viruses, worms and Trojans.

2> A true identity-based solution

Some users are very aggressive. They launch an attack deliberately or accidentally and the organization loses important data. Most organizations trust their employees and we seldom hear of these incidents, but the truth is these things never come to light unless they occur at important organisations. So the administrator's right choice is to identify the users who take advantage of this trust.

Also, most of the attacks are not from outside but from inside, like spam. We want to identify the users and then block them. The identity-based solution should also have the ability to allow the admin to create granular policies over the users.

Now that we are aware that the user is the weakest link in security, his activities should be monitored regularly.

3> Live view of the network

Once the user has been identified, the solution should be capable of showing how much bandwidth is being consumed by each user or application. This data is very important for optimizing network performance. When you put these advanced solutions in your network, you will be amazed to see so many applications being used which are choking your bandwidth. Based on the live reports, you can take immediate action on the users.

4> Anti-Spam

Spam is a very ugly truth. With no solution, your email server and your users can be easily compromised and soon your IP will be blacklisted. Once an IP gets blacklisted, we are all aware of the hardships we have to go through to get it unlisted. A true spam solution should be able to catch spam in any language or format. Also, it should be capable of blocking spam at the gateway level itself.

5> WAF

In my earlier thread I explained the use of a WAF and its requirement. To refer to it, kindly browse through the link below:
http://cyberoamexpert.blogspot.in/2012/05/cyberoams-waf.html

6> Web category based bandwidth control

One good example is Facebook or social networking sites. These social networking sites are very good and I am a big fan of them. A recent study also showed that allowing users to use Facebook increased the productivity of employees. But that does not mean that users should be given full bandwidth to these networking sites. So a true solution should be capable of implementing bandwidth policies on these sites, so users can enjoy the site but at a limited bandwidth.

7> Logging and Reporting

A true solution should include an inbuilt logging and reporting solution. The reporting should be very elaborate and should not require any external device or software. However, it should also provide a facility to send logs and reports to a syslog server.

8> SSL VPN

I like working from home, as many of us do. But it gets difficult to work if I am not able to access resources securely. The solution should allow users to log in from home and work safely and securely. SSL VPN is best as it is secure and provides mobility. While client-to-site is also a good way, an SSL VPN is truly the best solution.


All our customers were very satisfied with the list as it really helped them to choose the right product!

Monday, 23 April 2012

A fight for best application filter


Today's networks, and the amount of data transferred, are large and growing larger. As companies grow, the number of users in the network also increases. The users are the primary cause of growth in traffic. Let's understand their behaviour and why there is exponential growth in data transfer on the WAN. Let's understand why the 80/20 rule is no longer valid:

  1.  Users will access resources on the LAN and WAN. These days everyone is moving applications to the cloud, so it makes sense that traffic is growing on the WAN.
  2.  These users are not only accessing applications on the cloud but also applications which they should avoid, like proxy applications and P2P applications (torrents). Primarily, this is how a virus/malware comes inside the network.
Now, if we include all of the above, we understand that we need to identify the application traffic being used by the user and drop it if objectionable.

Applications have grown too mature and difficult to catch with traditional firewalls. The traditional firewalls are capable of only identifying ports, or the only rule-matching criterion is "the port numbers". A real next-generation firewall should be application-intelligent and must identify the user who is initiating the traffic.

"The applications have grown too mature." What does that mean exactly?

Let's take an example here of an application called Ultrasurf. It's really the best example because of its random behaviour. It's like a chameleon which gets connected to its servers anyhow. Another good example is Skype. To simplify things, consider port 80 traffic. It not only includes simple web traffic but now also includes video streaming, proxy application traffic, instant messengers, downloads, CRM......and many more.

I think the solution is obvious: go for a combined security solution! But which one? A very mind-twisting question.

Recently there has been hype in the security market about Palo Alto Networks. Their App-ID technology is currently marketed as unique, as they have this feature right inside the firewall module. I searched on YouTube for any related videos on how to configure it. I was seriously concerned by the first few steps of getting the appliance up. The new generation of appliances should be easily configured and should be plug-and-play, but instead it seems to be a very lengthy process.

Creating a firewall rule...oh god, it was a very, very lengthy process. Not a simple thing to configure. It again needs a professional just to configure the firewall rules. Again, not a simple plug-and-play device.

Now I got more interested in capabilities. As a security professional, I wanted to test this appliance and its capabilities. I took 4 appliances into the test bed to compare capabilities. These appliances have the capability to identify different applications and block them.

I also wanted to choose common applications which are being used in current networks. The applications were chosen to compare the maturity level of the application vs. the maturity/capability level of the product in identifying and blocking it. These applications were specially chosen from networks with students, HR teams, construction companies, complex networks, and low-bandwidth networks. So we prepared a list of the common and deadly 35. These applications are used for data leakage, and the risk to organisations has increased.

Below are the deadly 35:

Application                        | Facebook likes    | Source
Ultrasurf - Proxy                  | 4016 likes        |
Freegate - Proxy                   | N.A.              |
Hotspotshield - Proxy              | N.A.              |
MSN - IM                           | 1,731,299 likes   | msn.com
Yahoo - IM                         | 40,00,000 users   |
Gtalk - IM                         | 6541 likes        |
TOR - Proxy                        | N.A.              |
Skype - VoIP                       | 1,09,00,000       |
Facebook Chat - IM                 | 10,450 likes      |
AIM Messenger - IM                 | 1,20,000          |
QQ Messenger - IM                  | 6275 likes        |
BitComet P2P Traffic - P2P         | 181 likes         |
Bittorrent_uTorrent_Thunder - P2P  | 7239 likes        |
Securitykiss - Proxy               | N.A.              |
FTP Upload/Download                | N.A.              |
Team Viewer                        | 610               |
iTunes                             | Too Many          |
Facebook Application               | Too Many          |
Webmail-gmail-chat                 | Too Many          |
google+                            | Too Many          |
webmail-yahoo-chat                 | Too Many          |
teamviewer file transfer           | N.A.              |
cyber ghost                        | N.A.              |
asproxy (on web)                   | N.A.              |
qq file transfer                   | 6277 likes        |
shareaza                           | N.A.              |
emule                              | 1,41,256          |
dc++                               | N.A.              |
qq live (WEB)                      | Too Many          |
ustream                            | 290,000/month     |
jumblo                             | N.A.              |
psiphone                           | 622               |
simurgh proxy                      | N.A.              |
Free File sharing                  |                   |
Wi-Free                            | Few               |
Digsby                             | 80000/month       |

Two of these applications caught my eye because of their extraordinary behaviour:

  1. Psiphon
  2. Wi-Free

These will be the next-generation applications used for surfing. They are very difficult to stop. They use protocols like SSH and DNS to send traffic through the network, and it is very difficult to detect and drop such traffic. If you DROP DNS traffic, your internet traffic will not work. Public Wi-Fi can be easily penetrated using these applications.

Very good applications, developed by beautiful minds to share data with the outside world, but now they are being used in very different environments like schools and colleges. So the customer requirement was very obvious.

Test bed:

The test bed was very simple.

  •  A computer with all these applications is connected to the LAN, and the WAN is connected to the Internet.
  •  The applications are run one by one, so that the capability and maturity of the product in blocking each application can be evaluated.
  •  No extra firewall rules should be required.

But the results were totally different, and I think Cyberoam has fared very well, or better to say, it has proved to be the best. The results may vary, but we have tried to use the latest versions. It seems that the products took too much time to block the applications when a new version of an application was released. These products were not proactive. These applications have topped our list, and some products are not even aware of these deadly applications.

Below are the results:


In the product columns, "Working" means the product blocked that application in the test, "Not Working" means the application got through, and "Not available" means the product had no identification for it. The "Latest Release" row gives the signature/application database release each product was tested with, as recorded on the page.

Application Name                   | Application Version            | Fortigate (FW-v4.0,build0521,120313 (MR3 Patch 6)) | Sonicwall (FW- SonicOS Enhanced 5.8.0.2-37o) | Palo-Alto (FW-4.0.8)      | Cyberoam (FW-124)
                                   |                                | Latest Release: 3.00168                            |                                              | Latest Release: 298-1339  | Latest Release: 3.0.53
Ultrasurf - Proxy                  | 11.04                          | Working                                            | Not Working                                  | Not Working               | Working
Freegate - Proxy                   | 7.27                           | Working                                            | Not Working                                  | Not Working               | Working (Ultrasurf & Freegate both should apply)
Hotspotshield - Proxy              | 2.52                           | Working                                            | Not Working                                  | Not Working               | Working
MSN - IM                           | 0.98.4                         | Working                                            | Working                                      | Working                   | Working
Yahoo - IM                         | 11.05                          | Working                                            | Working                                      | Working                   | Working
Gtalk - IM                         | 1.0.0.104                      | Not Working                                        | Working                                      | Working                   | Working
TOR - Proxy                        | 0.2.2.35-8.0                   | Working                                            | Working                                      | Working                   | Working
Skype - VoIP                       | 5.8                            | Not Working                                        | Working                                      | Working                   | Working
Facebook Chat - IM                 |                                | Not Working (taking time to bypass)                | Not available                                | Not Working               | Working
AIM Messenger - IM                 | 1.0.1.2                        | Working                                            | Working                                      | Not Working               | Working
QQ Messenger - IM                  | 1.2                            | Working                                            | Working                                      | Working                   | Working
BitComet P2P Traffic - P2P         | 1.31                           | Working                                            | Not Working                                  | Working                   | Working
Bittorrent_uTorrent_Thunder - P2P  | B(7.6-26764) & U(3.1.2-26773)  | Working                                            | Not Working                                  | Working                   | Working
Securitykiss - Proxy               | 2.2                            | Not available                                      | Not available                                | Working                   | Working
FTP Upload/Download                |                                | Working                                            | Working                                      | Working                   | Working
Team Viewer                        | 7.0.12799                      | Working                                            | Working                                      | Working                   | Working
iTunes                             | 10_05_2005                     | Working                                            | Not available                                | Working                   | Working
Facebook Application               |                                | Working                                            | Not available                                | Working                   | Working
Webmail-gmail-chat                 |                                | Working                                            | Not available                                | Not Working               | Working
google+                            |                                | Working                                            | Working                                      | Working                   | Working
webmail-yahoo-chat                 |                                | Not Working                                        | Not available                                | Working                   | Working
teamviewer file transfer           |                                | Not available                                      | Not available                                | Not available             | Working
cyber ghost                        | 4.7.18.1187                    | Working                                            | Not available                                | Working                   | Working
asproxy (on web)                   |                                | Not Working                                        | Not Working                                  | Working                   | Working
qq file transfer                   | 1.2                            | Working                                            | Not Working                                  | Not Working               | Working
shareaza                           | V8                             | Not Working                                        | Working                                      | Not available             | Working
emule                              | 0.50a                          | Not Working                                        | Working                                      | Working                   | Working
dc++                               | 0.791                          | Not Working (connected but unable to download)     | Not Working                                  | Not Working (connected but unable to download) | Working
qq live (WEB)                      |                                | Working                                            | Not Working                                  | Working                   | Working (whole category should block)
ustream                            |                                | Working                                            | Working                                      | Working                   | Working (whole category should block)
jumblo                             | 4.09 Build 660                 | Not available                                      | Not available                                | Not available             | Working
psiphone                           |                                | Not available                                      | Not available                                | Not Working (SSH +)       | Working
simurgh proxy                      | 1.20 beta                      | Working                                            | Not available                                | Not available             | Working
Wi-Free                            |                                | Not available                                      | Not available                                | Not available             | Working
Digsby                             | 91                             | Working                                            | Working                                      | Not available             | Working

Just to quantify them in beautiful graphs:

Furthermore, the Cyberoam was quite easy to configure. It seems to be a true application-intelligent firewall which blocks the most dangerous applications. This product is quite promising, and its track in the Magic Quadrant has shown considerable growth.