TCPDUMP with Cyberoam : in depth Analysis

As promised, here is how you can interpret TCPdump on Cyberoam. In this article I am going to change the source IP as SRC and destination IP ad DST.

1> A TCP packet on port 80 : A simple TCP handshake

console> tcpdump "host DST and port 80

tcpdump: Starting Packet Dump

07:11:33.546865 PortB, OUT: IP SRC.48500 > DST.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0

07:11:33.800460 PortB, IN: IP DST.80 > SRC.48500: Flags [S.], seq 2495986521, ack 1143423924, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

07:11:33.800545 PortB, OUT: IP SRC.48500 > DST.80: Flags [.], ack 1, win 183, length 0

I will explain the first packet and there after it will be easy for understanding the other packets:

07:11:33.546865 PortB, OUT: IP SRC.48500 > DST.80: Flags [S], seq 1143423923, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0

Will try to add my 2 cents on windows scaling in next blog

Cyberoam Demo

One of the coolest features I like about the Cyberoam is Reporting part. I was able to impress many customers with its reports. Cyberoam claims to have more than 1400 reports. Most of these reports are Identity based, which means which user, what site, what amount of data, what time.....cool.

So in simple words, you really do not have to worry about the IP address any more. What’s more?

Well, it’s free of cost.

Seriously, we do not have to buy any hardware or software to generate logs. To check the authenticity of the logs, we requested few of our customers to keep an eye of the logs and surprisingly most of the events have been logged.

So if a user browses any unhealthy site, it will be logged. If he tries to access any application not allowed he will be logged. Everything is logged.

Recently we were at our customer to impress him about the Cyberoam functionality. But unfortunately, their current network does not allow SSL VPN ports (8443 default). So we tried to access the Cyberoam Demo site. We logged in, we explained him every feature. Then we were to show the reporting part to customer.

We came back to office and wrote requesting Cyberoam to include graphs on the Cyberoam Demo. There is no point in having a demo without any reports online. Though we had some screenshot to show them, but a live demo should be capable to show some reports.


Let's see when we will be able to see the Cyberoam with logs on demo.cyberoam.com

A fight for best application filter

Today networks and the amount of data transfer done, are large and  growing larger in size. As the companies grow larger, the number of users in the network also increase. The users are the primary cause of growth in the traffic. Let’s understand their behaviour and why there is an exponential growth in the data transfer on the WAN. Let’s understand why 80/20 rule is no more valid:

1.  Users will access resources on the LAN and WAN. These days, everyone is moving the applications on the cloud. It makes sense why traffic is growing on the WAN.
2.     These users are not only accessing the applications on the cloud but also applications which they should avoid, like proxy applications, P2P applications (torrents). Primarily, this is the reason how a virus/malware comes inside the network.

Now, if we include above all we understand that we need to identify the application traffic being used by User and drop it if objectionable.

Applications have grown too mature and difficult to catch with traditional firewalls. The traditional firewalls are capable of only identifying the ports, or the only rule matching criteria is "The port numbers".A real next generation firewall should be application intelligent and must identify the user who is initiating the traffic.

“The applications have grown too mature” What does that mean exactly??

Let’s take an example here of an application called ultrasurf. It’s really best example because of its random behaviour. It’s like chameleon which gets connected to the servers anyhow. Another good example is skype. To simplify things, consider port 80 traffic. It not only includes simple web traffic but now it also includes video streaming, proxy application traffic, instant messengers, downloads, CRM……many many more.

I think the solution is obvious -- go for a combined security solution!!! But which one very mind twisting question.

Recently, there is hype in the security market about PaloAlto networks. The APP ID technology is currently marketed as unique as they have this feature right inside the firewall module.  I searched on the youtube for any related videos on how to configure this videos. It seriously concerned the first few steps of the getting up the appliance. The new generation appliances should be easily configured and should be plug_and_play but instead it seems to be very lengthy process

http://www.youtube.com/watch?v=13nEDpEsRUA&feature=related

Creating a firewall rule..oh! god it was very very lengthy process.  Not a simple thing to configure. It again needs a professional for just configuring the firewall rules. Again not a simple plug and play device.

Now I got more interested in capabilities. As a security professional, I wanted to test this appliance out and about its capabilities. I took 4 appliances in the test bed to compare capabilities. These appliances have capabilities to identify different applications and block them.

I also wanted to choose command applications which are being used in the current network. The applications have been choose to understand the maturity level of the application Vs. maturity /capability level of the product to identify and block it. These applications are specially choose from networks with students, HR team, construction companies, complex networks, and low bandwidth networks. So we have prepared a list of common and deadly 35. These applications are used for data leakage and risk for the organisations has increased.

Below are the deadly 35:

Application	Facebook likes	source
Ultrasurf - Proxy	4016 likes	http://ultrasurf.us/
Freegate - Proxy	N.A.	http://download.cnet.com/Freegate/3000-2085_4-10415391.html
Hotspotshield - Proxy	N.A.	http://hotspotshield.com/
MSN - IM	1,731,299 likes	msn.com
Yahoo - IM	40,00,000 users	http://www.yahoo.com
Gtalk - IM	6541 likes	http://www.google.com
TOR - Proxy	N.A.	https://www.torproject.org/
Skype - VoIP	1,09,00,000	http://www.skype.com
Facebook Chat - IM	10,450 likes	http://facebook.com
AIM Messenger - IM	1,20,000	http://aim.com
QQ Messenger - IM	6275 Likes	http://imqq.com
BitComet P2P Traffic - P2P	181 like	http://bitcomet.com
Bittorrent_uTorrent_Thunder - P2P	7239 likes	http://bittorrent.com
Securitykiss - Proxy	N.A.	http://www.securitykiss.com/
FTP Upload/Download	N.A.
Team Viewer	610	http://www.teamviewer.com
iTunes	Too Many	http://www.apple.com/itunes/
Facebook Application	Too Many	https://facebook.com
Webmail-gmail-chat	Too Many	http://www.gmail.com
google+	Too Many	https://plus.google.com/up/start/?continue=https://plus.google.com/&type=st&gpcaz=93f2c371
webmail- yahoo-chat	Too Many	http://www.yahoo.com
teamviewer file transfer	N.A.	http://www.teamviewer.com
cyber ghost	N.A.	http://cyberghostvpn.com/
asproxy (on web)	N.A.	http://asproxy.sourceforge.net/
qq file transfer	6277 likes
shareaza	N.A.	http://www.shareaza.com/
emule	1,41,256	http://www.emule.com/
dc++	N.A.	http://dcplusplus.sourceforge.net/
qq live (WEB)	Too Many
ustream	290,000/month	http://www.ustream.tv/
jumblo	N.A.	http://jumblo.software.informer.com/
psiphone	622	http://psiphon.ca/
simurgh proxy	N.A.	Free File sharing
Wi-Free	Few	http://www.wi-free.com/
Digsby	80000/month	http://www.digsby.com/

Two of these applications caught my eye because of their extra ordinary behaviour:

1. Psiphon
2.  Wi-free

These will be the next generation applications used for surfing. Very difficult to stop them. They use protocols like SSH, DNS to send the traffic through the network. And its very difficult to detect and drop such traffic. If you DROP dns traffic your internet traffic will not work. The Public WI-FI can be easily penetrated using these applications.

Very good applications developed by beautiful minds to share the data to the outside world but now they are being used in a very different environments like schools and colleges. So the customer requirement was very obvious.

Test BED:

The test bed was very simple.

•  A computer with all these applications will be connected to the LAN and the WAN will be connected to the Internet.
•  These applications were to be run one by one  so that capability and maturity of the product in blocking the application can be evaluated
•  No extra firewall rules should be required.

But the results are totally different and I think Cyberoam has fared very well or best to say it has it has proved to be best.  The results may vary but we have tried to use the latest Version. It seems that the products took too much time in blocking the applications when a new version of the applications is released. These products were not proactive.  These applications have topped our list and some products are not even aware of these deadly applications.

Below are the results:

Application Name	Application Version	Fortigate (FW-v4.0,build0521,120313 (MR3 Patch 6))	Sonicwall (FW- SonicOS Enhanced 5.8.0.2-37o)	Palo-Alto (FW-4.0.8)	Cyberoam (FW-124)
		Latest Release: 3.00168		Latest Release: 298-1339	Latest Release: 3.0.53
Ultrasurf - Proxy	11.04	Working	Not Working	Not Working	Working
Freegate - Proxy	7.27	Working	Not Working	Not Working	Working (ultrasurf & Freegate Both should apply)
Hotspotshield - Proxy	2.52	Working	Not Working	Not Working	Working
MSN - IM	0.98.4	Working	Working	Working	Working
Yahoo - IM	11.05	Working	Working	Working	Working
Gtalk - IM	1.0.0.104	Not Working	Working	Working	Working
TOR - Proxy	0.2.2.35-8.0	Working	Working	Working	Working
Skype - VoIP	5.8	Not Working	Working	Working	Working
Facebook Chat - IM		Not Working (taking time to bypass)	Not available	Not Working	Working
AIM Messenger - IM	1.0.1.2	Working	Working	Not Working	Working
QQ Messenger - IM	1.2	Working	Working	Working	Working
BitComet P2P Traffic - P2P	1.31	Working	Not Working	Working	Working
Bittorrent_uTorrent_Thunder - P2P	B(7.6-26764) & U(3.1.2-26773)	Working	Not Working	Working	Working
Securitykiss - Proxy	2.2	Not available	Not available	Working	Working
FTP Upload/Download		Working	Working	Working	Working
Team Viewer	7.0.12799	Working	Working	Working	Working
iTunes	10_05_2005	Working	Not available	Working	Working
Facebook Application		Working	Not available	Working	Working
Webmail-gmail-chat		Working	Not available	Not Working	Working
google+		Working	Working	Working	Working
webmail- yahoo-chat		Not Working	Not available	Working	Working
teamviewer file transfer		Not available	Not available	Not available	Working
cyber ghost	4.7.18.1187	working	Not available	Working	Working
asproixy (on web)		Not Working	Not Working	Working	Working
qq file transfer	1.2	Working	Not Working	Not Working	Working
shareaza	V8	Not Working	Working	Not available	Working
emule	0.50a	Not Working	Working	Working	Working
dc++	0.791	Not Working (connected but unable to download)	Not Working	Not Working (connected but unable to download)	Working
qq live (WEB)		Working	Not Working	Working	Working (whole category should block)
ustream		Working	Working	Working	Working (whole category should block)
jumblo	4.09 Build 660	Not available	Not available	Not available	Working
psiphone		Not available	Not available	Not Working (SSH +)	Working
simurgh proxy	1.20 beta	Working	Not available	Not available	Working
Wi-Free		Not available	Not available	Not available	Working
Digsby	91	Working	Working	Not available	Working

Just to quantify them in beautiful graphs

Further more, the Cyberoam was quite easy in configuring. It seems to be true application intelligent firewall which blocks most dangerous applications. This product is quite promising and its track in the Magic Quadrant has shown considerable growth.