Category Archives: Fortinet

A Wrap Up Of HITB Amsterdam 2016 Conference

23 May 2016 marked the first day of the annual security conference organized by Hack In the Box. As usual, the event took place in Amsterdam, Netherlands. This year I had the privilege to attend. HITB is one of the top-notch technical conferences, where elite security researchers from around the world gather to share their research. Not to mention that it is also a great place to hang out with these people to exchange ideas offstage. There were so many great talks in this conference. I am pleased to share a couple of talks here that I feel were particularly interesting.

One of my favorite, and most anticipated, talks was Go Speed Tracer: Guided Fuzzing presented by Richard Johnson. Richard is an expert in fuzzing technology, with a particular emphasis on how to optimize the performance of traditional fuzzers so that they scale. Of course, traditional fuzzing methodologies such as dumb fuzzing, which use simple sample-based mutation, still work in most cases. However, they are often limited to discovering minor security issues and eventually bottleneck, an issue many security researchers come across when writing their own fuzzer. Feedback-driven fuzzing is an evolutionary fuzzing methodology, made possible by the introduction of American Fuzzy Lop (AFL), that is able to enhance the coverage of a fuzzer, thereby increasing the chances that the user can discover more security issues, or even uncover severe security vulnerabilities. After thoroughly studying various open source fuzzers like AFL, Richard shed some light in his presentation on how to build your own optimal-performance guided fuzzer using existing binary instrumentation technologies like Pin, DynamoRIO, and DynInst. He also performed a couple of demos that compared the performance overhead of Pin and DynamoRIO, which showed that DynamoRIO seems to outperform Pin in terms of binary code instrumentation. Unfortunately, he wasn’t able to show the demo of AFL with full support for Windows binaries, along with hardware tracing using Intel Processor Trace via a Windows driver, as the prototype has not been completed yet. Nevertheless, it was an inspirational talk for researchers who are interested in developing their own fuzzer.

Fortinet UTM Features

Fortinet UTM Overview

Fortinet offers a very robust UTM (Unified Threat Management) feature set that makes Fortinet based hardware extremely powerful. One of the main things a lot of firewall and router hardware is missing in this day and age is the ability to see the applications that are traversing the network and to make decisions based on this information. Most firewalls are simple source / destination / port based firewalls. They don’t see that Dropbox is being used or that Skype is running over the pipe. They just see the computers initiating the traffic, the destinations they are going to, and the ports and services being used.

Fortinet UTM features give users the ability to see the applications that are crossing the network. This enables the administrator to decide whether to allow or deny the traffic based on this new information. FortiGates enable administrators to block Skype, or allow it only for specific machines. This is an incredible power that gives true granularity over what is about to cross your network. Not only does this enable application based decisions to be made, but UTM also opens up the web filtering, intrusion protection, data loss prevention, and SSL intercept cans of worms. If you really want to know what is going on with your network and where the threats truly are, Fortinet UTM is for you. The following sections break the UTM down into the various security profiles that the UTM provides and utilizes.

Security Profiles overview

Ranging from the FortiGate®-30 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as Security Profiles. The Security Profiles features your FortiGate model includes are:

  • AntiVirus
  • Intrusion Prevention System (IPS)
  • Web filtering
  • E-mail filtering, including protection against spam and grayware
  • Data Leak Prevention (DLP)
  • Application Control
  • ICAP

Firewall policies limit access, and while this and similar features are a vital part of securing your network, they are not covered in this document.

The following topics are included in this section:

  • Traffic inspection
  • Content inspection and filtering
  • Security Profiles components
  • Security Profiles/lists/sensors

Traffic inspection

When the FortiGate unit examines network traffic one packet at a time for IPS signatures, it is performing traffic analysis. This is unlike content analysis where the traffic is buffered until files, email messages, web pages, and other files are assembled and examined as a whole.

DoS policies use traffic analysis by keeping track of the type and quantity of packets, as well as their source and destination addresses.

Application control uses traffic analysis to determine which application generated the packet.

Although traffic inspection doesn’t involve taking packets and assembling files they are carrying, the packets themselves can be split into fragments as they pass from network to network. These fragments are reassembled by the FortiGate unit before examination.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats.

IPS signatures

IPS signatures can detect malicious network traffic. For example, the Code Red worm attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can detect traffic attempting to exploit this vulnerability. IPS may also detect when infected systems communicate with servers to receive instructions.

IPS recommendations

  • Enable IPS scanning at the network edge for all services.
  • Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new IPS signatures as soon as they are available.
  • Your FortiGate unit includes IPS signatures written to protect specific software titles from DoS attacks. Enable the signatures for the software you have installed and set the signature action to Block.
  • You can view these signatures by going to Security Profiles > Intrusion Protection > Predefined and sorting by, or applying a filter to, the Group
  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.

Suspicious traffic attributes

Network traffic itself can be used as an attack vector or a means to probe a network before an attack. For example, SYN and FIN flags should never appear together in the same TCP packet. The SYN flag is used to initiate a TCP session while the FIN flag indicates the end of data transmission at the end of a TCP session.

The FortiGate unit has IPS signatures that recognize abnormal and suspicious traffic attributes. The SYN/FIN combination is one of the suspicious flag combinations detected in TCP traffic by the TCP.BAD.FLAGS signature.

The signatures that are created specifically to examine traffic options and settings, begin with the name of the traffic type they are associated with. For example, signatures created to examine TCP traffic have signature names starting with TCP.
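The SYN/FIN check described above is simple enough to show as code. The following is an added example, not FortiGate's own signature logic or anything from the original page: it builds constructed TCP headers, reads the flags byte, and reports abnormal flag combinations under a TCP.BAD.FLAGS-style name. SYN+FIN is the case the text names; the null (no flags) and SYN+RST cases are this example's own assumptions about what such a check could also cover.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations treated as abnormal. SYN+FIN is the case the text
# describes; "no flags" and SYN+RST are assumptions of this example and
# are not taken from Fortinet's rule set.
BAD_COMBINATIONS = (
    ("SYN+FIN", lambda f: bool(f & SYN and f & FIN)),
    ("SYN+RST", lambda f: bool(f & SYN and f & RST)),
    ("no flags", lambda f: f == 0),
)


def build_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header with the given flags (checksum left 0)."""
    seq, ack, window, checksum, urg_ptr = 0, 0, 65535, 0, 0
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, checksum, urg_ptr)


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a TCP segment; reject truncated headers."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return segment[13]


def flag_names(flags: int) -> str:
    names = [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST),
                              ("PSH", PSH), ("ACK", ACK), ("URG", URG))
             if flags & bit]
    return "|".join(names) or "none"


def inspect_segment(segment: bytes) -> dict:
    """Classify one segment; the signature name follows the TCP.* naming
    convention the text describes."""
    flags = tcp_flags(segment)
    reasons = [name for name, test in BAD_COMBINATIONS if test(flags)]
    return {
        "flags": flag_names(flags),
        "signature": "TCP.BAD.FLAGS" if reasons else None,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, flags in (("normal SYN", SYN), ("handshake reply", SYN | ACK),
                         ("SYN+FIN", SYN | FIN), ("no flags", 0)):
        print(label, inspect_segment(build_segment(40000, 80, flags)))
```

A real IPS sees these flags after fragment reassembly, as the traffic inspection section notes; this example works on an already complete header and only shows the flag logic itself.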

Application control

While applications can often be blocked by the ports they use, application control allows convenient management of all supported applications, including those that do not use set ports.

Application control recommendations

  • Some applications behave in an unusual manner in regards to application control. For more information, see “Application considerations” on page 144.
  • By default, application control allows the applications not specified in the application control list. For high security networks, you may want to change this behavior so that only the explicitly allowed applications are permitted.

Content inspection and filtering

When the FortiGate unit buffers the packets containing files, email messages, web pages, and other similar files for reassembly before examining them, it is performing content inspection. Traffic inspection, on the other hand, is accomplished by the FortiGate unit examining individual packets of network traffic as they are received.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats. Be sure to understand the effects of the changes before using the suggestions.

AntiVirus

The FortiGate antivirus scanner can detect viruses and other malicious payloads used to infect machines. The FortiGate unit performs deep content inspection. To prevent attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and uncompress content that has been compressed. Patented Compact Pattern Recognition Language (CPRL) allows further inspection for common patterns, increasing detection rates of virus variations in the future.

AntiVirus recommendations

  • Enable antivirus scanning at the network edge for all services.
  • Use FortiClient endpoint antivirus scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new antivirus signatures as soon as they are available.
  • Enable the Extended Virus Database if your FortiGate unit supports it.
  • Examine antivirus logs periodically. Take particular notice of repeated detections. For example, repeated virus detection in SMTP traffic could indicate a system on your network is infected and is attempting to contact other systems to spread the infection using a mass mailer.
  • The builtin-patterns file filter list contains nearly 20 file patterns. Many of the represented files can be executed or opened with a double-click. If any of these file patterns are not received as a part of your normal traffic, blocking them may help protect your network. This also saves resources since files blocked in this way do not need to be scanned for viruses.
  • To conserve system resources, avoid scanning email messages twice. Scan messages as they enter and leave your network or when clients send and retrieve them, rather than both.

FortiGuard Web Filtering

The web is the most popular part of the Internet and, as a consequence, virtually every computer connected to the Internet is able to communicate using port 80, HTTP. Botnet communications take advantage of this open port and use it to communicate with infected computers. FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

FortiGuard Web Filtering recommendations

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.
  • In the email filter profile, enable IP Address Check in FortiGuard Email Filtering. Many IP addresses used in spam messages lead to malicious sites; checking them will protect your users and your network.

Email filter

Spam is a common means by which attacks are delivered. Users often open email attachments they should not, and infect their own machine. The FortiGate email filter can detect harmful spam and mark it, alerting the user to the potential danger.

Email filter recommendations

  • Enable email filtering at the network edge for all types of email traffic.
  • Use FortiClient endpoint scanning for protection against threats that get into your network.
  • Subscribe to the FortiGuard AntiSpam Service.

DLP

Most security features on the FortiGate unit are designed to keep unwanted traffic out of your network, while DLP can help you keep sensitive information from leaving your network. For example, credit card numbers and social security numbers can be detected by DLP sensors.

DLP recommendations

  • Rules related to HTTP posts can be created, but if the requirement is to block all HTTP posts, a better solution is to use application control or the HTTP POST Action option in the web filter profile.
  • While DLP can detect sensitive data, it is more efficient to block unnecessary communication channels than to use DLP to examine it. If you don’t use instant messaging or peer-to-peer communication in your organization, for example, use application control to block them entirely.

Security Profiles components

AntiVirus

Your FortiGate unit stores a virus signature database that can identify more than 15,000 individual viruses. FortiGate models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the signature databases are updated whenever a new threat is discovered.

AntiVirus also includes file filtering. When you specify files by type or by file name, the FortiGate unit will stop the matching files from reaching your users.

FortiGate units with a hard drive, or configured to use a FortiAnalyzer unit, can store infected and blocked files so that you can examine them later.

Intrusion Protection System (IPS)

The FortiGate Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.

You can also write custom signatures, tailored to your network.

Web filtering

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web.

FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.

URL filtering can block your network users from access to URLs that you specify.

Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself. You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you can specify a threshold. If a user attempts to load a web page and the score of the words on the page exceeds the threshold, the web page is blocked.
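The scoring rule in the paragraph above (a list of phrases with scores, a threshold, block when the page score exceeds it) is shown below as an added example; it is not FortiGate's implementation and not from the original page. The content list, threshold and sample pages are constructed, and counting every occurrence of a phrase rather than once per page is this example's own assumption.

```python
import re

# Constructed web content list (phrase -> score) and profile threshold.
CONTENT_LIST = {"casino": 50, "free bet": 40, "jackpot": 20}
THRESHOLD = 100


def strip_html(html: str) -> str:
    """Crude tag removal so only words a reader would see are scored."""
    return re.sub(r"<[^>]+>", " ", html)


def score_page(html: str, content_list: dict) -> dict:
    """Sum the scores of matching phrases (whole-word, case-insensitive).
    Every occurrence counts; that is an assumption of this example."""
    text = strip_html(html).lower()
    hits = {}
    for phrase, score in content_list.items():
        n = len(re.findall(r"\b" + re.escape(phrase.lower()) + r"\b", text))
        if n:
            hits[phrase] = n * score
    return {"score": sum(hits.values()), "hits": hits}


def web_filter_decision(html: str, content_list: dict = CONTENT_LIST,
                        threshold: int = THRESHOLD) -> dict:
    """Block only when the score exceeds (not merely reaches) the threshold."""
    result = score_page(html, content_list)
    result["blocked"] = result["score"] > threshold
    return result


# Constructed sample pages.
GAMBLING_PAGE = """<html><title>Lucky Casino</title><body>
<h1>Play at our online casino!</h1>
<p>Claim a <b>free bet</b> today and hit the jackpot.</p>
</body></html>"""

NEWS_PAGE = "<p>The state approved a new casino licence on Tuesday.</p>"

if __name__ == "__main__":
    print(web_filter_decision(GAMBLING_PAGE))  # score 160, blocked
    print(web_filter_decision(NEWS_PAGE))      # score 50, allowed
```

The second sample shows why the threshold matters: a single mention of a listed word in a news article scores well under 100 and is allowed, while a page built around those phrases is blocked.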

Email filtering

FortiGuard AntiSpam is a subscription service that includes an IP address black list, a URL black list, and an email checksum database. These resources are updated whenever new spam messages are received, so you do not need to maintain any lists or databases to ensure accurate spam detection.

You can use your own IP address lists and email address lists to allow or deny addresses, based on your own needs and circumstances.

Data Leak Prevention (DLP)

Data leak prevention allows you to define the format of sensitive data. The FortiGate unit can then monitor network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers, Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.
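To make the kind of rule described above concrete, here is an added example of a small DLP scanner; it is not FortiGate's sensor code and not part of the original page. The regular expressions, the use of a Luhn check digit test to cut false positives on card numbers and Canadian SINs, and the sample outbound message are all this example's own constructions (the card numbers are the standard publicly documented test numbers).

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed DLP rules: (name, pattern, apply Luhn check). The expressions
# FortiGate ships are not on the page; these are this example's own.
RULES = (
    ("us-ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), False),
    ("ca-sin", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), True),
    ("visa", re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"), True),
    ("mastercard", re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"), True),
    ("amex", re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b"), True),
)


def find_sensitive_data(text: str) -> list:
    """Return (rule name, matched text) for every rule hit in the text."""
    findings = []
    for name, pattern, needs_luhn in RULES:
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if needs_luhn and not luhn_ok(digits):
                continue  # right shape, bad check digit: an order number, not a card
            findings.append((name, m.group()))
    return findings


def should_block(text: str) -> bool:
    """A sensor set to block stops the message on any finding."""
    return bool(find_sensitive_data(text))


# Constructed outbound message; 4111... / ...1112 are test numbers.
SAMPLE_OUTBOUND = """Hi, please process the refund below.
Customer SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Previous (mistyped) card: 4111 1111 1111 1112
Internal order ref: 987 654 321
"""

if __name__ == "__main__":
    for name, value in find_sensitive_data(SAMPLE_OUTBOUND):
        print(f"{name}: {value}")
    print("block:", should_block(SAMPLE_OUTBOUND))
```

The mistyped card number and the order reference both have the right shape but fail the Luhn test, so they are not reported; that is the difference between matching a pattern and detecting actual sensitive data.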

Application Control

Although you can block the use of some applications by blocking the ports they use for communications, many applications do not use standard ports to communicate. Application control can detect the network traffic of more than 1000 applications, improving your control over application communication.

ICAP

This module allows for the offloading of certain processes to a separate server so that your FortiGate firewall can optimize its resources and maintain the best level of performance possible.

Security Profiles/lists/sensors

A profile is a group of settings that you can apply to one or more firewall policies. Each Security Profile feature is enabled and configured in a profile, list, or sensor. These are then selected in a security policy and the settings apply to all traffic matching the policy. For example, if you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select the antivirus profile in the security policy that allows your users to access the World Wide Web, all of their web browsing traffic will be scanned for viruses.

Because you can use profiles in more than one security policy, you can configure one profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same profile settings for each individual security policy.

For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate sets of profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.

The Security Profiles include:

  • antivirus profile
  • IPS sensor
  • Web filter profile
  • Email filter profile
  • Data Leak Prevention profile
  • Application Control list
  • VoIP profile

Although they’re called profiles, sensors, and lists, they’re functionally equivalent. Each is used to configure how the feature works.

Fortinet FortiGate 6040E

FortiGate 6040E

In case you guys haven’t heard the news yet, Fortinet has released the FortiGate 6040E. This is a pretty handy firewall that helps enterprise organizations achieve the level of UTM/NGFW functionality they need without having to spend obscene amounts of money on capable hardware.

This device is substantially stronger, has modified management capabilities and can flow 320 Gbps of firewall throughput (80 Gbps UTM/NGFW). The FortiGate 6040E has 6 available options right now that you can see in the image below.

6 options are available for the FortiGate 6040E

Fortinet’s blog has a really good break out of the device as well as the benefits and cool features it has. Click here to see!

The Red Coats Are Coming!

Nah…not really. The E models of Fortinet hardware ARE COMING though as they are starting to trickle out if you haven’t noticed already. Pretty cool stuff too as the E models I have seen are substantially stronger in several fronts when it comes to hardware and capabilities. Pretty fun time to be a Fortinet vendor if you ask me!

Bummer, Fortinet CMO Left

Holly Rollo was an awesome marketing executive that recently got hired by Fortinet (back in September) to be the Chief Marketing Executive. She was tasked with getting Fortinet’s shit together when it came to marketing. Marketing is, and has always been, the weak link in Fortinet’s structure, which is understandable. The company is run by engineers. These guys think the device should sell itself. Well, that is one of the main reasons Palo Alto has been able to grow so rapidly and it has forced Fortinet’s hand. Here comes Holly. I was really excited about this because I saw what she did while at FireEye.

Oh well, back to the drawing board for Fortinet when it comes to Marketing I suppose.

Cybersecurity Skills Shortage Is Not Just About Having the Right Products and Technology

Fortinet posted a pretty good blog entry today on the cyber security skills shortage, and on how it is not just about having the right technology but also the right people. You can see an excerpt of the article below and read the rest by clicking the link underneath.

It’s evident that demand for trained and experienced cybersecurity professionals far exceeds supply. With 46% of organizations now claiming that they have a problematic shortage of cybersecurity skills, significantly up from last year at just 28%, it’s apparent that the growing cybersecurity talent shortage is starting to represent a global security risk. [i]

Lacking a comprehensive cybersecurity education and training strategy, large organizations are going to continue to battle highly sophisticated and well-organized cyber-adversaries with their own skeleton crew. Click Here To Continue Reading

NSS Labs

Fortinet Kicking Ass On NSS Labs NGFW Security Value Report

I don’t know if you guys have seen the report or not, but Fortinet has whooped some serious ass on the NGFW Security Value Report from NSS Labs. In case you don’t know, NSS Labs is a truly unbiased hardware research firm. You may be thinking to yourself, “But Mike, what about Gartner?” Well, everyone knows that the Gartner reports are all about how much money you throw to line their pockets with. Cough, I mean, Cough how well you “sell” your product to them.

NSS Labs has been providing quality third party reviews and ratings of devices for a while now and according to the NGFW Security Value Report the FortiGate 3200D placed ahead of all NGFW competitors (cough Palo, Cough Check Point) in terms of NGFW (Next Generation Firewall) effectiveness.

It’s cool though. I’m sure a lot of businesses out there will keep falling for the marketing gimmicks and flashy ads for Palo Alto and Cisco. Let them waste their money while you get better value and total cost of ownership by flying under the Fortinet flag. I swear, if Fortinet would listen to some of my feature requests (mostly items listed on the “Where Fortinet is Messing Up” page of this site) and get some sexy advertising going to wow the idiots out there, they would squash the competition. Oh well…

NSS Labs NGFW Security Value Report

AV Throughput Removed From DataSheets

So, I am sure some of you have been running around a little bit like chickens with your heads cut off about the fact that the data sheets no longer list the AV throughput. Don’t worry, this is by design. They are switching to NGFW values for these to compete with Palo Alto and the likes in the NGFW market. Don’t worry, AV throughput is about to be useless anyway as 5.4 becomes more mainstream. The 5.4 code is SO MUCH better on speed and reliability that even if they kept the AV numbers they would have to retest the hardware to get new numbers.

Official Fortinet Response:

“The Proxy AV specification will no longer be presented and will be removed from all existing FortiGate data sheets starting from 15th January 2016. An archive of old data sheets will be available. We’ll be replacing these specifics with more widely used NGFW values. The new data sheet should be out 28th January and the Product Matrix updated in the February Edition.”