Sunday, April 14, 2013

The Emperor Would Like His Clothes Back Please!

There has been some discussion over on LinkedIn about the difference between NGFW and UTM and whether or not those terms are interchangeable. It seems the opinions vary depending on whether you are a) a confused customer, b) a vendor, or c) an analyst firm with a vested interest in perpetuating a distinction that no longer exists – if indeed it ever did. 
Well you know what they say about opinions… so here is mine: NGFW was always nothing more than UTM for the enterprise.
There, I said it! Yet even that distinction is being muddied as vendors geared up to sell and support SMB customers try to reposition themselves upmarket. The distinguishing factor here is not the technology, but the sales and support channels behind it.
Some vendors that have, historically, been focused on the SMB market, have now produced UTM technology that performs well enough to sit in front of a data center. And some of them have actually built effective enterprise sales and support channels to service their new customers. However, just because these things are now powerful enough to protect a data center doesn't mean they should.
Thing is, UTM/NGFW is really only for protecting users, not servers, and that is the main technological distinction. 

Our enterprise clients are firm in their belief that the NGFW/UTM can be deployed at the network perimeter to protect desktops, but in front of their servers in the data center they are still deploying separate boxes for firewall, IPS, SWG, etc.

You can, of course, disable one or more security features in a UTM/NGFW to make it into an IPS, SWG, and so on, and that is how many of these devices are being used.
One thing you cannot do with most of these devices, however, is turn off everything but the firewall and expect to have the equivalent of your legacy firewall - too many of them rely on other security modules to beef up the firewall functionality, and generally they don't have the performance capabilities of a dedicated "legacy" device. We see that time and again in our tests at NSS, and the dependency of the firewall on other security modules is the scariest feature of these devices, and the main reason why they will not (and should not) replace dedicated firewalls in the data center for the foreseeable future. 

Because of these limitations, the “next generation” part of NGFW is not being bought into as much as vendors would have us believe, since many purchasers are actually disabling most of the features. In the networks belonging to most of the clients to whom we speak, even the much-vaunted application awareness capability is typically being used in passive mode to gain visibility, rather than in block mode to prevent attacks. 

Despite the limitations, these devices do have their place in the network, but please can we give the Emperor his clothes back now and call it like it is? NGFW = UTM. Period.
Then maybe we can get on with selecting the most appropriate technology/device to provide the protection we need at different points in our network and stop arguing over marketing terminology.
If you would like to read more about this, NSS subscribers can download the latest research by Andrew Braunberg and myself entitled “Next Generation Firewall: The Enterprise Story”. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 12, 2013

Artistic Interpretation Discouraged

It seems my recent blog post caused quite a stir. This came as something of a surprise to me, given that our Marketing Police spend a lot of time slapping vendors on the wrist over their various marketing exuberances, and our budget for cease and desist letters from our legal counsel is approaching the size of our testing budget!
[Image: Artistic Interpretation]
So I was somewhat amused to observe the extent to which it was picked up by the press and the Twittersphere, including the ludicrous comments made by a certain vendor to try and explain away its poor performance in the test. It is always disturbing when a vendor chooses a PR offensive over protecting its customers by fixing security failings discovered in our tests.
After all, there is nothing remotely subjective about the SVM – it is based entirely on the test results. If you fail any of the tests it affects your position on the final graphic – simple as that. The only way to improve your position is to a) improve performance of the device, b) reduce the cost of the device (including management, updates, maintenance, etc.) thus improving the TCO, or c) FIX THE SECURITY PROBLEMS IN YOUR DEVICE!
Anyhow, I digress. Back to the original subject of the blog which, as you undoubtedly all know by now, was Check Point's alteration of the SVM graphic to remove some of its competitors. Was this a dumb thing to do? Undoubtedly. Was it against all of the terms and conditions under which we grant marketing rights? Absolutely. Did it affect the integrity of the underlying research? Categorically not.
Just to clarify. Check Point erased a couple of data points on the final graphic, and states this was due to an error made by an outside contractor in the rush to get things ready for RSA. However, it did not alter the data. It did not alter the position of its device, nor of any of the other devices alongside it. It did not (indeed, it cannot) alter the Product Analysis Report (PAR) nor any of the Comparative Analysis Reports (CARs) that serve up the data that is used to generate the final SVM.
While creativity and artistic interpretation are often very useful in the creation of a masterpiece of fiction, never forget that the original subject always remains unchanged by the ministrations of the artist :o)
Follow me on Twitter (@bwalder) to keep informed as new research is released or to gain insight into any new important works of fiction I may come across!

Thursday, February 28, 2013

Bending The Rules And The Truth

It is very important to us at NSS to ensure that we are scrupulously fair and impartial when it comes to running our public group tests and presenting the results. We take great pains to ensure that the test data is accurate and is reflected correctly in the finished reports on our Web site - reports that go through countless levels of peer review before they are published.
There are also some very strict guidelines all vendors must follow when reusing our reports and results in their own marketing efforts. For example, they are not allowed to alter our words, put words in our mouth, or change our graphics or the way we present results. And they are not allowed to say things like “NSS Labs says the AwesomeSauce 2000 is way better than the Craptastic 8 when it comes to blocking bad stuff in your network,” or “NSS Labs Ranks The Balloonicorn 8180X3cV1.23 Build 33 Number 1 In The Entire Universe.”
Because, when all is said and done, we didn’t! Did we?
Which is why it pains us greatly when vendors take liberties with our stuff. Like, say, reproducing the latest SVM graphic from our NGFW report and…. wait for it… removing the data points of its competitors. Surely no one would do that, would they?
Well, just in case they did, here is what the graphic should look like in all its unadulterated, unmodified glory. Just in case, you know, you should happen to come across another (unauthorized and unapproved!) version out there on the Interwebs.
So here you go….
Follow me on Twitter (@bwalder) to keep informed as new research is released or to see pictures of errant marketing folks getting caught red-handed altering stuff they shouldn’t!

Wednesday, December 05, 2012

Is the Skyfalling? James Bond, Miss Moneypenny and the Kill Chain

When NSS analysts Stefan Frei (@stefan_frei) and Frank Artes (@franklyfranc) started talking to me about the kill chain, my mind immediately drifted into the world of sharp tuxedos, Aston Martin DB5’s and Walther PPK’s.
Once they dragged me back to reality, however, they demonstrated something almost as cool; it didn’t even require two Ethernet cables plugged into my laptop (OK, so if you haven’t seen the movie that means absolutely nothing to you!)
Basically, the kill chain refers to the route from an external attacker to a target, which leads to the compromise of a victim’s server or desktop machine, and looks something like this:
[Image: Cybercrime Kill Chain]
The defender will try and break the kill chain at various points – at the network perimeter, in the core, or on the endpoint - to prevent the attack, or detect the breach should prevention fail.
To prevent such attacks an enterprise can use firewalls, intrusion prevention systems (IPS), next generation firewalls (NGFW), endpoint protection systems (EPP), the Web browser’s built-in protection mechanisms, or any combination thereof.
So far, so good. But as we have witnessed from test after test and report after report coming out of NSS’ testing facility in Austin, TX, vendors’ expansive claims regarding security effectiveness rarely hold up in real-world deployments. So enterprises resort to a strategy of “defense in depth”, installing multiple layers of security (e.g. firewall plus IPS plus EPP, or even multiple versions of one or more of those products for those with healthy security budgets.) The expectation behind this is that one device may block exploits missed by another, leading to the oft-used formula for the protection failure rate of a stack, $P_A \times P_B = P_{A \circ B}$, where $P_A$ and $P_B$ are the individual failure rates of two layers and $P_{A \circ B}$ is the failure rate of both combined.
Not so fast. It turns out that by feeding data from our most recent tests of different types of security products into Maltego[1] and applying some proprietary transforms created by NSS analysts, we can identify how, even with multiple security products in the “security stack”, certain groups of exploits or evasion techniques can bypass the entire defense system as if it wasn’t there.
Maltego is a program that can be used to determine the relationships and real world links between many things, and has been adapted by NSS researchers to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools. Utilizing the empirical data collected during NSS’ tests on NGFW, IPS, breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability of popular crimeware kits or penetration testing tools (e.g. Metasploit) we are able to model layered defense stacks and illustrate exploits that are able to evade detection by the entire stack. We can also simulate popular or customer-specific software portfolios, allowing mapping simulations specific to their infrastructure environment.
In the image below (which was produced by our proprietary Maltego transforms) we can see three different types of security device (green dots) and the exploits that went undetected by each (blue dots.) The group in the middle identifies those exploits that successfully evade detection by all three technologies in this security stack.
[Image: Modeled Defense Layers]
It is evident that our protection rate formula no longer holds true due to the correlation of exploits between the disparate layers of the security stack. 
We can also approach this from an offensive standpoint, drilling down into the data from another direction to identify the smallest group of exploits and/or evasion techniques that would be required to evade a specific security stack. During the test illustrated below, three exploits were discovered that are unidentified by seven of the ten tested vendors. These seven vendors represent over 90% of the market share of deployed IPS.
[Image: Exploits that bypass IPS]
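The two views above (the independence formula for a layered stack, and the drill-down to the exploits that slip past most of the tested layers) as an added worked example; this is not NSS Labs’ Maltego transform and uses a constructed corpus of 20 hypothetical exploit identifiers and three hypothetical layers, not test data from the reports:

```python
"""Compare the independence-based estimate of a security stack's miss rate
with the rate observed when each layer's unblocked-exploit set is intersected.
Added example; the exploit identifiers and layer names are constructed."""

# Constructed sample data: a hypothetical corpus of 20 exploits and, for each
# hypothetical layer in the stack, the subset that layer failed to block.
CORPUS = {f"exp-{i:02d}" for i in range(1, 21)}
MISSED = {
    "NGFW": {"exp-03", "exp-07", "exp-11", "exp-15"},
    "IPS":  {"exp-03", "exp-07", "exp-08", "exp-12", "exp-19"},
    "EPP":  {"exp-03", "exp-07", "exp-08", "exp-16"},
}


def independent_miss_rate(missed, corpus):
    """P_A x P_B x ...: the stack miss rate if layer failures were independent."""
    rate = 1.0
    for layer_missed in missed.values():
        rate *= len(layer_missed) / len(corpus)
    return rate


def stack_miss_set(missed):
    """Exploits that evade every layer: the intersection of the missed sets.
    This is also the smallest group of exploits needed to pass the whole stack."""
    layers = list(missed.values())
    return set.intersection(*layers) if layers else set()


def observed_miss_rate(missed, corpus):
    """Miss rate actually observed once correlation between layers is counted."""
    return len(stack_miss_set(missed)) / len(corpus)


def exploits_missed_by_at_least(missed, k):
    """Exploits unblocked by at least k layers (or vendors), for prioritising
    which signatures or protections to fix first."""
    counts = {}
    for layer_missed in missed.values():
        for exploit in layer_missed:
            counts[exploit] = counts.get(exploit, 0) + 1
    return {e for e, n in counts.items() if n >= k}


if __name__ == "__main__":
    print(f"independent estimate: {independent_miss_rate(MISSED, CORPUS):.4f}")
    print(f"observed (intersection): {observed_miss_rate(MISSED, CORPUS):.4f}")
    print("evade whole stack:", sorted(stack_miss_set(MISSED)))
    print("missed by >= 2 layers:", sorted(exploits_missed_by_at_least(MISSED, 2)))
```

With these constructed sets the independence formula predicts a 1% stack miss rate while the intersection shows 10%, because the same two exploits are missed by every layer.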
The implications are staggering, and this is the subject of a presentation given by Stefan and Frank at BlackHat Abu Dhabi this week. This is groundbreaking stuff, and right up there amongst the most important research ever to come out of our team of analysts.
It is already changing the way some NSS clients are viewing their approach to threat mitigation. Some clients are already providing us with custom data from their own environments to enable us to model the security stack and relevant kill chain for them and identify those areas that require immediate attention.
Let’s see James Bond do that!
This research is available in two analyst briefs: Cybercrime Kill Chain vs. Defense Effectiveness, and Modeling Exploit Evasions in Layered Security. These briefs are available outside the NSS pay wall and can be downloaded by both subscribers and non-subscribers free of charge. NSS clients should arrange inquiry calls with analysts to discuss the research and investigate how it might be applied to their environment to help with risk mitigation. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Thursday, June 21, 2012

Newer Is Not Always Better

One of the great insights we have at NSS Labs, given the work that we do, is into the trends demonstrated by vendors in terms of performance and security effectiveness across multiple versions of a product.
[Image: Newer is not always better]
For some reason, the area we see that is broken most often during a product refresh is anti-evasion measures. Protections that have been in place over several versions can suddenly disappear as a particular section of the code base is updated to include shiny new features. The other major hurdle for many vendors is the move from one hardware platform to another. This often requires major code revisions, if not a complete rewrite, and in this fast-moving industry it is rare that the folks who wrote the original code are still around. The result can be problems in performance and/or security effectiveness that did not exist in previous incarnations of the product.
These deltas and trends across multiple versions allow our analysts to provide actionable advice to NSS subscribers on whether or not to upgrade to a new version of a product, or stay with an older version until problems are fixed (or until it is time to refresh completely and you can investigate other options.)
The response we get from a vendor when we find these issues tells us a lot about how they value their customers over their shareholders, or vice versa. Some are all over the problem and want to work closely with our engineers to discover the root cause of the issues so they can be fixed. Others respond with veiled threats copied to legal counsel, and some serious marketing spin. I would much prefer to see a vendor employ a couple of new developers and fix their problems rather than launch a PR offensive and budget for some legal fees. Either way, we never shy away from publishing the results.
This is why it is important not to simply look at our test reports at purchase time, but also review new reports throughout the life of each security product you have deployed. This can help ensure that no costly mistakes are made in deploying product updates that could have potentially disastrous consequences to your business.
Dogs and children may be for life, but you are not committed to a security vendor in the same way. There is nothing to stop you from doing a forklift upgrade of a product from a vendor that has lost the plot in terms of quality control, and the cost of doing so could be far less than the cost of upgrading to a faulty product just because the vendor wants to EOL the one you have.
Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 20, 2012

SonicWALL And Dell: What Are The Risks For Enterprise Customers?

As you can’t have failed to notice by now, a hardware vendor bought a UTM vendor last week. Of what earthly interest could that be to enterprise security folk? As it happens, the Dell acquisition of SonicWALL is interesting for a couple of reasons. The first is the concern many SuperMassive customers might have regarding its future under a company not renowned for its enterprise security products; the second is the way Dell is setting its stall out to take on HP and Cisco in the enterprise.

The SonicWALL acquisition strengthens Dell’s security offerings considerably for both enterprise and small to medium-sized business (SMB) customers. Although there are hurdles to be overcome, NSS Labs considers this a positive move for current and potential SonicWALL customers, particularly those considering deployment of the SuperMassive NGFW platform.

This acquisition is actually more positive for SonicWALL, its partners and customers than a scenario where the company was purchased by a larger security vendor seeking a rapid entry into the unified threat management (UTM) or next generation firewall (NGFW) market. Dell is clearly seeking to build an enterprise class portfolio of servers, data storage, core networking, and security products that will allow it to compete with established enterprise vendors such as HP and Cisco.

During the recent NSS Labs NGFW Group Test, one of the concerns of our analysts was in SonicWALL’s ability to execute in terms of SuperMassive support in the enterprise space. It is vital that the Dell acquisition accelerates the growth of the enterprise support group to ensure the success of SuperMassive going forward.

One other area of potential concern is the lack of any mention of the Aventail SSL VPN product line. Customers and potential customers of the Aventail products should seek assurances from SonicWALL and Dell that their needs will be met to their satisfaction going forward. This deal also underscores the importance of having security products in a complete enterprise-computing portfolio. For larger security or networking companies looking to acquire this kind of technology to flesh out a portfolio in this manner, the shopping list is getting shorter by the day, with the likes of Fortinet, Stonesoft and SourceFire standing out as potential acquisition targets.

I have just completed an Analysis Brief that addresses this transaction in more depth and covers the potential risks and concerns to enterprise customers. This brief is available outside the NSS Labs pay wall and is available to both subscribers and non-subscribers free of charge. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, December 06, 2011


It is a slow day in a little Greek Village. The rain is beating down and the streets are deserted. Times are tough, everybody is in debt, and everybody lives on credit.

On this particular day a rich German tourist is driving through the village, stops at the local hotel and lays a $100 note on the desk, telling the hotel owner he wants to inspect the rooms upstairs in order to pick one to spend the night.

The owner gives him some keys and, as soon as the visitor has walked upstairs, the hotelier grabs the $100 note and runs next door to pay his debt to the butcher.

The butcher takes the $100 note and runs down the street to repay his debt to the pig farmer.

The pig farmer takes the $100 note and heads off to pay his bill at the supplier of feed and fuel.

The guy at the Farmers' Co-op takes the $100 note and runs to pay his drinks bill at the taverna.

The publican slips the money along to the local prostitute drinking at the bar, who has also been facing hard times and has had to offer him "services" on credit.

The hooker then rushes to the hotel and pays off her room bill to the hotel owner with the $100.

The hotel proprietor then places the $100 note back on the counter so the rich traveller will not suspect anything. At that moment the traveller comes down the stairs, picks up the $100 note, states that the rooms are not satisfactory, pockets the money, and leaves town.

No one produced anything.

No one earned anything.

However, the whole village is now out of debt and looking to the future with a lot more optimism.

And that, Ladies and Gentlemen, is how the bailout package works ;o)

(PS: Of course, the real problem facing Europe is that the rich German DOES indeed realize what is happening and doesn't want the Greeks to get off scot free and so is demanding his cut in the way of interest on the $100!)