Sunday, April 14, 2013

The Emperor Would Like His Clothes Back Please!


There has been some discussion over on LinkedIn about the difference between NGFW and UTM and whether or not those terms are interchangeable. It seems the opinions vary depending on whether you are a) a confused customer, b) a vendor, or c) an analyst firm with a vested interest in perpetuating a distinction that no longer exists – if indeed it ever did. 
Well you know what they say about opinions… so here is mine: NGFW was always nothing more than UTM for the enterprise.
There, I said it! Yet even that distinction is being muddied as vendors geared up to sell and support SMB customers try to reposition themselves upmarket. The distinguishing factor here is not the technology, but the sales and support channels behind it.
Some vendors that have, historically, been focused on the SMB market, have now produced UTM technology that performs well enough to sit in front of a data center. And some of them have actually built effective enterprise sales and support channels to service their new customers. However, just because these things are now powerful enough to protect a data center doesn't mean they should.
Thing is, UTM/NGFW is really only for protecting users, not servers, and that is the main technological distinction. 

Our enterprise clients are firm in their belief that the NGFW/UTM can be deployed at the network perimeter to protect desktops, but in front of their servers in the data center they are still deploying separate boxes for firewall, IPS, SWG, etc.

You can, of course, disable one or more security features in a UTM/NGFW to make it into an IPS, SWG, and so on, and that is how many of these devices are being used.
One thing you cannot do with most of these devices, however, is turn off everything but the firewall and expect to have the equivalent of your legacy firewall - too many of them rely on other security modules to beef up the firewall functionality, and generally they don't have the performance capabilities of a dedicated "legacy" device. We see that time and again in our tests at NSS, and the dependency of the firewall on other security modules is the scariest feature of these devices, and the main reason why they will not (and should not) replace dedicated firewalls in the data center for the foreseeable future. 


Because of these limitations, the “next generation” part of NGFW is not being bought into as much as vendors would have us believe, since many purchasers are actually disabling most of the features. In the networks belonging to most of the clients to whom we speak, even the much-vaunted application awareness capability is typically being used in passive mode to gain visibility, rather than in block mode to prevent attacks. 


Despite the limitations, these devices do have their place in the network, but please can we give the Emperor his clothes back now and call it like it is? NGFW = UTM. Period.
Then maybe we can get on with selecting the most appropriate technology/device to provide the protection we need at different points in our network and stop arguing over marketing terminology.
If you would like to read more about this, NSS subscribers can download the latest research by Andrew Braunberg and myself entitled “Next Generation Firewall: The Enterprise Story”. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 12, 2013

Artistic Interpretation Discouraged


It seems my recent blog post caused quite a stir. This came as something of a surprise to me, given that our Marketing Police spend a lot of time slapping vendors on the wrist over their various marketing exuberances, and our budget for cease and desist letters from our legal counsel is approaching the size of our testing budget!
[Image: Artistic Interpretation]
So I was somewhat amused to observe the extent to which it was picked up by the press and the Twittersphere, including the ludicrous comments made by a certain vendor to try and explain away its poor performance in the test. It is always disturbing when a vendor chooses a PR offensive over protecting its customers by fixing security failings discovered in our tests.
After all, there is nothing remotely subjective about the SVM – it is based entirely on the test results. If you fail any of the tests it affects your position on the final graphic – simple as that. The only way to improve your position is to a) improve performance of the device, b) reduce the cost of the device (including management, updates, maintenance, etc.) thus improving the TCO, or c) FIX THE SECURITY PROBLEMS IN YOUR DEVICE!
Anyhow, I digress. Back to the original subject of the blog which, as you undoubtedly all know by now, was Check Point's alteration of the SVM graphic to remove some of its competitors. Was this a dumb thing to do? Undoubtedly. Was it against all of the terms and conditions under which we grant marketing rights? Absolutely. Did it affect the integrity of the underlying research? Categorically not.
Just to clarify. Check Point erased a couple of data points on the final graphic, and states this was due to an error made by an outside contractor in the rush to get things ready for RSA. However, it did not alter the data. It did not alter the position of its device, nor of any of the other devices alongside it. It did not (indeed, it cannot) alter the Product Analysis Report (PAR) nor any of the Comparative Analysis Reports (CARs) that serve up the data that is used to generate the final SVM.
While creativity and artistic interpretation are often very useful in the creation of a masterpiece of fiction, never forget that the original subject always remains unchanged by the ministrations of the artist :o)
Follow me on Twitter (@bwalder) to keep informed as new research is released or to gain insight into any new important works of fiction I may come across!

Thursday, February 28, 2013

Bending The Rules And The Truth


It is very important to us at NSS to ensure that we are scrupulously fair and impartial when it comes to running our public group tests and presenting the results. We take great pains to ensure that the test data is accurate and is reflected correctly in the finished reports on our Web site - reports that go through countless levels of peer review before they are published.
There are also some very strict guidelines all vendors must follow when reusing our reports and results in their own marketing efforts. For example, they are not allowed to alter our words, put words in our mouth, or change our graphics or the way we present results. And they are not allowed to say things like “NSS Labs says the AwesomeSauce 2000 is way better than the Craptastic 8 when it comes to blocking bad stuff in your network,” or “NSS Labs Ranks The Balloonicorn 8180X3cV1.23 Build 33 Number 1 In The Entire Universe.”
Because, when all is said and done, we didn’t! Did we?
Which is why it pains us greatly when vendors take liberties with our stuff. Like, say, reproducing the latest SVM graphic from our NGFW report and…. wait for it… removing the data points of its competitors. Surely no one would do that, would they?
Well, just in case they did, here is what the graphic should look like in all its unadulterated, unmodified glory. Just in case, you know, you should happen to come across another (unauthorized and unapproved!) version out there on the Interwebs.
So here you go….
Follow me on Twitter (@bwalder) to keep informed as new research is released or to see pictures of errant marketing folks getting caught red-handed altering stuff they shouldn’t!

Wednesday, December 05, 2012

Is the Skyfalling? James Bond, Miss Moneypenny and the Kill Chain


When NSS analysts Stefan Frei (@stefan_frei) and Frank Artes (@franklyfranc) started talking to me about the kill chain, my mind immediately drifted into the world of sharp tuxedos, Aston Martin DB5s and Walther PPKs.
Once they dragged me back to reality, however, they demonstrated something almost as cool; it didn’t even require two Ethernet cables plugged into my laptop (OK, so if you haven’t seen the movie that means absolutely nothing to you!)
Basically, the kill chain refers to the route from an external attacker to a target, which leads to the compromise of a victim’s server or desktop machine, and looks something like this:
[Image: Cybercrime Kill Chain]
The defender will try and break the kill chain at various points – at the network perimeter, in the core, or on the endpoint - to prevent the attack, or detect the breach should prevention fail.
To prevent such attacks an enterprise can use firewalls, intrusion prevention systems (IPS), next generation firewalls (NGFW), endpoint protection systems (EPP), the Web browser’s built-in protection mechanisms, or any combination thereof.
So far, so good. But as we have witnessed from test after test and report after report coming out of NSS’ testing facility in Austin, TX, vendors’ expansive claims regarding security effectiveness rarely hold up in real-world deployments. So enterprises resort to a strategy of “defense in depth”, installing multiple layers of security (e.g. firewall plus IPS plus EPP, or even multiple versions of one or more of those products for those with healthy security budgets.) The expectation behind this is that one device may block exploits missed by another, leading to the oft-used formula for the protection failure rate of two layers A and B: P_A × P_B = P_{A∘B}, i.e. the chance an exploit gets through both is assumed to be the product of the chances it gets through each.
Not so fast. It turns out that by feeding data from our most recent tests of different types of security products into Maltego[1] and applying some proprietary transforms created by NSS analysts, we can identify how, even with multiple security products in the “security stack”, certain groups of exploits or evasion techniques can bypass the entire defense system as if it wasn’t there.
Maltego is a program that can be used to determine the relationships and real world links between many things, and has been adapted by NSS researchers to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools.  Utilizing the empirical data collected during NSS’ tests on NGFW, IPS, breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability of popular crimeware kits or penetration testing tools (e.g. Metasploit) we are able to model layered defense stacks and illustrate exploits that are able to evade detection by the entire stack.  We can also simulate popular or customer-specific software portfolios, allowing mapping simulations specific to their infrastructure environment.
In the image below (which was produced by our proprietary Maltego transforms) we can see three different types of security device (green dots) and the exploits that went undetected by each (blue dots.) The group in the middle identifies those exploits that successfully evade detection by all three technologies in this security stack.
[Image: Modeled Defense Layers]
It is evident that our protection rate formula no longer holds true due to the correlation of exploits between the disparate layers of the security stack. 
We can also approach this from an offensive standpoint, drilling down into the data from another direction to identify the smallest group of exploits and/or evasion techniques that would be required to evade a specific security stack. During the test illustrated below, three exploits were discovered that are unidentified by seven of the ten tested vendors. These seven vendors represent over 90% of the market share of deployed IPS.
[Image: Exploits that bypass IPS]
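To make the correlation argument concrete, here is a small added example (not NSS Labs’ Maltego transforms; the exploit IDs and per-layer miss lists are constructed sample data, not test results) that compares the independence formula with the observed overlap of a three-layer stack and performs the same offensive drill-down:

```python
"""Layered-defense bypass model: independence assumption vs. observed overlap.

Added example, not NSS Labs' tooling. Exploit IDs and which layer missed
which exploit are constructed for illustration.
"""

# Constructed: 20 exploits in the test set and, per layer, the ones it failed
# to block (the "blue dots" attached to each "green dot" in the graphic).
TEST_SET = {f"exp-{i:02d}" for i in range(1, 21)}
MISSED = {
    "NGFW": {"exp-03", "exp-07", "exp-11", "exp-15", "exp-19"},
    "IPS":  {"exp-03", "exp-07", "exp-12", "exp-19"},
    "EPP":  {"exp-03", "exp-07", "exp-19", "exp-20"},
}


def miss_rate(layer):
    """Per-layer protection failure rate P_layer = misses / test set size."""
    return len(MISSED[layer]) / len(TEST_SET)


def independent_failure_rate(layers):
    """The oft-used formula P_A x P_B x ...; only valid if misses are uncorrelated."""
    p = 1.0
    for layer in layers:
        p *= miss_rate(layer)
    return p


def stack_bypass(layers):
    """Exploits that evade every layer: the 'group in the middle' of the graphic."""
    return set.intersection(*(MISSED[layer] for layer in layers))


def observed_failure_rate(layers):
    """Empirical P_{A∘B∘...} = |A ∩ B ∩ ...| / N, computed from the actual misses."""
    return len(stack_bypass(layers)) / len(TEST_SET)


def correlation_ratio(layers):
    """Observed / predicted. A ratio well above 1 means the layers share blind spots."""
    return observed_failure_rate(layers) / independent_failure_rate(layers)


def exploits_missed_by_at_least(k):
    """Offensive drill-down: exploits that pass through at least k of the products."""
    return {e for e in TEST_SET if sum(e in MISSED[layer] for layer in MISSED) >= k}


if __name__ == "__main__":
    stack = ["NGFW", "IPS", "EPP"]
    for layer in stack:
        print(f"{layer:>5}: miss rate {miss_rate(layer):.2f}")
    print(f"formula predicts {independent_failure_rate(stack):.3f} of exploits get through")
    print(f"observed         {observed_failure_rate(stack):.3f} ({sorted(stack_bypass(stack))})")
    print(f"correlation ratio: {correlation_ratio(stack):.0f}x worse than the formula")
    print("missed by all three products:", sorted(exploits_missed_by_at_least(3)))
```

Swap in real per-product miss lists from your own test data and the same functions reproduce the two views in the graphics above: the stack-wide intersection and the ranking of exploits by how many products miss them.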
The implications are staggering, and this is the subject of a presentation given by Stefan and Frank at BlackHat Abu Dhabi this week. This is groundbreaking stuff, and right up there amongst the most important research ever to come out of our team of analysts.
It is already changing the way some NSS clients are viewing their approach to threat mitigation. Some clients are already providing us with custom data from their own environments to enable us to model the security stack and relevant kill chain for them and identify those areas that require immediate attention.
Let’s see James Bond do that!
This research is available in two analyst briefs: Cybercrime Kill Chain vs. Defense Effectiveness, and Modeling Exploit Evasions in Layered Security. These briefs are available outside the NSS pay wall and can be downloaded by both subscribers and non-subscribers free of charge. NSS clients should arrange inquiry calls with analysts to discuss the research and investigate how it might be applied to their environment to help with risk mitigation. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Thursday, June 21, 2012

Newer Is Not Always Better


One of the great insights we have at NSS Labs, given the work that we do, is into the trends demonstrated by vendors in terms of performance and security effectiveness across multiple versions of a product.
[Image: Newer is not always better]
For some reason, the area we see that is broken most often during a product refresh is anti-evasion measures. Protections that have been in place over several versions can suddenly disappear as a particular section of the code base is updated to include shiny new features. The other major hurdle for many vendors is the move from one hardware platform to another. This often requires major code revisions, if not a complete rewrite, and in this fast-moving industry it is rare that the folks who wrote the original code are still around. The result can be problems in performance and/or security effectiveness that did not exist in previous incarnations of the product.
These deltas and trends across multiple versions allow our analysts to provide actionable advice to NSS subscribers on whether or not to upgrade to a new version of a product, or stay with an older version until problems are fixed (or until it is time to refresh completely and you can investigate other options.)
The response we get from a vendor when we find these issues tells us a lot about how they value their customers over their shareholders, or vice versa. Some are all over the problem and want to work closely with our engineers to discover the root cause of the issues so they can be fixed. Others respond with veiled threats copied to legal counsel, and some serious marketing spin. I would much prefer to see a vendor employ a couple of new developers and fix their problems rather than launch a PR offensive and budget for some legal fees. Either way, we never shy away from publishing the results.
This is why it is important not to simply look at our test reports at purchase time, but also review new reports throughout the life of each security product you have deployed. This can help ensure that no costly mistakes are made in deploying product updates that could have potentially disastrous consequences to your business.
Dogs and children may be for life, but you are not committed to a security vendor in the same way. There is nothing to stop you from doing a forklift upgrade of a product from a vendor that has lost the plot in terms of quality control, and the cost of doing so could be far less than the cost of upgrading to a faulty product just because the vendor wants to EOL the one you have.
Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 20, 2012

SonicWALL And Dell: What Are The Risks For Enterprise Customers?

As you can’t have failed to notice by now, a hardware vendor bought a UTM vendor last week. Of what earthly interest could that be to enterprise security folk? As it happens, the Dell acquisition of SonicWALL is interesting for a couple of reasons. The first is the concern many SuperMassive customers might have regarding its future under a company not renowned for its enterprise security products; the second is the way Dell is setting its stall out to take on HP and Cisco in the enterprise.

The SonicWALL acquisition strengthens Dell’s security offerings considerably for both enterprise and small to medium-sized business (SMB) customers. Although there are hurdles to be overcome, NSS Labs considers this a positive move for current and potential SonicWALL customers, particularly those considering deployment of the SuperMassive NGFW platform.

This acquisition is actually more positive for SonicWALL, its partners and customers than a scenario where the company was purchased by a larger security vendor seeking a rapid entry into the unified threat management (UTM) or next generation firewall (NGFW) market. Dell is clearly seeking to build an enterprise class portfolio of servers, data storage, core networking, and security products that will allow it to compete with established enterprise vendors such as HP and Cisco.

During the recent NSS Labs NGFW Group Test, one of the concerns of our analysts was in SonicWALL’s ability to execute in terms of SuperMassive support in the enterprise space. It is vital that the Dell acquisition accelerates the growth of the enterprise support group to ensure the success of SuperMassive going forward.

One other area of potential concern is the lack of any mention of the Aventail SSL VPN product line. Customers and potential customers of the Aventail products should seek assurances from SonicWALL and Dell that their needs will be met to their satisfaction going forward. This deal also underscores the importance of having security products in a complete enterprise-computing portfolio. For larger security or networking companies looking to acquire this kind of technology to flesh out a portfolio in this manner, the shopping list is getting shorter by the day, with the likes of Fortinet, Stonesoft and SourceFire standing out as potential acquisition targets.

I have just completed an Analysis Brief that addresses this transaction in more depth and covers the potential risks and concerns to enterprise customers. This brief is available outside the NSS Labs pay wall and is available to both subscribers and non-subscribers free of charge. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Friday, October 21, 2011

Why iOS Data Protection is Adequate for Corporate Use (And Why The Siri “Vulnerability” is a Non-issue)

First things first. The so-called Siri "vulnerability" that was widely reported this week is a dumb non-issue created by journalists seeking sensationalist headlines. A simple setting disables the ability to use Siri without unlocking the phone, rendering the whole issue moot. What the sensationalists fail to take into account is that the iPhone is a consumer device. Most consumers don't even use a passcode. The obvious default setting for Siri in this case, as one of the attractive new USPs of the iPhone 4S, is to allow use even when the phone is locked - I don't think you can fault Apple for this.

Now on the other hand, things need to change when these consumer devices are allowed in an enterprise. Exchange ActiveSync (EAS) or Mobile Device Management (MDM) software should be used to apply minimum security policies, which should always include a complex passcode of more than 4 characters, auto wipe on multiple failed passcode attempts and, of course, disabling Siri without unlock (this latter capability would require MDM, since it is not available in EAS). There are many other security settings that should be addressed too, but the main one is the passcode.

Once the passcode is enabled, Data Protection is turned on. Now, Data Protection is NOT full disk encryption, although encryption IS turned on globally. However, you should assume that it only encrypts data in applications that support the Data Protection APIs (this is an oversimplification, but the details are too complex for a blog post and are the subject of an Analysis Brief that will be available shortly to NSS subscribers).

Out of the box, that is the iOS Mail client, for example. Other commercial apps will support Data Protection too, though these are few and far between right now - GoodReader is one of the best known. Others include USB Disk Pro, mobilEcho and the Box.net iOS client. There are several more, but not enough of them given that these capabilities have been available since the pre-release of iOS 4, and we are now on iOS 5!!! This continues to be a sore point with me as many developers make a big deal out of pushing their apps as business-class, yet spend more time making nice UIs and not enough securing the data that they are supposed to be protecting. Bear in mind that these apps will typically be used to access corporate documents, in many cases storing them locally on the device outside the control of corporate IT. That data needs to be encrypted.

With apps that support Data Protection, you have an additional layer of encryption on the iOS device. If you have a passcode set on the iPhone and you turn on Data Protection in GoodReader, all of the docs stored in the GoodReader sandbox will be encrypted in the same way as data stored by the Mail app. You can even have some data in the clear and restrict encryption to certain files or folders.

So far so good, but what about those “researchers” that have written about the fact that jailbreaking an iOS device or connecting one to Ubuntu will provide access to all data on that device? Yes, unfortunately it is possible to jailbreak an iOS device and completely bypass the passcode. There are other ways to bypass the passcode too (such as that issue with Ubuntu). Because of the way iOS implements the Data Protection capability, once the passcode is entered or bypassed, all of the data on the device that is not protected by Data Protection APIs specifically is unencrypted on the fly.

Therefore, if someone jailbreaks my iPhone they will be able to access all of the documents stored in the ReaddleDocs or PDF Expert sandbox because the iPhone will decrypt on the fly as the data is accessed. However, if they try to access my Mail data or anything stored in the GoodReader sandbox, they will only see encrypted data. Same thing goes for items stored in the keychain. Anything stored in the clear will be accessible when a device is jailbroken. Anything written using Data Protection APIs will remain encrypted.

Only by entering the passcode can that encrypted data become available. This is an important distinction that needs to be understood. Jailbreaking/bypassing the passcode DOES NOT BREAK iOS ENCRYPTION - it merely bypasses the basic protection on the device. Anything stored using Data Protection APIs WILL REMAIN ENCRYPTED EVEN FOLLOWING JAILBREAK.

There is no way to brute force the passcode off-device since it is tied to the hardware. If you have auto-wipe turned on, too many attempts to brute force the key on-device will result in a wipe. One nasty problem is that you CAN do brute force attempts on-device without triggering auto-wipe by bypassing the UI APIs that ask for the passcode, so that is why security-conscious folk need to ensure they use a longer, complex, alphanumeric passcode that will resist brute force attempts.

So there you have it. Could Apple’s encryption scheme be better? Yes, of course it could. There are some caveats, and I would have preferred it to be full-device encryption, or at least to have a central document storage area that is always encrypted by default. However, my opinion is that iOS devices are perfectly acceptable and secure enough for corporate use PROVIDING they have a sensible security policy applied, Data Protection is turned on, a complex passcode is used and any sensitive data is ONLY stored within apps that support Data Protection APIs. Corporate users should always ask iOS developers if their app supports Data Protection and avoid those that do not.

The Sophos post and original Fraunhofer research, and any others spouting similar opinions, can be dismissed with a simple analogy, since they appear to assume Data Protection is not being used - if that is really the case, it is like leaving your keys in the ignition and locking the door, then complaining when someone smashes the window and drives off with your car!

I am taking a significant number of inquiries from NSS clients each week on this subject, proving that it remains confusing for many. I hope this helps a little. In addition, as I mentioned earlier, there are a couple of NSS Labs Analysis Briefs in the works covering iOS Data Protection and other security issues facing corporate users of consumer devices. These will be available to subscribers only. Follow me on Twitter (@bwalder) to keep informed as new research is released.