Posted on Wed, May 09, 2012
Web Application Firewall, or, simply put, WAF.
True, the name does not explain very well what it is and what it’s supposed to do, although you’d probably guess it has something to do with protecting a web application. And you’d be right. It’s the “firewall” bit, that is, to say the least, obsolete.
To understand what a WAF is or should be and why, let’s analyze the issue first.
In recent years, Internet threats have shifted from email to web-based threats, slowly at first but increasingly rapidly in the last two years. In the past, hackers would use emails to distribute new threats, embedded into the email itself. Personally, I have not seen this for at least two years now, and the likely reason is that we all have anti-virus software in place to protect us from email-embedded threats. There is actually also another reason – distributing threats this way is very inefficient. It might have been useful ten years ago, but today, at the rate new threats are being created (40,000 new variations per day in some cases), this is no longer sufficient. It is far more efficient to compromise one website and then infect all the thousands of computers that will connect to said website via their web browsers.
Of course, I can create a website riddled with Trojans from the get go, and send out emails hoping people will click on a link, which points to that web site. But it is certainly more effective if I can compromise a trusted website (without the need to send out any emails at all) because, to be candid, people will just “come” – the website is legitimate and regularly visited by users for business or personal reasons.
You’ve probably heard about things like XSS (cross-site scripting), SQL injection, drive-by downloads and some other similarly scary expressions. These, and many more, are methods often used by hackers to compromise websites. Some Trojans can even upload themselves from the client to the web server via the browser. I won’t dwell on the details of these attacks; let’s just assume malware was placed onto web servers, and when users connected via their browsers, attacks happened. So, how does a web site become compromised?
Enter the Web Application Firewall (WAF) as a way of protecting the web server from becoming compromised in the first place. The protection now moves from your workstation to the web server. The first generation of WAFs consisted of firewalls and IPS systems running a set of signatures meant to protect web servers from known vulnerabilities. These early WAFs have not been very successful though, and the reason has been lack of specificity – traditional WAFs protect the web server (Apache, IIS) but they know nothing about the actual web application running on that server; hence attacks aimed at exploiting programming errors or other vulnerabilities of the application itself are not blocked.
In principle, one cannot expect an IPS company to have signatures for a web application I’ve written. Of course, they’ll have signatures against exploits for vulnerabilities of the web server I may be using; but they know nothing about my own application. And that is why, even with a WAF in place, my web application may still be subject to attack, which in turn may compromise the computers of those who connect to my web-based application.
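To make that distinction concrete, here is an added example (not Network Box code, and not from the original post) contrasting a generic signature filter with an application-aware schema check; the endpoint, its two parameters and the sample requests are all hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Generic signatures of the kind a first-generation WAF/IPS ships: they know
# about well-known attack classes but nothing about this particular application.
GENERIC_SIGNATURES = [
    re.compile(r"<\s*script", re.I),      # classic cross-site scripting marker
    re.compile(r"union\s+select", re.I),  # classic SQL injection marker
    re.compile(r"\.\./"),                 # path traversal
]

# Hypothetical schema for one endpoint (say /account), written by the people who
# built the application: every parameter it accepts and the exact form it takes.
# Anything not declared here is rejected (a positive security model).
ACCOUNT_SCHEMA = {
    "id":   re.compile(r"^[0-9]{1,10}$"),
    "view": re.compile(r"^(summary|detail)$"),
}


def signature_filter(query):
    """First-generation check: report only generic signatures found in the query."""
    return [sig.pattern for sig in GENERIC_SIGNATURES if sig.search(query)]


def schema_filter(query, schema):
    """Application-aware check: every parameter must be declared, unique and well-formed."""
    problems, seen = [], set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in schema:
            problems.append("unexpected parameter '%s'" % name)
            continue
        if name in seen:
            problems.append("duplicate parameter '%s'" % name)
        seen.add(name)
        if not schema[name].match(value):
            problems.append("malformed value for '%s': %r" % (name, value))
    return problems


def evaluate(query, schema=ACCOUNT_SCHEMA):
    """Run both checks on one query string and return what each one noticed."""
    return {"signature_hits": signature_filter(query),
            "schema_problems": schema_filter(query, schema)}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for q in ("id=42&view=summary",            # legitimate: both checks pass
              "id=42&view=<script>",           # generic signature catches this
              "id=42abc&view=summary",         # malformed id: signatures are blind
              "id=42&view=summary&admin=1"):   # undeclared parameter: signatures are blind
        print(q, "->", evaluate(q))
```

The last two requests contain nothing any generic signature knows about; only a check that knows what the application expects can reject them.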
Clearly, an entirely new approach is needed.
In our forthcoming article, I shall illustrate how Network Box resolves these issues - how the next generation WAF which Network Box has just introduced will protect web servers much more effectively.
Until the next post, here’s to a safe and productive work week for us all.
Notes: Wikipedia states “Cross-site scripting (XSS) is a type of computer vulnerability typically found in Web applications (such as web browsers through breaches of browser security) that enables attackers to inject client-side script into Web pages viewed by other users … Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.”
Posted on Thu, Apr 19, 2012
With its channel marketing program expanding and its roster of resellers on the increase, Network Box USA (www.networkboxusa.com), the American arm of worldwide managed security service provider Network Box Corp., has appointed industry veteran Chad F. Walter as its Director of Channel Sales.
“Walter will be responsible for nurturing and growing the Channel Sales and Marketing arm of the business as well as working very closely with our existing resellers, to further reinforce Network Box as the partner of choice within the domestic Unified Threat Management security sector,” said Pierluigi Stella, CTO of Network Box USA.
Most recently, Walter was Vice President of Operations, North America, for Chile-IT, an organization dedicated to helping Chilean information technology companies promote their services. Prior to that, he was President and COO of D&D Consulting, which specialized in information security, managed services, and other IT areas, and has also worked at Cervalis, a leading provider of IT infrastructure solutions.
“Network Box USA has a sterling reputation for supporting their reseller partners at every step of the process, and I’m very excited to join the team at a time when the channel program is witnessing a growth surge across various industries and regions,” said Walter. “I’m committed to continuing this current upward trajectory and to taking it many steps forward. These are especially exciting times for Network Box’s unparalleled combination of award-winning Internet security device with top-notch managed services.”
The Network Box Internet security device is a remotely managed unified threat management (UTM) appliance that combines numerous applications – firewall, intrusion prevention and detection, virtual private network, content filtering, anti-virus, anti-spam, anti-phishing, and anti-spyware – in a single, sophisticated mix of hardware and software. It enables businesses to combat hackers, worms, backdoors and other online menaces, easily and cost-effectively.
Network Box USA’s channel marketing program empowers resellers with everything they need to ensure success in the sales and support of the Network Box UTM appliance, as well as managed services that provide a significant, ongoing revenue stream. Channel partners gain in-depth product knowledge via training and documentation, and Network Box USA is available to assist in all phases of the sales process – from prequalifying leads to closing sales.
Value-added resellers and independent agents interested in becoming a Network Box USA reseller are invited to click over to Network Box USA’s Channel Partner page http://blog.networkboxusa.com/channelpartner for more information.
About Network Box USA
Houston-based Network Box USA (www.networkboxusa.com), the American arm of Network Box Corp., is a leading managed security service provider with its own multi-award-winning UTM appliance which is sold by value-added resellers and independent agents. Guided by the belief that the same high level of computer protection that large enterprises enjoy should be available to every company, Network Box USA offers businesses of all sizes cutting-edge security solutions that are exceptional and affordable. Network Box USA is headquartered at 2825 Wilcrest, Suite 259, Houston, Texas 77042; telephone 832-242-5758 or (toll free) 888-315-8886; fax: 713-933-0290; or email info@networkboxusa.com.
Posted on Sun, Mar 25, 2012
Here’s something you may or may not have realized about IPv4 and IPv6.
An IPv4 address is comprised of four octets (8 bits each), with each of those four octets capable of going from 0 to 255. And, by the way, it’s sheer coincidence that IPv4 has 4 octets; the two 4s are completely unrelated.
Now, raise 255 to the fourth power and you get a massive number – 4,228,250,625.
This, dear reader, is the total number of available IPv4 addresses. Yet, we’ve already completely exhausted all 4.3 billion addresses.
Enter IPv6 which effectively takes us from the four octets of IPv4 to a staggeringly vast pool of 128 bits.
If you want to know how many addresses that is, I caution you - don’t try using your calculator; it might, well, go up in smoke! Why, you ask? Well, that number is 2 to the power of 128 OR 3.4 x 10 to the power of 38 OR, get this, 340 undecillions (or sextillions). To understand its magnitude, let’s just say there aren’t even enough stars in the universe to total that number!
Imagine that.
Posted on Fri, Mar 16, 2012
To date, I’ve written twice about IPv6 and, at the end of my second piece, I promised that our next post would cover IPv6 compatibility and translation issues, so here it is.
The TCP/IP protocol works by exchanging packets/frames, usually no larger than 1500 bytes. Within a frame, there’s a header and a payload. The payload contains the information we’re actually transmitting; the header contains all the information related to the protocol, including the source and destination IP address. Since IPv4 uses 32-bit addressing, the IPv4 TCP/IP protocol only reserves 32 bits for each address. This means there is no space for the 128 bits of IPv6. In other words, if a computer tried to “talk” IPv6 within the same protocol where the receiving computer expects IPv4, all the information would be displaced by 96 bits and there’d be no way they’d understand each other.
In reality, things are actually far more complicated than what I’ve verbalized because the protocol itself, the content of those headers, has been redesigned. That said, this small example allows one to grasp fairly quickly how imperative it is that the two computers must speak the same protocol or they simply will not be able to understand each other; unless something in between functions as a translator.
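As an added illustration, not from the original post, the constructed headers below put the 32-bit versus 128-bit address fields into code: an IPv4-only parser applied to an IPv6 header reads the version nibble correctly and misinterprets everything after it. All addresses are constructed (documentation ranges).

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20 bytes: ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
IPV6_FMT = "!IHBB16s16s"     # 40 bytes: ver/tc/flow, payload len, next hdr, hop limit, src, dst


def build_ipv4_header(src, dst, payload_len=0):
    """Constructed minimal IPv4 header (no options, checksum left at zero)."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       socket.inet_pton(socket.AF_INET, src),
                       socket.inet_pton(socket.AF_INET, dst))


def build_ipv6_header(src, dst, payload_len=0):
    """Constructed minimal IPv6 header (version 6, traffic class and flow label zero)."""
    return struct.pack(IPV6_FMT, 6 << 28, payload_len, 6, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def parse_ipv4(header):
    """An IPv4-only parser: it reserves exactly 32 bits for each address."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, header[:20])
    return {"version": ver_ihl >> 4, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntop(socket.AF_INET, src),
            "dst": socket.inet_ntop(socket.AF_INET, dst)}


def parse_ipv6(header):
    """An IPv6 parser: 128-bit addresses, and a different layout before them too."""
    vtf, payload_len, next_hdr, hop_limit, src, dst = struct.unpack(IPV6_FMT, header[:40])
    return {"version": vtf >> 28, "payload_len": payload_len, "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": socket.inet_ntop(socket.AF_INET6, src),
            "dst": socket.inet_ntop(socket.AF_INET6, dst)}


def parse_any(header):
    """Dual-stack dispatch: the version nibble is the one field both layouts share."""
    version = header[0] >> 4
    if version == 4:
        return parse_ipv4(header)
    if version == 6:
        return parse_ipv6(header)
    raise ValueError("unknown IP version %d" % version)


if __name__ == "__main__":
    v4 = build_ipv4_header("192.168.1.241", "203.0.113.5", 100)
    v6 = build_ipv6_header("2001:db8::1", "2001:db8::2", 100)
    print("v4 parser on v4 header:", parse_ipv4(v4))
    print("v6 parser on v6 header:", parse_ipv6(v6))
    # Feed the IPv6 header to the IPv4-only parser: the version nibble reads 6,
    # but every other field is misread and the "addresses" are slices of the real one.
    print("v4 parser on v6 header:", parse_ipv4(v6))
    print("dual-stack parser:", parse_any(v6)["src"])
```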
Now, assume your computers are only able to understand IPv4 but here you are, browsing a website that has an IPv6 IP address; how will your browser communicate with that web server? Or, imagine you have a web proxy within your network, filtering all user web requests; and this proxy only understands IPv4; how will that proxy talk to the web server?
Going deeper into this case in point, every device and every application in your network would have to be able to communicate using both protocols since they’re not interchangeable. I can already assure the reader that a very large part of your devices, and most likely all your applications, don’t understand IPv6. If you’ve purchased a switch or a router recently, it’s very possible that the device can understand both protocols, but the likelihood of you needing to upgrade most of your hardware (and soon) is very high. Also, since most of these devices are unable to translate between the two protocols, conversation happens either in IPv4 OR in IPv6, never a hybrid.
Enter Network Box’s NBRS 5.0, the OS which will run the new generation of Network Boxes.
This revolutionary platform allows for seamless simultaneous translation between the two protocols. Our next post will detail just how Network Box NBRS 5.0 solves the issues discussed above. Until then, have a productive week ahead.
Posted on Sun, Mar 11, 2012
In my previous post, we detailed why it was the beginning of the end for IPv4. Today, we’ll discuss the solution to this problem.
The standardization group IANA (or the Internet Assigned Numbers Authority), which collaborates with IETF (also known as the Internet Engineering Task Force), had long ago already prepared the new standard, IPv6 which goes from the 32 bits of IPv4 to 128 bits. If you want to know how many addresses that is, don’t try using your calculator; it may go up in smoke! Why, you ask? Well, that number is 2 to the power of 128 OR 3.4 x 10 to the power of 38 OR, get this, 340 undecillions (or sextillions). To understand its magnitude, let’s just say there aren’t enough stars in the universe to total that number!
Consequently, we hope, there’ll be enough IP addresses to go around for the next few decades; every device will have its own IP address, and we won’t run the risk of depleting the IP address bank any time soon – certainly not within my lifetime. We’ll also no longer have need of private IP addresses; a point which certain pundits believe is a positive thing. I could write a whole new blog post on this subject but for now, suffice to say I disagree. I don’t think you should have a different mailing address for every room in your house – that, in my view, is information regurgitation, which, in a world like the Internet, can be potentially so incredibly dangerous for your computers.
This year, the IPv4 address space has been officially declared exhausted – there aren’t any more IPv4 addresses to be assigned from IANA to the 5 regional internet registries (RIRs). As a customer, you may still be able to get an IPv4 address for some time, for as long as your ISP still has them, that is. Think of them like phone numbers in that you may get a recycled one; an IP previously belonging to another company that no longer needs/wants it. So hold off on pressing the panic button for now because IPv4 addresses will still be around for a little longer, but be prepared to face reality, because soon enough they’ll be gone for good and IPv6 will be the order of the day.
Those of us who already have IPv4 addresses will be able to keep and continue using them. In the interim, though, ISPs will also begin to assign IPv6 addresses and slowly but surely start migrating everyone to this new address space. This will happen simply because they can’t afford to maintain the double standard for too long – it’s expensive; requires duplicate equipment; and creates too many complications (for which we’ll eventually end up paying, and in real dollars). Truth be told, I don’t know how long this process will take; for all we know, it might spread across a decade. We just know, with utter certainty, that it will happen. We also know for a fact that your equipment must be able to deal with both protocols concurrently, but here’s the kicker – they are completely incompatible. If your equipment is not designed to handle IPv6, it simply won’t understand it, period!
In the next post, we’ll discuss IPv6 compatibility and translation issues and what costs will be associated with any migration path.
Posted on Fri, Mar 02, 2012
HOUSTON, March 2, 2012 – Leading managed security service provider Network Box USA (www.networkboxusa.com) announced today that Info Security Products Guide has declared the cutting-edge Network Box Z-Scan anti-malware system winner of the 2012 Global Excellence Awards in the Security Products and Solutions for Finance and Banking category. A large number of Network Box USA clients are in the financial industry.
More than 50 judges spanning a broad spectrum of industry voices from around the world participated, and their average scores determined the 8th annual Global Excellence Awards finalists and winners, who were announced during the awards dinner and presentation on February 29 in San Francisco.
Network Box's multi-award-winning Z-Scan reacts to zero-day malware up to 4,200 times faster than traditional anti-malware systems. It operates by continually analyzing all threat information obtained in real time (gleaned from a very large number of traps distributed globally in the cloud) against an impressive platform of more than eight million signatures. The Z-Scan network includes spam traps, virus traps, in-house as well as customer submissions, email and http statistics, and suspect samples.
Rather than creating a signature – which can take anywhere from three hours to an entire day to produce – Network Box adopts a revolutionary approach by fingerprinting malware in real time. This is then instantly distributed to its 12 security operation centers globally in under three seconds. In that brief moment, all Network Box unified threat management (UTM) devices are able to identify the code as a threat. Key to the process is the fact that Network Box manages all client UTM devices and receives immediate feedback from them.
“Z-Scan is a truly important weapon in our arsenal in the fight against malware,” said Pierluigi Stella, Network Box USA’s CTO. “We are proud to have been honored with this prestigious award that further validates Z-Scan as a leading-edge security solution.”
Posted on Fri, Feb 24, 2012
192.168.1.241.
If you open a command prompt and type “ipconfig”, you’ll probably find a long list of digits such as the ones above, which would look like gibberish to anyone but techies. Those numbers are, in fact, an IP address, the address of a computer on a network. This is IPv4 – it’s the fourth version created by an international standardization committee known as the Internet Engineering Task Force (IETF), and is the only one which has been adopted.
When IPv4 was created in the early 70s, few thought we would ever need more IP addresses. It was the world of mainframes and terminals; not many devices had IP addresses. But the scene quickly evolved with the 80s bringing forth personal computers, and the landscape became completely different.
Every time you connect to the internet, your ISP will assign one IP address to your company; this is a public IP address. If you want to be on the internet, you must have at least one public IP address. Think of it as your mailing address, if you will – it’s the way the rest of the internet locates you, and the way through which you find the rest of the internet.
To avoid rapidly using up the entire IPv4 address space, IETF came up with the idea of private IP addresses – meaning that within your office network, IP addresses can be assigned and used in 3 ranges (192.168.x.x, 10.x.x.x and 172.16.x.x through 172.31.x.x) and still kept internal; these became known as private IP addresses and they’re not found on the internet.
Since these are “private IPs”, every company can use them internally, and it doesn’t matter that they’re also being used by other companies; being internal to the company, there’s no risk of confusion. When each of these companies connects to the internet, they still use their own public IP address. Only now, they’re utilizing one public IP for the entire company rather than one per computer. This brought a great deal of public IP savings which allowed us to stretch the IPv4 lifespan for close to another 30 years. That said, each time a new internet connection is made, a new public IP is, likewise, used. DSL and cable have brought broadband into our homes so now every connected home has an IP address as well. Those factors accelerated the use of IPv4 once again. Meanwhile, cellular phones became “smart”, and wanted to be connected to the internet so they too required IP addresses. And, these days, so do cameras, DVD players, and any other “smart” device that is internet capable. So we went from a few mainframes in the early 70s, to billions and billions of devices today, all wanting to be on the internet.
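As an added example, not from the original post, here is a toy model of the mechanism just described: a classifier for the three private ranges and a minimal port-based NAT that lets an office full of private addresses share one public address. All addresses are constructed.

```python
import itertools
from ipaddress import ip_address, ip_network

# The three private ranges named in the post (RFC 1918): never routed on the internet.
PRIVATE_NETS = (ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),     # 172.16.x.x through 172.31.x.x
                ip_network("192.168.0.0/16"))


def is_private(addr):
    """True if the address falls in one of the three private ranges."""
    return any(ip_address(addr) in net for net in PRIVATE_NETS)


class Nat:
    """Toy port-address translator: one public IP shared by a whole office."""

    def __init__(self, public_ip, first_port=40000):
        if is_private(public_ip):
            raise ValueError("the outside address must be a public IP")
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}    # (private_ip, private_port) -> public_port
        self._back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source; allocate a public port on first use."""
        if not is_private(src_ip):
            raise ValueError("inside hosts are expected to use private addresses")
        key = (src_ip, src_port)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._back[port] = key
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply back to the inside host; unsolicited traffic has no mapping and is dropped."""
        key = self._back.get(dst_port)
        if key is None:
            return None
        return (src_ip, src_port, key[0], key[1])

    def mappings(self):
        """Number of inside (address, port) pairs currently sharing the public IP."""
        return len(self._out)


if __name__ == "__main__":
    # Constructed example: two office PCs behind one public address.
    nat = Nat("203.0.113.5")
    print(nat.outbound("192.168.1.241", 51000, "198.51.100.10", 80))
    print(nat.outbound("192.168.1.242", 51000, "198.51.100.10", 80))
    print(nat.inbound("198.51.100.10", 80, 40001))   # reply reaches .242
    print(nat.inbound("198.51.100.10", 80, 40999))   # no mapping: None
```

The same private address and port on two different companies' networks never collide, because each company's NAT maps them onto its own public address.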
At this juncture, it’s evident that IPv4 is no longer sufficient, and why that is the case.
In our next post, I shall elaborate upon the various measures taken by IETF and IANA (the Internet Assigned Numbers Authority) to resolve this issue, with the introduction of IPv6.
Posted on Fri, Feb 17, 2012
In Part 1, we discussed the definition of malware; provided an example of how easy it is to get malware onto your computer; and detailed several caveats on proactive steps to take and also what to look for to avoid being victimized.
This post focuses on email issues that could cause damage. Every day we see links in spam emails; the email per se may be clean; it may just be spam and not necessarily malware infected, but it contains a link (with the name of the link masked). Here’s a recent sampling – an email contained a link presumably to a downloadable PDF file, when in reality, the actual (embedded) link would have sent us to a web server hosted in India. Naturally, we didn’t click through to see what awaited on the other side, but this is yet another example of how hackers can mislead users into clicking on something, thus causing harmful code to be downloaded and installed.
At first look, these emails generally look official and realistic – they may appear to be coming from the U.S. Internal Revenue Service; another may state that your wire transfer was ‘blocked by the Federal Reserve’; and the list goes on. Furthermore, they’re often seasonal: case in point being the IRS look-alikes which tend to be distributed after April 15th for obvious reasons.
You may also have seen emails allegedly coming from your ‘bank’ requesting that you verify a transaction and/or personal information. By clicking on the email, you'll either cause something to be installed on your machine; or you’ll be redirected to a web site that looks remarkably similar to your bank BUT it is actually a reproduction hosted on a rogue server and the sensitive data you’ll be asked to enter can (and will) be used to quickly steal a lot of personal financial information.
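As an added example, not code from the original post, here is a small check for the mismatch described above in an HTML mail body: anchors whose visible text shows a URL or a document name that does not agree with the real href, plus destinations outside a trusted-domain list. The sample message and the trusted list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".zip")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.mail.example.com'; IP literals are returned as-is."""
    host = (host or "").lower()
    if host.replace(".", "").isdigit():
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html, trusted_domains):
    """Flag links whose visible text promises one thing while the href goes elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host, path = parsed.hostname or "", parsed.path.lower()
        shown = text.lower()
        reasons = []
        if "://" in shown or shown.startswith("www."):
            # The text itself looks like a URL: its host must match the real destination.
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registered_domain(shown_host) != registered_domain(host):
                reasons.append("text shows %s but href goes to %s" % (shown_host, host))
        elif shown.endswith(DOC_EXTENSIONS) and not path.endswith(DOC_EXTENSIONS):
            # The text names a document, but the link does not point at one.
            reasons.append("text names a document but href path is %r" % path)
        if registered_domain(host) not in trusted_domains:
            reasons.append("destination %s is not a trusted domain" % host)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample mail body in the style the post describes (not a real message).
SAMPLE_MAIL = """
<p>Your invoice is ready: <a href="http://203.0.113.77/login.php">Invoice_2012.pdf</a></p>
<p>Check your refund at <a href="http://example.net/r">https://www.irs.gov/refund</a></p>
<p>Questions? See our <a href="https://www.example.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL, {"example.com"}):
        print(text, "->", href)
        for reason in reasons:
            print("   ", reason)
```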
Last year, we all heard about the RSA breach (http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all). This entire series of events was started by an employee clicking on a link in an email that appeared legitimate. This case was different because the hackers launched a very focused attack – the email seemed incredibly genuine; the user clicked; and a Trojan was downloaded. Said Trojan went to work, and stealthily downloaded a larger piece of code, which scoured the LAN for the specific information the hackers were after. But again, the whole thing started simply because someone clicked on a link they should have avoided!
For the most part, all of these email scams have one common agenda – to steal something be it personal data; corporate information; or customer particulars.
Part 3 will cover the various methods by which malware can infect a network.
As always, if you have any questions, please contact me at pierluigi.stella@networkboxusa.com.
Posted on Thu, Jan 26, 2012
If even a small minority of all the hackers out there focused their intelligence, inventiveness and imagination away from malware and into constructive web-based endeavors, we’d all be better off.
That said, don’t hold your breath. Malware is an ongoing problem and scourge to both public and private entities and you need to understand what it is and how to deal with it. It’s a huge topic so I’ll break up the text into multiple posts.
First of all, you need to know what malware is – executable code that runs on your computer and is designed to cause some sort of damage – either by harming your data or stealing it. But the operative word is ‘executable’ – it’s a program, therefore it has to be activated, and in most cases requires someone unknowingly installing the malware and running it.
Hackers are constantly looking for new ways to trick users into ‘clicking’ on something – and that simple one stroke click can activate the software and quickly start wreaking havoc.
Last month, for instance, we decided to test a computer sans any AV/malware protection, went online and started browsing. We checked out Google for Indian flags and clicked on one – suddenly messages popped up that allegedly were from the operating system stating that the disk was broken, partitions couldn’t be found, and other formidable looking warnings. All looked legit.
Then an alleged Microsoft tool popped up offering to ‘scan’ the warnings. I know what the real program looks like – this one was an almost identical clone but there were obvious clues that it was a fake. But since we were running an experiment, we followed along, clicked, and the program claimed to have scanned our entire system in less than two minutes. Of course, it found several issues that required an immediate fix, and up popped another screen requesting gobs of personal information, including a credit card number – to purchase the software and fix the computer.
We downloaded a Kaspersky emergency cleanup tool and cleared the virus, but even when the computer was clean we still couldn’t access our data – the scanning tool had set the hidden attribute on all files on the disk, OS, data, programs – everything was hidden and it appeared that the disk was empty. Once the hidden attribute was removed (attrib -h), the system was restored.
But you can also get dinged from stealth programs that read what you type – known as keyloggers. Fortunately this is becoming less commonplace as good AV software will become aware of keyloggers by their behavior. There’s also software that functions as a browser add-on that can protect your secure websites – if you try to do online banking, for instance, and you’re not connected to the right IP address, the software will stop you.
Lastly, beware of malware being distributed now via HTTP – rather than hand delivering a nice little virus to you via email, the hacker will place the code on a web server and entice you to go to a particular website. In most cases, these are legitimate websites that have been compromised – unbeknownst to the site’s owners. A script attached at the bottom of the home page index.html file can add hidden links to this page which the user won’t see. So while browsing, the mouse triggers a piece of malware code, it’s installed on the computer, and the hacker’s off to the races and starts pilfering your data.
Getting a bit nervous? Stay tuned for Part 2 where I’ll wax eloquent on malware and email issues.
Posted on Mon, Dec 12, 2011
Previous posts about cloud security have covered a wide range of topics and issues; some of these have included tips on connecting both private and public clouds; cloud computing security risks; pointers on the pros/cons of the hybrid cloud model, and more.
This post will focus on a growing concern that is facing both public and private sector organizations, not only in the US, but globally –identifying a few security holes affecting cloud implementations, and what steps you can take to mitigate these from becoming a major digital thorn for you.
And amazingly, I still see examples of servers with default user IDs that are untouched, default passwords that are never changed – and in extreme cases – no password set up at all! So there’s your data in the cloud with a login prompt totally exposed – no protection, no password/user/access authorization rules. It’s enough to turn an IT manager’s hair white overnight – and result in many a sleepless night to boot!
Organizations from all walks of life are migrating to the cloud, principally to reduce costs. But many don’t factor in an important consideration – they lack the internal resources/skills to initially determine how to best protect their data, and once the data’s in the cloud, how to then protect it on an ongoing basis.
Before you jump to the cloud, you also need to figure out who’s going to provide security. Should your IaaS provider offer a certain level of security? Have your MSP using that IaaS do it for you? Do it yourself?
All of the above. The IaaS, for instance, owns the address space – if your network/server is compromised, it will appear from an outsider’s perspective that the IaaS’ address space has been compromised. And not only can the telco snatch those IP addresses from the IaaS, but the federal government can close down the servers and lines, which means the IaaS could be hurt financially and even forced to close its doors.
So how can you patch these potential holes so your organization’s data isn’t put at risk? Here are a few simple tips:
✓ With any kind of remote connection, lock it up and use a VPN, e.g., a certificate-based SSL VPN with AES-256 encryption.
✓ Conduct due diligence with your MSP and IaaS.
✓ Check out the hardware side of your virtual environment and make sure your virtual neighbors can’t accidentally access your data.
✓ Trust no one and make sure that your LAN is yours and yours alone!
Any questions? Email me at pierluigi.stella@networkboxusa.com.