Tag: Barracuda

2024 Best Practices for Cloud Network Firewall Deployment

Posted on by CyberRatings.org

The security industry is working towards a secure by default configuration. However, when setting up products for the 2024 Cloud Network Firewall group test, we found that not all products are secure by default. We, therefore, documented the changes we made and are publishing them in this guide.

Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

This guide should be used as a supplement to what the vendors already make available to their customers. Please see the links below to the best practices and guides for each product we tested. We have also provided additional information for three products: Cisco Secure Firewall Threat Defense Virtual, Palo Alto Networks VM-Series, and Amazon Web Services (AWS) Network Firewall.

Cloud Network Firewall Test Topology

The following steps were taken for each firewall:

Deploy the firewall in Amazon Web Services (AWS). For this example, we are using Fortinet:

  1. Review Firewall options and pricing, then Click to Subscribe.

2. Once you have picked your instance type, Continue to Configuration.

3. Review selection and Continue to Launch.

4. Launch the software from the website, or the EC2 dashboard – selected in the drop-down menu.

5. In the EC2 dashboard, define who has access to the firewall, launch Instance.

  • Connect the interfaces required for the topology. This is information that is found in each vendor guide.
  • Register the device to the centralized management system. This is information that is found in each vendor guide.
  • Validation of license/s, which in turn enabled software updates, threat updates, etc. This is information that is found in each vendor guide.
  • Define access policies:
    • Trust to untrust
    • Untrust to trust

  • Define IPS policies:
    • Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
  • Upload the required server certs, keys, and CA certs if needed. This is information that is found in each vendor guide.
  • Define TLS decryption policies (1.2 and 1.3). Configure it to decrypt all traffic. We make a few exceptions to test whether the product can bypass decryption based on specific IP addresses or domain name(s). If something cannot be decrypted or is using an older TLS/SSL version and or an insecure cipher then the product is set to block.
  • Link IPS and TLS policies to the overall access policy.
  • Validate configuration:

Make sure you can pass traffic.

Make sure you can block attacks by sending something malicious.

Tune out false positives.

Firewall Configurations

For each firewall listed below, we have included:

  • Link to the AWS page where the firewall can be selected and deployed
  • Link to best practices and additional information

Amazon Web Services (AWS) Network Firewall

Product, best practices, and documentation: https://aws.amazon.com/network-firewall/

Following the best practices resulted in a deployment that was unable to stop any threats in our Cloud Network Firewall testing harness. After consulting AWS, we were instructed to make changes to the policy. The resulting deployment was successful in blocking 5.39%.

The configuration suggested by AWS:

  • No stateless rules

  • No default stateful action

  • Only Alert actions in the unmanaged signatures

This configuration should send all traffic through the inspection engine.

Our configuration that was tested before the conversation with AWS was slightly different. We had a rule for all stateless traffic to be forwarded to the stateful engine. Under the Stateful default actions, we had “Drop established,”“Alert all,” and “Alert established enabled. For rules we had the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:88889;rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:8888;rev:1;)
pass tcp any any -> any any (msg:”allow-ssm”;flow:established,to_server;sid:888888;rev:1;)
pass UDP any any -> any any (msg:”allow-udp”;sid:88881;rev:1;)
pass ICMP any any -> any any (msg:”allowing-ourbuddyping”;sid:88882;rev:1;)

Both configurations resulted in the same security block rate of 5.39%.

Barracuda CloudGen Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-nf2s254wcmqfw

Documentation: https://campus.barracuda.com/product/cloudgenfirewall/doc/98209931/overview

Check Point CloudGuard

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-3xp7nph2367yc

Documentation: https://support.checkpoint.com

Cisco Secure Firewall Threat Defense Virtual

Follow their instructions; the product requires special configuration. See below.

We followed the best practices for deploying Cisco Secure Firewall Threat Defense Virtual including updating the software from 7.2.0 to 7.2.5-208 and then to 7.3.0-69.

We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details.


After deploying the firewall following their best practices, we were able to verify that TLS 1.2 was decrypting properly, as seen in this screenshot:

Even though we followed the instructions provided by Cisco to enable TLS 1.3, the Cisco Firewall failed to decrypt TLS 1.3 and the logs issued an “SSL_Version_Not_Supported” error, as seen in this screenshot:

Unless you look at the logs, the user interface does not indicate that TLS 1.3 is not being appropriately As shown in the above screenshots. you can check a box that is supposed to turn on TLS 1.3 support, but it does not turn it on. Moreover, while Cisco says TLS 1.3 is on, and when TLS 1.3 traffic is sent across the Cisco cloud firewall, the logs clearly state that the TLS/Cipher suites are not supported and do not decrypt the data. In addition, Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.

Forcepoint NGFW

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-svzncd5l73lu2

Documentation: https://help.forcepoint.com/ngfw/en-us/7.0.4/index.html

Fortinet FortiGate-VM

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-wory773oau6wq

Documentation: https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/954635/getting-started

Juniper Networks vSRX

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-z7jcugjx442hw

Documentation: https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-consolidated-deployment-guide.pdf

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Follow their instructions; the product requires special configuration. See below.

Evasion defenses are not enabled by default. Please follow the instructions below. These are a combination of their best practices guide as well as additional instructions per the Palo Alto Engineers we worked with.

Product page: https://aws.amazon.com/marketplace/pp/prodview-mn63yjbq37n4c

Documentation: https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices/security-policy-best-practices

Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

After following those instructions, then issue the following commands in the command line interface (CLI).

To do this:

  • Enable SSH on the device.
  • Log in to the device with your admin credentials.
  • Run the following commands:

Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable

set deviceconfig setting session resource-limit-behavior bypass

request plugins vm_series set-cores dp-cores 3

While the below configuration change will not improve your evasion protection, it may improve your performance. If you are worried about client-side attacks, do not make this change!

Disable Server Response Inspection (DSRI) – see screenshot below.

To Enable or disable DSRI:

  1. Go to Policies>Security>untrust-to-trust>Action.
  2. Check the “Other Settings “section for the DSRI option.
  3. Select the checkbox to enable.
  4. Unselect the checkbox to disable.

We have been informed that an upcoming version of the Palo Alto OS will enable these evasions by default.

Sophos Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-ga4qvij427bvw

Documentation: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/index.html

Versa Networks NGFW

Follow their instructions; the product doesn’t require any special configuration.

Unlike the other products in this guide, Versa only offers a bring-your-own license (BOYL). This means products can be deployed using Versa Director (their central management system) or through EC2 on AWS.

Product page: https://aws.amazon.com/marketplace/pp/prodview-egtkta2usoxfa

Documentation: https://academy.versa-networks.com/versa-academy-library/

Documentation: https://docs.versa-networks.com

WatchGuard Firebox Cloud

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-5qg2dngtf3fgu

Documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/_intro/home.html

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Posted on by CyberRatings.org

Today we focus on the diverse array of Cloud Network Firewalls available on Amazon Web Services (AWS). This comprehensive overview aims to inform IT professionals, network administrators, security analysts, and cybersecurity enthusiasts about the various firewall options on AWS, beyond just AWS’s native offerings.

Cloud Network Firewalls on AWS: A Broad Spectrum

AWS hosts a range of third-party cloud network firewalls, each offering unique features and capabilities tailored to different organizational needs. Here’s a rundown of some key players:

  1. Arista Networks Cloud Network Firewall
    Arista Networks provides a cloud network firewall offering for AWS environments, with a focus on traffic management and security. Its features include firewall capabilities, detailed traffic inspection, and policy enforcement tools. The offering is designed for compatibility with complex network architectures, providing various deployment options to meet diverse cloud security requirements.
  2. Barracuda CloudGen Firewall
    The Barracuda CloudGen Firewall, designed for AWS, offers security for cloud-connected networks. Its features encompass threat protection, VPN connectivity, and application-based traffic management. The firewall is developed to adapt to the evolving requirements of cloud infrastructures and includes centralized management for administration across distributed network setups.
  3. Check Point CloudGuard
    Check Point CloudGuard is a network security offering for AWS, including features like intrusion prevention, identity awareness, and anti-bot technology. It is designed for AWS service integration, aiming to protect cloud assets. CloudGuard supports auto-scaling to adapt its security measures in response to network traffic variations. This offering is intended for cloud environments, providing capabilities for managing security policies and handling network traffic.
  4. Cisco Cloud Network Firewall
    Known for its firepower series and ASA (Adaptive Security Appliances), Cisco offers a cloud network firewall tailored for AWS environments, equipped with features to manage network traffic and enforce security policies. This offering includes capabilities for inspecting and controlling traffic flow, as well as implementing security rules across cloud deployments. Designed to integrate with AWS, Cisco’s firewall aims to provide network security management suited to various cloud infrastructure requirements.
  5. Forcepoint Cloud Network Firewall
    Forcepoint’s cloud network firewall for AWS offers capabilities like SD-WAN integration and centralized management to safeguard network perimeters in cloud environments. The Forcepoint offering is structured to provide security management for cloud-based networks. It incorporates features for monitoring network activities and implementing security protocols to address potential threats.
  6. Fortinet FortiGate-VM: The Fortinet FortiGate-VM is a virtual firewall solution tailored for AWS environments, providing a range of network security capabilities. It offers features such as intrusion prevention, web filtering, and SSL inspection, aimed at safeguarding virtualized and cloud infrastructures. Key aspects include its ability to scale dynamically with AWS workloads, integration with AWS services for enhanced management and monitoring, and support for centralized control through Fortinet’s FortiManager. FortiGate-VM is designed to address various security requirements for AWS deployments, from basic VPC protection to advanced threat prevention, catering to diverse network architectures and compliance needs. As with any cloud network firewall solution, its effectiveness and suitability can vary based on specific organizational requirements and network configurations.
  7. Hillstone Networks: Focused on visibility and control, Hillstone offers advanced features for threat detection and mitigation. The offering includes capabilities for inspecting network activities and enforcing relevant security measures. Hillstone’s firewall is developed to support the security needs of cloud deployments, providing functionalities that facilitate the management of network traffic and the implementation of security policies in cloud environments.
  8. Juniper Networks vSRX Cloud Network Firewall
    Juniper Networks offers the vSRX Cloud Network Firewall for AWS, providing network traffic management and policy enforcement. This firewall includes features for monitoring network activities and implementing security protocols. The vSRX offering is designed for AWS environments, aiming to address various network security management needs in cloud infrastructures.
  9. Palo Alto Networks VM-Series
    The VM-Series from Palo Alto Networks is a cloud network firewall available on AWS, focusing on network traffic security and policy management. It offers features for inspecting network traffic and applying security rules. The VM-Series is developed to integrate with AWS, providing network security capabilities for different cloud deployment scenarios.
  10. Sophos UTM and XG Firewalls
    Sophos offers the UTM and XG Firewalls for AWS environments, delivering features to manage network security and traffic. These firewalls include tools for network activity monitoring and security protocol enforcement. Both the UTM and XG Firewalls by Sophos are structured to support security management in cloud-based networks, with functionalities aimed at maintaining network integrity and implementing necessary security measures.
  11. Versa Networks Cloud Network Firewall
    Versa Networks specializes in next-generation firewall capabilities integrated with SD-WAN, suitable for enterprises looking for a combination of security and network optimization. Its cloud network firewall solution for AWS is equipped to handle network security and traffic control. Versa Networks’ firewall is tailored for AWS cloud environments, focusing on meeting diverse network security management requirements in cloud infrastructures.

Choosing the Right Cloud Network Firewall on AWS

Selecting the right cloud network firewall on AWS depends on specific security requirements, scalability needs, and integration capabilities. Factors to consider include:

  • Security Features: Assess the firewall’s capability to protect against the specific threats your organization faces.
  • Performance and Scalability: Ensure the firewall can handle your current and projected traffic volumes without compromising performance.
  • Integration with AWS Services: Look for firewalls that offer seamless integration with other AWS services for streamlined security management.
  • Cost: Consider both upfront and ongoing costs associated with each firewall solution.

Conclusion

The choice of a cloud network firewall on AWS should be guided by your organization’s unique security, performance, and budgetary requirements. Each of the mentioned firewalls brings distinct advantages and specialties to the table, catering to a wide range of cloud-based security needs.

Stay tuned for our Cloud Network Firewall test results coming in March.