Understanding Evasions and Their Significance in the Cloud Network Firewall (CNFW) Test

Attackers continually devise new techniques to evade detection by security tools such as firewalls. Often an attacker starts with an “exploit” that takes advantage of a vulnerability within a firewall, but “evasions” are far worse: an attacker can use an evasion to disguise or manipulate malicious network traffic so that threats slip past firewall defenses unnoticed. Evasions can involve altering packet structures, fragmenting data in unusual ways, or using encoding methods that standard firewall inspection processes cannot reliably detect.

In our recent Cloud Network Firewall (CNFW) test, we evaluated firewall effectiveness by assessing how well each product recognizes and counters 2,500 attacks spanning 27 evasion techniques across multiple network layers. This provides a crucial measure of firewall robustness and overall security effectiveness.

For the CNFW test, CyberRatings integrates evasion scoring into a comprehensive security effectiveness metric through a detailed multiplier approach.

Security Effectiveness = Routing & Access Control × TLS/SSL Functionality × Exploits × Evasions × Stability & Reliability

Each component is scored from 0% to 100%. Because the components are multiplied, a low score in any one of them, especially evasions, sharply reduces the overall security effectiveness score.

How Firewall Evasion Impacts Your Security Posture in the CNFW Test

Our CNFW evasion scoring starts at 100% and deducts points for each evasion category the firewall fails to detect. Failing to detect lower-layer evasions, which are fundamental within the CNFW testing scenario, has the most significant impact.

OSI Layers and CNFW Test Impact

The OSI (Open Systems Interconnection) model provides a standardized framework for understanding data flow in network systems. Our CNFW test specifically evaluates evasion techniques across Layers 3, 4, and 7:

Layer 3 (Network Layer)

High Impact (50% per category, up to 100% total impact)

Layer 3 evasions, such as IP fragmentation and header manipulation, present the most significant risk in the CNFW test because they take place at the fundamental levels of network traffic inspection.

Common Layer 3 evasions:

  • IP fragmentation: Data packets split to evade inspection.
  • Header manipulation: Packet headers modified to bypass security.
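The IP fragmentation evasion above only works when the firewall and the end host can turn the same fragments into different bytes. The check below is an added example, not code from the post or from any vendor's product: it is the normalization a firewall's reassembly step should perform before inspecting a datagram. Each fragment is modelled as a dict holding the byte offset, the More Fragments flag and the payload, and any set whose fragments overlap, leave a gap, are misaligned, or never complete is refused rather than guessed at. All sample fragment sets are constructed.

```python
"""Fragment checks a firewall's IPv4 reassembly step should apply
before the datagram is inspected.

Added example, not from the post or any vendor's product.  A fragment
is modelled as a dict with the fields reassembly needs: "offset"
(byte offset of this fragment in the original datagram), "more" (the
More Fragments flag) and "data" (the fragment payload).  All sample
fragment sets below are constructed.
"""


def reassemble(fragments):
    """Rebuild the payload of one datagram from its fragments.

    Returns (payload, reason).  payload is None when the set should be
    dropped instead of inspected: overlapping fragments, gaps,
    misaligned non-final fragments and incomplete sets are all treated
    as evasion attempts, because a firewall that guesses how the end
    host will resolve them can end up inspecting different bytes than
    the host receives.
    """
    ordered = sorted(fragments, key=lambda f: f["offset"])
    payload = bytearray()
    expected_offset = 0
    saw_last = False
    for frag in ordered:
        if saw_last:
            return None, "data after final fragment"
        if frag["offset"] < expected_offset:
            return None, "overlapping fragments"
        if frag["offset"] > expected_offset:
            return None, "gap between fragments"
        # IPv4 offsets are in 8-byte units, so every non-final fragment
        # must carry a multiple of 8 bytes.
        if frag["more"] and len(frag["data"]) % 8:
            return None, "non-final fragment length not a multiple of 8"
        payload += frag["data"]
        expected_offset += len(frag["data"])
        if not frag["more"]:
            saw_last = True
    if not saw_last:
        return None, "incomplete datagram"
    return bytes(payload), "ok"


def frag(offset, data, more):
    """Build one constructed fragment dict."""
    return {"offset": offset, "more": more, "data": data}


# Constructed fragment sets (8-byte pieces of a small HTTP request line).
CLEAN = [frag(0, b"GET /ind", True), frag(8, b"ex.html ", True),
         frag(16, b"HTTP/1.1", False)]
OVERLAP = [frag(0, b"GET /index.html ", True), frag(8, b"ex.html ", False)]
GAP = [frag(0, b"GET /ind", True), frag(16, b"HTTP/1.1", False)]
UNALIGNED = [frag(0, b"GET /", True), frag(5, b"index.html", False)]
INCOMPLETE = [frag(0, b"GET /ind", True)]

if __name__ == "__main__":
    for name, fs in [("clean", CLEAN), ("overlap", OVERLAP), ("gap", GAP),
                     ("unaligned", UNALIGNED), ("incomplete", INCOMPLETE)]:
        payload, reason = reassemble(fs)
        print(f"{name:10s} -> {reason}: {payload!r}")
```

The point of refusing rather than resolving overlaps is that there is no single correct answer: operating systems differ in whether the first or the last overlapping fragment wins, so the only policy a firewall can apply without being second-guessed is to drop the set or force reassembly before forwarding.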

Layer 4 (Transport Layer)

Moderate Impact (20% per category, up to 60% total impact)

In Layer 4, the CNFW test assesses evasions that manipulate packet sequencing or segmentation, challenging firewall connection monitoring.

Typical Layer 4 evasions:

  • TCP segmentation: Stream data split across segments to disrupt monitoring.
  • Sequence number manipulation: Confusing stateful inspection.

Layer 7 (Application Layer)

Lower Impact (1% per category, up to 10% total impact)

Layer 7 evasions within CNFW tests embed threats in typical web traffic, testing firewalls’ deep inspection abilities.

Examples of Layer 7 evasions:

  • Manipulated HTTP headers: Concealed malicious requests.
  • Chunked encoding: Traffic in misleading fragments.
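Putting the Security Effectiveness formula and the per-layer deductions together, the following is an added worked model, not CyberRatings' own scoring code. It assumes that each missed evasion category deducts the stated percentage from an evasion score that starts at 100%, that each layer's deductions are capped at the stated maximum, that the score cannot fall below 0%, and that the overall figure is the product of the five components. The scenarios are constructed.

```python
"""Worked model of the CNFW evasion scoring and the overall
Security Effectiveness product.

Added example, not CyberRatings' code.  Assumptions: one deduction per
missed evasion category, capped per layer as stated in the post, a
floor of 0%, and the five components multiplied together.
"""

# Per-category deduction and per-layer cap, in percent (from the post).
LAYER_RULES = {
    "L3": {"per_category": 50, "cap": 100},
    "L4": {"per_category": 20, "cap": 60},
    "L7": {"per_category": 1, "cap": 10},
}


def evasion_score(missed):
    """Evasion score (0..100) for a dict of missed categories per layer,
    e.g. {"L3": 1, "L4": 2, "L7": 3}.  Unknown layers are rejected so a
    typo cannot silently score as zero deductions."""
    for layer in missed:
        if layer not in LAYER_RULES:
            raise ValueError(f"unknown layer: {layer}")
    total_deduction = 0
    for layer, rule in LAYER_RULES.items():
        layer_deduction = rule["per_category"] * missed.get(layer, 0)
        total_deduction += min(layer_deduction, rule["cap"])  # cap per layer
    return max(0, 100 - total_deduction)  # never below 0%


def security_effectiveness(routing, tls, exploits, evasions, stability):
    """Multiply the five component percentages into one effectiveness
    percentage, as in the formula in the post."""
    components = (routing, tls, exploits, evasions, stability)
    for c in components:
        if not 0 <= c <= 100:
            raise ValueError(f"component score out of range: {c}")
    product = 1.0
    for c in components:
        product *= c / 100
    return round(product * 100, 2)


if __name__ == "__main__":
    # Constructed scenario: one L3, two L4 and three L7 categories missed.
    missed = {"L3": 1, "L4": 2, "L7": 3}
    ev = evasion_score(missed)  # 100 - (50 + 40 + 3) = 7
    print("evasion score:", ev)
    # A firewall perfect in every other component is still dragged
    # down to 7% overall by that evasion result.
    print("overall:", security_effectiveness(100, 100, 100, ev, 100))
    # Three missed L3 categories hit the 100% cap: the score is 0.
    print("three L3 misses:", evasion_score({"L3": 3}))
```

Running it makes the weighting concrete: a single missed Layer 3 category costs as much as fifty missed Layer 7 categories, and because the evasion score is a multiplier, it pulls the whole product down regardless of how well the exploit and routing components scored.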

CNFW Test Evasion Technique Scoring Breakdown

Linking CNFW Evasion Scores to Severity

The severity of evasion detection is particularly crucial in the context of our CNFW testing. An undetected evasion can create significant vulnerabilities, potentially allowing attackers unrestricted access. Therefore, firewalls that score poorly in evasion detection should be promptly reviewed, reconfigured, or replaced to maintain an optimal security posture against cyber threats.

Packet Pushers: Inside an Equipment Test Lab

Third-party test labs can help buyers make decisions about which products to purchase. While a testing lab can’t mimic the conditions of your specific production environment, it can assess a product’s fundamental capabilities and measure throughput, performance, and–in the case of security devices–effectiveness against a test suite of malware or attack techniques.

On today’s episode we talk with Vik Phatak, CEO of CyberRatings, a non-profit organization that tests IT equipment such as firewalls and other security gear and services. We discuss how the organization develops and performs its tests, how it decides which gear or services to assess, the level of vendor involvement in the testing, how results are delivered, and more.

Listen to the podcast here.

The Role of Encryption and Deep Inspection in Internet Security

Here we explore the world of encryption – its types, specific protocols like TLS/SSL, their use cases, limitations, and the nuances of deep packet inspection on encrypted traffic. This comprehensive guide is designed for IT professionals, network administrators, and cybersecurity enthusiasts.

What is Encryption?

Encryption is the process of encoding data to prevent unauthorized access. It transforms readable data (plaintext) into an unreadable format (ciphertext), which can be reversed (decrypted) only with a specific key.

Types of Encryption Used on the Internet

  1. Symmetric Encryption: Uses the same key for encryption and decryption. Examples include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
  2. Asymmetric Encryption: Involves a public key for encryption and a private key for decryption. RSA (Rivest–Shamir–Adleman) is a common example.
  3. Hash Functions: While not encryption in the traditional sense, hash functions like SHA (Secure Hash Algorithm) create a fixed-size hash value from data, often used in securing passwords.

TLS/SSL and Cipher Suites

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide secure communication over a computer network. TLS, the successor to SSL, is more commonly used today.

Cipher Suites: A cipher suite is a set of algorithms that help secure a network connection that uses TLS or SSL. It defines key exchange, encryption, and message authentication code (MAC) algorithms.

Types of Cipher Suites

  • RSA-based Cipher Suites: Traditional and widely used, but vulnerable to quantum computing attacks.
  • ECC (Elliptic Curve Cryptography) Cipher Suites: Offer stronger security per key bit than RSA, so smaller keys suffice and operations are more efficient.
  • AEAD (Authenticated Encryption with Associated Data) Cipher Suites: Suites such as AES-GCM that provide confidentiality, integrity, and authenticity in a single primitive.
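Whether a firewall's TLS functionality or a server's own configuration is under review, the practical question is which suites a TLS endpoint is willing to negotiate. The following is an added example, not from the post, that uses only Python's standard ssl module to list the suites a context enables, flag those that lack AEAD or an ephemeral key exchange, and build a server context restricted to ECDHE plus AEAD suites. The suite names reported depend on the OpenSSL build the interpreter is linked against.

```python
"""List and tighten the cipher suites a TLS context enables.

Added example, not from the post; standard-library ssl only.  The
suites reported come from the OpenSSL build Python is linked against,
so the exact list differs between machines.
"""
import ssl


def suite_report(ctx):
    """One dict per enabled suite: name, protocol, whether it is an
    AEAD suite, and whether its key exchange is ephemeral (forward
    secrecy).  TLS 1.3 suites always use an ephemeral exchange; for
    TLS 1.2 and below the suite name shows ECDHE/DHE."""
    report = []
    for suite in ctx.get_ciphers():  # list of dicts from OpenSSL
        name = suite["name"]
        ephemeral = (suite["protocol"] == "TLSv1.3"
                     or "ECDHE" in name or name.startswith("DHE"))
        report.append({"name": name, "protocol": suite["protocol"],
                       "aead": suite["aead"], "forward_secret": ephemeral})
    return report


def weak_suites(ctx):
    """Names of enabled suites a reviewer would flag: no AEAD (CBC with
    a separate MAC) or no ephemeral key exchange (RSA key transport)."""
    return [s["name"] for s in suite_report(ctx)
            if not (s["aead"] and s["forward_secret"])]


def hardened_context():
    """Server context limited to TLS 1.2+ and ECDHE + AEAD suites.  The
    OpenSSL cipher string only governs TLS 1.2 and below; the TLS 1.3
    suites it leaves enabled are AEAD by design."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    default = ssl.create_default_context()
    print("default context enables", len(default.get_ciphers()), "suites;",
          "flagged:", weak_suites(default))
    hardened = hardened_context()
    print("hardened context enables", len(hardened.get_ciphers()), "suites;",
          "flagged:", weak_suites(hardened))
```

The comparison against `ssl.create_default_context()` is the useful part: the interpreter's default list is deliberately broad for compatibility, and the flagged names show exactly which CBC or RSA-key-transport suites a deployment still offers before the cipher string is tightened.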

Deep Inspection of Encrypted Traffic

Deep Packet Inspection (DPI) of encrypted traffic, commonly known as TLS/SSL inspection, involves intercepting, decrypting, inspecting, and re-encrypting TLS/SSL-encrypted traffic.

Requirements for DPI

  • TLS/SSL Intercepting Proxy: Acts as a middleman between the client and the server.
  • Certificates: Clients must trust the certificate the proxy presents in place of the server’s, or they will see security warnings.
  • Computational Resources: Decryption and re-encryption require significant processing power.

Challenges and Considerations

  • Privacy Concerns: Decrypting traffic can raise privacy issues and may conflict with certain legal or compliance standards.
  • Performance Impact: DPI can introduce latency and requires adequate hardware to maintain performance.
  • Encrypted Malware: Advanced threats can hide in encrypted traffic, making DPI crucial for security.

Use Cases for Different Types of Encryption

  • Symmetric Encryption: Ideal for scenarios where data needs to be encrypted and decrypted quickly, such as file encryption and securing data at rest.
  • Asymmetric Encryption: Used where secure key exchange is crucial, such as in digital signatures and securing data in transit.
  • Hash Functions: Best for verifying data integrity and securing sensitive information like passwords.
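Securing passwords is the hash-function use case named in both lists above, and it is where a bare SHA digest falls short: it is fast and unsalted. The following is an added example, not from the post and using only the standard library, that contrasts that naive digest with a salted, iterated PBKDF2 record and a constant-time check. The iteration count, record format and sample passwords are constructed choices for illustration.

```python
"""Password storage with a salted, iterated hash versus a bare digest.

Added example, not from the post; standard library only.  The
iteration count, record format and sample passwords are constructed
choices for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # constructed default; raise as hardware allows


def naive_digest(password):
    """The 'just SHA-256 it' approach: unsalted and fast, so equal
    passwords give equal digests and precomputed tables work."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'
    so the parameters can be raised later without breaking old rows."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Recompute with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iters = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256" or iters < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed: two users who chose the same password.
    print("naive digests collide:", naive_digest("hunter2") == naive_digest("hunter2"))
    rec_a, rec_b = make_record("hunter2"), make_record("hunter2")
    print("salted records differ:", rec_a != rec_b)
    print("verify right/wrong:", verify("hunter2", rec_a), verify("hunter3", rec_a))
```

Storing the iteration count inside the record is what lets the cost be raised over time: a login that verifies against an old, cheaper record can immediately re-hash the password at the current setting.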

Limitations and Ineffectiveness

  • Symmetric Encryption: Not suitable for scenarios where key exchange over insecure channels is required.
  • Asymmetric Encryption: Due to its computational intensity, it’s not ideal for encrypting large amounts of data.
  • TLS/SSL: Can’t protect against threats on either end of the encrypted tunnel (client-side or server-side vulnerabilities).
  • Deep Packet Inspection: Ineffective if the traffic uses certificate pinning or if the DPI system doesn’t recognize specific encryption standards.

Conclusion

Encryption is a cornerstone of cybersecurity but understanding its types, specific protocols, and appropriate use cases is crucial. While encryption ensures data confidentiality and integrity, its effectiveness depends on the context and the threats an organization faces.

Further Reading

For more detailed information, consider consulting:

  • “Applied Cryptography” by Bruce Schneier – Provides an in-depth look at cryptographic techniques.
  • “SSL and TLS: Theory and Practice” by Rolf Oppliger – Offers insights into SSL/TLS protocols and their implementation.
  • “The Code Book” by Simon Singh – A comprehensive guide to the history of encryption.

Stateful vs. Stateless Inspection: Use Cases and Limitations

This post focuses on Stateful and Stateless Packet Inspection – their definitions, use cases, and the contexts where they may not be as effective. This insight is crucial for IT professionals, network administrators, and cybersecurity enthusiasts who want to optimize their network security strategies.

What are Stateful and Stateless Packet Inspections?

Stateless Packet Inspection

Definition: Stateless inspection, also known as static packet filtering, examines packets in isolation, without considering the state of a connection or packets that have previously passed through the firewall.

Function: It typically checks packet headers for source and destination IP addresses, port numbers, and other surface-level information, allowing or blocking them based on pre-defined rules.

Stateful Packet Inspection

Definition: Stateful inspection, in contrast, tracks the state of active connections and makes decisions based on the context of the packet within a conversation.

Function: It examines not just the packet headers but also the state of the connection, including sequence numbers and flags in TCP headers, offering a more nuanced approach to filtering.

Use Cases for Stateless Inspection

  • Basic Network Perimeter Defense: Stateless inspection is suitable for simple network environments where basic access control and packet filtering are sufficient.
  • Low-resource Environments: In scenarios where computing resources are limited, stateless inspection provides a less resource-intensive solution.
  • High-speed Networks: For networks where speed is a priority, stateless inspection adds less latency than stateful inspection.

Use Cases for Stateful Inspection

  • Complex Network Environments: Stateful inspection is ideal for complex environments requiring dynamic access control and in-depth traffic analysis.
  • Enhanced Security Posture: It’s beneficial for networks needing a higher level of security, capable of understanding and tracking the state of network connections.
  • Regulatory Compliance: In industries where compliance mandates sophisticated network security measures, stateful inspection is often a requirement.

Limitations and Ineffectiveness

Stateless Inspection Limitations

  • Surface-Level Filtering: Lacks the depth to understand the context or the state of connections, potentially allowing more sophisticated threats to pass through.
  • Vulnerability to Spoofing and Evasion Techniques: Due to its superficial inspection, it’s more susceptible to IP spoofing and other evasion methods.
  • Inadequate for Complex Protocols: Not suitable for protocols that require the tracking of connection states or dynamic port numbers.

Stateful Inspection Limitations

  • Resource Intensity: Can be resource-intensive, potentially slowing down network performance.
  • Complexity in Large-scale Networks: Managing and configuring stateful inspection rules in large-scale or highly dynamic environments can be challenging.
  • Struggles with Asymmetric Routing: Can face difficulties in environments where packet flows are asymmetric and not all packets of a connection pass through the same path.
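The definitions above and the limitations just listed can be seen on a single constructed packet stream. The following is an added example, not from the post: it implements a stateless "allow established" rule and a minimal stateful connection tracker, then runs both over a normal handshake, a spoofed inbound ACK, and an asymmetrically routed connection whose SYN-ACK never crosses the firewall. Addresses and flags are constructed, and the LAN is assumed to be 10.0.0.0/8.

```python
"""Stateless versus stateful filtering over the same packet stream.

Added example, not from the post.  A packet is a dict with "src",
"dst" and a set of TCP "flags".  Both filters implement the same
policy, "hosts on the LAN may open connections outward; only replies
may come in", and the LAN is assumed to be 10.0.0.0/8.  All packets
are constructed.
"""


def is_lan(ip):
    """Assumed LAN: 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_filter(pkt):
    """Static packet filtering: the decision uses only this packet.
    Inbound packets are allowed when they *look* like part of an
    existing connection, i.e. the ACK flag is set (the classic
    'established' ACL rule); nothing else can be checked."""
    if is_lan(pkt["src"]):
        return "allow"
    return "allow" if "ACK" in pkt["flags"] else "deny"


class StatefulFilter:
    """Minimal connection tracker: inbound packets are allowed only for
    connections the firewall saw the LAN side open, and only once the
    handshake seen by the firewall has actually completed."""

    def __init__(self):
        self.table = {}  # (lan_ip, remote_ip) -> "SYN_SENT" | "ESTABLISHED"

    def __call__(self, pkt):
        flags = pkt["flags"]
        if is_lan(pkt["src"]):
            key = (pkt["src"], pkt["dst"])
            if "SYN" in flags and "ACK" not in flags:
                self.table[key] = "SYN_SENT"  # new outbound connection
                return "allow"
            if self.table.get(key) == "ESTABLISHED":
                return "allow"
            # Outbound data or a bare ACK on a connection whose SYN-ACK
            # we never saw: strict tracking refuses to advance the state.
            return "deny"
        key = (pkt["dst"], pkt["src"])
        state = self.table.get(key)
        if state == "SYN_SENT" and {"SYN", "ACK"} <= flags:
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        return "deny"  # no matching connection: spoofed or unsolicited


def run(packets, decide):
    """Apply a filter to a packet list and collect the decisions."""
    return [decide(p) for p in packets]


def pkt(src, dst, *flags):
    return {"src": src, "dst": dst, "flags": set(flags)}


CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.8", "203.0.113.99"

# A normal outbound connection seen in both directions.
HANDSHAKE = [pkt(CLIENT, SERVER, "SYN"), pkt(SERVER, CLIENT, "SYN", "ACK"),
             pkt(CLIENT, SERVER, "ACK"), pkt(SERVER, CLIENT, "ACK", "PSH")]
# An unsolicited inbound packet with ACK set: passes the stateless
# 'established' rule, fails the state table.
SPOOFED_ACK = [pkt(ATTACKER, CLIENT, "ACK")]
# Asymmetric routing: the server's SYN-ACK took a path that bypassed
# this firewall, so the tracker never sees the handshake complete.
ASYMMETRIC = [pkt(CLIENT, SERVER, "SYN"), pkt(CLIENT, SERVER, "ACK"),
              pkt(SERVER, CLIENT, "ACK", "PSH")]

if __name__ == "__main__":
    for name, stream in [("handshake", HANDSHAKE), ("spoofed", SPOOFED_ACK),
                         ("asymmetric", ASYMMETRIC)]:
        print(f"{name:10s} stateless={run(stream, stateless_filter)} "
              f"stateful={run(stream, StatefulFilter())}")
```

The two failure modes fall out directly: the stateless rule admits the spoofed ACK because a flag bit is all it can see, while the stateful tracker, having seen only one direction of the asymmetric connection, denies legitimate traffic. Both outcomes are the limitations listed above, reproduced rather than described.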

Scenarios Where Stateful/Stateless May Be Overkill or Ineffective

  • Highly Encrypted Traffic: Both stateful and stateless inspections have limited visibility into encrypted traffic, reducing their effectiveness.
  • Ultra-High-Speed Networks: In environments where processing speed is critical, the added latency from stateful inspection might be a concern.
  • Static Environments with Minimal Threat Exposure: In networks with minimal exposure to external threats and low variability in traffic, advanced stateful inspection might be more than what is required.

Conclusion

Both stateful and stateless packet inspections have their place in network security, with their effectiveness depending on the specific requirements and characteristics of the network environment. Understanding these methods’ capabilities and limitations allows network security professionals to make informed decisions and optimize their security posture.

Further Reading

For a deeper dive into stateful and stateless packet inspections, consider these resources:

  • “Network Security Essentials” by William Stallings – Offers a comprehensive overview of different network security measures, including packet inspection techniques.
  • “Computer and Network Security Essentials” by Kevin Daimi and Mourad Debbabi – Provides insights into various network security technologies and methodologies.
  • “Firewalls and Internet Security: Repelling the Wily Hacker” by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin – Includes detailed discussions on firewall technologies, including packet inspections.

CyberRatings.org Announces First-of-its-Kind Test on Cloud Network Firewall

AUSTIN, Texas – June 6, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of FortiGate-VM, Fortinet’s virtual network firewall, as part of the first-ever Cloud Network Firewall evaluation. Fortinet received the highest possible rating of ‘AAA’ with Management and Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance all earning ‘AAA’ ratings.

The CyberRatings exploit repository contains exploits that demonstrate a wide range of protocols and applications. Exploit sets for individual tests are selected based on CVSS score (how widely used is an application + what can an attacker do?), use case, and relevance to customers. Fortinet’s Threat Protection was rated excellent, blocking 35 out of 35 evasion techniques, 977 out of 977 exploits, and passing all the stability and reliability tests.

While the firewall market is one of the largest and most mature security technology segments, cloud network firewalls are relatively new. Firewalls have undergone several stages of development, from early packet filtering and circuit relay firewalls to application layer (proxy-based) and dynamic packet filtering firewalls. This latest evolution virtualizes this functionality to provide scalable and elastic policy enforcement in a cloud environment.

“This Cloud Network Firewall test is the first of its kind,” said Vikram Phatak, CEO of CyberRatings.org. “This is a new technology, deployed within a cloud service that by definition is constantly changing, protecting resources that are also deployed within that same cloud service. It is always fun to be the first to test new technologies because we get to learn new things and apply what we have learned,” added Phatak.

“We are extremely proud to have received top marks across all five categories in CyberRatings’ assessment of FortiGate-VM. With cyberattacks more advanced and persistent than ever before, it’s crucial for the safety of people, devices, and data everywhere that cybersecurity products deliver the performance and protection that vendors claim,” said John Maddison, CMO and EVP of Products at Fortinet. “Independent testing from nonprofits like CyberRatings plays a critical role in helping organizations stay ahead of the threat landscape because it offers an unbiased assessment of effective security solutions that meet an evolving set of requirements and aids customers in their decision-making process.”

To read the CyberRatings in-depth report on the various CNFW capabilities offered by Fortinet, go to CyberRatings.org.