Tag: Sophos

2024 Best Practices for Cloud Network Firewall Deployment

Posted on by CyberRatings.org

The security industry is working towards a secure by default configuration. However, when setting up products for the 2024 Cloud Network Firewall group test, we found that not all products are secure by default. We, therefore, documented the changes we made and are publishing them in this guide.

Last year, the Cybersecurity & Infrastructure Security Agency (CISA), along with ten U.S. and international partners, published guidelines for their “Secure by Design, Secure by Default” principle. In their April 2023 publication, they stated the following:

“Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

This guide should be used as a supplement to what the vendors already make available to their customers. Please see the links below to the best practices and guides for each product we tested. We have also provided additional information for three products: Cisco Secure Firewall Threat Defense Virtual, Palo Alto Networks VM-Series, and Amazon Web Services (AWS) Network Firewall.

Cloud Network Firewall Test Topology

The following steps were taken for each firewall:

Deploy the firewall in Amazon Web Services (AWS). For this example, we are using Fortinet:

  1. Review Firewall options and pricing, then Click to Subscribe.

2. Once you have picked your instance type, Continue to Configuration.

3. Review selection and Continue to Launch.

4. Launch the software from the website, or the EC2 dashboard – selected in the drop-down menu.

5. In the EC2 dashboard, define who has access to the firewall, launch Instance.

  • Connect the interfaces required for the topology. This is information that is found in each vendor guide.
  • Register the device to the centralized management system. This is information that is found in each vendor guide.
  • Validation of license/s, which in turn enabled software updates, threat updates, etc. This is information that is found in each vendor guide.
  • Define access policies:
    • Trust to untrust
    • Untrust to trust

  • Define IPS policies:
    • Enable threat signatures, advanced protection, cloud lookup, etc. Each product handles this differently, but this information is in their guides.
  • Upload the required server certs, keys, and CA certs if needed. This is information that is found in each vendor guide.
  • Define TLS decryption policies (1.2 and 1.3). Configure it to decrypt all traffic. We make a few exceptions to test whether the product can bypass decryption based on specific IP addresses or domain name(s). If something cannot be decrypted or is using an older TLS/SSL version and or an insecure cipher then the product is set to block.
  • Link IPS and TLS policies to the overall access policy.
  • Validate configuration:

Make sure you can pass traffic.

Make sure you can block attacks by sending something malicious.

Tune out false positives.

Firewall Configurations

For each firewall listed below, we have included:

  • Link to the AWS page where the firewall can be selected and deployed
  • Link to best practices and additional information

Amazon Web Services (AWS) Network Firewall

Product, best practices, and documentation: https://aws.amazon.com/network-firewall/

Following the best practices resulted in a deployment that was unable to stop any threats in our Cloud Network Firewall testing harness. After consulting AWS, we were instructed to make changes to the policy. The resulting deployment was successful in blocking 5.39%.

The configuration suggested by AWS:

  • No stateless rules

  • No default stateful action

  • Only Alert actions in the unmanaged signatures

This configuration should send all traffic through the inspection engine.

Our configuration that was tested before the conversation with AWS was slightly different. We had a rule for all stateless traffic to be forwarded to the stateful engine. Under the Stateful default actions, we had “Drop established,”“Alert all,” and “Alert established enabled. For rules we had the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:88889;rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”allow-ssm”;flow:established,to_server;sid:8888;rev:1;)
pass tcp any any -> any any (msg:”allow-ssm”;flow:established,to_server;sid:888888;rev:1;)
pass UDP any any -> any any (msg:”allow-udp”;sid:88881;rev:1;)
pass ICMP any any -> any any (msg:”allowing-ourbuddyping”;sid:88882;rev:1;)

Both configurations resulted in the same security block rate of 5.39%.

Barracuda CloudGen Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-nf2s254wcmqfw

Documentation: https://campus.barracuda.com/product/cloudgenfirewall/doc/98209931/overview

Check Point CloudGuard

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-3xp7nph2367yc

Documentation: https://support.checkpoint.com

Cisco Secure Firewall Threat Defense Virtual

Follow their instructions; the product requires special configuration. See below.

We followed the best practices for deploying Cisco Secure Firewall Threat Defense Virtual including updating the software from 7.2.0 to 7.2.5-208 and then to 7.3.0-69.

We also registered the Cisco Secure Firewall Threat Defense into the Cisco Secure Firewall Management Center (FMC). We enabled TLS 1.2 and 1.3 following Cisco’s instructions. This included updating from Snort v2 to Snort v3, which is required to enable TLS 1.3—as per Cisco: “You must be using Snort 3 to match TLS 1.3 connections.” See https://www.cisco.com/c/en/us/td/docs/security/firepower/730/fdm/fptd-fdm-config-guide-730/fptd-fdm-ssl-decryption.html for more details.


After deploying the firewall following their best practices, we were able to verify that TLS 1.2 was decrypting properly, as seen in this screenshot:

Even though we followed the instructions provided by Cisco to enable TLS 1.3, the Cisco Firewall failed to decrypt TLS 1.3 and the logs issued an “SSL_Version_Not_Supported” error, as seen in this screenshot:

Unless you look at the logs, the user interface does not indicate that TLS 1.3 is not being appropriately As shown in the above screenshots. you can check a box that is supposed to turn on TLS 1.3 support, but it does not turn it on. Moreover, while Cisco says TLS 1.3 is on, and when TLS 1.3 traffic is sent across the Cisco cloud firewall, the logs clearly state that the TLS/Cipher suites are not supported and do not decrypt the data. In addition, Cisco does not support the CHACHA20 cipher suites despite claiming otherwise.

Forcepoint NGFW

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-svzncd5l73lu2

Documentation: https://help.forcepoint.com/ngfw/en-us/7.0.4/index.html

Fortinet FortiGate-VM

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-wory773oau6wq

Documentation: https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/954635/getting-started

Juniper Networks vSRX

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-z7jcugjx442hw

Documentation: https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-consolidated-deployment-guide.pdf

Palo Alto Networks VM-Series Next-Generation Firewall w/ Advanced Threat Prevention

Follow their instructions; the product requires special configuration. See below.

Evasion defenses are not enabled by default. Please follow the instructions below. These are a combination of their best practices guide as well as additional instructions per the Palo Alto Engineers we worked with.

Product page: https://aws.amazon.com/marketplace/pp/prodview-mn63yjbq37n4c

Documentation: https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices/security-policy-best-practices

Next, you will have to follow the detailed instructions as documented by Palo Alto Networks: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions

After following those instructions, then issue the following commands in the command line interface (CLI).

To do this:

  • Enable SSH on the device.
  • Log in to the device with your admin credentials.
  • Run the following commands:

Set system setting ctd block-on-base64-decode-error enable
set system setting ctd block-on-bdat-chunk-decode-error enable
set system setting ctd block-on-chunk-decode-error enable
set system setting ctd block-on-qp-decode-error enable
set system setting ctd block-on-utf-decode-error enable
set system setting ctd block-on-uu-decode-error enable
set system setting ctd block-on-zip-decode-error enable

set deviceconfig setting session resource-limit-behavior bypass

request plugins vm_series set-cores dp-cores 3

While the below configuration change will not improve your evasion protection, it may improve your performance. If you are worried about client-side attacks, do not make this change!

Disable Server Response Inspection (DSRI) – see screenshot below.

To Enable or disable DSRI:

  1. Go to Policies>Security>untrust-to-trust>Action.
  2. Check the “Other Settings “section for the DSRI option.
  3. Select the checkbox to enable.
  4. Unselect the checkbox to disable.

We have been informed that an upcoming version of the Palo Alto OS will enable these evasions by default.

Sophos Firewall

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-ga4qvij427bvw

Documentation: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/index.html

Versa Networks NGFW

Follow their instructions; the product doesn’t require any special configuration.

Unlike the other products in this guide, Versa only offers a bring-your-own license (BOYL). This means products can be deployed using Versa Director (their central management system) or through EC2 on AWS.

Product page: https://aws.amazon.com/marketplace/pp/prodview-egtkta2usoxfa

Documentation: https://academy.versa-networks.com/versa-academy-library/

Documentation: https://docs.versa-networks.com

WatchGuard Firebox Cloud

Follow their instructions; the product doesn’t require any special configuration.

Product page: https://aws.amazon.com/marketplace/pp/prodview-5qg2dngtf3fgu

Documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/_intro/home.html

Exploring the Landscape of Cloud Network Firewalls Available on AWS

Posted on by CyberRatings.org

Today we focus on the diverse array of Cloud Network Firewalls available on Amazon Web Services (AWS). This comprehensive overview aims to inform IT professionals, network administrators, security analysts, and cybersecurity enthusiasts about the various firewall options on AWS, beyond just AWS’s native offerings.

Cloud Network Firewalls on AWS: A Broad Spectrum

AWS hosts a range of third-party cloud network firewalls, each offering unique features and capabilities tailored to different organizational needs. Here’s a rundown of some key players:

  1. Arista Networks Cloud Network Firewall
    Arista Networks provides a cloud network firewall offering for AWS environments, with a focus on traffic management and security. Its features include firewall capabilities, detailed traffic inspection, and policy enforcement tools. The offering is designed for compatibility with complex network architectures, providing various deployment options to meet diverse cloud security requirements.
  2. Barracuda CloudGen Firewall
    The Barracuda CloudGen Firewall, designed for AWS, offers security for cloud-connected networks. Its features encompass threat protection, VPN connectivity, and application-based traffic management. The firewall is developed to adapt to the evolving requirements of cloud infrastructures and includes centralized management for administration across distributed network setups.
  3. Check Point CloudGuard
    Check Point CloudGuard is a network security offering for AWS, including features like intrusion prevention, identity awareness, and anti-bot technology. It is designed for AWS service integration, aiming to protect cloud assets. CloudGuard supports auto-scaling to adapt its security measures in response to network traffic variations. This offering is intended for cloud environments, providing capabilities for managing security policies and handling network traffic.
  4. Cisco Cloud Network Firewall
    Known for its firepower series and ASA (Adaptive Security Appliances), Cisco offers a cloud network firewall tailored for AWS environments, equipped with features to manage network traffic and enforce security policies. This offering includes capabilities for inspecting and controlling traffic flow, as well as implementing security rules across cloud deployments. Designed to integrate with AWS, Cisco’s firewall aims to provide network security management suited to various cloud infrastructure requirements.
  5. Forcepoint Cloud Network Firewall
    Forcepoint’s cloud network firewall for AWS offers capabilities like SD-WAN integration and centralized management to safeguard network perimeters in cloud environments. The Forcepoint offering is structured to provide security management for cloud-based networks. It incorporates features for monitoring network activities and implementing security protocols to address potential threats.
  6. Fortinet FortiGate-VM: The Fortinet FortiGate-VM is a virtual firewall solution tailored for AWS environments, providing a range of network security capabilities. It offers features such as intrusion prevention, web filtering, and SSL inspection, aimed at safeguarding virtualized and cloud infrastructures. Key aspects include its ability to scale dynamically with AWS workloads, integration with AWS services for enhanced management and monitoring, and support for centralized control through Fortinet’s FortiManager. FortiGate-VM is designed to address various security requirements for AWS deployments, from basic VPC protection to advanced threat prevention, catering to diverse network architectures and compliance needs. As with any cloud network firewall solution, its effectiveness and suitability can vary based on specific organizational requirements and network configurations.
  7. Hillstone Networks: Focused on visibility and control, Hillstone offers advanced features for threat detection and mitigation. The offering includes capabilities for inspecting network activities and enforcing relevant security measures. Hillstone’s firewall is developed to support the security needs of cloud deployments, providing functionalities that facilitate the management of network traffic and the implementation of security policies in cloud environments.
  8. Juniper Networks vSRX Cloud Network Firewall
    Juniper Networks offers the vSRX Cloud Network Firewall for AWS, providing network traffic management and policy enforcement. This firewall includes features for monitoring network activities and implementing security protocols. The vSRX offering is designed for AWS environments, aiming to address various network security management needs in cloud infrastructures.
  9. Palo Alto Networks VM-Series
    The VM-Series from Palo Alto Networks is a cloud network firewall available on AWS, focusing on network traffic security and policy management. It offers features for inspecting network traffic and applying security rules. The VM-Series is developed to integrate with AWS, providing network security capabilities for different cloud deployment scenarios.
  10. Sophos UTM and XG Firewalls
    Sophos offers the UTM and XG Firewalls for AWS environments, delivering features to manage network security and traffic. These firewalls include tools for network activity monitoring and security protocol enforcement. Both the UTM and XG Firewalls by Sophos are structured to support security management in cloud-based networks, with functionalities aimed at maintaining network integrity and implementing necessary security measures.
  11. Versa Networks Cloud Network Firewall
    Versa Networks specializes in next-generation firewall capabilities integrated with SD-WAN, suitable for enterprises looking for a combination of security and network optimization. Its cloud network firewall solution for AWS is equipped to handle network security and traffic control. Versa Networks’ firewall is tailored for AWS cloud environments, focusing on meeting diverse network security management requirements in cloud infrastructures.

Choosing the Right Cloud Network Firewall on AWS

Selecting the right cloud network firewall on AWS depends on specific security requirements, scalability needs, and integration capabilities. Factors to consider include:

  • Security Features: Assess the firewall’s capability to protect against the specific threats your organization faces.
  • Performance and Scalability: Ensure the firewall can handle your current and projected traffic volumes without compromising performance.
  • Integration with AWS Services: Look for firewalls that offer seamless integration with other AWS services for streamlined security management.
  • Cost: Consider both upfront and ongoing costs associated with each firewall solution.

Conclusion

The choice of a cloud network firewall on AWS should be guided by your organization’s unique security, performance, and budgetary requirements. Each of the mentioned firewalls brings distinct advantages and specialties to the table, catering to a wide range of cloud-based security needs.

Stay tuned for our Cloud Network Firewall test results coming in March.

CyberRatings.org Announces Results from First-of-its-Kind Comparative Test on Cloud Network Firewall

Posted on by CyberRatings.org

AUSTIN, Texas – December 1, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its first-ever Cloud Network Firewall comparative evaluation. Forcepoint, Fortinet and Juniper’s test reports were published earlier in the year, all with ‘AAA’ ratings. In this latest release of test reports, Check Point and Versa Networks received a ‘AAA’ rating. Palo Alto Networks received an ‘AA,’ Sophos an ‘A,’ and Cisco ‘CC.’

The test covered capabilities considered essential in a firewall including basic routing, access control, SSL / TLS decryption, threat prevention (exploits), evasion, performance, stability and reliability, and management. Amazon Web Services (AWS) was the public cloud service chosen to run the test. Ratings were calculated using a scale from 0 to 800.

Key Findings include:

  • Cloud services assume a shared security model, where cloud providers are responsible for the infrastructure and customers are responsible for securing the applications running on the infrastructure.
  • Roughly 80% of web traffic is encrypted and firewall decryption is not on by default: Firewalls will not see/block attacks delivered via (encrypted) HTTPS unless configured to do so.
  • Security vendors are used to controlling the platform on which their products are installed. In the cloud, they do not have that control; vendors are learning how to operate under these new conditions and there will be challenges.
  • Supply Chain attacks are on the rise. Using the cloud means relying on third parties to maintain software supply chain integrity. APIs, code reuse, open-source libraries, not maintained code, and other shared resources introduce unknown risks.

Security effectiveness scores ranged from 27% to 100%. The security effectiveness tests verified how effectively the firewall protected control network access, applications, and users while preventing threats (exploits and evasions), blocking malicious traffic while under extended load, and remaining resistant to false positives. Exploit block rates ranged from 88.3% to 100%. All products achieved 100% for resistance to evasion techniques.

“Security is your problem, not Amazon’s,” said Vikram Phatak, CEO of CyberRatings.org. “If you are migrating your data center to the cloud, create a plan for securing it,” Phatak added. “And if you needed a firewall for your data center, you probably need one for your cloud deployment.”

There are different ways consumers can purchase security products for the cloud. The individual test reports reflect the bring-your-own-license model while the comparative report illustrates the pay-as-you-go pricing. Both pricing models provide consumers with options to compare pricing on items important to their own organizations.

Endpoint Protection / Anti-Virus Products Tested for Malware Protection

Posted on by CyberRatings.org

AUSTIN, Texas – August 25, 2022 – CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has published results of its Q2 2022 Endpoint Protection Comparative Test.

Focused on endpoint products that feature anti-virus protection, the products tested were Avast Free Antivirus, AVG AntiVirus Free, ESET Internet Security, McAfee Total Protection, Norton 360, Microsoft Defender, Sophos Home Premium and Trend Micro Maximum Security.

“The bad guys are getting bolder and malware / ransomware campaigns continue to get more sophisticated,” said Vikram Phatak, CEO of CyberRatings.org. “Most infections occur in the first few hours after a new campaign is launched. The time it takes for a security product to block the attack matters a lot,” adds Phatak. “That is why we tested not only how much malware a product blocks, but how quickly it blocks an attack.”

Over 40,000 live tests were performed on each product, providing a ±0.49% margin of error. Trend Micro Maximum Security offered the most protection, blocking 97.97% of malware. Sophos Home Premium provided the second-highest protection, blocking 97.47%, followed by Microsoft Defender at 97.13%. Sophos was the quickest to add protection for previously unblocked malware, closely followed by Trend Micro.

With more businesses embracing remote work, a user’s protection is likely limited to the web browser and their endpoint protection product. Therefore, it’s important to be informed about which products are performing as advertised.

The Comparative Test Reports provide metrics for products blocking malware over time, average time a product added protection and average time it took a product to add protection.

The test was funded by CyberRatings.org and no vendor paid to be in or out of the test. As a service to the community, CyberRatings.org is providing these reports for free.

The following endpoint protection / anti-virus products were tested:

  • Avast Free Antivirus – v22.4.6011 (build 22.4.7175.725)
  • AVG AntiVirus Free – v22.4.3231 (build 22.4.7175.725)
  • ESET Internet Security – v15.1.12.0
  • McAfee Total Protection – v16.0 R46
  • Norton 360 (latest updates)
  • Sophos Home Premium – v4.1.0
  • Trend Micro Maximum Security – v17.7.1243
  • Windows Defender – Antimalware Client v4.18.2203.5