Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Advanced Network Protection with McAfee Next Generation Firewall Copyright SANS Institute Author Retains Full Rights


A SANS Product Review, written by Dave Shackleford

June 2014

Sponsored by McAfee, part of Intel Security

Advanced Network Protection with McAfee Next Generation Firewall

©2014 SANS™ Institute

Introduction

Attacks today incorporate increasingly sophisticated methods of social engineering and client-side software manipulation to exfiltrate data without detection. Some attackers leverage so-called spearphishing to entice employees to give up access information and spread their attacks to other enterprise systems; others use password crackers against compromised applications in order to gain further access rights to the network. The attackers might also set up channels for command and control communications with the compromised systems, as in the case of the Zeus or SpyEye bot infections.

New types of network detection and prevention—with the ability to inspect complex network traffic and correlate its results with additional information, such as user IDs and system names—must replace traditional firewalls. Such technologies enable deeper investigation of network attacks and help analysts distinguish those from benign anomalies.

These enhanced or “next-generation” firewalls may be able to completely replace other network protection systems such as IPS or traditional firewalls, although not in every case. The first major feature consideration for such systems is application inspection and identification. Conventional firewalls focus primarily on Layer 4 ports (e.g., ICMP, TCP and UDP), with some additional inspection of Layer 7 (applications), but next-generation firewalls go further, performing deeper analysis of traffic and looking for unusual protocol specifications and behavior.

Another core feature for any next-generation firewall is the ability to track application traffic (particularly traffic identified as being potentially malicious or suspicious in nature) to specific users and systems within the environment. In order to do this, a next-generation firewall needs to integrate natively with user directory services such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP).

We had the opportunity to review McAfee Next Generation Firewall (McAfee NGFW) to see if it stands up to advanced threats and meets these requirements. We found McAfee NGFW’s interface easy to access and use and its policies simple to create and push to devices. The VPN capabilities worked as advertised, and the ability to create simple rules that automatically create VPN tunnels can help organizations protect data in transit. Its availability and redundancy features were easy to configure and functioned properly, and McAfee NGFW caught the advanced evasion techniques we threw at it, demonstrating a sophisticated application and protocol assembly and interpretation engine that will certainly help organizations defend against advanced attacks in their networks.

SANS ANALYST PROGRAM1

Advanced Features: McAfee Next Generation Firewall

In this review, McAfee Next Generation Firewall (McAfee NGFW) met the demands for next-generation firewall features, including:

- It was simple to add a new firewall node and remotely push policies to the devices.

- The integrated VPN features let us easily examine rules, such as a client-to-site VPN rule, test the connectivity and evaluate a site-to-site VPN connection.

- We evaluated these critical features for advanced, high-capacity firewalls by looking at McAfee NGFW’s clustering configuration options. We tested the functionality of a firewall cluster and then built a simulated WAN connection with redundant ISP links to test a larger-scale deployment with multiple sites and distributed WAN connectivity; in both cases, failover happened seamlessly.

- Most importantly, when we evaluated the platform’s Advanced Evasion Technique (AET) protection, it was able to stop sophisticated attacks even when we modified traffic and attack payloads to mimic their attempts to avoid detection.


Ease of Use and Policy Management


The first use cases we evaluated with McAfee NGFW focused on basic functionality and operational simplicity.

Adding New Firewalls to Manage

To see how easy it was to use, we started with McAfee Security Management Center (SMC), which runs on Linux or Windows clients and provides a “single pane of glass” view that reduces the amount of resources needed to configure and manage firewalls. Once in the GUI, we simply right-clicked the firewall category and added a “single firewall” object, as shown in Figure 1.

A new window opened, in which we were able to enter information about the new device. As shown in Figure 2, we used SANS-Test as its host name.

Simplicity such as this provides real advantages to IT security teams who are strapped for resources and need a better way to add, change and configure firewalls from a central location.


Figure 1. Adding a Firewall Object in Security Management Center

Figure 2. Initial Device Configuration


Network Interface Configuration

Adding network interface configuration details to our firewall object was also simple. We configured two interfaces (Interface 0 for unprotected WAN traffic and secure, in-band management traffic, and Interface 1 for protected LAN traffic), as shown in Figure 3.

We then configured the device’s basic functions via its command line interface (CLI), which we accessed via Telnet. Other options involve a direct connection through the device’s serial interface, booting from a USB drive or using an innovative “plug and play” option. The latter uses a secure cloud service operated by McAfee to download and install the device’s initial configuration and enables secure communication between the McAfee NGFW and SMC. McAfee NGFW receives its final configuration and associated policies without any hands-on interaction required. This process can reduce setup time to a few minutes of a non-expert user’s day.


Figure 3. McAfee NGFW Network Interface Configuration

McAfee’s “plug and play” configuration option uses a secure cloud service to configure and set up the device without any hands-on interaction required.


A simple menu-driven CLI wizard enabled us to configure the local device settings and then link the device to the placeholder object in SMC. One of the CLI wizard screens, for a single-device firewall with the host name SANS-SingleNode, is shown in Figure 4.

Once we had linked a device to the corresponding object in SMC, we did all further work through the GUI.

Adding Firewall Policies

Through SMC, security analysts can create and reuse firewall policy templates for efficiency and simplicity. After completing the wizard and adding the new firewall into SMC, we uploaded a policy to the new device to block users from going to specific websites. In this case, we configured the rule to drop all traffic destined for Amazon.com, Box.net and Facebook. McAfee had already created a default policy template for our testbed, called NGFW_SingleNode. We pushed that policy, shown in Figure 5 with the ID of 15.1, to the device.


Figure 4. CLI Wizard for New Device Setup

Figure 5. Initial Policy Blocking Specific Site Access


Once the rule was applied, we did a simple test to see if it was working. We logged in to a test client workstation via Remote Desktop Protocol (RDP) and used its web browser to access a number of sites such as Amazon, Google and MSN; the last two were allowed, but access to Amazon was blocked. We confirmed this in the real-time logs in SMC. Figure 6 illustrates that the Amazon service and all other sites appearing in the red rows are blocked traffic.

In the next use case, we wanted to explicitly block access to a certain internal subnet from user bsmith (predefined in Active Directory by McAfee during the testbed setup). Using the SMC policy editor shown in Figure 7, we easily added the rule to the policy.


Figure 6. Blocked Access to Amazon.com

Figure 7. Adding a Policy Rule


The rule we created had the ID of 15.2 and blocked any HTTP traffic from user bsmith with a destination of a specified network subnet. The final rule set is shown in Figure 8.

Testing this use case was simple: We used RDP to log in to a test workstation as several different users. First, we logged in as user Lisa Dataleak (ldataleak) and successfully accessed a website at IP address 70.100.100.150. We then logged out, logged back in as user bsmith and attempted to access the same IIS site; this failed. The log from SMC is shown in Figure 9.


Figure 8. New NGFW Policy Rule in Place

Figure 9. User bsmith Blocked


Investigating a New Firewall Event

We found troubleshooting easy to accomplish with the help of SMC’s view of log events, which enables drilling down into events to obtain detailed information such as the rule triggering the event. To begin our investigation of the firewall event, we drilled into the details of the event, which provided a simple visual representation of what happened, along with all the different fields in the generated event (shown in Figure 10).

We found it simple to add the McAfee NGFW to SMC. Creating some basic rules was fast and easy, as well. The rules worked perfectly, blocking traffic based on user IDs, IP addresses and URLs.


Figure 10. Detailed Event View

VPN Policies and Access Management

The next use cases we reviewed focused on VPN policies and access control. McAfee’s VPN capabilities are part of McAfee NGFW’s included feature set and include the ability to have an augmented VPN—which combines multiple VPNs into one logical VPN—with IPsec. Configuring the VPN is a simple process; one first creates a gateway in SMC, drags and drops remote sites (e.g., a branch office) to add to the configuration and, finally, deploys the updated configuration.

In the first example, we established a client VPN connection to the firewall. We entered credentials into the VPN client for user bsmith. Figure 11 shows the status of the VPN authentication process.


Figure 11. Starting the VPN Client Authentication Process


Simultaneously, we monitored the McAfee NGFW logs in SMC to see the IPSec authentication process, shown in Figure 12 by the white rows of the table.

The policy rule in place for this use case explicitly forbids the use of RDP to a specific network zone by user bsmith while on a VPN connection, as shown in Figure 13.

We tested this rule by logging into a client workstation as user bsmith, and then attempting to RDP to 30.100.3.110. The connection failed, as demonstrated in NGFW logs (see Figure 14).

We then disconnected the VPN client as bsmith, logged in again as user ldataleak and successfully initiated an RDP connection to 30.100.3.110.

For the second VPN scenario, we tested a site-to-site VPN connection with NGFW rules in place to allow file transfers with FTP. First, we logged in to a desktop system as the user bsmith, then used WinSCP to log in to the host 30.100.3.110 using the FTP protocol. While the connection was occurring, we viewed the logs in SMC, as shown in Figure 15.


Figure 12. VPN IPSec Authentication

Figure 13. RDP Discard Rule

Figure 14. RDP Connection Discarded for bsmith

Figure 15. FTP Events for bsmith


We right-clicked on the events shown and selected View Rule; this displayed a rule enforcing a site-to-site VPN connection between the internal network and the “branch” range (defined elsewhere in SMC), as shown in Figure 16.

This rule allowed any services between the specified source and destination, as long as a site-to-site VPN was in place. More detail on the events generated with the FTP transfer is shown in Figure 17.

We found the process of setting up both client-to-site and site-to-site VPN connections to be quick and simple, while generating rules in the McAfee NGFW platform that leveraged VPN connectivity (or behaved in specific fashions depending on connection state) was also easy. Such rules are invaluable for organizations looking to ensure connection security before certain types of communication are allowed.
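The rules exercised in this section and in the policy section before it (rule 15.1 dropping traffic to named sites, rule 15.2 blocking HTTP from bsmith to a subnet, the RDP discard for bsmith while on VPN, and the site-to-site rule that allows any service only while the VPN is up) all share one evaluation model: an ordered rule set matched top-down on user, destination, service and connection state, where the first match decides. The following added example (not SMC’s rule engine or its policy format) implements that model. The rule IDs, user names and the hosts 70.100.100.150 and 30.100.3.110 are taken from the review; the subnets, the rule data structure and the default-discard fallback are assumptions made for the example.

```python
"""First-match firewall policy evaluation (added example; not McAfee SMC's
engine or policy format). Rule IDs, user names and host addresses come from
the review; the subnets, rule structure and default-discard are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Connection:
    user: str
    dst: str                 # destination IP address or site name
    service: str             # "http", "https", "rdp", "ftp", ...
    via_vpn: bool = False    # True when the connection arrives through an established VPN


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                                # "allow" or "discard"
    users: Optional[FrozenSet[str]] = None     # None = any user
    dsts: Optional[Tuple[str, ...]] = None     # site names or CIDRs; None = any
    services: Optional[FrozenSet[str]] = None  # None = any service
    require_vpn: Optional[bool] = None         # None = ignore connection state

    def matches(self, c: Connection) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        if self.users is not None and c.user not in self.users:
            return False
        if self.services is not None and c.service not in self.services:
            return False
        if self.require_vpn is not None and c.via_vpn != self.require_vpn:
            return False
        if self.dsts is not None and not any(_dst_match(d, c.dst) for d in self.dsts):
            return False
        return True


def _dst_match(pattern: str, dst: str) -> bool:
    """CIDR membership when both sides parse as addresses, otherwise name equality."""
    try:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == dst.lower()


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Walk the ordered policy; the first matching rule decides.
    Anything unmatched falls through to an implicit discard (assumed default)."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action, rule.rule_id
    return "discard", "default"


IIS_SUBNET = "70.100.100.0/24"    # constructed: the review names only the host
BRANCH_RANGE = "30.100.3.0/24"    # constructed stand-in for the SMC "branch" range

POLICY = [
    Rule("15.1", "discard", dsts=("Amazon.com", "Box.net", "Facebook")),
    Rule("15.2", "discard", users=frozenset({"bsmith"}),
         dsts=(IIS_SUBNET,), services=frozenset({"http"})),
    Rule("vpn-rdp", "discard", users=frozenset({"bsmith"}),
         services=frozenset({"rdp"}), require_vpn=True),
    Rule("site-to-site", "allow", dsts=(BRANCH_RANGE,), require_vpn=True),
    Rule("web", "allow", services=frozenset({"http", "https"})),
]


def misordered_policy() -> List[Rule]:
    """Same rules with the broad web allow moved to the top: shows why order matters."""
    return [POLICY[-1]] + POLICY[:-1]


if __name__ == "__main__":
    print(evaluate(POLICY, Connection("ldataleak", "70.100.100.150", "http")))           # ('allow', 'web')
    print(evaluate(POLICY, Connection("bsmith", "70.100.100.150", "http")))              # ('discard', '15.2')
    print(evaluate(POLICY, Connection("bsmith", "30.100.3.110", "rdp", via_vpn=True)))   # ('discard', 'vpn-rdp')
    print(evaluate(misordered_policy(), Connection("bsmith", "70.100.100.150", "http"))) # ('allow', 'web')
```

The last call is the check worth keeping in mind when editing a policy in any first-match engine: a broad allow placed above a narrower discard silently neutralizes the discard, so new user- or state-specific restrictions belong above the general access rules, as 15.2 sits above the web rule here.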


Figure 16. Site-to-Site VPN Rule

Figure 17. Site-to-Site VPN Connection Event Details

Availability and Redundancy Settings and Options

The next category of configuration options we tested centered on availability. Given that the McAfee NGFW may replace existing firewall and network platforms, it must be highly available and operate seamlessly in a load-balanced and clustered configuration. The native clustering features of McAfee NGFW replace external load balancers, simplifying network design and making troubleshooting simpler than before.

A McAfee NGFW cluster supports up to 16 physical devices and provides native, on-the-box load balancing of the network traffic. Another convenient feature of McAfee’s clustering technology is its ability to support a mixed physical and code environment, which enables an organization to perform upgrades in either sphere without taking down the cluster.

The first use case we walked through was adding a new node to an existing cluster, a straightforward process in SMC. First, we right-clicked on the icon for our firewall cluster (which McAfee had set up for our testing with two nodes) and selected Add Node; in the pop-up window, we noted the new node’s “One Time Generated Password,” outlined in red in Figure 18.


Figure 18. New Cluster Node with One-Time Password

McAfee NGFW’s native clustering features simplify network design and make troubleshooting simple.


Then we used the CLI wizard to connect the new node to SMC; the step where we finalized the connection and entered the one-time password is shown in Figure 19.

After refreshing the new node’s policy in SMC, the third cluster node connected successfully, as denoted by its green icon in Figure 20.


Figure 19. Finalizing Connectivity to SMC

Figure 20. Completed Firewall Cluster


To test the availability aspects of the cluster, we took one of the nodes offline (in this case, node 2) as a simulated node failure or maintenance outage. This process is shown in Figure 21.

Using the bsmith account, we browsed to several YouTube videos and started them from a workstation. The traffic continued in this configuration (nodes 1 and 3 online, and node 2 offline) without fail. We then took node 1 offline and the traffic continued through node 3 (the remaining node), as shown by the HTTP events in Figure 22.


Figure 21. Taking a Cluster Node Offline

Figure 22. Cluster Node 3 Passing YouTube Traffic


Our second use case for availability focused on McAfee NGFW’s “Multi-Link” feature, which adds redundancy and provides quality of service (QoS) and bandwidth aggregation capabilities for more efficient traffic management.

We created a simple Multi-Link using two ISP connections defined by McAfee in the test environment, as shown in Figure 23.

We then added a network address translation (NAT) rule to our firewall cluster, directing it to use the Multi-Link, as shown in Figure 24.


Figure 23. New Multi-Link Connection

Figure 24. New Multi-Link NAT Rule


Once the Multi-Link was established and online, we took one of its ISP connections down manually, as shown in Figure 25.

With the same bsmith account, we verified that YouTube videos continued playing seamlessly when the link was disabled, confirming immediate failover, as we had seen earlier when we took two out of three firewall nodes offline.

Redundancy and availability are critical aspects of any firewall deployment, and ensuring uninterrupted connectivity for users and systems is paramount. McAfee NGFW makes the creation of redundant clusters and multi-links for ISP connectivity very easy and manageable. We also verified that all traffic flowed without interruption, even when cluster nodes and links were forced offline.


Figure 25. Disabling One ISP Connection in a Multi-Link

Packet Inspection and Reassembly with AET

McAfee NGFW’s AET (Advanced Evasion Technique) protection includes a number of built-in packet reassembly and inspection techniques that can detect and prevent attacks that disguise their traffic via multiple techniques such as these:

- TCP timestamp (PAWS) manipulation.¹ In addition, attackers can randomize the payload data with tools that leverage these extensions. The NGFW platform can easily reverse this process, taking advantage of the same tcp_paws libraries that attackers use.

- IPv4 fragmentation. This technique bypasses the signature matching used by most IPS and firewall platforms, but McAfee NGFW can reconstruct unusual, nonstandard fragmented packets for analysis with the same ipv4_frag libraries that attackers use.

- Big-endian encoding of Microsoft RPC traffic. This places the highest (most significant) byte of a packet first, instead of last (the normal order), confusing the firewall or IPS into thinking the packets are benign because they don’t match any entries in the signature database for malicious programs. McAfee NGFW uses the Microsoft RPC big-endian libraries to analyze this type of traffic and foil this attack.
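To make the fragmentation point concrete, here is an added example (not code from the review, from McAfee NGFW or from the Evader tool) of why matching signatures fragment by fragment fails and why reassembling the datagram before inspection recovers the detection. The fragments, the marker string used as a stand-in for an IPS signature, and the “first fragment wins” overlap policy are constructed assumptions; real host stacks differ in how they resolve overlapping fragments, which is exactly what overlap-based evasions exploit, so a normalizing firewall has to reassemble the way the protected host would.

```python
"""IPv4 fragment reassembly before signature matching (added example).

Constructed for illustration: the fragments, the marker string standing in
for an IPS signature, and the first-wins overlap policy are all assumptions,
not code or data from the SANS review, McAfee NGFW or the Evader tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for an IPS signature; not a real detection pattern.
SIGNATURE = b"TEST-PATTERN-DO-NOT-PASS"


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification field, shared by all pieces of one datagram
    offset: int     # payload offset in bytes (the IP header stores offset / 8)
    more: bool      # MF flag: True unless this is the final fragment
    payload: bytes


def inspect_fragments_naively(frags: List[Fragment]) -> bool:
    """Match each fragment on its own, as a device does when it never reassembles.
    Any pattern longer than a fragment, or split at a fragment boundary, is missed."""
    return any(SIGNATURE in f.payload for f in frags)


class Reassembler:
    """Collect fragments per Identification value and rebuild the datagram.

    Overlaps are resolved 'first fragment wins' (assumed policy). Host stacks
    differ here, so a normalizing firewall must apply the policy of the host it
    protects rather than an arbitrary one of its own.
    """

    def __init__(self) -> None:
        self.pending: Dict[int, List[Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Store a fragment; return the full datagram once no holes remain."""
        self.pending.setdefault(frag.ident, []).append(frag)
        return self._try_complete(frag.ident)

    def _try_complete(self, ident: int) -> Optional[bytes]:
        frags = self.pending[ident]
        finals = [f for f in frags if not f.more]
        if not finals:
            return None                      # final fragment not seen yet
        total = finals[0].offset + len(finals[0].payload)
        buf, covered = bytearray(total), bytearray(total)
        for f in frags:                      # arrival order => first wins on overlap
            for i, byte in enumerate(f.payload):
                pos = f.offset + i
                if pos < total and not covered[pos]:
                    buf[pos], covered[pos] = byte, 1
        if not all(covered):
            return None                      # a hole remains; keep waiting
        del self.pending[ident]
        return bytes(buf)


def inspect_with_reassembly(frags: List[Fragment]) -> bool:
    """Normalize first, then match the signature against the rebuilt datagram."""
    reassembler = Reassembler()
    for f in frags:
        datagram = reassembler.add(f)
        if datagram is not None and SIGNATURE in datagram:
            return True
    return False


def constructed_evasive_fragments() -> List[Fragment]:
    """Constructed sample: a request carrying the marker, cut into 8-byte
    fragments (no single piece holds the whole pattern) and delivered in
    reverse order."""
    payload = b"GET /x?" + SIGNATURE + b" HTTP/1.0\r\n"
    chunks = [payload[i:i + 8] for i in range(0, len(payload), 8)]
    frags = [Fragment(0x1234, i * 8, i < len(chunks) - 1, c)
             for i, c in enumerate(chunks)]
    frags.reverse()
    return frags


if __name__ == "__main__":
    sample = constructed_evasive_fragments()
    print("naive per-fragment match:", inspect_fragments_naively(sample))   # False
    print("match after reassembly: ", inspect_with_reassembly(sample))      # True
```

The reassembler also shows the overlap edge case the review alludes to with “unusual, nonstandard fragmented packets”: two fragments claiming the same offset with different bytes are resolved here by arrival order, and a firewall that picks a different policy from the destination host will inspect a different datagram than the one the host actually processes.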

For our test, we used the publicly available McAfee Evader attack simulator, which can generate well-known exploits (similar to those from Metasploit and other attack frameworks) to attack systems and test the efficacy of defense systems.²


¹ PAWS is described in IETF RFC 1323, www.ietf.org/rfc/rfc1323.txt

² http://evader.mcafee.com


We tested a number of well-known attacks that modern defense systems should always catch, such as exploits attacking unpatched Windows systems missing the MS08-067 patch. The Evader system configuration is shown in Figure 26.

The tool was targeting a Windows XP SP2 desktop system in our test environment, one that we knew to be susceptible to all the attacks preloaded into Evader. All attacks were going through a single-device firewall; the Windows Calculator application would open upon successful exploit of the XP desktop’s vulnerability.


Figure 26. Evader Target Configuration


For this test, we attempted three different exploits with IPv4 fragmentation, big-endian encoding, TCP timestamp and other evasions. When we ran these through the firewall cluster, McAfee NGFW decoded and normalized the traffic, performing a horizontal data stream analysis that examined all the protocol layers and detected all of the exploits hidden in the protocol layers; meanwhile, our target remained untouched. Logs of the attempts displayed in SMC are shown in Figure 27.

In this screenshot, all the red events are blocked attack traffic that correspond to the attacks we generated using the Evader tool. The green events are unrelated. McAfee NGFW handled all the protocol anomaly detection and packet inspection automatically in software—so we did not need to spend any time configuring protocol handlers to see accurate detection and prevention actions successfully taken.


Figure 27. Evasion Techniques Successfully Detected

Conclusion

After testing the various configuration options and features of McAfee Next Generation Firewall, we declared that the system works as advertised in all categories. Through McAfee Security Management Center, all functions were readily available and easy to find. We successfully added a new node to a firewall cluster, pushed a policy to the device and tested that the policy was functioning properly. Then, we created a new policy that restricted traffic from a specific user and tested this successfully as well.

McAfee NGFW’s VPN capabilities were simple to configure and evaluate. We created and tested client-based and site-to-site VPN policies. Both successfully enforced policies based on a variety of conditions over a VPN connection.

Availability features such as clustering and multiple WAN links were easy to configure. When tested, both worked with various components disabled, and we never experienced a disruption in traffic passing through the devices.

Finally, McAfee NGFW’s advanced evasion detection capabilities worked as expected. We sent a number of well-known exploits through the firewall cluster, using several different protocol and application evasion tactics, and it caught all of them.

In short, McAfee NGFW was simple to configure and offered powerful firewalling and threat detection capabilities, while providing highly available and redundant connectivity and sophisticated, policy-based connection security.


About the Author

Dave Shackleford is the founder and principal consultant with Voodoo Security, a SANS analyst, instructor and course author, and a GIAC technical director. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft and CTO for the Center for Internet Security. Dave is the author of the Sybex book Virtualization Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank this paper’s sponsor: McAfee, part of Intel Security


Last Updated: December 29th, 2014
