Archive | WatchGuard Products

Exciting Blog Changes Just Around the Corner

I am excited to announce the upcoming launch of our redesigned and refreshed blog.

Over the past six years, WatchGuard Security Center has provided IT professionals with breaking news and analysis about the most important information security (InfoSec) issues. Our mission has always been to distill the often complex topics of computer and network security into something any technical professional can understand and act on. Our newly redesigned blog, Secplicity, takes this mission to the next level.

Our team has worked hard to create a faster, easier to browse, and more useful blog for everyone interested in information security—based in part on your feedback. On top of the design changes, you’ll also enjoy more regular content, both written and video, from a more diverse group of authors and researchers. We also plan to cater our content to your questions and feedback.

The new site goes live in the next 48 hours. When it does, we’ll automatically redirect visitors to the new site. Your email, WordPress, and RSS subscriptions should continue to work, but in the event that you stop receiving updates please visit the blog and re-subscribe.

We’re looking forward to many more years of InfoSec community service, and hope you continue to visit us for the latest security news and analysis, simplified.

— Corey Nachreiner, CISSP (@SecAdept)

Network Discovery shines a light on shadow IT

Last week we posted about the security and network visibility highlights included in the new Fireware 11.11 release. Today we want to take a closer look at one of the major updates that we mentioned, Network Discovery. This new service performs a complete network scan to generate a visual map of every connected device, providing Firebox administrators total visibility into all assets on their network. Information Security professionals have long understood that the first step in any vulnerability management program is to discover and identify all of the assets and their role in a network. You cannot secure a network that you do not understand. The term “shadow IT” is used to describe people installing and using their own, non-company-sanctioned applications, equipment, and software in the workplace. Here are just a few examples of security risks that could result from unknown devices:

  • An employee brings in a personal device or laptop that does not have the full corporate anti-virus solution installed and connects it to the network, introducing malware.
  • Old servers or applications installed without IT authorization may not be patched to current secure levels, exposing vulnerable software.
  • Unauthorized or rogue access points may be providing unwanted wireless connectivity, offering an avenue for hackers to exploit.

The best way to understand the new capability is to look at a sample screenshot:


Network Discovery allows IT staff to map out the network behind their firewall. It uses information from an Nmap scan, DHCP fingerprinting, HTTP header information, and the new WatchGuard FireClient app. Assets in the network are identified and represented with an icon carrying the following information:

  • Host Name
  • IP Address
  • MAC Address
  • Type of device – iOS, Android, Mac, Windows, etc.
  • Open ports – and the protocols that may be running on them

Admins can search and filter all device data to zero in on key areas of interest. One click through to FireWatch or Traffic Monitor will provide a clear visual indication of the type of traffic that is passing through the IP address. Admins can mark devices as “known” and assign descriptive names. New or unfamiliar devices will immediately stand out when they appear without names. One Beta tester said: “Excellent feature and the GUI looks good. Found a couple of computers that should not have been on my network.”
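The inventory workflow described above (collect host name, IP, MAC, device type and open ports from a scan, then let unfamiliar devices stand out by comparing them against the devices an admin has marked as known) can be reproduced on a small scale with standard tooling. The following Python script is an added example and is not WatchGuard's code or the Network Discovery implementation: it parses the XML report format Nmap produces with `-oX`, builds one asset record per live host, and flags every host whose MAC address is absent from an admin-maintained list of known devices. The Nmap report and the known-device list embedded below are constructed for illustration.

```python
"""Build an asset inventory from an Nmap XML report and flag unknown devices."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a minimal Nmap XML report (as written by `nmap -sV -O -oX`)
# with two live hosts and one host that did not respond.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.10.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
    <hostnames><hostname name="fileserver.example.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="94"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.10.42" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac" vendor="Apple"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
    <os><osmatch name="Apple iOS 9.x" accuracy="88"/></os>
  </host>
  <host><status state="down"/><address addr="192.168.10.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed sample: devices an admin has already marked as known, keyed by MAC.
KNOWN_DEVICES = {"00:11:22:33:44:55": "Finance file server"}


@dataclass
class Asset:
    ip: str
    mac: str = ""
    vendor: str = ""
    hostname: str = ""
    os_guess: str = ""
    open_ports: list = field(default_factory=list)  # e.g. "445/tcp microsoft-ds"
    known_as: str = ""  # admin-assigned descriptive name; empty means unknown


def parse_nmap_xml(xml_text):
    """Return one Asset per host reported as up, with the fields listed above."""
    assets = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no inventory data
        ip = mac = vendor = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr", "").upper()
                vendor = addr.get("vendor", "")
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", "") if name_el is not None else ""
        # Keep the highest-accuracy OS match, if fingerprinting produced any.
        best_os, best_acc = "", -1
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if acc > best_acc:
                best_os, best_acc = match.get("name", ""), acc
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                svc = service.get("name", "") if service is not None else ""
                open_ports.append(f"{port.get('portid')}/{port.get('protocol')} {svc}".rstrip())
        assets.append(Asset(ip, mac, vendor, hostname, best_os, open_ports))
    return assets


def label_known_devices(assets, known_by_mac):
    """Attach admin-assigned names; devices absent from the list stay unnamed."""
    for asset in assets:
        asset.known_as = known_by_mac.get(asset.mac, "")
    return assets


def unknown_devices(assets):
    """Devices that nobody has marked as known: the ones that should stand out."""
    return [a for a in assets if not a.known_as]


if __name__ == "__main__":
    inventory = label_known_devices(parse_nmap_xml(SAMPLE_NMAP_XML), KNOWN_DEVICES)
    for a in inventory:
        tag = a.known_as or "UNKNOWN"
        print(f"[{tag}] {a.ip} {a.mac} {a.vendor} {a.hostname} {a.os_guess} {a.open_ports}")
```

Run against a real report, the script reads the file produced by `nmap -sV -O -oX scan.xml <range>` in place of the embedded sample; the MAC address only appears in Nmap output when the scanner sits on the same layer-2 segment as the target, so scans across a router fall back to IP-based matching.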

Are you confident that you can identify every device on your network? Find out more: download the new Tech Brief, which describes the service in more detail with additional screenshots.

Network Discovery is available on all Firebox and XTMv models. The service is included in the UTM Security Suite for all new and existing customers. We’ve added the new feature key to all current security suite subscriptions on Firebox T or M Series and XTMv. Synchronize your feature key to get the latest license from our WatchGuard Servers and try out the new service today. This short video explains how to synchronize a feature key.


WatchGuard Product Releases

WatchGuard recently announced the General Availability of major new releases of both the Fireware operating system and WatchGuard Dimension, both of which are now available to download at the software center. These releases provide increased visibility across the entire network for distributed enterprises and small and midsize businesses (SMBs). I was in Europe last week at a number of WatchGuard events and I heard a lot of positive reaction firsthand. Many partners and end users are already quite familiar with the new capabilities because we conducted extensive beta testing for these new releases over the last two months. The Beta participation numbers are impressive:

  • 640 users logged into our Beta portal from 45 different countries
  • Over 220 unique pieces of feedback were submitted, including bugs and suggestions for product improvement
  • 176 users filled out a survey sharing their thoughts on the Beta and the new software

So what is everyone excited about? Key highlights in the new releases are:

Fireware 11.11:

  • Network Discovery: a subscription service that generates a visual map of every connected device, providing Firebox administrators total visibility into all assets on their network. Included in all UTM Security Suites on Firebox and XTMv models.
  • Botnet Detection: integrated into the Reputation Enabled Defense service. Customers gain real-time visibility into infected clients and command and control communication is immediately blocked. This feature is available on all XTM and Firebox appliances for any customer with a license for Reputation Enabled Defense (which is included in the UTM security suite).
  • Mobile Security: allows Firebox administrators to enforce access controls and only allow mobile devices that adhere to current corporate policies, and are free of malware. Available as an optional subscription service on all Firebox and XTMv models.

Dimension 2.1:

  • Subscription Services Dashboard: a reporting interface that gives businesses a comprehensive performance summary with statistics to show what has been scanned by a Firebox and attacks or malware that have been prevented.
  • Policy Usage Report: a new report that provides valuable insight into how frequently policies are used, thereby enabling IT teams to keep firewall policies current and eliminate unnecessary or unused policies.
  • User Anonymization: an innovative feature that enables businesses to conform to data privacy regulations, such as the European Union’s General Data Protection Regulation framework.

There are hundreds more features than we can cover in a short blog post. Check out the What’s new in Fireware 11.11 and What’s new in Dimension 2.1 presentations to find out full details, including screenshots. Also, watch for more posts on this blog over the next few weeks that go into depth for some of these features.


WatchGuard receives Grand Trophy and five other 2016 Global Excellence Awards

It was a busy week down at the RSA conference in San Francisco, but it kicked off right on Monday night when we learned that InfoSecurity Products Guide, the industry’s leading information security research and advisory guide, recognized WatchGuard Technologies as a Grand Trophy winner for their 2016 Global Excellence Awards®.

More than 50 judges from around the world formed a broad spectrum of industry voices and their average scores determined the 2016 Global Excellence Awards Finalists and Winners.

Beyond the Grand Trophy, we brought home a total of five Info Security Product Guide Global Excellence Awards in a diverse set of categories:

  • Gold Winner Award for Network Security and Management: WatchGuard Dimension Command
  • Gold Winner Award for Security Products and Solutions for Small Businesses and SOHO: WatchGuard Firebox T50
  • Silver Winner Award for Security Products and Solutions for Enterprise (Medium): APT Blocker
  • Bronze Winner Award for Integrated Security and Unified Threat Management: WatchGuard Firebox M300 Firewall (Firebox M300 running Fireware 11.10.4 firmware)
  • Bronze Winner Award for People Shaping Info Security: Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies, for Raising InfoSecurity Awareness Through Education

Info Security Product Guide’s recognition of our products and personnel stands as further validation of this company’s commitment to best-in-class security solutions. We’re proud to receive yet another endorsement of WatchGuard’s vision and execution in the field of security for SMBs and enterprises, and for general education and awareness about infosecurity.

Network Security: Mining the Alphabet Soup for What Matters

The security industry likes to create acronyms – IAM, UTM, NGFW, MFA, EDR, etc. Perhaps it comes from the general human tendency of wanting to define complex topics simply. In an ever-changing industry like information security, these acronyms and groupings create major challenges over time. Each year there are new threats, and with that comes more innovation and different approaches to security – all of which we initially try to force into predefined groupings, often diluting the value of the evolving technologies and confusing end-users. One such example is the ongoing attempt to force network security platforms into two distinct groups: Next-Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances. The confusion between the two has become so apparent that analysts at last year’s Gartner Security and Risk Management Summit held a roundtable discussion on the very topic. The fact is that most end customers just want good security that solves their network security threats – they care less about NGFW and UTM. Today, I hope to both clear up some of that confusion, and share some data that quantitatively illustrates why UTM protections measurably increase your security efficacy.

UTM vs. NGFW; What’s the Difference?

At one point in time, when analysts first defined these two product segments, they had clear feature delineations in mind. At the highest level, NGFW appliances were firewalls with intrusion prevention systems (IPS) and application control, whereas UTM appliances were firewalls with IPS, antivirus (AV), URL filtering, and anti-spam capabilities. However, over time both markets have organically evolved and changed. Now both solutions share a similar core set of capabilities. For instance, some NGFW solutions have added new security controls (like malware detection), which used to fall into the UTM camp. Meanwhile, UTMs have adopted all of the security features that helped define the NGFW market—such as application control—and have even added additional new security services to the mix.

This melding of feature sets between NGFW and UTM has made it a bit more difficult to differentiate products, but I think one high-level description holds true. UTM solutions focus on unifying as many security controls as possible in one place, making them easier and more cost effective to manage, whereas NGFW solutions focus on consolidating only a limited subset of controls; specifically, ones that make the most sense in certain use cases, such as a big data center environment. In plain English, UTM solutions tend to include more types of security controls than NGFWs.

How Layered UTM Security Improves Overall Defense

In essence, UTM’s core value proposition is that it combines many security controls in one place, increasing your overall security efficacy, and making layered security attainable for some organizations that couldn’t implement it otherwise. To really appreciate this, you need to understand why layered security improves your overall defense efficacy.

Ultimately, there are two reasons UTM layered security offers the best defense:

  1. No single security control is infallible – History has proven that information security is a constant arms race. The good guys invent a new security control that blocks an attack at first, but the bad guys react and find new ways to evade those defenses. Antivirus (AV) is a great example of this. The industry started with signature-based solutions that originally did a good job, but eventually the bad guys evolved, and reacted with new evasion techniques that bypassed reactive signature-based solutions. Today, we have more advanced, behavioral-based AV solutions, but already attackers are exploring ways to trick these new solutions. The point is, no matter how great a security control might seem, attackers will find ways around it, which is why it’s important to have the additional layers of security a UTM appliance provides to pick up the slack.
  2. There are different stages to a modern, blended attack – You can break down modern network attacks into multiple stages. For example, the initial attack delivery, the exploit portion of the attack, the payload or malware delivery, the call home to the attacker, and so on. Security experts often refer to these stages as the Kill Chain. The importance of these stages is twofold. First, each stage is an additional opportunity for you to catch the attack. If you miss the first stage, you might still stop the second. Second, each of these stages requires a different type of defense. For instance, IPS isn’t intended to catch malware, but rather to block software exploits. WatchGuard’s UTM appliances break the Kill Chain by incorporating all the different types of defenses necessary for each stage of an attack, and by layering them together so that a miss at one stage doesn’t rule out a block at another stage. Simply put, the more stages of an attack you protect against, the more effective your overall defense is, even when new threats bypass one defense.

At WatchGuard we care less about what you call what we do – UTM, multi-layered security, NGFW – we care more for the fact that we have created a mechanism to catch all the various stages of a modern network attack, and by layering these protections together, we give you multiple opportunities to block the threat even when one defense fails.


Don’t Just Take My Word for It!

On a theoretical level, it’s pretty easy to understand the value that WatchGuard’s layered UTM solutions provide, but analytical, scientific-minded people require quantifiable proof before they believe in any theory. Fortunately, NSS Labs, one of the world’s leading independent security product testing laboratories, has recently released a new threat warning service and testing methodology that proves the value of layered UTM security.

NSS Labs’ Cyber Advanced Warning System (CAWS) enables vendors and end-users alike to view how effectively a variety of network security solutions are blocking real-time security threats. The system lets subscribers view the efficacy of different solutions operating under two profiles: a base profile that only enables the so-called NGFW features defined earlier in this post, and an advanced profile in which a vendor can enable the value-added UTM services I described in the example above, which we provide at WatchGuard.

WatchGuard has actively participated in the CAWS service for the past few months, and it has not only helped us increase our security efficacy, but has also provided a very quantifiable measure of why UTM defenses work. Here’s a chart showing WatchGuard’s “block rate” results for about a month of new CAWS attacks:

Figure 1: Image courtesy of NSS Labs CAWS system

In the chart above, the lower, orange line represents a traditional NGFW, which relies primarily on IPS to catch threats. The upper, muddy-yellow line represents our product using the full UTM feature set, which includes antimalware services like GAV and APT Blocker, as well as all our URL filtering services.

What’s important to note is the drop in our IPS-only block rate on January 31st. While there could be a few reasons for this, it’s typically indicative of a new attack that our IPS didn’t catch. So why would I highlight this IPS miss? Well, look at the yellow UTM line: its block rate stays relatively high, despite the fact that IPS might have temporarily missed something new. Whether our daily IPS efficacy goes up or down, our full UTM defenses still catch well over 90% of the new threats each day. This further reinforces the importance of a layered approach to security, since dips in IPS efficacy are not unique to WatchGuard.

Some have claimed that defense-in-depth, or layered security, is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations get compromised despite some defenses. However, I believe layered security is still the most effective way to prevent the majority of attacks. Breaches will still happen because no defense is infallible, but WatchGuard’s NSS Labs CAWS testing proves that having the layered security of a UTM appliance increases your overall security efficacy, and can even successfully block an attack when one layer of security misses.

— Corey Nachreiner, CISSP (@SecAdept)

Firebox M4600 & M5600

Today WatchGuard is pleased to announce the new Firebox M4600 and M5600 models, completing the replacement of all of our older XTM appliances with a new generation of hardware. Now, from the smallest Firebox T10 to the top of the line Firebox M5600, there is a new Firebox appliance that provides critical network and security functions in a single, centrally managed UTM platform that is easy to set up, deploy and manage.

The WatchGuard Firebox M4600 and Firebox M5600 appliances both provide two empty bays that can be used to add expandable network modules to meet the needs of a wide range of network configurations. Both models support three modular interface options that each add either four or eight interfaces to the Firebox:

  1. 8 x 1 Gb Fiber
  2. 4 x 10 Gb Fiber
  3. 8 x 1 Gb Copper

The picture above shows an M4600 with options 1 and 2 in the two expansion bays. Expandable network modules offer room to grow for the future. If the need for more network ports into the firewall grows, the business doesn’t have to do a costly rip out and replace. The network admin can simply add a new module to the existing appliance to add extra ports.

These exciting new products are Generally Available (GA) now. Learn more through some of the new resources that are available with today’s public launch:

The M4600 provides 8 Gbps UTM throughput, and the M5600 is the fastest Firebox ever with 11 Gbps UTM. Download the datasheet with the full technical specifications for the two new appliances.

Use our new interactive module selector on the web to explore the different network module options available for each model, and see how the firewall throughput can depend on module configuration.

We also have a new technical brief that explains in detail how the new network modularity concept works in WatchGuard appliances.


Secure Wi-Fi helps SMBs protect their customers online

Wi-Fi access is becoming increasingly popular for businesses to attract and retain customers. From retail stores to hotels to hospitals, wireless access has gone mainstream and many companies are jumping on the bandwagon. While offering Wi-Fi to customers and employees certainly has its benefits, wireless access can ultimately doom any business if it’s not properly secured. According to the National Small Business Association, nearly 50 percent of small businesses have already been impacted by cyber-attacks with an average cost of more than 20 thousand dollars. I’ve got some valuable advice on how you can protect your business when offering free Wi-Fi to customers. Check out my article on Help Net Security to find out more.

Big Security in a Small Package

At WatchGuard, we believe that good things can come in small packages. Our smallest tabletop appliances run the same operating system, or firmware, as the largest rack mount units. This means we can provide enterprise class security in a small form factor that helps protect small offices, retail stores, and remote branches of a distributed enterprise.

This is why we are very excited to introduce the next generation of our tabletop appliances today, the WatchGuard Firebox T30 and T50, which replace our existing XTM 25/26 and XTM 33. With the Firebox T Series, companies of all sizes can benefit from our suite of sophisticated security technologies that have been developed to protect the most demanding enterprises. For example, with the WebBlocker service, every link is checked against the Threat Seeker cloud URL database from Websense. Using Intrusion Prevention Service (IPS), the Firebox looks for attacks against known vulnerabilities using technology from Trend Micro. Our newest subscription service, APT Blocker, provides a defense against advanced malware. We check unknown files in a next generation sandbox in the cloud using full system emulation technology from Lastline.


You might think that these services would slow performance. In fact, the new T50 provides up to 165 Mbps of Unified Threat Management (UTM) performance[1] in a compact form factor with 7 Ethernet ports. The smaller T30 appliance has 5 ports and provides up to 135 Mbps UTM throughput. These powerful new boxes provide full security inspection of Internet traffic at the fast connection speeds available today.

The T30 and T50 don’t just provide faster throughput. New features support the growing needs for secure wireless access. Both models have options for an integrated 802.11ac wireless version – providing faster speeds over the less congested 5 GHz channel. Each model also includes a Power over Ethernet (PoE) port, which can be used to provide power to a WatchGuard Wireless Access Point. With PoE, small locations like retail shops don’t have to install expensive power runs to the ceiling for wireless access points. They can simply run an Ethernet cable from the Firebox to the mounting point. Of course the Firebox also comes with the integrated Gateway Wireless Controller software.

That’s a lot of sophisticated security technology in a small box. I’ve been running a Beta version of the T50 at home for a couple of months now. In today’s world, it’s reassuring to know that I have enterprise level security technology protecting my family and any work that I do for my company from home.

Find out more about the new T30 and T50 appliances here.

[1] Remember that UTM performance measures the throughput when the most demanding security services are enabled, including IPS and Gateway Antivirus. Not all vendors publish a combined performance number like this, but we believe that it is important to enable all security services and measure the combined throughput.


HIPAA-Compliant Wi-Fi: What You Need To Know

Did you know your medical Personally Identifiable Information (PII) is worth 50x more than your credit card information on the black market? It’s also the target of exponentially rising attacks.

A recent report from Keeper Security has highlighted staggering stats informing us that 90% of all healthcare organizations have had a data breach, affecting nearly one-third of the U.S. population.

As cyber attacks on healthcare organizations are increasing rapidly, IT administrators are reviewing their cyber security policies from the ground up. Wireless access is one area that deserves close attention given the proliferation of the BYOD phenomenon, staff equipped with tablets to access Electronic Health Records (EHR), and increasing adoption of wirelessly connected medical devices.

HIPAA has historically provided the guiding principles for securing access to patient information. However, you won’t find specific implementation requirements for a wireless LAN (WLAN) within HIPAA. Instead, you’ll find it somewhat buried inside the Code of Federal Regulations (CFR) Title 45, Part 164, Subpart C. The CFR splits WLAN requirements into three categories: administrative (office processes and policies), physical (hardware), and technical (securing WLAN traffic).

Adhering to the following requirements will ensure your Wi-Fi network is HIPAA compliant:

Administrative requirements

  1. Collect logs of the WLAN administrators’ logon and logoff events
  2. Use a WLAN solution with central management (controller/cloud) so that administrator account passwords are maintained in one system
  3. Use a WLAN solution with detection of wireless security threats such as rogue access points
  4. Make a backup of your WLAN configuration from the controller/cloud management system and store it safely offsite in case of an emergency
  5. Use a WLAN solution that allows healthcare staff to remain connected to patient information if the internet or central controller is unavailable to the access points

Physical requirements

  1. Use access points that offer protection from physical tampering, such as Kensington locks
  2. Store any on-site WLAN controller equipment behind access-restricted areas

Technical requirements

  1. If you offer public-facing Wi-Fi access, separate this traffic from your internal EHR-facing network using separate SSIDs and/or VLAN IDs
  2. At a minimum, use WPA2 with a pre-shared key (WPA2-PSK) and, if possible, implement WPA2-Enterprise with 802.1X authentication and client-side certificates
  3. Use a WLAN solution that provides visibility into wireless client activity such as bandwidth consumed and source/destination information, and that has the ability to selectively block any traffic

-Ryan Orsi, Product Manager (@RyanOrsi)
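The three technical requirements in the post above (guest traffic on its own SSID/VLAN, WPA2-PSK as the floor with WPA2-Enterprise preferred, and per-client visibility with the ability to block) can be turned into a repeatable audit of a WLAN's SSID configuration. The following Python script is an added example and is not code from the post or from any WatchGuard product: it takes a list of SSIDs exported from whatever controller is in use, and reports where the configuration falls short. The SSID records embedded below are constructed; the `purpose` field (which SSIDs reach EHR systems and which are public guest networks) is an assumption the script needs an admin to supply, and the authentication floor is applied to EHR-facing SSIDs, since the post's first item already requires public Wi-Fi to be isolated from them.

```python
"""Audit a WLAN SSID inventory against the three HIPAA technical items."""
from dataclasses import dataclass

# Authentication modes ranked from weakest to strongest.
AUTH_RANK = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa2-psk": 3, "wpa2-enterprise": 4}
MINIMUM_AUTH = "wpa2-psk"        # the post's floor for EHR-facing networks
PREFERRED_AUTH = "wpa2-enterprise"


@dataclass(frozen=True)
class SSID:
    name: str
    vlan: int
    auth: str                 # one of the AUTH_RANK keys
    purpose: str              # "ehr" (reaches patient records) or "guest" (public Wi-Fi)
    client_visibility: bool   # controller shows per-client bandwidth/src-dst and can block


def audit_wlan(ssids):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    findings = []
    ehr = [s for s in ssids if s.purpose == "ehr"]
    guest = [s for s in ssids if s.purpose == "guest"]
    ehr_vlans = {s.vlan for s in ehr}

    # Item 1: public-facing Wi-Fi must not share a VLAN with an EHR-facing SSID.
    for g in guest:
        if g.vlan in ehr_vlans:
            findings.append(f"{g.name}: guest SSID shares VLAN {g.vlan} with an EHR network")

    # Item 2: WPA2-PSK at minimum on EHR networks; WPA2-Enterprise (802.1X) preferred.
    for s in ehr:
        rank = AUTH_RANK.get(s.auth.lower(), 0)  # unknown modes are treated as open
        if rank < AUTH_RANK[MINIMUM_AUTH]:
            findings.append(f"{s.name}: auth '{s.auth}' is below the WPA2-PSK minimum")
        elif rank < AUTH_RANK[PREFERRED_AUTH]:
            findings.append(f"{s.name}: consider WPA2-Enterprise (802.1X) with client certificates")

    # Item 3: every SSID needs per-client visibility and the ability to block traffic.
    for s in ssids:
        if not s.client_visibility:
            findings.append(f"{s.name}: no per-client visibility/blocking on this SSID")
    return findings


# Constructed sample inventory: one compliant staff SSID, a tablet SSID on PSK,
# a guest SSID wrongly placed on the EHR VLAN, and a lobby SSID without visibility.
SAMPLE_SSIDS = [
    SSID("Clinic-Staff", 10, "wpa2-enterprise", "ehr", True),
    SSID("Clinic-Tablets", 10, "wpa2-psk", "ehr", True),
    SSID("Clinic-Guest", 10, "open", "guest", True),
    SSID("Lobby-Guest", 200, "open", "guest", False),
]

if __name__ == "__main__":
    for line in audit_wlan(SAMPLE_SSIDS):
        print(line)
```

Feeding the script a real export means mapping each SSID's VLAN, security mode and purpose into `SSID` records; the audit itself is vendor-neutral and only reasons about those fields.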

How to Save Yourself an 802.11ac Wave 2 Headache

The latest Wi-Fi standard to hit the market is 802.11ac, and it’s been split up into two flavors: Wave 1 and Wave 2. Wave 1 has been out for a while, but Wave 2 consumer routers and business access points have recently become available. With that in mind, what do you need to know about these new standards?

It’s important to know the two main differences between Wave 2 versus Wave 1:

  1. Multi-User MIMO (MU-MIMO) essentially allows a Wave 2 router or access point (AP) to communicate with more than one client at a time. Until Wave 2, APs served wireless clients one at a time. That means each wireless device had to wait its turn among all the other clients. MU-MIMO reduces the time each client occupies the radio waves (known as airtime demand). The lower the airtime demand, the faster your neighbor across the café gets his email attachment, and the faster you get your important Instagram pictures, which means the happier all Wi-Fi users will be.
  2. 160 MHz bandwidth channels are supported in Wave 2. Without diving into the weeds, the wider the bandwidth, the faster your downloads complete.

Should you rush to buy Wave 2 routers and access points?

I highly recommend you don’t yet. Why not? Consider the following:

  • Routers and access points are infrastructure (like a cellular base station is for our smart phones). Infrastructure needs friends to play with, or client devices. To realize Wave 2 benefits, our laptops, smart phones, tablets, game consoles, and other gear have to use Wave 2 wireless chips. I don’t expect many Wave 2 clients to show up on the market until 2016, and even then it will take a year longer before the majority of clients support Wave 2.
  • For the home user, especially gamers, the bandwidth provided by the 160 MHz channel could be a win. For everyone else, it’s a yawn. That’s because even though it provides faster speed to single clients, it also translates to less overall speed for the combined group. Think of it like the width of your shopping cart at the grocery store. If we’re all wheeling around a 6 ft. wide monster cart, only one of us could cruise a shopping aisle at a time, which slows down shopping for everyone. However, if we all sported 2 ft. wide carts, we could fit three of them in the aisle at a time, allowing everyone to get their shopping done in a reasonable period.

In summary, to avoid an unnecessary 802.11ac Wave 2 headache, I recommend you go ahead and buy Wave 1 routers or APs today. You can rest easy and not worry, because doing so won’t put you behind the times.

-Ryan Orsi, Product Manager (@RyanOrsi)
