1. Enable and Properly Configure Protocol Analyzers
A protocol analyzer is a critical component in many NGFWs, designed to inspect and ensure compliance with protocol standards. However, this feature is often either disabled or improperly configured.
Steps to Implement:
- Enable Protocol Analyzers: Ensure that the protocol analyzer feature is activated in your firewall settings.
- Configure for RFC Compliance: Set the analyzer to detect and block non-compliant protocols.
- Monitor Protocols and Ports: Ensure protocols are operating over their standard ports to prevent evasion tactics that involve non-standard port usage.
Malware can evade detection by embedding malicious payloads in various sections of a packet header or footer. By enforcing protocol compliance and monitoring port usage, you can block these evasion attempts effectively.
2. Implement Protocol Enforcement
Protocol enforcement ensures that traffic conforms to expected behaviors, such as using standard ports for specific protocols. This reduces the risk of malware using unconventional ports to bypass security measures.
Steps to Implement:
- Activate Protocol Enforcement: Enable this feature in your firewall settings, focusing on standardizing protocol-port assignments.
- Block Non-standard Traffic: Configure the firewall to block or alert on traffic that does not comply with expected port usage.
By restricting applications to their designated ports, you can prevent malware from evading detection through protocol misuse.
3. Deploy Signature-Based Intrusion Prevention Systems (IPS)
While signature-based systems should not be your primary defense, they are effective in detecting and blocking known evasion techniques. These systems inspect the payload of packets to identify and mitigate threats.
Steps to Implement:
- Activate IPS: Ensure your NGFW has the IPS feature enabled.
- Update Signatures Regularly: Keep your signature database up to date to protect against the latest threats.
- Monitor and Block Malformed Traffic: Configure IPS to detect and block malformed HTTP requests, encoding evasion, and other common techniques.
Using a comprehensive set of signatures tailored to detect evasion tactics can significantly enhance your firewall’s ability to block sophisticated threats.
4. Utilize SSL Deep Packet Inspection (DPI)
A substantial amount of web traffic, including malware communication, occurs over HTTPS. SSL DPI allows your firewall to inspect the contents of encrypted traffic, ensuring threats do not bypass security through encryption.
Steps to Implement:
- Enable SSL DPI: Configure your firewall to perform SSL inspection.
- Deploy Intermediary Certificates: Ensure the firewall presents its certificate to intercept SSL connections transparently.
- Monitor for Certificate Pinning: Be aware of malware that uses certificate pinning to avoid SSL DPI, and adjust your security policies accordingly.
SSL DPI helps in identifying and blocking threats hidden within encrypted traffic, which is essential given the high volume of HTTPS traffic in modern networks.
5. Adopt a Multi-Layered Defense Strategy
No single security measure is foolproof. A multi-layered defense strategy that integrates various security mechanisms can provide a more robust defense against evasion techniques.
Steps to Implement:
- Use Threat Intelligence Feeds: Integrate feeds to block known command and control servers.
- Leverage Application Identification: Block proxy avoidance and tunneling applications using application-aware policies.
- Monitor and Block Tunneling Traffic: Use IPS to detect and block attempts to tunnel data through standard protocols like HTTP or DNS.
By combining these methods, you create overlapping layers of security that can catch threats that might slip past a single defense mechanism.
Conclusion
Protecting your network from sophisticated evasion techniques requires more than just investing in a powerful next-gen firewall. It involves configuring and leveraging the advanced features of your firewall, such as protocol analyzers, SSL DPI, and IPS, and adopting a multi-layered security strategy. By implementing these five defensive techniques, you can significantly enhance your network’s resilience against evasion tactics, ensuring a more secure environment for your organization.
