
© Copyright Fortinet Inc. All rights reserved.

Securing Web Applications with FortiWeb and FortiSandbox

Shaun Carriveau, Channel Systems Engineer

4/19/2017


Agenda

- Fortinet
  - Who we are and what we do
- FortiGuard Labs
- Threat Landscape
  - Understanding Security Challenges
- FortiSandbox
  - Identifying the unknown
- FortiWeb
  - Protecting the web based applications

Fortinet: Company Overview

Fortinet Facts

- #1 unit share worldwide in network security (IDC)
- $1.3B revenue
- Founded 2000
- Over 3 million devices shipped
- 30%+ growth
- 4,650+ employees
- 300,000+ customers
- Market leading technology: 358+ patents, 292+ pending
- 100+ offices worldwide; HQ in Sunnyvale, CA
- IPO 2009


Fortinet: Global Network Security Leader

- 7 of the top 10 Fortune companies in America
- 8 of the top 10 Fortune companies in EMEA
- 9 of the top 10 Fortune companies in APAC
- 10 of the top 10 Fortune telecommunications companies
- 9 of the top 10 Fortune retail and commercial banks
- 7 of the top 10 aerospace and defense companies

FortiGuard Labs

FortiGuard Threat Map

The FortiGuard Minute: FortiGuard by the numbers

Per Minute
- 21,000 spam emails intercepted
- 470,000 network intrusion attempts resisted
- 95,000 malware programs neutralized
- 160,000 malicious website accesses blocked
- 32,000 botnet C&C attempts thwarted
- 43 million website categorization requests

Per Week
- 46 million new & updated spam rules
- 1,000 intrusion prevention rules
- 108 million new & updated AV definitions
- 1.4 million new URL ratings
- 8,000 hours of threat research globally

Total Database
- 326 terabytes of threat samples
- 19,000 intrusion prevention rules
- 5,800 application control rules
- 250 million rated websites in 78 categories
- 375 zero-day threats discovered

Based on Q2 2016 data. Image: threatmap.FortiGuard.com

Threat Landscape

Understanding Security Challenges


Infrastructure. Constant Change.

- SDN/NFV: software-defined everything; SD WAN
- SaaS / IaaS: on average, companies have 10+ applications running via the cloud; security is still the No.1 inhibitor
- IoT: 35B devices, mostly headless, attaching to the network
- Virtualization: 80% of data center apps are virtualized
- Mobile: no control of endpoints (BYOD)
- Social: bandwidth ever increasing
- Bandwidth: Wi-Fi speeds rival LANs; 100G networks here
- Analytics: Big Data
- Internet 2: 100 Gbps, UHDTV, 5G wireless
- Green centers use 0.01% of global power

(Timeline: TODAY at 100G, FUTURE)

Security is borderless.

(Diagram: Branch Office, Campus, Data Center, Remote Office, Mobile, IoT, PoS, EndPoint, 0-Day)

1. The attack surface has increased
2. Strategy changes bring new security challenges
3. There are security holes in existing infrastructure (ATP, unsecured wireless, no dedicated security...) => Security is Borderless

FortiSandbox

Identifying the Unknown


Introducing FortiSandbox

Advanced Threat Protection
- Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
- Handles multiple file types, including files that are encrypted or obfuscated
- Examines files from various protocols, including those that use SSL encryption

Flexible Operation Modes
- Receives file samples via integration with FortiGate/FortiMail, sniffer mode and manual file uploads
- Captures files from remote locations using deployed FortiGates

Monitoring and Reporting
- Detailed analysis reports and real-time monitoring and alerting

Centralized File Analysis (diagram, stages 1 to 4: File Submission, Analysis, Malicious output, Latest AV Signature Update). An Advanced Threat Protection solution designed to identify and thwart highly targeted and tailored attacks.

Key Sandbox Components

- AV Prefilter: apply top-rated anti-malware engine
- Cloud File Query: check FortiSandbox community intelligence & file reputation
- Code Emulation: quickly simulate intended activity; OS independent and immune to evasion/obfuscation
- Full Virtual Sandbox: examine real-time, full lifecycle activity to get the threat to expose itself
- Call Back Detection: identify the ultimate aim, call back & exfiltration
- Intelligence Sharing: mitigate with FortiGuard updates, distribute real-time updates, feed global systems

CPRLSIG
TYPE(pe)
H(IS_NOTDLL)
SZ(GT,8000)
setIP(PE_HEADER) W(0x5c) chk(word & 2, 2) // check subsystem version
getSecNum() setIP(SECTION_HEADER)
W(8) getD($m1) // last section VS
W(4) getD($m2) // last section RS
cmp($m2 >= 0x2300) cmp($m1 >= 0x2300) // min
W(0x10) chk(dword & 0xE0000060, 0xE0000060) // last section char
S(1,END) op($m1 = $IP) op($m1 -= 0x2000)
S(0x2a00,END)
CheckEncVirut:
I(L(0x100,81 e3 00 f0 ff ff),CHECK_NOTENCRYPTED_VIRUT) // Implement X-ray detection
I(getKey(XOR_B, E8 00 00 00 00), POS_XOR)
TRY_SUB: I(getKey(SUB_B, E8 00 00 00 00), POS_SUB)
TRY_SUBADD: I(getKey(SUB_B, ADD_B, E8 00 00 00 00), POS_SUB_ADD)
TRY_XORADD: I(getKey(XOR_B, ADD_B, E8 00 00 00 00), POS_XOR_ADD)
TRY_NEXT_EP:
// brute force?.... hehehehe
I(cmp($m6 == 1),SrchAgn1)
op($m6 = 1) // set flag
R(-1) G(CheckEncVirut)
SrchAgn1:
I(L(0x1000,00 00 00 00),Cont1)
I(cmp($m5 == 3),ExitSig)
I(cmp($m5 == 1),Vir10)
I(cmp($m5 == 2),Vir11)
cmp($m5 == 0) getSecNum() setIP(SECTION_HEADER)
W(8) getD($m1) // last section VS
W(4) getD($
S(0x2c00, END)

Life of a Sample: 1. Advanced Malware Threat Protection

1. The Code Emulation engine focuses on encrypted and/or packed malware. No code evasion is possible, as this code is not run.
2. The Realtime AV Engine decrypts and decodes, then tracks behaviors of polymorphic code.
3. CPRL (patented) is used to detect suspicious code and behavior of a virus and all its variants.

Life of a Sample: 2. FortiGuard Services

1. FortiGuard Cloud File Query #1: a hash of the file is sent to the FortiGuard Service and checked against our intelligence database. It is the last chance to detect a malware before the sandbox analysis (step 3).
2. FortiGuard URL Rating: during sandbox analysis, all connection attempts to any web URL are checked against the FortiGuard Webfiltering database.
3. FortiGuard IP Rating: during sandbox analysis, it detects connection attempts to C2 servers.
4. FortiGuard Cloud File Query #2: all files generated during the sandbox analysis are sent to the intelligence database.
5. FortiGuard File Submission: if the sandbox analysis verdict is suspicious, the entire file is submitted to Threat Intelligence Sharing with the FortiGuard Community.

Life of a Sample: 3. Sandbox Analysis (diagram: Alert VIRUS)

Life of a Sample: 3. Sandbox Analysis

1. Execution of the file in an emulated environment. All major Windows & Android releases are supported (Windows XP, Windows 7, Windows 8, Windows 10).
2. Anti-evasion techniques
3. Analysis performed by a sophisticated tracer engine
4. Complete reporting: network activity is captured, all processes are detailed and listed, all changes are tracked, logs and original files are available for download

Life of a Sample: 4. Rating Engine

1. Clean / Unknown: not detected as suspicious / malicious, or the file could not be processed. It might be re-processed later.
2. Suspicious: Low means the sample is riskware; Medium represents downloaders, adware or greyware; High risk is usually an infector, a dropper or a hijacker.
3. Malicious: the sample is a virus detected by the extended AV techniques and engines.

(Diagram: Static Analysis, FortiGuard Intelligence)

FortiSandbox Series

| FortiSandbox | FSA-1000D | FSA-3000D | FSA-3000E | FSA-3500D | FSA-VM |
| --- | --- | --- | --- | --- | --- |
| VM Sandboxing (Files/Hour) | 160 | 560 | 1,120 | 720* (Upgradable** to 1,200) (160 per node) | Hardware Dependent |
| AV Scanning (Files/Hour) | 6,000 | 15,000 | 15,000 | 30,000* (Upgradable** to 48,000) (6,000 per node) | Hardware Dependent |
| Number of VMs (WinXP, 32-bit) | 8 | 28 | 8 + 48 optional | 36* (Upgradable** to 60) (8 per node) | Total: 2 to 54 |
| Interfaces | 6x GE RJ45 ports, 2x GE SFP slots | 4x GE RJ45 ports, 2x GE SFP, 2x 10GE SFP+ slots | 4x GE RJ45 ports, 2x 10GE SFP+ slots | 20x GE RJ45 ports, 10x 10 GE SFP+ slots (4x GE RJ45 ports, 2x 10 GE SFP+ slots per node) | Hardware Dependent |

FSA-3500D: comes with 5 nodes by default, up to 8 maximum. * Based on the assumption that 1 blade will be used as master in HA-cluster mode. ** By adding 3 more SAM-3500D nodes to the same chassis.

FortiSandbox Series

| | FSA-1000D | FSA-3000D | FSA-VM | FSA-CLOUD |
| --- | --- | --- | --- | --- |
| VM Sandboxing (Files/Hour) | 160 | 560 | Hardware Dependent | Unrestricted |
| AV Scanning (Files/Hour) | 6,000 | 15,000 | Hardware Dependent | Unrestricted |
| Number of VMs | 8 | 28 | 4 to 54 | Not applicable |
| Interfaces | 6x GE RJ45 ports, 2x GE SFP slots | 4x GE RJ45 ports, 2x GE SFP, 2x 10GE SFP+ slots | Hardware Dependent | Not applicable |
| Scan Engines | Similar scan engines across all platforms (release dates may vary) | | | |

| | FSA-1000D / FSA-3000D / FSA-VM | FSA-CLOUD |
| --- | --- | --- |
| Input methods | FortiGate, FortiMail Integration, Sniffer mode, manual on-demand file upload, submission API, network file share inspection | FortiGate, FortiWeb, FortiMail Integration |
| Status & Analysis Visibility | Full (rating, source, destination, MD5/SHA, observed behaviors, full logs, pcap, etc) on-box, statistics overview on FGT only | FortiGate, FortiWeb, FortiMail. Detailed reports on FG only. |
| Info submission to FortiGuard Labs | configuration | All info if rated with risk levels |
| File Quarantine | On-box file quarantine for network file share scanning. FortiMail submits and queues mails for suspicious content | NIL |
| Protection | Manual policy configuration, FortiGuard AV signature update, requires FortiGuard premium service for SLA | Source Quarantine on FGT (*V5.2.3+) |

* Roadmap, may be subject to changes.

Advanced Threat Protection in Action

- FortiGate, FortiMail, FortiWeb, FortiClient
  - Block as many threats as possible
  - Submit at-risk objects for additional analysis
  - Mitigate previously unknown threats
- Sandbox for Payload Analysis
  - Accept at-risk objects for additional analysis
  - Execute objects to assess and rate risk
  - Provide intelligence and generate updates for prevention products

✓ Identify more, previously unknown, threats
✓ Minimize the cost of comprehensive coverage
✓ Speed and simplify response

(Diagram: Network: FortiGate, FortiMail, FortiWeb; FortiSandbox: Callback Detection, Cloud File Query, AV Prefilter, Code Emulation, Full Sandbox; FortiClient)

FortiWeb: Protecting Web Based Applications

Web Application Security Trends

- Web application vulnerabilities are a top source of breaches (1)
- IPS alone cannot protect against zero-day threats
- PCI compliance needed to accept/process credit cards
- Non-compliance needs growing
- Strong awareness and top 5 investment priority with CIOs (2)
- 11.6% of web sites use HTTP/2

$1.5B+ market size with a CAGR of 6% expected through 2020 (3)
100% ↑ in published critical vulnerabilities exploited in 1 year (1)
40% of data breaches caused by application vulnerabilities (1)

Notes/Sources:
1. Verizon 2016 Data Breach Report.
2. Gartner Magic Quadrant for Web Application Firewalls 2016.
3. IDC Research WAF market size and growth estimates for 2016 to 2020; includes hardware and hosted WAF services.