© Copyright Fortinet Inc. All rights reserved.
Securing Web Applications with FortiWeb and FortiSandbox
Shaun Carriveau, Channel Systems Engineer
4/19/2017

Agenda
» Fortinet: who we are and what we do
» FortiGuard Labs
» Threat Landscape: understanding security challenges
» FortiSandbox: identifying the unknown
» FortiWeb: protecting web-based applications
Fortinet
Company Overview

Fortinet Facts
» #1 unit share worldwide in network security (IDC)
» $1.3B revenue
» Founded 2000, IPO 2009, HQ in Sunnyvale, CA
» Over 3 million devices shipped
» 30%+ growth
» 4,650+ employees
» 300,000+ customers
» Market-leading technology: 358+ patents, 292+ pending
» 100+ offices worldwide

Fortinet: Global Network Security Leader
» 7 of the top 10 Fortune companies in America
» 8 of the top 10 Fortune companies in EMEA
» 9 of the top 10 Fortune companies in APAC
» 10 of the top 10 Fortune telecommunications companies
» 9 of the top 10 Fortune retail and commercial banks
» 7 of the top 10 aerospace and defense companies
FortiGuard Labs

FortiGuard Threat Map
Image: threatmap.FortiGuard.com

The FortiGuard Minute (based on Q2 2016 data)
Per minute:
» 21,000 spam emails intercepted
» 470,000 network intrusion attempts resisted
» 95,000 malware programs neutralized
» 160,000 malicious website accesses blocked
» 32,000 botnet C&C attempts thwarted
» 43 million website categorization requests

FortiGuard by the numbers
Per week:
» 46 million new and updated spam rules
» 1,000 intrusion prevention rules
» 108 million new and updated AV definitions
» 1.4 million new URL ratings
» 8,000 hours of threat research globally
Total database:
» 326 terabytes of threat samples
» 19,000 intrusion prevention rules
» 5,800 application control rules
» 250 million rated websites in 78 categories
» 375 zero-day threats discovered
Threat Landscape
Understanding Security Challenges

Infrastructure. Constant Change.
» SDN/NFV: software-defined everything
» Green data centers use 0.01% of global power
» SD-WAN
» SaaS: on average, companies have 10+ applications running via the cloud
» IaaS: security is still the No. 1 inhibitor
» IoT: 35B devices, mostly headless, attaching to the network
» Virtualization: 80% of data center apps are virtualized
» Mobile: no control of endpoints (BYOD)
» Social: bandwidth ever increasing
» Bandwidth: Wi-Fi speeds rival LANs; 100G networks are here today
» Analytics / Big Data
» Future: Internet2, 100 Gbps, UHDTV, 5G wireless

Security is borderless.
Diagram: branch office, campus, data center, remote office, mobile, IoT, PoS, endpoint; 0-day threat.
1. The attack surface has increased.
2. Strategy changes bring new security challenges.
3. There are security holes in existing infrastructure (ATP, unsecured wireless, no dedicated security...).
=> Security is borderless.

FortiSandbox
Identifying the Unknown
Introducing FortiSandbox
Advanced Threat Protection
» Multi-layered filtering with code emulator, AV engine, cloud query and virtual OS sandbox
» Handles multiple file types, including files that are encrypted or obfuscated
» Examines files from various protocols, including those that use SSL encryption
Flexible Operation Modes
» Receives file samples through integration with FortiGate/FortiMail, in sniffer mode, and by manual file upload
» Captures files from remote locations using deployed FortiGates
Monitoring and Reporting
» Detailed analysis reports and real-time monitoring and alerting

Centralized File Analysis (diagram): 1. file submission, 2. analysis, 3. malicious verdict and analysis output, 4. latest AV signature update.
An Advanced Threat Protection solution designed to identify and thwart highly targeted and tailored attacks.

Key Sandbox Components
» AV Prefilter: apply the top-rated anti-malware engine
» Cloud File Query: check FortiSandbox community intelligence and file reputation
» Code Emulation: quickly simulate intended activity; OS independent and immune to evasion/obfuscation
» Full Virtual Sandbox: examine real-time, full-lifecycle activity to get the threat to expose itself
» Call Back Detection: identify the ultimate aim, call back and exfiltration
» Intelligence Sharing: mitigate with FortiGuard updates, distribute real-time updates, feed global systems
CPRL signature excerpt (Virut detector)

```
CPRLSIG
TYPE(pe)
H(IS_NOTDLL)
SZ(GT,8000)
setIP(PE_HEADER) W(0x5c) chk(word & 2, 2)                        // check subsystem version
getSecNum() setIP(SECTION_HEADER) W(8) getD($m1)                 // last section VS
W(4) getD($m2)                                                   // last section RS
cmp($m2 >= 0x2300) cmp($m1 >= 0x2300)                            // min
W(0x10) chk(dword & 0xE0000060, 0xE0000060)                      // last section chars
S(1,END) op($m1 = $IP) op($m1 -= 0x2000)
S(0x2a00,END)
CheckEncVirut:
I(L(0x100,81 e3 00 f0 ff ff),CHECK_NOTENCRYPTED_VIRUT)
// Implement X-ray detection
I(getKey(XOR_B, E8 00 00 00 00), POS_XOR)
TRY_SUB:    I(getKey(SUB_B, E8 00 00 00 00), POS_SUB)
TRY_SUBADD: I(getKey(SUB_B, ADD_B, E8 00 00 00 00),POS_SUB_ADD)
TRY_XORADD: I(getKey(XOR_B, ADD_B, E8 00 00 00 00),POS_XOR_ADD)
TRY_NEXT_EP:
// brute force?.... hehehehe
I(cmp($m6 == 1),SrchAgn1)
op($m6 = 1)                                                      // set flag
R(-1) G(CheckEncVirut)
SrchAgn1:
I(L(0x1000,00 00 00 00),Cont1)
I(cmp($m5 == 3),ExitSig)
I(cmp($m5 == 1),Vir10)
I(cmp($m5 == 2),Vir11)
cmp($m5 == 0) getSecNum() setIP(SECTION_HEADER) W(8) getD($m1)   // last section VS
W(4) getD($
S(0x2c00, END)
```
Life of a Sample
1. Advanced Malware Threat Protection
1. The code emulation engine focuses on encrypted and/or packed malware. No code evasion is possible at this stage because the code is not run; the emulator derives keys and unpacks the sample statically.
2. The real-time AV engine decrypts and decodes the code, then tracks the behavior of polymorphic code.
3. CPRL (patented) is used to detect suspicious code and the behavior of a virus and all its variants.
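The getKey(...) calls in the CPRL excerpt above, and step 1 of this slide, rest on X-ray scanning: the scanner assumes a known plaintext sits at the current position (E8 00 00 00 00, a CALL $+5 used to obtain EIP), computes the key that would turn the bytes there into that plaintext, and accepts the key only if it also explains the remaining known bytes; otherwise it steps back one byte and retries (the R(-1) / G(CheckEncVirut) loop). The Python below is an added example written for this page; it is not Fortinet's code or the CPRL engine. The four cipher schemes (single-byte XOR, single-byte SUB, and a sliding-key variant of each), the sample buffer, the filler and the key values 0x3C / 0x07 are constructed assumptions chosen to show the technique and are not the real Virut cipher.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Known plaintext for the X-ray: CALL $+5 (E8 00 00 00 00), POP EBP (5D) and
# AND EBX,0xFFFFF000 (81 E3 00 F0 FF FF); the last instruction is the byte string
# the signature above searches for in the not-encrypted case.
KNOWN_STUB = bytes.fromhex("E800000000" "5D" "81E300F0FFFF")
XRAY_BYTES = KNOWN_STUB[:5]  # key is derived from byte 0 (and 1), verified on the rest


def _key_at(k0: int, delta: int, i: int) -> int:
    """Key byte for position i: constant when delta == 0, sliding otherwise."""
    return (k0 + i * delta) & 0xFF


def dec_xor(cipher: bytes, k0: int, delta: int) -> bytes:
    return bytes(c ^ _key_at(k0, delta, i) for i, c in enumerate(cipher))


def dec_sub(cipher: bytes, k0: int, delta: int) -> bytes:
    return bytes((c - _key_at(k0, delta, i)) & 0xFF for i, c in enumerate(cipher))


# X-ray: the key is computed from the expected plaintext, never brute-forced.
def derive_xor(cipher: bytes, plain: bytes, sliding: bool) -> Tuple[int, int]:
    k0 = cipher[0] ^ plain[0]
    delta = ((cipher[1] ^ plain[1]) - k0) & 0xFF if sliding else 0
    return k0, delta


def derive_sub(cipher: bytes, plain: bytes, sliding: bool) -> Tuple[int, int]:
    k0 = (cipher[0] - plain[0]) & 0xFF
    delta = (((cipher[1] - plain[1]) & 0xFF) - k0) & 0xFF if sliding else 0
    return k0, delta


@dataclass(frozen=True)
class Scheme:
    name: str
    derive: Callable[[bytes, bytes, bool], Tuple[int, int]]
    decrypt: Callable[[bytes, int, int], bytes]
    sliding: bool


# Assumed cipher schemes for illustration (not the real Virut decryptor).
SCHEMES = (
    Scheme("xor", derive_xor, dec_xor, False),
    Scheme("sub", derive_sub, dec_sub, False),
    Scheme("xor-sliding", derive_xor, dec_xor, True),
    Scheme("sub-sliding", derive_sub, dec_sub, True),
)


def xray_at(window: bytes, plain: bytes = XRAY_BYTES) -> Optional[Tuple[str, int, int]]:
    """Try each scheme at one position. A hit requires the key derived from the
    first byte(s) to explain every remaining known byte; that verification is
    what keeps false positives low without ever executing the sample."""
    for s in SCHEMES:
        k0, delta = s.derive(window, plain, s.sliding)
        if s.decrypt(window[: len(plain)], k0, delta) == plain:
            return s.name, k0, delta
    return None


def find_encrypted_stub(data: bytes, plain: bytes = XRAY_BYTES):
    """Slide over the buffer (the signature's retry loop) and return
    (offset, scheme, k0, delta) for the first verified hit, else None."""
    for off in range(len(data) - len(plain) + 1):
        hit = xray_at(data[off : off + len(plain)], plain)
        if hit is not None:
            return (off,) + hit
    return None


def decrypt_body(data: bytes, off: int, scheme: str, k0: int, delta: int, length: int) -> bytes:
    """Once the key is verified, recover the rest of the stub with it."""
    s = next(s for s in SCHEMES if s.name == scheme)
    return s.decrypt(data[off : off + length], k0, delta)


# Constructed sample: arithmetic-progression filler (contains no stub) around a
# stub encrypted with a sliding additive key k_i = 0x3C + 7*i (dec_sub undoes it).
def _encrypt_add_sliding(plain: bytes, k0: int, delta: int) -> bytes:
    return bytes((p + _key_at(k0, delta, i)) & 0xFF for i, p in enumerate(plain))


FILLER = bytes((0x0B + 0x25 * i) & 0xFF for i in range(0x20))
SAMPLE = FILLER + _encrypt_add_sliding(KNOWN_STUB, 0x3C, 0x07) + FILLER

if __name__ == "__main__":
    hit = find_encrypted_stub(SAMPLE)
    print("hit:", hit)  # (32, 'sub-sliding', 60, 7)
    off, name, k0, delta = hit
    print("decrypted stub:", decrypt_body(SAMPLE, off, name, k0, delta, len(KNOWN_STUB)).hex())
    print("unencrypted stub yields the trivial key:", xray_at(XRAY_BYTES))  # ('xor', 0, 0)
```

An unencrypted stub is reported as XOR with key 0, which is why the signature handles the not-encrypted case on a separate branch (CHECK_NOTENCRYPTED_VIRUT) before trying keys. Verification over the remaining known bytes is the important design point: deriving a key from one byte always succeeds, so without the check every offset would look like a hit.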
Life of a Sample
2. FortiGuard Services
1. FortiGuard Cloud File Query #1: a hash of the file is sent to the FortiGuard service and checked against the intelligence database. This is the last chance to detect known malware before sandbox analysis (step 3).
2. FortiGuard URL Rating: during sandbox analysis, all connection attempts to any web URL are checked against the FortiGuard web filtering database.
3. FortiGuard IP Rating: during sandbox analysis, connection attempts to known C2 servers are detected.
4. FortiGuard Cloud File Query #2: all files generated during sandbox analysis are queried against the intelligence database in the same way.
5. FortiGuard File Submission: if the sandbox verdict is suspicious, the entire file is submitted for threat intelligence sharing with the FortiGuard community.
Life of a Sample
3. Sandbox Analysis
1. Execution of the file in an emulated environment; all major Windows and Android releases are supported (Windows XP, 7, 8 and 10 guest images).
2. Anti-evasion techniques.
3. Analysis performed by a sophisticated tracer engine.
4. Complete reporting: network activity is captured, all processes are detailed and listed, all changes are tracked, and logs and original files are available for download.
Diagram: Alert VIRUS
Life of a Sample
4. Rating Engine
1. Clean / Unknown: not detected as suspicious or malicious, or the file could not be processed. It may be re-processed later.
2. Suspicious: Low means the sample is riskware; Medium covers downloaders, adware or grayware; High is usually an infector, a dropper or a hijacker.
3. Malicious: the sample is a virus detected by the extended AV techniques and engines.
Inputs to the rating: static analysis and FortiGuard intelligence.
FortiSandbox Series

FSA-1000D
» VM sandboxing: 160 files/hour
» AV scanning: 6,000 files/hour
» Number of VMs (WinXP, 32-bit): 8
» Interfaces: 6x GE RJ45 ports, 2x GE SFP slots
FSA-3000D
» VM sandboxing: 560 files/hour
» AV scanning: 15,000 files/hour
» Number of VMs (WinXP, 32-bit): 28
» Interfaces: 4x GE RJ45 ports, 2x GE SFP slots, 2x 10GE SFP+ slots
FSA-3000E
» VM sandboxing: 1,120 files/hour
» AV scanning: 15,000 files/hour
» Number of VMs (WinXP, 32-bit): 8 + 48 optional
» Interfaces: 4x GE RJ45 ports, 2x 10GE SFP+ slots
FSA-3500D (chassis: 5 nodes by default, 8 maximum)
» VM sandboxing: 720 files/hour* (upgradable** to 1,200); 160 per node
» AV scanning: 30,000 files/hour* (upgradable** to 48,000); 6,000 per node
» Number of VMs (WinXP, 32-bit): 36* (upgradable** to 60); 8 per node
» Interfaces: 20x GE RJ45 ports, 10x 10GE SFP+ slots (4x GE RJ45 ports, 2x 10GE SFP+ slots per node)
FSA-VM
» VM sandboxing: hardware dependent
» AV scanning: hardware dependent
» Number of VMs (WinXP, 32-bit): 2 to 54 in total
» Interfaces: hardware dependent
* Assumes one blade is used as master in HA-cluster mode.
** By adding 3 more SAM-3500D nodes to the same chassis.
FortiSandbox Series (appliance, VM and cloud)

FSA-1000D: VM sandboxing 160 files/hour; AV scanning 6,000 files/hour; 8 VMs; 6x GE RJ45 ports, 2x GE SFP slots
FSA-3000D: VM sandboxing 560 files/hour; AV scanning 15,000 files/hour; 28 VMs; 4x GE RJ45 ports, 2x GE SFP slots, 2x 10GE SFP+ slots
FSA-VM: VM sandboxing and AV scanning hardware dependent; 4 to 54 VMs; interfaces hardware dependent
FSA-CLOUD: VM sandboxing and AV scanning unrestricted; number of VMs and interfaces not applicable

Scan engines: similar scan engines across all platforms (release dates may vary).

Input methods
» Appliance / VM: FortiGate and FortiMail integration, sniffer mode, manual on-demand file upload, submission API, network file share inspection
» FSA-CLOUD: FortiGate, FortiWeb and FortiMail integration
Status and analysis visibility
» Appliance / VM: full (rating, source, destination, MD5/SHA, observed behaviors, full logs, pcap, etc.) on-box; statistics overview on the FortiGate only
» FSA-CLOUD: FortiGate, FortiWeb, FortiMail; detailed reports on the FortiGate only
Information submission to FortiGuard Labs
» Appliance / VM: configurable
» FSA-CLOUD: all information if rated with risk levels
File quarantine
» Appliance / VM: on-box file quarantine for network file share scanning; FortiMail submits and queues mails with suspicious content
» FSA-CLOUD: none
Protection
» Appliance / VM: manual policy configuration, FortiGuard AV signature update; requires FortiGuard premium service for SLA
» FSA-CLOUD: source quarantine on the FortiGate (v5.2.3+)*
* Roadmap item, subject to change.
FortiGate, FortiMail, FortiWeb, FortiClient
» Block as many threats as possible
» Submit at-risk objects for additional analysis
» Mitigate previously unknown threats
Sandbox for Payload Analysis
» Accept at-risk objects for additional analysis
» Execute objects to assess and rate risk
» Provide intelligence and generate updates for prevention products
Outcome
» Identify more, previously unknown, threats
» Minimize the cost of comprehensive coverage
» Speed and simplify response

Advanced Threat Protection in Action (diagram)
Network products (FortiGate, FortiMail, FortiWeb) and the endpoint (FortiClient) submit objects to FortiSandbox, which applies AV prefilter, cloud file query, code emulation, full sandbox and callback detection.
FortiWeb
Protecting Web-Based Applications

Web Application Security Trends
» Web application vulnerabilities are a top source of breaches
» IPS alone cannot protect against zero-day threats
» PCI compliance is needed to accept/process credit cards, and non-compliance is a growing concern
» Strong awareness and a top-5 investment priority with CIOs
» 11.6% of web sites use HTTP/2
» $1.5B+ market size with a CAGR of 6% expected through 2020 [3]
» 100% increase in published critical vulnerabilities exploited within 1 year [1]
» 40% of data breaches caused by application vulnerabilities [1]
Notes/Sources:
1. Verizon 2016 Data Breach Report.
2. Gartner Magic Quadrant for Web Application Firewalls 2016.
3. IDC Research WAF market size and growth estimates for 2016 to 2020; includes hardware and hosted WAF services.