www.fortinet.com
ADVANCED DETECTION TECHNOLOGY 2
Contents:
OVERVIEW PAGE 3
Many hackers are now monitoring the patch release notifications from software manufacturers and simply reverse engineer the patches to find the vulnerabilities. Figure 1 illustrates the number of days it took to exploit a known vulnerability from the time a patch was available. Notice how the time has dramatically decreased with the most recent attacks.
Not only do IT and security professionals have to worry about known information security threats, but now they also have to concentrate on how to prevent new and unanticipated threats known as "zero-hour" or "day-zero" attacks. To combat these newer threats, security technology has been evolving to include deep-packet inspection firewalls, application firewalls, content filtering, anti-spam, SSL VPN, network-based antivirus, and intrusion prevention systems (IPS). But as hackers' motives shift away from notoriety to financial gain, we are seeing much more creative attacks being developed to bypass traditional security devices, and social engineering is now a big part of modern attacks.
Figure 1: Gartner's Vulnerability and Patch Timeline
Attacks that target new vulnerabilities are being created much faster than in the past. The amount of social engineering used in the latest generation of attacks has also increased significantly. Attackers are now designing their attacks to imitate legitimate applications and email messages to fool users into executing them. Phishing attacks that claim to be from legitimate organizations are fooling thousands of innocent victims into giving out their financial and personal information. Adware, malicious Web sites, Web redirectors, and other forms of spyware are secretly installing tracking mechanisms, key loggers, file sweepers, and other forms of malicious software onto users' hosts without their knowledge. Attacks using email as a delivery mechanism are now one of the most popular attack methods. Viruses that are designed to use the personal address book of an email client to spread or further spam other users have become the norm of modern attacks.
Figure 2: CSO's SecuritySensor VIII Study shows that nearly 60% of all respondents reported spyware incidents during Q4 2004.
As the level and intensity of attacks and threats increase, IT professionals must understand the new threats and either add new detection and security devices or re-architect their network resources to make themselves less vulnerable. For many years, companies have relied on stateful firewalls, intrusion detection systems, host-based antivirus, and anti-spam solutions to keep their corporate users and resources safe. But the landscape is quickly changing, and the effectiveness of these traditional single-purpose point security devices is no longer proving adequate. In order to detect the newest attacks, security devices will have to adopt multiple security functions.
Figure 4: Average "survival time" that SANS.ORG uses to track the time between attacks - the average time is 18 minutes between reported attacks.
The problem with traditional stateful firewalls is that hackers have developed many ways to bypass firewall policies. Some of the methods used to bypass traditional stateful firewalls include:
• Reconnaissance using port scanners can reveal the open ports that a firewall supports.
Figure 5: Number of sites that are targeted with attacks using well-known ports (port 80)
• Mirroring or redirecting traffic from multiple Gigabit ports can easily overrun IDS systems, causing them to drop packets and miss attacks.
• IDS systems can generate false positives and require continuous monitoring and fine tuning to be effective - a high maintenance overhead. Many IT professionals do not have the time to review IDS log entries, and suspicious traffic often goes unnoticed.
• Reactive IDS systems that are combined with firewalls are still too slow against fast-spreading network-based worms.
To overcome the IDS shortfalls, some security vendors are converting their reactive IDS technology to proactive Intrusion Prevention Systems (IPS). IPS systems sit in-line with network traffic and have the ability to proactively drop or reset suspicious and dangerous attack traffic, in addition to protocol anomaly attacks such as SYN floods, ICMP attacks, and so forth.
Host-based antivirus software is the most widely deployed security application - even more so than perimeter firewalls. Host-based antivirus software became popular in the mid-1980s when file-based viruses first became prevalent, and it has grown to become one of the most trusted security applications used today. But relying on host-based security has its shortcomings too. Some of the drawbacks of host-based security applications include:
• High maintenance overhead required to install, maintain, and keep the attack signatures up-to-date.
• Many users do not enable automatic updating or perform regular manual updates of antivirus signature files, in effect rendering the antivirus software useless against the latest threats and attacks.
• Users can accidentally or intentionally turn off host-based security applications.
• The latest sophisticated Trojans are scanning for popular host-based antivirus systems and shutting them down before loading - making them virtually undetectable even with the latest antivirus signature files.
Companies that solely rely on host-based antivirus software and patch management for application and OS defenses are exposing their internal systems to much higher risk. With more mission-critical systems being used to conduct business on a continuous and global basis, getting downtime to update operating system patches, virus signatures, and application upgrades is becoming more difficult to do. All of this means corporate Web servers, email servers, ecommerce servers, database servers, and application servers are left unpatched for longer periods of time, making them vulnerable to new attacks. Another disadvantage of only relying on host-based security is the fact that malicious code is permitted to enter the corporate network before being detected and blocked by each individual host's security defenses - greatly jeopardizing critical business systems and network applications.
The solution will be different for each company, and IT professionals must fully analyze and understand their security needs and what it is they're trying to protect through their efforts. A complete and effective security solution will not only include the latest security technologies but also account for the budgetary, social, and cultural aspects of the company.
Mobile devices are more susceptible to viruses, Trojans, and worms when they are away from the office. As mobile users connect back to the corporate network, infections and attacks installed on the mobile devices can spread to the corporate network - infecting other systems that were once normally protected by the corporate security defenses. To defend against this, IT professionals must redesign their networks and provide more security zoning around critical departments, server farms, and mission-critical applications, in effect creating islands of secure resources to regulate access and contain outbreaks. Common tools for security zoning include Access Control Lists (ACLs), firewalls, and authentication technologies.
As network security becomes more important for both consumers and businesses alike, IDC predicts that UTM security devices will outpace traditional firewall and VPN security devices over the next few years.
As threats become more creative and stealthy in nature, the ability to quickly identify and detect attacks before they enter the trusted network becomes critical. In order to provide security against the latest threats, Fortinet created several new security algorithms and detection techniques: Complete Content Inspection, Dynamic Threat Prevention System, Heuristic Scanning, and Anomaly Detection.
technology.
tion formatting.
• File contents are reassembled completely and fully inspected from beginning to end.
• AV signatures accelerated by Fortinet's CPRL and FortiASIC technologies are used for quick
If a signature match is not found and the Heuristic Scanning and Anomaly Detection Engines are enabled, the session traffic will be further scrutinized and
Fortinet's File Analysis module is used to identify the file type that is associated with the HTTP, FTP, POP3, SMTP, or IMAP data stream. Based on the file type identified, the AV engine will employ other scanning techniques developed specifically for the file type. Examples include Microsoft Office files, macros, executable binary files, and compressed files.
The Worm Inspection module performs several checks against the file stream. Static Worm inspection is performed against the file type and file characteristics (such as size, CRC, etc.) to quickly identify well-known worms through signature matching technology. If a positive match is found, the session is blocked and a notification is sent.
The File Type Analysis module performs specific scanning routines against the file's known file type. For example, compressed files are uncompressed and examined, Microsoft Word files are passed through the MS Word inspection engine, and binary executables are passed through the binary inspection engine. Each of the File Type inspection engines will use specific rules and policies for detecting known threats related to the file type it's designed to inspect.
The Signature Inspection module is used to scan for known threats. This module employs Fortinet's Compact Pattern Recognition Language (CPRL) and the FortiASIC hardware to scan the file stream with thousands of known signatures - detecting known threats at incredible speeds with the advantage of hardware acceleration. For hard-to-detect polymorphic viruses, additional scanning routines are employed with the Signature Inspection module.
By coordinating all scanning and detection functions with the Dynamic Threat Prevention System, customers are assured of the highest possible detection rates against both known and unknown threats and attacks.
The Stateful Inspection Engine is designed to track all communication layers for every session traversing Fortinet's security platform - for both stateful connection-based and connectionless protocols. Cumulative state and session information is collected and used to ensure that all subsequent packets for each session are being sent and received properly.
The Content Reassembly module reassembles all packets to ensure that packets belonging to each session are arriving in the correct order. This helps to remove overlapped fragments, duplicate fragments, packets with invalid sizes, and packets with invalid offsets - eliminating many sophisticated attacks that rely on fragmentation, illegal offsets, fragroute evasion, and so forth.
The Communication Protocol Inspection engine ensures that the protocols are indeed valid - TCP, UDP, ICMP, etc. All protocol headers are inspected for irregularities against the protocol's legal syntax and semantics. Packets with malformed protocol information are identified and blocked.
The Application Protocol Inspection engine ensures that the application's header is compliant according to the application's legal syntax and semantics. The header values are validated and overflows are prevented. Legal applications such as Telnet, FTP, HTTP, SMTP, POP3, etc. are inspected for compliance, while malicious applications such as BackOrifice, SubSeven, TFN2k, etc. are identified and blocked proactively before they can cause damage to the network.
The Content Inspection module analyzes the application payload and searches for both known and unknown malicious content. Using a sophisticated rating system and past session activity patterns, the Content Inspection module performs deep-packet analysis on every session flow and distinguishes between application content types to maximize detection capabilities.
The Activity Inspection module takes anomaly detection to a new level. By correlating session information in both directions, data information, channel information, control information, active sessions, and zombie session information are gathered and analyzed over time. As traffic information accumulates, the system develops knowledge of normal traffic patterns. When malicious and abnormal traffic flows traverse Fortinet's security platform, they are quickly identified and blocked.
The Dynamic Threat Prevention System correlates the inspection process and helps detect a wide range of known and unknown "zero hour" attacks. By
Detecting and blocking known and unknown threats quickly and proactively at the perimeter and other critical network chokepoints is critical to the security of any network. Fortinet's advanced threat prevention system uses advanced detection technology to perform activity inspection, full content reassembly, deep-packet inspection, and packet-by-packet filtering - combining signature-based detection with advanced heuristic and anomaly detection methods.
To ensure that all Fortinet security platforms are updated with the latest antivirus & attack signatures, heuristic scanning routines, and anomaly detection engines, customers can program their Fortinet security devices to automatically update themselves from Fortinet's FortiProtect Network. With over 10 secure and fault tolerant data centers around the world, updates are quickly sent or pulled from the FortiProtect Network as new signatures and updates become available - usually within 5 minutes of the update being posted on the FortiProtect Network.
For a complete list of awards and product recognition, please visit Fortinet's web site: www.fortinet.com
Selecting the right security device to protect your mission critical assets can be a difficult task. To experience the "next generation" security platform, below you will find info on how to contact a Fortinet representative.
SALES
Please contact us at sales@fortinet.com
or phone toll-free in the U.S. (866) 868-3678 or +1(408) 235-7700.
POTENTIAL PARTNERS
Please contact us at partners@fortinet.com or visit us at www.fortinet.com.