WatchGuard Brings Advanced Persistent Threat Protection (APT) to the Masses

Seattle-based WatchGuard Technologies has deployed a new operating system for its family of security appliances and Next Generation Firewalls (NGFW). Fireware OS 11.9 incorporates advanced security technologies, such as an APT (Advanced Persistent Threat) protection service, as well as improved application security controls. It works across the company’s complete family of appliances and also offers significant improvements to management controls, policy configuration and multi-appliance deployment, making WatchGuard’s UTM (Unified Threat Management) and NGFW solution one of the most secure and easiest-to-deploy offerings in the market.

The increasing importance of APT protection

The explosive growth of APTs (Advanced Persistent Threats) confounds many organizations simply because APTs are only detected after damage is done. One of the latest enterprises to learn how damaging an APT can be is retail giant Target, which experienced the theft of around 40 million credit and debit card numbers and 70 million customer records. More than half a year after the breach came to light, Target continues to suffer from the fallout. Target’s CEO has resigned, and shareholder advisory group ISS opposes the re-election of over half of Target’s board members. Clearly, APTs can cause serious damage.

Truth be told, APT-style attacks are not all that new . The fabled stuxnet attack, which crippled Iran’s nuclear program back in 2007, used elements of targeting, persistence, stealth and orchestration typical to an APT-style attack.

But APTs have evolved and expanded beyond the realms of international espionage into the criminal world. The compromise of corporate systems can lead to substantial financial gains by nefarious organizations seeking to profit from fraud and corporate espionage. WatchGuard aims to take the bite out of those attacks (and many others) with the enhancements made to the company’s Fireware OS.

A closer look at Fireware OS 11.9

When I last reviewed WatchGuard’s UTM Appliances, I came away impressed with their capabilities and with the robustness of the Fireware OS. In brief, I found the company’s Dimension analytics platform an excellent tool for managing, analyzing and reporting on IP traffic flowing through WatchGuard-protected connections. I also found the native UTM (Unified Threat Management) tools comprehensive, easy to deploy, and, more importantly, easy to manage, all thanks to the well thought-out Firewaire 11.8 operating system.

Nevertheless, Fireware OS version 11.9 brings much-needed enhancements. That list of improvements numbers in the dozens and ranges from minor improvements to significant new features. While all of the enhancements are welcome, the most impressive change comes in the form of APT Blocker, a hybrid service that leverages cloud technology to identify and contain APT attacks.

WatchGuard Fireware OS 11.9 APT Blocker options

WatchGuard Fireware OS 11.9 APT Blocker options

WatchGuard Fireware OS 11.9 APT Blocker settings

WatchGuard Fireware OS 11.9 APT Blocker settings

APT Blocker’s primary functionality is provided by WatchGuard’s partnership with Redwood City, CA-based Lastline, which provides cloud-based emulated systems used to identify APT threats. Lastline runs multiple data centers that provide a cloud-based presence to their advanced malware and APT detection platform. That platform, which consists of emulated Windows and Android systems, is used to identify files that may house APT threats. Lastline accomplishes that by actively running an OS and the suspicious files in a sandboxed environment. In other words, an emulated system pretends to be an active user and accesses the suspicious file content.

Thoroughly testing files requires an emulated environment because unlike a virtual environment, an emulated environment emulates a CPU, allowing any and all calls to the CPU to be validated. In a digital sandbox run using a virtualized environment that relies on a hypervisor, software calls to the CPU may be missed, allowing potential malware to escape detection.

Lastline claims that files can be tested and validated in a few seconds, adding minimal latency to the scanning process. What’s more, if a threat is detected in a file, the threat information is hashed and passed down to the WatchGuard appliance, meaning that future access to the file can be blocked without having to run it through the sandbox again.

Lastline’s service is critical when it comes to detecting APT malware, and WatchGuard was wise to deploy the technology in the cloud. Doing so means that no additional load is placed on the WatchGuard Appliance, since all sandbox processing takes place in a remote data center. Sites with even thousands of users will not tax local security appliances, regardless of the amount of APT activity they encounter.

While APT detection (and prevention) is a significant addition to WatchGuard’s family of security appliances, the security enhancements to Fireware OS 11.9 do not end there.

WatchGuard has also enhanced many of the product’s policy and rule settings, giving more comprehensive and granular control to administrators seeking to better understand and control their secured environments. For example, WatchGuard has added custom rules for DLP (Data Loss Prevention), which allows administrators to set up granular controls over data moving across IT resources.

WatchGuard Fireware OS 11.9 Dashboard front panel

WatchGuard Fireware OS 11.9 Dashboard front panel

Other improvements include enhanced traffic management, where new monitoring offers have been added and the interface vastly simplified, making traffic management much easier to administer, monitor and report on.

WatchGuard Fireware OS 11.9 Dashboard subscriptions

WatchGuard Fireware OS 11.9 Dashboard subscriptions

A new gateway wireless controller and wireless AP system adds capabilities such as channel conflict mapping, improved device management, and enhanced monitoring. Administrators will find it much easier to deploy wireless access points, reduce interference between those units, and validate speeds, usage and throughput in real time. To accomplish those advancements in the AP controller, WatchGuard hardware now treats APs as independent interfaces, easing policy definition and control to groups of access points.

Other improvements worth mentioning include IPSec VPN capabilities, which incorporate Diffie-Hellman groups 14,15,19, and 20 for improved encryption and compatibility. The VPN engine now supports the ability to remotely enable and disable branch office VPN, giving administrators the ability to encrypt only what is important while offering faster connectivity speeds for traffic that requires less security.

Other encryption enhancements include improvements to the Mobile VPN with SSL feature set, which now offers automatic reconnect, LAN Bridge enforcement (for Bridged VPN traffic) and an improved end user interface which now offers domain lists to ease logon.

Administrators will also appreciate other authentication enhancements, such as the ability to lock out user access to hotspots, authentication server timeouts, and role-based device management, which gives administrators granular control over who can do what when managing the security environment and individual devices.

All of the above features tie into improved logging functionality, which records more information and integrates with SIEM (Security Incident Event Management) systems and provides ample information for access auditing to support compliance initiatives.

While APT protection and digital sandboxing may be the big news around WatchGuard’s latest offering, the company has also made many strides in other areas, making its appliances worthwhile for consideration for small and medium enterprises looking to get the most out of security appliances that incorporate UTM (Unified Threat Management), as well as Next Generation Firewall solutions.

Header photo courtesy of Shutterstock.

Latest Articles

Follow Us On Social Media

Explore More