Tijdens ons security event van 9 juni vertelde WatchGuard hoe we ons het best kunnen wapenen tegen de aanvallen van morgen.

1. Een dag in het leven van
‘de gebruiker’
Martijn Nielen
Sr. Sales Engineer

2. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
About WatchGuard – Who We Are
2
A WatchGuard FireBox
is deployed every
4 minutes
around the world
WatchGuard
Appliances conduct
more than
1 BILLION
security scans
every hour
WatchGuard
prevented
22+
BILLION
attacks against our
customers in
2015
WatchGuard has
saved customers
more than
16 years
of labor with
RapidDeploy
Founded in 1996
Headquarters: Seattle, WA
4 operations centers and direct
presence in 15 countries
470+ employees
100+ distributors and
9,000+ active VARs globally
Mission: To bring widely-deployable, enterprise-grade
security to small-to-medium sized organizations and
distributed enterprises.

3. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
The Value of UTM
3
URL
Filtering
Application
Control
Data Loss
Prevention
(DLP)
Advanced
Malware
Protection
Gateway
AntiVirus
Packet
Filtering
SPAM
Protection
Intrusion
Prevention
Services (IPS)
Firewall
Unified Threat Management (UTM) solutions combine a variety of must-have
network security solutions into one easy to deploy and manage solution.
Fewer appliances. Configure Once. Manage Centrally.

4. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
The Value of UTM
4
Unified Threat Management (UTM) solutions combine a variety of must-have
network security solutions into one easy to deploy and manage solution.
URL
Filtering
Application
Control
Data Loss
Prevention
(DLP)
Advanced
Malware
Protection
Gateway
AntiVirus
Packet
Filtering
SPAM
Protection
Intrusion
Prevention
Services (IPS)
Firewall
Centralized Management. Complete Network Visibility.

5. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
Firebox® T30 & T50:
Small offices, branch offices
and wireless hotspots
Firebox® M200 & M300:
Small and Mid-sized
businesses
WatchGuard’s Suite of UTM & NGFW Solutions
M5600: Large enterprises
and corporate data centers
Virtual Firewall
Four virtual software license versions
with full UTM features
Software Scalability:
Single version of WatchGuard Fireware® OS
runs on all solutions, including virtual
M4600:
Large distributed enterprises
The strongest UTM performance at all prices points – delivering a
solution for organizations of all sizes.
Firebox® T10:
Small office/home office and
small retail environments
Firebox® M440:
Multi port option
Firebox ® M400 & M500:
Mid-sized businesses and
distributed enterprises
Instant Visibility:
WatchGuard’s award-winning threat visibility platform,
Dimension, comes standard on every appliance.
Scalable Wi-Fi:
WatchGuard tabletop appliances offer build-in Wi-Fi
capabilities, however, every WatchGuard appliance
has a built-in wireless gateway controller – making Wi-Fi
expansion and centralized management a breeze.
Centralized Management:
Every appliance comes with built-in features
to expedite deployment and simplify ongoing
network and appliance management. .

6. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
WatchGuard Benelux
Benelux kantoor in Den Haag – Nederland.
Account Manager: Laura van Heeren
Laura.vanHeeren@watchguard.com

8. lllllll

9. Launch Internet Explorer Browser
Finds and displays information and Web sites on the Internet

10. https://www.penthouse.com

11. https://www.penthouse.comwww.bing.com
What the administrator sees:

12. boobs
www.bing.com

13. www.bing.com

14. www.bing.comwww.cricinfo.com
Administrator can enforce Safe Search:

15. www.cricinfo.comwww.facebook.comwww.cricinfo.com
Time-Based Policy
and App Control

16. www.facebook.com

17. www.facebook.com

18. www.facebook.com

19. www.facebook.com

20. www.facebook.comwww.cisco.com
What the administrator sees:

21. www.cisco.com

22. http://www.cisco.com/web/about/ac40/about_cisco_careers_home.htmlwww.patrol4x4.com
WebBlocker looks at the whole URL, not just the domain portion

23. www.patrol4x4.comwww.gmail.com

25. Bij ons zit alles in cloud?
Hoe garandeer voorrang performance bedrijfskritische
applicaties ?

26. Voorrang belangrijke applicaties
Beperking onbelangrijke sites
Deep Inspection onzekere sites

27. What the administrator sees:
Skype alleen nog via WiFi ?

29. What the administrator sees:

31. http://www.youtube.com/watch?v=X_RmQSXQ9PE
Safe Search enforced for YouTube too.

32. Oh no! The user clicked on a link in a spam email…

34. http://11.lamarianella.info/bigpond.aspx
Reputation Enabled Defense – feeds from AVG, Kaspersky, Malware Domain
List and PhishTank

35. Botnet Detection
 A botnet comprises a large number of malware-infected
client computers that are controlled by a remote server
to perform malicious acts
– Denial-of-service attacks
– Sending spam and viruses
– Stealing private data from clients
 Botnets are now finding other paths to control infected
botnet clients using non-traditional network ports, social
networks, and PTP networks
40

36. Reputation Enabled Defense – Botnets
41
• New IP reputation feed
• Botnet Command & Control

37. Botnet Detection
 The new Botnet Detection Subscription Service uses a
feed of known botnet site IP addresses from Kaspersky
and adds these addresses to the Blocked Sites List
– Note: The Botnet Sites list is too large to display in the Blocked
Sites List
 Enables your Firebox to block botnet activity at the
packet filter level
 Botnet Detection is enabled with the RED feature key
available e.g. with Security Suite
42

38. Botnet Detection — Configuration
 Botnet Detection is enabled by default
 You can create exceptions to the Botnet Detection Sites
list
43

39. Data Lek Preventie
• Preventie lekken belangrijke documenten
• Bedrijfsschade
• Concurrentiepositie
• Reputatieschade
• Aansprakelijkheden
• Wetgeving

40. Wat zegt Nederlandse wetgeving?
• Niet meer gegevens gebruiken dan nodig is
• Bewaar de data niet langer dan noodzakelijk of toegestaan (retentieperiode)
• Toegang tot gegevens beperken
• Bewaar data alleen binnen EU of land met passend beschermingsniveau
• Moderne beveiligingstechnieken gebruiken
• Zorgen voor monitoring via logging gegevens
• Meld het datalek
Europese wetgeving aanvaard op 14 april 2016, introductie nu in voorbereiding
Bron: https://cbpweb.nl/nl/over-privacy/persoonsgegevens/beveiliging-van-persoonsgegevens

41. Moderne beveiligingstechniek gebruiken
De organisatie moet uw persoonsgegevens beveiligen in overeenstemming
met de stand van de techniek.
Dit houdt in dat de organisatie geen verouderde techniek gebruikt om uw
gegevens te beveiligen.
Hierdoor krijgen bijvoorbeeld hackers geen of weinig kans om zich toegang te
verschaffen tot uw persoonsgegevens.

42. WatchGuard Data Lek Preventie
Over 200 predefined rules for sensitive and personally identifiable information,
including Government ID numbers (e.g. SSN); bank account numbers; health care
records; confidential document markers;
• Predefined sensors for PCI and HIPAA Compliance mandates
• Personal Identifiable Data (PII) detection

43. Detectie van landspecifieke kenmerken
Personal Identifiable Data (PII) detection including
Netherlands, Belgium and other European specific
identifiers
48
The Netherlands
Belgium
Global and European specific (e.g. IBAN)

44. Ad Blocking

45. Cryptolocker & het gevecht tegen
IT’s grootste nieuwe vijand
Martijn Nielen
Sr. Sales Engineer WatchGuard

46. Houston, we have a problem!
• « My antivirus and IPS are updated but I got infected anyway »

47. First reason: « Zero Day »
• The vulnerabilty is still unkown
• Or the fix is still not available

48. Second reason: Technology changes, including hackers…
• “Antivirus is Dead” Brian Dye Senior VP of Symantec

49. *Malwise - An Effective and Efficient Classification System for
Packed and Polymorphic Malware, Deakin University, Victoria, June
2013
Nearly 88% of malware morphs to
evade signature-based antivirus
solutions*
Antivirus can’t keep up

50. AV Vendor Review
57
http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up
• Average of 2 days for at least one AV scanner to detect what was not
detected on day 0
• Detection rates increase to 61% after two weeks
• After a year 10% of scanners still do not detect some malware
• The 1-perecentile of malware least likely to be detected was undetected by
a majority of AV scanners for Months
• In some cases the malware was never detected

51. Advanced Persistent Threat (APT)
• Nation-State techniques now used for financial gain
• Antivirus can’t keep up. New malware has been created as a variant of
existing malware to avoid detection by classic techniques
58

52. 59
Evolution of APTs
Today, normal criminal malware exploits the
same advanced tactics as nation-state APTs.
Every organization is at risk of advanced
threats!
Zeus copies Stuxnet 0day
Criminals use 0day malware (Cryptolocker)
Zeus uses stolen certificates
Criminal spear phishing
Criminal watering hole attacks

53. 60
« Cryptolockers »
APT or not APT…

54. 61

55. 63

56. Simple Threats
OpportunisticAttacks
APT
Solutions
Antivirus
Solutions
TargetedAttacks
Packing
Sophisticated Threats
Plain
Virus
Poly-
morphic
C&C
Fluxing
Persistent
Threats
Evasive
Threats
Malware (r)evolution

57. AV OS / ApplicationSandBox
Malware And
Virus Detection
Zero Day Threat Curve

58. Sandbox
OS – XP /Win 7
Hypervisor
Server
Process
Emulation
XP /Win 7
Functions
XP /Win 7
Functions
XP /Win 7
Functions
XP /Win 7
Functions
CPU Memory
Server
System
Emulation
OS – XP /Win 7
CPU / Memory
Server
High Fidelity
Low Visibility
Low Fidelity
High Visibility
High Fidelity
High Visibility
Advanced Malware Analysis
1st
2nd 3rd

59. APT Blocker with Code Emulation
• Evasion detection is critical
67

60. Stalling
Looping
Malware?
Exploit
Key logger C&C Network Traffic
Inaction
• Malware Checks the Environment
• Multi-Path execution
• Next step based on results
• Stalling / Looping
• Wait long enough for analysis to time out
Malware Checks the Environment Stalling / Looping
Multi-Path execution Wait long enough for analysis to time out
Next step based on results
Dynamic evasions

61. AntiVirus
URL
Filtering
AntiSpam
IPS
App Control
Data Loss
Prevention
APT
Platform
WatchGuard
Management
WatchGuard Best of Breed Defense in Depth

62. Lastline recommended by NSS: 2015 BDS Security Value Map
73

63. Unified Threat Management Platform
Security Eco System
74
Default Threat Protection
Proxy – Web, Email, FTP
Application Control / IPS
Webblocker / RED / SpamBlocker
AV - Malware APTBlocker

64. 75
APT Blocker: Configuration

65. APTBlocker
Local
Cache
Remote
“Cache”
File
inspection
APT Blocker

66. Did you get Locky ?
http://watchguardsecuritycenter.com
Once I verified that many of our UTM’s security services could detect Locky, I ran through one last
test… I personally tried to download the malicious file “Rechnung-263-0779.xls” from my webmail.
I’ve configured my WatchGuard Firebox with HTTPS Deep Inspection. This feature allows
WatchGuard’s security services, such as GAV and Intrusion Prevention Service (IPS), to run security
scans even on encrypted web traffic, like the webmail I was using to download this ransomware.
Despite the encrypted webmail connection, our Firebox detected and blocked the Locky invoice file
with the GAV service. It was unable to reach my workstation.
As you can see, WatchGuard XTM and Firebox appliances have several features that can help
prevent ransomware like Locky. However, these protections only work if you turn them on and
configure them properly. If you want to keep Locky off your network , I highly recommend you read the
Knowledgebase Article “How to prevent ransomware and other malicious malware with your
Firebox” — Jonas Spieckermann
You need to enable HTTPS DPI on your Firebox!
84

67. An APT solution should
• not be dependent on (AV) signatures
• not depend on traditional sandbox technology
• detect evasions
• take prompt actions in real-time
85

68. True APT’s – even obvious from the Dutch file-names
• Advanced: trigger interest
• Targeted e.g. containing the
name of the organization
• Threats: True APT’s
• Watering holes –
“Eucharistieviering”, Dutch
• Chain-of-Trust: by using
‘religious activities’ and social
engineering based factors
• Non-profit organizations
targeted
88

69. 90

70. WatchGuard Dimension
demo
93

71. Copyright ©2016 WatchGuard Technologies, Inc. All Rights Reserved
WatchGuard Update
Martijn Nielen – Sr. Sales Engineer
WatchGuard Technologies

72. Fireware 11.11 introduction
 New Features and Enhancements
– Network Visibility
– Mobile Security
– Botnet Detection
– Explicit Proxy
– Allowed Google Apps domains
– Multiple Hotspot Portals
– RADIUS Single Sign-On
– BOVPN virtual interface interoperability
And much more…
95

73. What’s New in Dimension v2.1
 Subscription Services
 Policy Usage report
 Admin auditing on report generation
 Anonymized Mode for reports
 Administration with RADIUS users
97

74. Network Visibility
98
• Know what’s on
your network
• OS Type
• Open Ports
• Integrate with
firewall visibility

75. Network Visibility — Scan Details
 Several scan stages to
determine host details
– Quick Host Discover
– TCP and OS
– UDP and Service
Version
 UDP and Service
Version scan stage
takes the longest time
 A full scan for a
x.x.x.x/24 network with
100 active hosts can
take several hours
101

76. Network Visibility — View Devices
 From the Network Map tab, you can:
– Select a device
– View the address in FireWatch or Traffic Monitor
– Remember Device — Add descriptive details for the Firebox and
save the description in the map configuration
103

77. Network Visibility — Device List
 Select System Status > Network Visibility > Device
List tab
104

78. Extend firewall security to mobile devices
Mobile Security
105

79. Mobile Network Access
106
• Set policy by device type
• Enforce OS level
• Limit access to clean
devices
• No Malware
• No Jailbroken devices
• No Rooted devices
• Approved download
sources
• License required

80. 4. The Firebox allows traffic from compliant devices
Mobile Security Overview
107
1. Enable and configure Mobile Security
3. The user runs the FireClient app to
check compliance
2. The Android or iOS device
connects to the network
The Firebox drops traffic from mobile devices that are not
compliant
FireClient

81. Mobile Security — Device Compliance
 FireClient downloads the device-specific compliance
settings to use as criteria for mobile device compliance
– Android and iOS devices have different available settings
108
Reconnection
settings
Settings for
Android or iOS
devices

82. Allowed Google Apps
Domains
120

83. Allowed Google Apps Domains
 Inserts
X-GoogApps-Allowed-
Domains HTTP header
followed by a domain
name list into all
requests for
*.google.com
 Google services that
do not require
authentication, such as
Google Search or
YouTube, cannot be
blocked
121

84. Configure different hotspot portals for different Firebox
interfaces
Multiple Hotspots
122

85. Guest Services – what it is
 Enables hotels, restaurants, and shops to
provide wireless access to their customers
– Custom hotspot splash pages
– Company logos and styles
– Custom Terms and Conditions
 Flexible Account Options
– Configurable time limits
– Batch generated guest usernames and passwords
– Password only (voucher) option
 Guest Administrator Role (ideal for Hotel
Manager or Receptionist)
– Non IT staff can generate accounts
– Printed vouchers with Guest Account details
(customizable)
Temporary User Accounts

86. Guest Services Admin WEB portal
124

87. Printed Voucher Example
125

88. Guest Services Example
126
www.guesthotspot.com

89. Hotspots & client certificates
 Authentication now done over HTTP
 Guest users don’t require Firebox certificates
 HTTPS authentication optionally via External Guest
Authentication
Removed HTTPS certificate dependency
127

90. Multiple Hotspots Overview
 You can now configure multiple hotspots
 You can enable each hotspot for one or more interfaces
– Interfaces can be physical or virtual (VLAN, bridge, link
aggregation, wireless)
 Each hotspot can use a different authentication type
– Connect without credentials
– Require users to authenticate with generated credentials
(user name and passphrase or passphrase only)
 External Guest Authentication
– There is still only one external guest hotspot
– You can now enable it for multiple interfaces
128

91. 129
3rd Party Captive Portal:
 Turn hotspots into marketing tools
 Uses WatchGuard’s external hotspot API
 Cloud hosted, fully customizable captive
portal
– SMS, Email, Token (thermal printer)
– Facebook Login: Coming soon
– Add advertisements and offers with the
web page editor using pictures and text
– Form fields can easily be added &
removed for additional data collection
Contact:
http://guestair.net
Email: guestair@guestair.net
Phone: +354 519 0300

92. Single Sign-On with RADIUS
RADIUS SSO
130

93. RADIUS SSO — Overview
 RADIUS SSO (RSSO) enables single sign-on for users
who have already authenticated to a RADIUS server with
802.1x authentication
– Targeted primarily at wireless users
• Many universities and large schools have existing wireless networks
that use RADIUS for user authentication
– Can also work for a wired network
• Switch must have 802.1x enabled and must be used for NAC
(network access control) with the RADIUS server
131

94. RADIUS SSO — Overview
– Requirement for RSSO
• The wireless access point (AP), switch, or access controller (AC)
that users connect to must support 802.1x authentication and
RADIUS accounting
• The AP or AC switch must send RADIUS accounting messages that
include the user’s IP address to the RADIUS server
132

95. RSSO — How it Works
1. Client authenticates to the AP with WPA/WPA2
Enterprise
2. AP interacts with RADIUS server to authenticate the
user
3. AP sends RADIUS accounting messages with user
name and IP address through RADIUS proxy server to
the Firebox
4. Firebox creates a firewall session for the authenticated
user
133

96. Dimension Threat Visibility
139

97. Dimension 2.1
 Subscription Services Dashboard
 Policy Usage report
 Admin auditing on report generation
 Anonymized Mode for reports
 Administration with RADIUS users
140

98. Policy Usage report
Get more detail on Policy Usage information for a managed device
over a specified time range.
142
• Gain awareness of which policies
are most active.
• Learn which policies are least used.

99. Anonymized Mode for reports
143
Meet key privacy requirements for many European countries
• New Anonymization Officer role.
• Each session has a unique, randomized
key.

100. 144
IaaS
SaaS
Cloud
Solutions
Customer environments are changing

101. 145
It will cover more cloud support including IKEv2, AWS & Azure
amongst many others.
WatchGuard Confidential.
Roadmap ahead

102. 146
Het HawkEye G-platform van Hexis maakt dreigingen zichtbaar en
geeft organisaties de tools om snel en effectief op
cyberincidenten te reageren.
Dankzij passieve en actieve heuristiek voor het opsporen van
onbekende dreigingen en een verfijnd scoremodel biedt HawkEye G
ongeëvenaarde zichtbaarheid van het netwerk en is daarmee het meest
geavanceerde response- en detectieproduct op de markt.
Overname beveiligingstechnologie HawkEye G

103. 147
New Secure Wireless solution
Veel nieuwe security features
Keuze tussen on-premise en cloud controller
Nieuwe authenticatie methodes
Veelzijdige beheerscontrole mogleijkheden
Traceren van bezoekers, b.v. gedrag in winkels
Etc. etc. etc.

104. Thank You