Security – Network Interview (https://networkinterview.com): Online Networking Interview Preparations. Feed last updated Mon, 16 Jun 2025 16:11:05 +0000.

FortiAnalyzer vs Panorama: Detailed Comparison
https://networkinterview.com/fortianalyzer-vs-panorama/
Mon, 16 Jun 2025 07:04:35 +0000

Centralized management and analysis of network devices is one of the vital requirements of enterprise networks. Monitoring each network component individually in a large network brings a lot of overhead in terms of skills, resources and expertise, and is not a viable approach where devices number in the hundreds or thousands. Centralized management reduces complexity by simplifying the configuration, deployment and management of network security products.

Today we look in more detail at the comparison of FortiAnalyzer vs Panorama, to understand their purpose, capabilities and key differences.

What is FortiAnalyzer?

FortiAnalyzer is a centralized network security management solution with logging and reporting capabilities for Fortinet devices in the Security Fabric. It performs functions such as viewing and filtering individual event logs, generating security reports, managing event logs, alerting on suspicious behaviour, and supporting investigation through its drill-down feature.


FortiAnalyzer can orchestrate security tools, people and processes for streamlined execution, incident analysis and response. It can automate workflows and trigger actions with playbooks, connectors and event handlers, giving real-time response to network security attacks, vulnerabilities and indications of suspected compromise.

What is Panorama?

Palo Alto Panorama is a centralized management platform that gives insight into network-wide traffic logs and threats. It reduces complexity by simplifying the configuration, management and deployment of Palo Alto network security devices. Panorama provides a graphical summary of the applications on the network, their users, and the potential security impact.


You can deploy enterprise-wide policies alongside local policies for flexibility. Appropriate levels of administrative control can be delegated at the network device level, and role-based access management is available. Central analysis of logs, investigation and reporting on network traffic, security incidents and notifications are also available.

Comparison: FortiAnalyzer vs Panorama

Deployment
  • FortiAnalyzer: Deployed as a hardware appliance or physical device in on-premises environments
  • Panorama: Deployed as a virtual appliance on premises or as a cloud-based solution
Compatibility
  • FortiAnalyzer: Provides multi-vendor support with broader compatibility for devices from different vendors. It can collect and analyze logs from network devices such as firewalls, routers and switches from diverse manufacturers.
  • Panorama: Focused mainly on Palo Alto Networks devices, offering more extensive features and integrations for its own product range; it does, however, offer some multi-vendor support
Reporting and analytics
  • FortiAnalyzer: Robust reporting and analytical capabilities, including real-time monitoring dashboards, log searching and historical reports. Also has built-in threat intelligence and event correlation capability.
  • Panorama: Advanced analytics, reporting and troubleshooting functionality with custom reporting templates, and visualization of network traffic with detailed user and application analysis
Management and scalability
  • FortiAnalyzer: Ideal for small and medium-size networks
  • Panorama: Ideal for large, distributed and complex networks, with centralized management of multiple firewalls and network devices
Security ecosystem integration
  • FortiAnalyzer: Integrates with the Fortinet security ecosystem, with seamless sharing of threat intelligence and security policies across Fortinet network devices
  • Panorama: Integrates with the Palo Alto network security ecosystem to provide enhanced visibility and control over Palo Alto's network security products
Functionality
  • FortiAnalyzer: A central logging device for Fortinet devices. It stores all traffic that the network devices are configured to send to it, up to the maximum disk space on the unit.
  • Panorama: Roughly the equivalent of FortiManager and FortiAnalyzer combined. It can be dedicated to logging (Log Collector role), but in a simple setup it performs both the management and logging roles.

Firewall vs NGFW vs UTM: Detailed Comparison
https://networkinterview.com/firewall-vs-ngfw-vs-utm-detailed-comparison/
Wed, 11 Jun 2025 12:03:34 +0000

In today's article we will understand the difference between traditional firewalls, next generation firewalls (NGFW) and unified threat management (UTM), and their key features.

Firewalls sit on the boundary of the network entry point and provide protection against malicious threats originating from the public net or Internet. A traditional or simple firewall is a stateful filter security device which simply scans incoming packets and rejects or accepts data packets. 

Next generation firewalls (NGFW) are advanced cousins of traditional firewalls, which not only scan data entering the network but also provide additional features that a traditional firewall does not have. They integrate other security features such as malware protection, intrusion prevention and URL filtering, thanks to their ability to operate at the application layer.

Unified threat management (UTM) is an advanced security system that unifies the security features of a traditional firewall, intrusion prevention, anti-malware protection, content filtering and VPN, all delivered from a single platform.


What is a Firewall

Traditional firewalls operate at layer 3 (network layer) of the OSI model and provide filtering based on IP address, protocol and port number. A firewall is a basic network security device that sits at the network perimeter and provides protection against malicious traffic trying to enter an organization's network. Its basic functionality is that a set of rules on the firewall determines whether traffic is accepted, rejected or dropped.


What is an NGFW

NGFWs are the successors of traditional firewalls, designed to handle advanced security threats in addition to the features of a traditional firewall by operating at the network and application layers (layers 3-7) of the OSI model. Stateful inspection and packet filtering are carried forward from traditional firewalls, along with the enhanced capability to filter traffic based on applications and perform deep inspection of packets.


What is UTM

Unified threat management (UTM) is a comprehensive threat management solution whose need arose from the expanding threat landscape over the years. As the severity of cyber threats increased, the need was felt for a single defense system which, under one umbrella, manages complete network security including hardware, virtual and cloud devices and services. UTM devices are placed at key positions in the network to monitor, manage and nullify threats. UTM devices have anti-malware, intrusion detection and prevention, spam filtering, VPN and URL filtering capabilities.

Comparison: Firewall vs NGFW vs UTM

Inspection
  • Firewall: Stateful inspection based on IP address, port and protocol
  • NGFW: Stateful inspection with support for analysing application-layer traffic
  • UTM: Delivered as a hardware appliance, software or cloud-based service, providing multiple security features under one platform
OSI layer
  • Firewall: Operates at layer 3 (network layer) of the OSI model
  • NGFW: Operates at the network and application layers of the OSI model
  • UTM: Operates across multiple layers (network to application) of the OSI model
Threat intelligence
  • Firewall: No threat intelligence; filters packets based on a rule set
  • NGFW: Centralized database of threats that is constantly updated
  • UTM: Uses threat intelligence feeds and databases to stay updated on the latest threats
Packet filtering
  • Firewall: Incoming and outgoing packets are evaluated before entering or leaving the network
  • NGFW: Deep inspection of each packet is performed, including its source, and not just the packet header as in traditional firewalls
  • UTM: Provides basic packet filtering together with other advanced security features such as web filtering
Application awareness
  • Firewall: Not application aware, as it operates at lower layers
  • NGFW: Application aware; application-specific rules can be set up
  • UTM: Application-aware security appliance
Intrusion prevention
  • Firewall: Does not support intrusion prevention
  • NGFW: Actively blocks and filters intrusion traffic from malicious sources
  • UTM: Actively blocks and filters intrusion traffic from malicious sources
Reporting
  • Firewall: Basic reporting only
  • NGFW: Comprehensive reporting is available
  • UTM: Medium reporting capability
Ideal for
  • Firewall: Network perimeter protection and internal network segmentation
  • NGFW: Well suited to complex and large enterprises
  • UTM: Small and medium businesses looking for simple and comprehensive security capabilities in a single bundle
Examples
  • Firewall: iptables / pfSense (basic config), Cisco ASA (older versions), Juniper SRX (basic mode)
  • NGFW: Palo Alto Next-Gen Firewall, Fortinet FortiGate NGFW, Cisco Firepower NGFW, Check Point NGFW
  • UTM: Sophos XG Firewall (UTM mode), Fortinet FortiGate (UTM mode), SonicWall UTM, WatchGuard Firebox

What is a DNS Rebinding Attack?
https://networkinterview.com/dns-rebinding-attack/
Wed, 04 Jun 2025 10:33:07 +0000

A DNS rebinding attack tricks a browser into bypassing the same-origin policy, thereby allowing attackers to access internal networks or devices through malicious DNS responses.

In networking, systems are addressed by a unique numerical value known as an IP address, which is used to locate a system in the network and is the basis of communication between systems. However, an IP address alone is not enough, as it is difficult to remember, so each IP address has an associated host name. DNS, the Domain Name System, maps host names to their corresponding IP addresses. DNS servers and services are exposed to a variety of cyber attacks, and DNS rebinding is one such mechanism.

In today's topic we will learn about the DNS rebinding attack, how rebinding attacks work, and mitigation and preventive measures against them.

DNS Rebinding Attack

A DNS rebinding attack leverages the fact that when an exploit such as cross-site scripting (XSS) compromises a domain, the domain's name server is also hijacked. In DNS rebinding attacks the DNS requests go to a specially crafted website, by sending requests to the name servers of the compromised domain rather than to the address of the legitimate website. All traffic sent to the different IP addresses is relayed back to the web server, even when it is not a malicious URL or anything else commonly used during phishing scams and other kinds of online attacks.

When a DNS rebinding attack happens there is no control over the name server, and all requests to resolve the host name are redirected to an alternate name server under the attacker's control. Sometimes end users are tricked into creating phishing websites using these websites, and all traffic redirected to the hijacked URL is sent back to the original server, which forces users to install phishing pages as a result.

DNS rebinding attacks let attackers access sensitive information such as credentials and confidential emails. 

How DNS Rebinding Attack works

The DNS rebinding attack is used to bypass security controls and policies that restrict someone from accessing, over the network, a network device they are not authorized to access.

  1. The attacker creates an A record in DNS for their host name pointing to their Internet-facing web server. The TTL (time to live) of the record is set to a very short value, such as a few seconds.
  2. The user visits the malicious host name.
  3. The attacker changes the DNS A record of that host name to point to the target IP address.
  4. The JavaScript component of the malicious website tries to connect to the malicious host name, but since the TTL is low, the user's system makes another DNS request for the malicious host name. This time the name resolves to the IP address set by the attacker in step 3.

The attacker can also create a CNAME record to an internal host name to rebind their host name to the internal one. DNS rebinding can thus be used to circumvent the same-origin policy. Internal websites are more exposed to such attacks because they host sensitive information. Internal websites usually do not use HTTPS, so there are no SSL certificate mismatch errors that could hamper the attack.

DNS rebinding can be used to target web servers or any other network devices. 

Mitigation & Prevention of DNS Rebinding Attacks

DNS pinning is one common technique to prevent these attacks: the browser ignores the TTL of the DNS record and applies its own, longer TTL. This, however, can also be bypassed if the attacker places a firewall in front of the web server.

Another way to protect web servers from rebinding attacks is to configure the web server to check the HTTP Host header of each incoming request. If the Host header does not match the server's own host name, the request is dropped. The firewall (or resolver) can also be configured to prevent external host names from resolving to internal IP addresses.
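The two checks described above, as an added example that is not code from the original post: a Host-header allowlist for an internal web server, and a resolver-side filter that refuses to return internal addresses for names outside the internal zones, replayed against the four-step sequence. The host names, addresses and zone list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist: the host names this internal web server legitimately serves.
ALLOWED_HOSTS = {"intranet.local", "192.168.1.10"}

# Constructed: DNS zones that are allowed to resolve to internal addresses (split-horizon DNS).
INTERNAL_ZONES = ("local", "corp.example")

# Address ranges that must never be handed out for an external name.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_address(ip: str) -> bool:
    """True if ip falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def host_header_allowed(host_header: Optional[str], allowed=ALLOWED_HOSTS) -> bool:
    """Web-server-side check: the Host header must name this server.

    A rebound request arrives with the attacker's host name in Host:, because
    the browser still believes it is talking to that name.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        host = host[1:end] if end != -1 else host
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".") in allowed


def handle_request(headers: dict) -> int:
    """Return the HTTP status the server would send: 421 Misdirected Request for a bad Host."""
    if not host_header_allowed(headers.get("Host")):
        return 421
    return 200


@dataclass
class DnsAnswer:
    name: str
    ip: str
    ttl: int


def name_in_internal_zone(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


def filter_answers(answers: Iterable[DnsAnswer]) -> Tuple[List[DnsAnswer], List[DnsAnswer]]:
    """Resolver/firewall-side check: drop A/AAAA answers that map an external name
    to an internal address. Returns (kept, dropped)."""
    kept, dropped = [], []
    for a in answers:
        if is_internal_address(a.ip) and not name_in_internal_zone(a.name):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def simulate_rebinding() -> dict:
    """Replay the four-step sequence from the article with constructed values."""
    # Step 1 and step 3: same attacker name, first the public server, then the internal target.
    lookups = [
        DnsAnswer("attacker.example", "203.0.113.5", ttl=1),
        DnsAnswer("attacker.example", "192.168.1.10", ttl=1),
        DnsAnswer("intranet.local", "192.168.1.10", ttl=300),   # legitimate split-horizon answer
    ]
    kept, dropped = filter_answers(lookups)
    # Step 4: even if the rebound answer got through, the browser's request still carries
    # Host: attacker.example, which the server-side check rejects.
    rebound_status = handle_request({"Host": "attacker.example"})
    legit_status = handle_request({"Host": "intranet.local:8080"})
    return {
        "kept": [(a.name, a.ip) for a in kept],
        "dropped": [(a.name, a.ip) for a in dropped],
        "rebound_status": rebound_status,
        "legit_status": legit_status,
    }


if __name__ == "__main__":
    print(simulate_rebinding())
```

The resolver filter is the same idea as the "stop DNS rebind" option found in many resolvers and firewalls; the zone allowlist is what keeps legitimate split-horizon names working.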

How to configure IPS on FortiGate firewall
https://networkinterview.com/how-to-configure-ips-on-fortigate-firewall/
Thu, 29 May 2025 13:17:17 +0000

To configure IPS on a FortiGate firewall, enable an IPS sensor in the relevant security policy. Then apply or customize the sensor under Security Profiles > Intrusion Prevention.

Intrusion prevention systems, or IPS, provide security for networks and the hosts within them. They can detect and block network-based attacks. IPS sensors can be built from IPS signatures, IPS patterns and IPS filters. Many vendors provide separate hardware or software for IPS functionality; however, certain high-end firewall vendors bundle IPS capability into the firewall itself, making it a complete threat management solution.

In today's topic we will learn how to configure intrusion prevention (IPS) on a FortiGate firewall.

What is FortiGate Firewall IPS

FortiGate intrusion prevention is designed to provide real-time threat protection for networks. It uses signature-based and anomaly-based detection techniques to detect and prevent security threats. FortiGate applies intrusion prevention in one of three operational modes. Each mode has its own benefits and limitations; which one to choose depends on where the firewall is placed.

  • L3 (NAT/route mode): In this mode the FortiGate is placed in an L3 network where traffic is routed. IP addresses are configured statically or dynamically on each interface. MAC-based policies are applicable as the IPS policy source address in NAT/route mode.
  • Virtual wire mode: In this mode it is deployed between two network segments. It operates like a virtual wire and does not perform routing or NAT.
  • Transparent mode: In this mode it acts like a bridge. All interfaces in the same VDOM are in the same L2 forwarding domain.

Configuring IPS on FortiGate Firewall

To configure IPS on FortiGate firewall 

Step 1

Choose Endpoint Policy 🡪 Infranet Enforcer

Step 2

Click on New Infranet Enforcer and select FortiGate firewall from the Platform drop-down.

Provide the name of the Infranet Enforcer, e.g. 'FortiGate 12D'

Enter FortiGate firewall IP address

Enter shared secret 

Enter port number 

Step 3

Click on Save Changes, then create policies on the FortiGate firewall to enforce traffic.

FortiGate uses IPS sensors, which are collections of IPS signatures and filters that define what the IPS engine scans when the sensor is applied. An IPS sensor can contain multiple signatures or filters. Custom IPS signatures can also be created and added to an IPS sensor.

Step 4

From the Security Profiles 🡪 Intrusion Prevention pane, create a new sensor or view the list of predefined sensors. FortiOS ships with a predefined list of sensors with associated signatures.

IPS sensor: Description
  • all_default: Filters all predefined signatures, setting the action to each signature's default action.
  • all_default_pass: Filters all predefined signatures and sets the action to monitor/pass.
  • default: Filters all predefined signatures with Critical/High/Medium severity and sets the action to the signature's default action.
  • high_security: Filters all predefined signatures with Critical/High/Medium severity and sets the action to block. Low-severity signatures keep their default action.
  • protect_client: Filters on Target=Client for protection from client-side vulnerabilities, setting the action to the signature's default action.
  • protect_email_server: Filters on Target=Server and Protocol=IMAP, POP3 or SMTP for protection from email server-side vulnerabilities. Sets the action to the signature's default action.
  • protect_http_server: Filters on Target=Server and Protocol=HTTP for protection from HTTP server-side vulnerabilities. Sets the action to the signature's default action.
  • wifi-default: Filters all predefined signatures with Critical/High/Medium severity and sets the action to the signature's default action. Meant for offloaded Wi-Fi traffic.

The IPS engine does not examine network traffic against all signatures by default; it only examines traffic for the signatures included in the applied IPS sensors. You therefore need to create an IPS sensor and specify which IPS signatures it uses.

Step 5

To view IPS sensors go to Security Profiles 🡪 Intrusion Prevention; to create a new sensor click on 'New'.

Step 6

Under IPS Signatures and Filters, click Create New to add a set of IPS signatures or a set of IPS filters.

IPS sensors can be created for specific types of traffic. FortiGuard periodically adds new predefined signatures to counter new threats. These are included automatically in any IPS sensor configured to use filters, whenever a new signature matches the filter's specification.

Endpoint Detection and Response (EDR) vs. Network Detection and Response (NDR): Which is Right for Your Organization?
https://networkinterview.com/endpoint-vs-network-detection-and-response/
Tue, 20 May 2025 12:44:21 +0000

Endpoint Detection and Response focuses on monitoring and responding to threats on individual devices like laptops and servers, whereas Network Detection and Response monitors network traffic to detect and respond to threats across the entire network infrastructure.

Threats and vulnerabilities are permanent companions in the IT landscape. Various security solutions have emerged to protect the perimeter and digital assets. The cyber threat landscape is vast and complex, and handling it effectively requires specialized tools and technologies, which are constantly evolving to reduce the threat surface.

In today's article we look at the difference between endpoint detection and response (EDR) and network detection and response (NDR) tools and technologies: their key features, key differences and use cases.

What is Endpoint Detection and Response (EDR)

Endpoint detection and response tools focus on endpoints, as the name suggests. They work on endpoints such as workstations, servers, mobiles, laptops and other mobile assets. They provide real-time monitoring, detection and blocking of threats with advanced threat detection capabilities. They can identify malware and other malicious activity on devices and provide rapid incident response. EDR solutions provide threat hunting, discovery of malicious activity and its containment to prevent incidents and reduce the attack surface.


Features of EDR

  • Real time visibility into activities happening on endpoints 
  • Wide range of threat detection techniques being used such as anomaly detection, heuristics and scans based on threat signatures
  • Rapid incident response to isolate suspected endpoints, block malicious content and remediate threats with minimal or no impact on operations
  • Proactive threat hunting is supported to identify hidden threats and potential vulnerabilities on endpoints 

What is Network Detection and Response (NDR)

Network detection and response, or NDR, as the name suggests focuses on the network perimeter and network traffic. Network traffic is monitored continuously to create a baseline of normal network behaviour patterns. When a pattern outside the baseline is detected, the presence of a potential threat is recorded and notified. NDR tools collect and analyze network data using machine learning techniques to detect potential threats. Because detection is based on a baseline derived by network analysts, it catches unusual traffic that would be missed by signature-based detection when the signature is unknown or new.


Features of NDR

  • Capturing network packets and analyzing them for their content for unusual behaviour detection, threat identification with deep packet inspections
  • Behaviour analytics to establish normal network traffic baseline
  • Continuous monitoring of network traffic for anomaly detection, such as unusually high data transfers, multiple login attempts and data flows that indicate a suspected breach
  • Integration with threat intelligence feeds to detect unknown threats originating from the dark web
  • Network traffic analysis in real time using machine learning and AI algorithms
  • On detection of suspicious activity real time threat alerts are generated 

Comparison: EDR vs NDR

The table below summarizes the differences between EDR (Endpoint Detection and Response) and NDR (Network Detection and Response):

Scope
  • EDR: Primarily meant for endpoints such as workstations, laptops, mobile devices etc.
  • NDR: Primarily meant for networks
Function
  • EDR: Threat detection and response for endpoints
  • NDR: Monitoring of network traffic to detect threats and anomalies
Features
  • EDR: Continuous data collection at endpoints; threat detection and real-time alerting; behaviour analytics and automatic remediation; integration with threat databases that enrich identification of the threat landscape, allowing recognition of malware, suspicious IP addresses etc.
  • NDR: Deep packet inspection; anomaly detection and protocol decoding; traffic analysis and alerting on threats; ML and AI based insights that help identify new threat actors
Use cases
  • EDR: Ideal for organizations seeking granular security and incident response capabilities on endpoints; meant for detection of malware, ransomware and vulnerabilities
  • NDR: Visibility, threat detection and response capabilities for organizations focusing on network security; meant for protection from insider threats and lateral movement
Benefits
  • EDR: Focused approach to endpoint security; threat detection and automatic remediation
  • NDR: Focused approach to network security; real-time response and threat detection
Response mechanism
  • EDR: Isolation of compromised endpoints
  • NDR: Blocking of malicious network activity
Data sources
  • EDR: Agents deployed on endpoints collect activity logs
  • NDR: Network sensors deployed to analyze network traffic
Identity and access management
  • EDR: Basic identity integration supported
  • NDR: No direct involvement

Zero Trust Architecture: Why It's Becoming a Security Standard
https://networkinterview.com/zero-trust-architecture/
Wed, 19 Mar 2025 11:52:57 +0000

Since organizations are moving away from the traditional IT landscape to cloud computing, cloud-based assets and remote working models, the old perimeter-based security model is no longer sufficient to protect data and sensitive systems. The modern security model is based on the principle of 'trust no one' in the way organizational assets are secured and used.

In today’s topic we will learn about the zero trust architecture approach, its need, how zero trust security is achieved and its benefits. 

What is Zero Trust Architecture (ZTA)

Zero trust architecture’s basic principle is ‘Never trust, always verify’ which focuses on stringent access controls and user authentication. It helps organizations to improve their cyber defenses and reduce network complexity. Pre-authorized user access concept no longer exists in zero trust architecture.

Due to the penetration of cloud computing and diminishing physical boundaries, the network complexity of enterprises has increased. Implementing several layers of security is tough to manage and maintain, and traditional perimeter-based security is no longer adequate. Zero trust architecture helps organizations build policy-based access that is meant to prevent lateral movement across networks through more stringent access controls. User policies can be defined based on location, device and role requirements.

How Zero Trust works

Zero trust works through a combination of encryption, access control, next generation endpoint security, identity protection and cloud workload protection. The following principles form the basis of the NIST zero trust architecture:

  • Access to resources is managed at the organizational policy level, considering several factors such as the user, the user's IP address, operating system and location.
  • Access to the corporate network or a resource requires secure authentication for every individual request.
  • Authenticating a user or device does not automatically grant access to resources.
  • All communication is encrypted and authenticated.
  • Servers, endpoints and mobile devices are secured with zero trust principles, and together are considered corporate resources.

How to implement Zero Trust Architecture?

The very first step is to define the attack surface, which means identifying what you need to protect and in which areas. Based on this you deploy policies and tools across the network. The focus should be protection of your digital assets.

Define Attack Surface 

  • Sensitive data: what kind of sensitive data the organization collects and stores, such as employees' and customers' personal information
  • Critical applications: used by the business to run its operations or meant for customers
  • Physical assets: IoT devices, POS devices and any other equipment
  • Corporate services: all internal infrastructure that supports day-to-day operations

Implement controls around network traffic 

Consider how requests are routed within the network, for example access to a corporate database that could be critical to the business, so as to ensure that access is secure. Understanding the network architecture helps to implement network controls appropriate to each placement.

Create a Zero-Trust Policy 

Use the Kipling method here to define the zero-trust policy: who, what, when, where, why and how need to be well thought out for every device and user.

  • Architect a zero-trust network 
  • Use a firewall to implement segmentation within the network. 
  • Use multi-factor authentication to secure users 
  • Eliminate implicit trust 
  • Consider all components of organization infrastructure in zero-trust implementation scope such as workstations, servers, mobile devices, IoT devices, supply chain , cloud etc.

Monitor the Network 

Once a network is secured using zero trust architecture it is important to monitor it. 

Reports, analytics and logs are the three major components of monitoring. Reports are used to analyze data related to systems and users and can indicate anomalous behaviour. Data collected by systems can be used to gain insight into the behaviour and performance of users. Logs produced by the different devices in your network provide a record of all kinds of activity. These can be analyzed with a SIEM tool to detect anomalies and patterns.

Top 10 TPRM Tools
https://networkinterview.com/top-10-tprm-tools/
Tue, 11 Mar 2025 15:59:29 +0000

With the increased penetration of cloud computing, AI and machine learning, cyber security incidents are on the rise. Organizations are working towards reducing the risks associated with new technologies and trying to strike a balance between business growth and data security. Third party risk management is considered one of the top 3 risks as per the Gartner risk report of 2024.

Every organization, be it small, medium or large, is impacted by third party risks. This risk has increased exponentially as more and more providers build and use AI technologies in their products, which raises privacy concerns in addition to security concerns.

In today’s topic we will learn about top 10 TPRM Tools (third party risk management tools) available in the market.

List of TPRM Tools

Upguard 

Upguard has seven key features to detect threats at multiple levels. It covers security risks associated with Internet-facing third party assets. Auto-detection uses third- and fourth-party mapping techniques.

Key features of Upguard 

  • Evidence gathering involves combining risk information from multiple sources to get complete risk profile
  • Monitoring third party attack surfaces via automated scan 
  • Third parties trust and security pages to showcase information about their data privacy standards, certifications, cybersecurity programs 
  • Elaborate security questionnaires to assess risk posture of third party
  • Third party baseline security posture 
  • Vulnerability model of third party 

SecurityScorecard

SecurityScorecard detects security risks associated with third party vendors.

Key features of SecurityScorecard

  • Detection of security risks associated with internal and third-party attack surface mapped to NIST 800-171 
  • Projected impact of remediation tasks and board summary reports 
  • Third parties risk management via Atlas to manage security questionnaires and calculate third-party risk profiles 
  • Third-party monitoring via security score feature and track performance 

Bitsight

Bitsight's multiple third-party risk identification techniques work together to present a comprehensive risk profile of third-party exposure.

Key features of Bitsight 

  • Automatic identification of risks associated with alignment gaps with regulations and cyber frameworks such as NIS 2 and SOC 2 
  • Track third-party cybersecurity performance using security ratings
  • Monitor emerging cyber threats across cloud, geographies, subsidiaries and remote workers
  • Multiple threat sources are used to create a risk profile

OneTrust

OneTrust identifies risks across onboarding and offboarding phases of third-party vendors.

Key features of OneTrust 

  • Predictive capabilities to gather insights about privacy, security and governance risks
  • Maintain an updated vendor inventory with workflow automation across vendor onboarding / offboarding
  • AI engine (Athena) to expedite internal and third-party vendor risk discovery

Prevalent

Prevalent combines point-in-time risk assessments with automated workflows to monitor third parties and track emerging risks in real time.

Key features of Prevalent 

  • Impact of third-party risks on the organization, with security ratings from 0-100
  • Point-in-time risk assessments with continuous monitoring capabilities
  • Identification of common data leak sources, dark web forums and threat intelligence feeds

Panorays

Remain informed of third-party risks with a built-in risk assessment workflow that lets you create risk assessments quickly. However, it does not integrate threat and risk intelligence into supply chain data.

Key features of Panorays

  • Detection of common data breach vectors
  • Library of questionnaire templates mapped to popular standards and frameworks
  • Combining data from security ratings and questionnaires to assess the third-party attack surface
  • Workflow customization with external applications using a JSON-based REST API

RiskRecon

RiskRecon provides third-party risk exposure assessments with deep reporting and security ratings.

Key features of RiskRecon 

  • Uses a risk analysis methodology with 11 security domains and 41 security criteria to get contextualized insight into third-party security posture
  • Security rating scoring system 0-100 
  • Standard API to create extensive cybersecurity ratings  

CyberGRX

CyberGRX expedites third-party risk discovery during vendor due diligence. More frequent risk assessments are supported by coupling third-party risk data streams.

Key features of CyberGRX

  • Security questionnaires to establish vendor security posture
  • Continuous updates to library of point in time assessments to map current risks to threat landscape
  • Monitor emerging risks related to phishing, email spoofing, domain hijacking, and DNS issues

Vanta

Vanta focuses on detection of risks associated with misalignment to frameworks and standards.

Key features of Vanta 

  • Intuitive dashboard to monitor third-party risks related to compliance and track their progress
  • Alignment tracking with security frameworks and standards such as SOC 2, ISO 27001, GDPR and HIPAA.

Drata

Drata provides a full audit readiness assessment through security tool monitoring and compliance workflows that streamline operations.

Key features of Drata 

  • Policy builder to map specific compliance requirements for third-party risk analysis
  • Maintain compliance across 14 cybersecurity frameworks
  • Continuous monitoring of compliance controls 
Palo Alto Firewall Architecture
https://networkinterview.com/palo-alto-firewall-architecture/ (Mon, 24 Feb 2025)

Network architecture refers to the structured arrangement of network devices, security devices and services that serves the connectivity needs of client devices while also providing controlled traffic flow and availability of services. Network devices typically include switches, routers and firewalls.

Palo Alto Firewall Architecture: An Overview

Palo Alto Firewall Architecture is based upon an exclusive design, the Single Pass Parallel Processing (SP3) Architecture. This setup enables high-throughput, low-latency network security integrated with remarkable features and technology. Palo Alto Networks addresses the performance problems that impact today’s security infrastructure with the SP3 architecture, which is composed of two key components:

  1. Single Pass software
  2. Parallel Processing hardware

Single Pass Software

The Palo Alto Networks Next-Generation Firewall is built on Single Pass software. It processes each packet once to perform functions such as networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for detecting threats and malicious content. Processing a packet in one go, or a single pass, significantly reduces the overhead of packet processing.

In contrast, other firewall vendors use a different type of architecture, which produces higher overhead when processing packets traversing the firewall. Another notable feature of other vendors’ Next-Generation Firewalls is Unified Threat Management (UTM), which processes the packet and then separately verifies the contents of the packet. The resulting spike in CPU overhead affects the latency and throughput of the firewall, degrading performance.

Single Pass software is designed to achieve two key goals.

  • Firstly, the single pass software performs each operation once per packet. When a packet is processed in this way, functions like policy lookup, application identification, decoding and signature matching for all threats and content are all performed just once.
  • Secondly, packet processing in Single Pass software is stream based and uses uniform signature matching to detect and block threats. Single Pass does not use separate engines and signature sets, or file proxies that require a file to be downloaded before scanning; the single pass software in the next-generation firewalls scans packets once, in a stream-based fashion, so that latency and throughput are not sacrificed.

This Single Pass software content processing enables high throughput and low latency with all security functions active. It also offers the additional feature of a single fully integrated policy, enabling easier management of enterprise network security.


Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level, which, in conjunction with the dedicated data plane and control plane, produces excellent performance results. By separating the data plane and control plane, Palo Alto Networks ensures that heavy utilization of either plane will not impact the overall performance of the platform.

Palo Alto Firewall Architecture: Control Plane & Data Plane

The control plane is responsible for tasks such as management and configuration of the Palo Alto firewall, and it also takes care of logging and reporting features. The main feature of the Palo Alto Networks Next-Generation Firewall is its set of dedicated processors, each responsible for specific functions (all of these work in parallel). The data plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1 Gbps buses.

Types Of Processors:

The three types of processors are:

  1. Security Matching Processor: Dedicated processor that performs vulnerability and virus detection tasks.
  2. Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
  3. Network Processor: Dedicated processor responsible for network tasks such as routing, NAT, QoS, route lookup, MAC lookup and network layer communications.

First, the Palo Alto Firewall Architecture splits the two planes, i.e. it has a separate data plane and control plane. This separation means that heavy utilization of one plane will never impact the other. The second important element is the Parallel Processing hardware, which includes discrete specialized processing groups that work together to perform several key functions.

  • Routing, flow lookup, traffic analysis statistics, NAT and similar functions are performed on network-specific hardware.
  • User-ID, App-ID and policy evaluation all occur on a multi-core security engine with hardware acceleration for encryption, decryption, compression and decompression.
  • Content-ID content analysis uses a dedicated, specialized content scanning engine.
  • On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging and reporting without interfering with user data.

Conclusion

The network architecture of Palo Alto consists of Single Pass software and Parallel Processing hardware, an apt combination in network security that empowers Palo Alto Networks next-generation firewalls to restore visibility and control over enterprise networks.

How to Reset Palo Alto Firewall to Factory Default Settings
https://networkinterview.com/factory-reset-palo-alto-firewall/ (Mon, 24 Feb 2025)

Introduction to Resetting the Palo Alto Firewall

A firewall is a network security device which grants or rejects network access to traffic flowing between an untrusted zone (external networks) and a trusted zone (internal networks). Starting from the initial days of stateful inspection firewalls and then UTM (unified threat management), application-aware next-generation firewalls have now become synonymous with firewalls.

Palo Alto is one such next-generation firewall which provides flexible deployment options for your network, with firewall platforms available for both physical and virtual environments.

In this article we will learn more about how to reset a Palo Alto firewall to factory default, why it is required and so on.

Reset Palo Alto Firewall to Factory Default Settings

There are three scenarios in which it may be required to reset the Palo Alto firewall to its default settings: you do not have the admin password, you have the admin password, or you have the admin password and need to remove all logs and restore the default configuration of the firewall.

Steps to Restore Default Configuration

To reset the firewall to the default configuration you need to enter maintenance mode first.

Step 1: Connect the console cable from the console port to your system and verify the console settings: speed 9600, data bits 8, parity none and stop bits 1.

Step 2: To enter maintenance mode, power on or reboot the device.

Step 3: During boot the screen below will appear:

Booting PANOS (sysroot0) after 5 seconds…

Entry: Type ‘Maint’ and Enter

Step 4: Multiple options will be displayed; you need to choose PANOS (maint) mode.

Step 5: The maintenance recovery section will be displayed. Press Enter to proceed further.

Step 6: Choose ‘Factory reset’ and press Enter.

Step 7: A warning message will be displayed along with the factory reset option. Select factory reset and press Enter.

The progress will be displayed on screen with the percentage complete.

On completion, the factory reset will display the screen below; to complete the process, reboot the device.

Phishing Prevention Techniques for a Remote Workforce
https://networkinterview.com/phishing-prevention-techniques/ (Tue, 07 Jan 2025)

The number and intensity of cybercrimes based on social engineering techniques is growing exponentially, as humans are the weakest link in the chain of security and an easy target for compromise. This is further fueled by remote operations. Most companies focus on spending money and time implementing best-of-breed systems to secure networks, but they forget that humans can’t be programmed to respond in a specific manner, which is where fraudsters gain the advantage.

In today’s topic we will learn about phishing, common types of phishing and how to prevent phishing for remote workers.  

What is Phishing? 

Phishing is a social engineering technique, usually performed using email as the medium, that tricks a user into entering credentials, clicking malicious links which install malware on the victim’s system, or visiting a malicious website to download malware or other infected software meant to steal personal information. The latest Verizon report indicated that ‘90% of security incidents and data breaches are the result of phishing attacks’.

Phishing Attack Types

Phishing attacks come in various types:

  • Email Phishing – the most common form of phishing, where fake mails are presented to the victim mentioning a piece of personal information of interest to the user.
  • Spear Phishing – specific individuals or organizations are targeted.
  • Clone Phishing – an exact copy of a legitimate email is created, but with fictitious or dubious links.
  • Vishing – uses the phone; the caller pretends to be legitimate and tries to gain personal information over the phone.
  • Smishing – SMS-based phishing that uses text messages asking for personal information.
  • Whaling – a targeted attack on high-profile executives or individuals such as CEOs, government officials etc. to obtain personal information or a money transfer.
  • Zishing – users of video conferencing platforms such as MS Teams, Zoom etc. are targeted. The users are sent a fake meeting invite requesting them to join via a link. The links mimic actual meeting platform sites and trick users into sharing their personal information or downloading malware.

Phishing Prevention for Remote Workers 

  • Be careful with emails – always check the sender’s email address before clicking any links or opening any emails that come from unknown sources. If the message seems suspicious, always check the official website or call the organization.
  • Remain educated and updated – keep yourself updated with the latest information on phishing techniques. Undertake the refresher courses on cybersecurity provided by your organization.
  • Use multi-factor authentication – for work, banking etc., enable MFA to add an additional layer of security to your sensitive accounts.
  • Implement Zero Trust Network Access (ZTNA) – each and every user and device is verified, regardless of location, before being granted access to the corporate network. Remote workers can then access organization resources in a secure manner without the risk of compromise.
  • Report suspicious activities – report all phishing attempts to your IT and cybersecurity team immediately so that they can investigate and take the required action.

Related FAQs

Q.1 How can I recognize a phishing attempt?

Look for these warning signs:

  • Suspicious sender address: Email domains that don’t match the official domain (e.g., “support@paypal-secure.com” instead of “support@paypal.com”).
  • Urgent or threatening language: Messages claiming your account will be suspended unless you act immediately.
  • Poor grammar and spelling: Legitimate companies rarely send emails with typos or awkward phrasing.
  • Unexpected attachments or links: Be cautious of unsolicited files or URLs.
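The warning signs above can be checked mechanically, which is what mail filtering tools do. The following is an added example written for this article, not code from the original post or from any product it mentions: it parses a raw email with Python’s standard library and flags a sender domain that does not match the official domain of the brand it names, pressure wording in the body, links whose visible text names a different domain than the href actually points to, and any attachment. The brand-to-domain table, the phrase list and both sample messages are constructed for the example.

```python
"""Heuristic phishing-indicator check for a raw email message.

Added example, not code from the original article. The brand-to-domain
table, the phrase list and both sample messages are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed (constructed) table of brands and the domains they legitimately send from.
OFFICIAL_DOMAINS = {"paypal": {"paypal.com"}}

# Phrases typical of pressure tactics; constructed list for this example.
URGENT_PHRASES = (
    "act immediately",
    "account will be suspended",
    "verify your account",
    "unusual activity",
)

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _norm(host):
    """Lowercase a host name and drop a leading 'www.' for comparison."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def brand_mismatch(msg):
    """Flag a From: header that names a brand but uses a non-official domain."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = _norm(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    named = f"{display} {addr}".lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        if brand in named and domain not in domains:
            return f"sender domain {domain!r} is not an official {brand} domain"
    return None


def urgent_language(text):
    """Return a finding if any pressure phrase occurs in the body text."""
    found = [p for p in URGENT_PHRASES if p in text.lower()]
    return "urgent language: " + ", ".join(found) if found else None


def link_mismatch(html):
    """Flag anchors whose visible text shows one domain while href goes to another."""
    findings = []
    for href, label in ANCHOR_RE.findall(html):
        host = _norm(urlparse(href).hostname or "")
        for shown in DOMAIN_RE.findall(label):
            shown = _norm(shown)
            same_site = shown == host or host.endswith("." + shown) or shown.endswith("." + host)
            if not same_site:
                findings.append(f"link text {shown!r} but href host {host!r}")
    return findings


def phishing_indicators(raw):
    """Parse a raw RFC 5322 message (bytes) and return the warning signs found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []
    hit = brand_mismatch(msg)
    if hit:
        indicators.append(hit)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    hit = urgent_language(content)
    if hit:
        indicators.append(hit)
    indicators.extend(link_mismatch(content))
    for part in msg.iter_attachments():
        indicators.append(f"unexpected attachment: {part.get_filename()}")
    return indicators


# Constructed sample: lookalike sender domain, pressure wording, mismatched link.
SAMPLE_PHISH = b"""From: PayPal Support <support@paypal-secure.com>
To: user@example.org
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Your account will be suspended unless you
act immediately.</p>
<p><a href="http://paypal-secure.com/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample of a notification from the official domain with none of the signs.
SAMPLE_LEGIT = b"""From: PayPal <service@paypal.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement for last month is available in your account.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw))
```

The check is deliberately a list of independent heuristics rather than a single verdict: a real filter would weight them and combine them with header authentication results (SPF, DKIM, DMARC), which the example does not cover.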

Q.2 What should I do if I suspect I’ve been phished?

  • Stop engaging: Avoid clicking any further links or downloading attachments.
  • Change passwords immediately: Use a strong, unique password for the compromised account.
  • Notify relevant parties: Inform your IT department, bank, or other affected organizations.
  • Monitor accounts: Check for unauthorized transactions or activity.
  • Report the phishing attempt: Forward phishing emails to organizations like reportphishing@apwg.org or the company being impersonated.

Q.3 Are there tools to help protect against phishing?

  • Email filtering tools: Identify and block suspicious emails before they reach your inbox.
  • Browser extensions: Many browsers have phishing protection settings to warn you about fraudulent websites.
  • Anti-phishing software: Comprehensive solutions that detect and prevent phishing attempts.
  • Password managers: Generate and store unique passwords, preventing reuse across sites.
  • DNS-based security tools: Block access to known malicious sites.
Cybersecurity Compliance: What You Need to Know in 2025
https://networkinterview.com/cybersecurity-compliance/ (Tue, 07 Jan 2025)

A resilient approach towards security and protection of digital assets is the need of the hour. The approach focuses on protection of hardware infrastructure and business applications to eliminate vulnerabilities which could impact organizations, customers and other stakeholders. Businesses which comply with these obligations are regarded as trustworthy and mature in the industry landscape.

In today’s topic we will learn about cybersecurity compliance: what it is and why it is needed.

What is Cybersecurity Compliance?

Cybersecurity compliance is adherence to a set of regulations and standards which provide protection against cyber threats. The combined implementation of security tools and controls such as firewalls, intrusion detection and prevention systems, anti-malware, encryption, and patching and updates forms the cybersecurity compliance discipline.

Preventing data breaches and maintaining customer trust is crucial for business, so organizations need to continuously evaluate their security posture and implement a risk governance approach to meet regulatory requirements. Regular monitoring and assessment ensure the risk appetite is better understood and managed.

Cybersecurity Compliance Significance 

Cybersecurity compliance demonstrates an organization’s commitment to protecting the confidentiality, integrity and availability of the data in its possession. Safeguarding personal and sensitive data requires alignment with regulatory bodies and standards with stringent data security requirements such as PCI-DSS (for the banking industry), the General Data Protection Regulation (GDPR), the National Institute of Standards and Technology (NIST) and the Health Insurance Portability and Accountability Act (HIPAA).

All organizations have a digital attack surface which is consistently increasing as the IT landscape expands beyond the four walls of the organization. Access to critical information of a personal nature, such as email addresses, bank accounts, cardholder data etc., makes organizations vulnerable to cyber-attacks. Cybersecurity compliance ensures organizations operate legally while protecting their resources. Non-compliance with cybersecurity standards leads to fines which hit the company’s bottom line.

Types of Data That Require Cybersecurity Compliance

  • Personally Identifiable Information (PII) – a piece of information which could help identify a data subject uniquely. PII may include first name, last name, address, PAN card number, social security number etc.
  • Personal Health Information (PHI) – information related to an individual’s health and the corresponding records. This may include insurance number, claim number, health care tests / records.
  • Financial Information – bank accounts, credit and debit card numbers, funds, investments etc.

Benefits of Having Cybersecurity Compliance 

All organizations need a cybersecurity governance program to adhere to regulations and comply with industry-specific requirements.

  • Protecting reputation and trust – the most valuable asset of any organization is its reputation and brand value. Adherence to regulatory frameworks and compliance requirements helps businesses attract and retain customers.
  • Smooth business operations and bottom line – if data is safe, the business will operate smoothly with a solid bottom line.
  • Keeping away from fines – regulatory non-compliance is costly and comes at a hefty price. For example, GDPR fines are as large as 4% of your annual turnover or more depending on the violation.

Cybersecurity Program

To set up cybersecurity compliance, organizations need to go through the following steps:

  • Type of data and its requirements – the very first step is to identify all the types of data handled by the organization, the locations it operates from, and the regulations applicable in those geographies.
  • Define the cybersecurity team and compliance team – set up a cybersecurity and compliance team led by the CISO, with experts from other teams as well, such as operations, product, security etc.
  • Perform a risk assessment – once the type of data is identified, the next step is to identify the vulnerabilities and cyber risks, along with risk tolerance, BCP and DR requirements.
  • Implement technical security controls – once you have determined the business’s risk tolerance level, the next step is to implement technical controls such as firewalls, encryption etc.
  • Create and deploy security policies – document policies and guidelines and have them evaluated with regular audits (internal and external).
  • Monitor and respond – cybersecurity compliance is a continuous process; as threats evolve, the infrastructure needs to evolve in the same manner. Good monitoring and response management systems ensure proactive management of cyberthreats.
Ransomware Resilience: Strategies to Protect Your Network
https://networkinterview.com/ransomware-resilience-strategies/ (Wed, 25 Dec 2024)

In this era of digital dominance, the ransomware threat looms large over enterprises and individuals. It is a kind of digital arrest which has emerged as the most menacing threat in recent years. Cybercriminals have targeted businesses, hospitals, government agencies and individuals and locked their data, releasing it only after a hefty ransom is paid. So what should you do so that you never have to pay a ransom?

In today’s topic we will learn about the ransomware resilience approach and how to achieve it. 

What is Ransomware Resilience?

Ransomware attacks target data: they usually encrypt it and demand a ransom from the victim to release it. It is a form of Advanced Persistent Threat (APT) in which hackers or hacking groups run an attack campaign against an organization’s network. Ransomware is a large criminal industry, and in 2024, 33% of organizations that paid the ransom could not recover their data. ‘Ransomware resilience’ is an approach to cybersecurity focused on proactive protection of systems and data from ransomware attacks.

It is about being vigilant and prepared, with a robust security infrastructure to combat ransomware threats. The ultimate goal is to ‘never pay cybercriminals’. Let’s look at ways to establish a resilient ransomware defense for your IT landscape.

Ways to Establish a Resilient Ransomware Defense

  • Comprehensive Security Measures – A robust combination of several layers of defense comprising endpoint protection, perimeter firewalls, intrusion detection and prevention systems and anti-malware, along with regular security updates and patching, establishes a strong wall of defense against cybercriminals and minimizes the vulnerabilities that can be exploited.
  • Ongoing Employee Training and Awareness – Humans are considered the weakest link in the security chain, so it is important to focus on the human aspect of security. Educating employees to recognize phishing attacks, avoid malicious downloads and follow safe web browsing practices helps build the first line of defense.
  • Data Backup and Recovery – For ransomware resilience it is crucial that a strong backup and restore strategy is implemented. Backups must be encrypted both at rest and in transit, with only limited personnel having access to them. Periodic restorations ensure that when you need a clean and working backup copy, it is available to the business.
  • Incident Response Plan – A well-architected, defined incident response plan is crucial for handling ransomware situations. The plan outlines the steps to be taken immediately in the event of ransomware, including isolating affected systems and informing the concerned authorities.
  • Patch Management – Poorly patched systems are easy targets, as they allow vulnerabilities in operating systems and applications to be exploited. Regular patching and upgrades ensure that security vulnerabilities are taken care of, making it harder for cybercriminals to find an easy entry into your IT landscape.
  • Network Segmentation – Segmentation helps restrict lateral movement of attackers within your infrastructure. This strategy helps isolate an infection and prevent it from spreading to critical systems.
  • Threat Detection and Endpoint Response – Invest in good endpoint threat detection and response software. It is quite effective in detecting and blocking ransomware before the malicious payload executes.
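The backup-and-recovery point above hinges on the periodic restore test: a backup is only useful if the restored copy is proven to match what was backed up. The following is an added example, not code from the original article: at backup time it records a SHA-256 manifest of every file, and a restore test re-hashes the restored tree and reports files that are missing, unexpected, or changed since the manifest was taken. The manifest is meant to be stored apart from the backup itself (for example offline), so that an attacker who alters the backup cannot also alter the record of what it should contain. The sample files and the tampering in demo() are constructed for the example.

```python
"""Backup manifest and restore-test verification.

Added example, not code from the original article. The sample files, the
temporary directories and the tampering in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest and report discrepancies."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
    }


def _write(path, data):
    """Create parent directories as needed and write bytes to path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: back up two files, restore them, then tamper with the restore."""
    files = {"db/accounts.csv": b"id,name\n1,alice\n", "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            _write(os.path.join(src, rel), data)
        # The manifest is serialised and stored separately from the backup (e.g. offline).
        manifest = json.loads(json.dumps(build_manifest(src)))
        # Restore the backup into dst.
        for rel, data in files.items():
            _write(os.path.join(dst, rel), data)
        # Tamper with the restored copy: one file altered, one unexpected file added.
        _write(os.path.join(dst, "notes.txt"), b"corrupted")
        _write(os.path.join(dst, "extra.log"), b"unexpected")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the discrepancy report for the constructed scenario. In practice the restore test would be scheduled, the manifest signed or kept on write-once storage, and any non-empty "missing" or "changed" list treated as a failed restore test that needs investigation before the backup is relied upon.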


Why Paying Ransomware is Never a Choice 

Making a ransomware payment is similar to paying a blackmailer. Do you think the blackmailer will stop once he gets what he wants from you? Instead of paying a hefty ransom, it is wiser to strengthen your ransomware resilience and invest in that. Paying a ransom makes you an easy target for future attacks. Also, ransom payments do not guarantee data recovery or security.

Top 10 Penetration Testing Tools & Software 2025
https://networkinterview.com/top-10-penetration-testing-tools/ (Fri, 29 Nov 2024)

Introduction to Penetration Testing Tools & Software

Identifying weak controls in systems via attack simulation helps organizations learn the different ways hackers could gain unauthorised access to systems and sensitive data, or engage in other kinds of malicious activity such as data theft, data destruction, ransom demands etc.

Many different types of penetration testing tools are available in the market. Today we will explore them and understand their usage and benefits.

Top Penetration Testing Tools & Software             

There is a wide range of penetration testing tools that automate tasks and improve the efficiency of tests, finding issues which would otherwise be difficult to discover manually. Penetration testing tools are divided into two categories: dynamic analysis tools and static analysis tools. Static analysis tests the system at rest, whereas dynamic analysis tools analyse behaviour at run time.

Some well-known and widely used penetration testing tools are listed here:

Netsparker –

Netsparker is one of the most popular security scanners for web applications. It can identify vulnerabilities ranging from cross-site scripting to SQL injection and can be used by developers on websites, web services and web applications. It can scan 500 to 1000 web programs at the same time, and scans can be customized with preferences such as authentication and URL rewrite rules. Proof of exploitation is documented.

Wireshark –

Wireshark, also known by its earlier name Ethereal (version 0.2.0), is a network analyser with around 600 contributing authors. Network packets can be captured quickly and easily. It is open source software available on a variety of systems such as Windows, Linux, Sun Solaris, FreeBSD etc. It supports online / offline analysis, and colouring rules can be added for intuitive analysis.

Metasploit –

Metasploit is the most widely used testing automation framework in the world. It is open source software that allows a network administrator to break in and identify weak points. It offers both an easy-to-use GUI and a command-line interface, it can collect test data for 1500 exploits, network segmentation tests are performed using MetaModules, and supported platforms are Mac OS X, Windows and Linux.

BeEF –

BeEF stands for ‘Browser Exploitation Framework’. This tool is meant to check web browsers; it is best suited for mobile users as it is adapted to combat web-borne attacks, and it uses GitHub to track issues. It explores weaknesses well beyond the client and network perimeter. It is used for client-side attack vectors and can connect with more than one web browser.

John the Ripper –

Passwords are the entry gates to systems, and attackers use stolen credentials to gain access to sensitive systems. John the Ripper is open source software. It identifies many types of password hashes, discovers weaknesses in password databases, has a customizable cracker, and offers online documentation which includes a summary of changes between different versions.

Aircrack –

Aircrack is used to test wireless connections by capturing data packets and exporting them into a text file. This tool is supported on many flavours of operating systems such as Linux, Windows, FreeBSD, OpenBSD, Sun Solaris etc., and supports WEP dictionary attacks. After capturing the WPA handshake, the suite uses a password dictionary, and statistical techniques are used to break WEP. It offers testing through fake access points across various areas of security such as attacking, monitoring, testing and cracking.

Acunetix Scanner –

Acunetix Scanner is an automated testing tool which can produce detailed management reports and handle compliance issues. It also handles a wide range of network vulnerabilities (including out-of-band vulnerabilities). It covers about 4500 weaknesses including cross-site scripting (XSS), SQL injection etc., it has built-in black-box and white-box testing, and it can run locally or through a cloud solution.

Burp Suite Pen Tester –

There are two versions of Burp Suite for developers. The free version provides tools for scanning activities; for advanced penetration capabilities one can use the second version. This tool is meant for checking web-based applications and can map the attack surface by analysing traffic between the browser and destination servers. It performs web penetration testing on the Java platform, it is capable of automatic crawling of web-based applications, and it is available on Windows, Linux, OS X etc.

Ettercap –

Ettercap is designed for man-in-the-middle attacks. The software can send invalid frames and build packets to perform specific tasks. It is best suited for deep packet sniffing, monitoring and testing of a LAN; it supports active / passive dissection of protocols and content filtering, and can perform both host and network analysis.

W3af –

W3af is a web application attack and audit framework focused on identifying and exploiting vulnerabilities in web applications. Attack, audit and discovery are the three types of plugins supported; it can be configured to run as a MITM proxy, and it can handle raw HTTP requests and automated HTTP request generation.

One solution that also deserves mention is the ManageEngine NetFlow Analyzer. This tool analyses real-time network traffic with graphs, using NetFlow, sFlow, IPFIX, NetStream and J-Flow, and provides network bandwidth metrics for different users, devices or applications, which helps in allocating resources.

Key features of Penetration Testing Tools

Some of the key features of Penetration Testing Tools can be summarized as below:

Penetration tools and their key features:

Netsparker
  • Elimination of false positives
  • Issue tracking with Jira
  • Scan integration into CI/CD pipeline with GitHub
  • Detailed technical reports
  • Reports to meet regulatory requirements

Wireshark
  • Online and offline traffic analysis
  • Powerful filtering
  • Advanced VoIP analysis

Metasploit
  • Integrates with recon/scan tools like Nessus
  • Database of exploits and vulnerability assessment

BeEF
  • Ideal for mobile clients
  • Explores vulnerabilities beyond the network perimeter and client systems

John the Ripper
  • Dictionary attack with a vast variety of phrases, words, etc.
  • Successful password guessing
  • Compares hashed passwords from data leaks

Aircrack
  • Packet sniffer via monitoring
  • Key cracker for WEP and WPA/WPA2-PSK
  • Performs fake APs and replay attacks
  • Packet injection and capture

Acunetix Scanner
  • Can detect 6500+ vulnerabilities
  • Integrates with Jenkins, GitHub, GitLab, TFS, Mantis
  • Has an API for security controls
  • Fast scan engine with concurrent crawling and incremental scanning
  • Can run on premises or in the cloud

Burp Suite Pen Tester
  • Ideal for web-based applications
  • Supported on multiple platforms including Windows, Linux, and OS X

Ettercap
  • First software capable of sniffing an SSH connection
  • Supports creation of custom plugins

W3af
  • Reconfigurable and reusable parameters for pen tests
  • Results displayed in graphic and text formats

Continue Reading:

What is Penetration Testing or Pen Test?

What is Packet Capture?

WEP vs TKIP vs CCMP

Phishing vs Spam: Cyber Attack Techniques https://networkinterview.com/phishing-vs-spam-cyber-attack-techniques/ https://networkinterview.com/phishing-vs-spam-cyber-attack-techniques/#respond Tue, 29 Oct 2024 14:20:46 +0000 https://networkinterview.com/?p=17608 Cyber Attack Technologies

Various forms of cyber attacks are prevalent these days, and attack sophistication has reached new levels: attackers are no longer limited to fake websites, messages, or emails but also focus on theft of data from social media platforms and on defeating security systems. Social engineering attacks, which trick victims into disclosing confidential, personal, or sensitive information and then use it for financial gain or to commit further cybercrimes, are on the rise.

Today we look in more detail at two cyber attack techniques, phishing and spam: how these attacks are carried out, how to identify them, and the steps that can be taken to avoid becoming a victim.

 

What is Phishing?

Cybercriminals deceive users into disclosing confidential information such as passwords, credit card details, or other banking details, which could lead to financial loss. Social engineering techniques, in which the necessary information is obtained by manipulating legitimate users, are on the rise. The cybercriminal or attacker poses as a trusted person or business in an official-looking communication, usually via email or instant message, social networks, or even phone calls.

Related: Spear Phishing vs Phishing

Such emails usually contain a malicious link which, when clicked, leads to a fake web page that makes users believe they are at a trusted website; the information they provide there goes straight into the attacker's hands.

  • An SMS-based phishing attack, also known as smishing, is one in which a user receives a text message asking them to visit a malicious link, or
  • A vishing phishing attack is one where the user receives a call from a supposed bank or other financial institution asking for verification of personal details which the attacker could use to steal money.

 

What is Spam?

Spam is a flood of unwanted messages, sent in large numbers by unknown senders, that you have neither requested nor desired. Most spam mail advertises a product or service. Spammers buy databases containing thousands of email addresses and often mask the origin of the message or the sender information, sometimes with the intent to damage or choke systems.

Spam is also used by hackers to create problems for network administrators by flooding systems, taxing bandwidth, consuming storage space, etc.

 

How to protect from Phishing and Spam?

  • Don’t click on unsolicited emails or links
  • Don’t enter personal or sensitive information on unsecured sites: if the site URL does not start with HTTPS and show a padlock symbol, don’t enter any sensitive information or download any files from that site
  • Rotate your passwords regularly; enabling multi-factor authentication is also a good strategy to protect passwords
  • Make sure your system has the latest security patches and updates installed

 

Comparison Table: Phishing vs Spam

The table below summarizes the differences between the two cyber attack techniques:

Download the comparison table here: Phishing vs Spam

Continue Reading:

What is Spoofing? Detailed Explanation

Top 10 Cybersecurity trends

What are False Positives and False Negatives in IDS/IPS? https://networkinterview.com/false-positives-false-negatives-in-ids-ips/ https://networkinterview.com/false-positives-false-negatives-in-ids-ips/#respond Sat, 05 Oct 2024 14:45:36 +0000 https://networkinterview.com/?p=21347 This is a series of short interview question & answers that will help you in understanding the basic IT concepts to most advanced IT technologies.

**STAY TUNED**

Short Interview Questions:

Que 13 What are False Positives and False Negatives in IDS/IPS?

What is NAT Masquerading? https://networkinterview.com/what-is-nat-masquerading/ https://networkinterview.com/what-is-nat-masquerading/#respond Sat, 05 Oct 2024 13:41:37 +0000 https://networkinterview.com/?p=21344 This is a series of short interview question & answers that will help you in understanding the basic IT concepts to most advanced IT technologies.

**STAY TUNED**

Short Interview Questions:

Que 12 What is NAT Masquerading?

Cisco FTD Deployment Modes https://networkinterview.com/cisco-ftd-deployment-modes/ https://networkinterview.com/cisco-ftd-deployment-modes/#respond Tue, 24 Sep 2024 10:30:01 +0000 https://networkinterview.com/?p=19100 (FTD Deployment Modes: Routed, Transparent, Inline, Inline with tap, Passive SPAN, Passive ERSPAN)

Cisco FTD design and deployment involves setting up the firewall, SSL inspection, NAT, IPS, and active/standby HA. The deployment mode determines the placement of Firepower in the network as a firewall/IPS device or as an IPS-only device. In firewall/IPS mode you can choose between routed and transparent mode, and for IPS-only devices you can choose between inline and passive mode.

In today’s blog we will cover in detail about FTD deployment modes, differences between each of the modes, and use cases.

Cisco FTD Deployment 

Cisco FTD interface could be deployed in

  • Regular firewall mode and
  • IPS only mode

We can include both firewall and IPS only interfaces on the same device. 

FTD Deployment Modes: Regular Firewall Mode

Regular firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow states at the IP and TCP layers, IP defragmentation, and TCP normalization. IPS functions can optionally be configured for traffic according to the security policy. The type of firewall interface you can configure depends on the firewall mode set for the device: routed or transparent.

FTD Routed Mode Deployment

Routed mode interfaces are available in routed firewall mode only; each interface that you want to route between is on a different subnet.

FTD Transparent Mode Deployment 

In transparent mode the firewall is configured like a switch, and no IP address is assigned to any interface; only the firewall itself has an address.

Limitations of FTD transparent mode (Firewalls)

  • No unicast/ multicast routing
  • No DHCP relay
  • No VPN termination
  • LAN cannot be used as an enterprise gateway

However, the NAT feature can be enabled in transparent mode.

To configure a transparent firewall, we have to configure a bridge group and add interfaces to it. In transparent mode each bridge group is separate and does not communicate with the others. The Firepower Threat Defense (FTD) system uses bridging to pass traffic between interfaces. Each bridge group includes a Bridge Virtual Interface (BVI) to which an IP address on the network is assigned. In routed mode FTD routes between the BVI and regular routed interfaces.

Access rules in transparent firewall mode 

  • ARP is allowed by default and can be controlled with ARP inspection
  • IPv6 neighbour discovery is not allowed by default
  • Multicast and broadcast routing traffic (RIP/OSPF/EIGRP) is not allowed by default
  • STP BPDUs are allowed by default to prevent loops

FTD Deployment Modes: IPS Only Mode

IPS only mode can be deployed in three ways. Let us understand each one of them more in detail. 

Inline Mode

Inline Mode (without tap) – When it comes to inline mode, only two interfaces can be connected for each pair. Whatever is received on either of the interfaces will be checked and then transmitted to the other interface without any MAC switching or IP routing. It functions similarly to a wire with an inspection module in the middle.

Inline mode differs from transparent mode, where multiple interfaces may be incorporated into each bridge group, making each bridge group behave like a separate switch.

Inline with Tap Mode

In tap mode, however, the traffic itself is not inspected; a copy of it is. So it is not possible to drop intrusions in this mode; only alerts are generated. FTD makes a copy of each packet so it can analyse it. This is ideal when you want to fine-tune your intrusion policy and add drop rules that best protect your network without hampering its efficiency. Once you are ready to deploy FTD inline, you can disable tap mode.

Passive Mode

In this mode FTD will not sit physically inserted into the path. Copy of traffic will be sent to IPS with the help of SPAN/RSPAN/ERSPAN technology.

Passive Span Mode

Passive interface monitors traffic flow across the network using a switch SPAN or mirror port. The SPAN or mirror port allows for traffic to be copied from other ports on switch. FTD cannot take actions such as blocking or shaping traffic in passive mode.

Passive ERSPAN Mode

Encapsulated Remote Switched Port Analyzer (ERSPAN) interfaces allow monitoring of traffic from source ports on remote switches; the mirrored traffic is encapsulated in GRE. ERSPAN interfaces are allowed in routed firewall mode only.
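As an added example (not from this article or from Cisco), here is a Python decoder for the GRE-encapsulated ERSPAN Type II frames a passive ERSPAN interface receives, down to the inner Ethernet header. The header layouts, the constants and the sample packet are this example's own assumptions and constructed data.

```python
import struct

# Assumed header layouts for this example:
#   GRE       : flags/version (2 bytes), protocol type (2 bytes),
#               optional sequence number (4 bytes) when the S flag is set
#   ERSPAN II : 8 bytes -> ver(4) vlan(12) cos(3) en(2) t(1) session(10)
#                          reserved(12) index(20)
GRE_PROTO_ERSPAN2 = 0x88BE   # protocol type carried for ERSPAN Type II
GRE_FLAG_CSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def parse_gre(data):
    """Return (protocol_type, sequence_number_or_None, payload)."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    off = 4
    if flags & GRE_FLAG_CSUM:
        off += 4                      # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        if len(data) < off + 4:
            raise ValueError("truncated GRE sequence field")
        (seq,) = struct.unpack("!I", data[off:off + 4])
        off += 4
    if len(data) < off:
        raise ValueError("truncated GRE optional fields")
    return proto, seq, data[off:]


def parse_erspan2(data):
    """Decode the 8-byte ERSPAN Type II header; return its fields and the inner frame."""
    if len(data) < 8:
        raise ValueError("truncated ERSPAN header")
    w1, w2 = struct.unpack("!II", data[:8])
    if (w1 >> 28) != 1:
        raise ValueError("not an ERSPAN Type II header")
    return {
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "session": w1 & 0x3FF,
        "index": w2 & 0xFFFFF,
        "frame": data[8:],
    }


def decode_mirrored(gre_packet):
    """Decode a GRE-delivered ERSPAN II packet. This path only observes traffic:
    a passive interface can alert on what it sees but never block or shape it."""
    proto, seq, payload = parse_gre(gre_packet)
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError("GRE payload is not ERSPAN Type II (0x%04x)" % proto)
    hdr = parse_erspan2(payload)
    frame = hdr["frame"]
    if len(frame) < 14:
        raise ValueError("inner Ethernet frame truncated")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    return {
        "gre_seq": seq,
        "session": hdr["session"],
        "vlan": hdr["vlan"],
        "inner_dst": dst.hex(":"),
        "inner_src": src.hex(":"),
        "ethertype": etype,
        "inner_payload": frame[14:],
    }


def build_erspan2(session, vlan, frame, seq=1):
    """Constructed encoder used only to create test input for this example."""
    w1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session & 0x3FF)
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN2, seq)
    return gre + struct.pack("!II", w1, 0) + frame


# Constructed sample: a mirrored ARP frame on VLAN 10, ERSPAN session 5.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0011223344ff" "0806") + b"\x00\x01\x08\x00"
SAMPLE_PACKET = build_erspan2(session=5, vlan=10, frame=SAMPLE_FRAME, seq=42)

if __name__ == "__main__":
    print(decode_mirrored(SAMPLE_PACKET))
```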

Continue Reading:

Palo Alto Interface Types & Deployment Modes Explained

Understanding Checkpoint 3-Tier Architecture: Components & Deployment

Cisco ASA vs Cisco FTD: What is the difference between Cisco ASA & Cisco FTD https://networkinterview.com/cisco-asa-vs-cisco-ftd/ https://networkinterview.com/cisco-asa-vs-cisco-ftd/#respond Thu, 19 Sep 2024 18:46:18 +0000 https://networkinterview.com/?p=19381 The Cisco Firepower Threat Defense (FTD) and Cisco Adaptive Security Appliance (ASA) are two types of security appliances that provide various features and capabilities to companies. These appliances were created with the intention of safeguarding businesses from cyber threats. 

Today we look more in detail about their features, use cases and comparison Cisco ASA vs Cisco FTD, i.e. how they are different from each other. 

What is  Cisco ASA? 

Cisco ASA is a network security appliance which provides firewall, VPN, and intrusion prevention functionality. It adds extra layers of security through advanced threat protection and behaviour analysis. It can detect threats in real time and block them before they cause damage to the network. It is well suited for small and large enterprises, for both wired and wireless networks. It has high throughput and low latency.

Cisco ASA firewalls were designed to prevent all external traffic from entering into the network. ASA allows stateful inspection by saving session information so that when a valid response comes back, it can recognize and permit traffic. In addition, they provide network address translation or port address translation for network protection. 

cisco asa architecture

Features of Cisco ASA

  • Cisco ASA provides stateful tracking of packets generated from a higher security level to a lower security level
  • It can perform static routing, default routing, and dynamic routing using the EIGRP, OSPF, and RIP protocols
  • It can operate in routed mode, where it acts as a Layer 3 device and needs a different IP address on each interface, and in transparent mode, where it operates at Layer 2 and needs only a single IP address
  • It supports AAA services using a local database or an external server like ACS
  • VPN support is also provided by the Cisco ASA firewall: point-to-point, IPsec VPN, and SSL-based VPNs
  • Newer versions support IPv6 routing (static and dynamic)
  • It provides high availability for a pair of ASA firewalls
  • Advanced Malware Protection
  • The Modular Policy Framework supports policy definitions at the traffic flow level
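As an added example (not Cisco's code), the following Python model shows how the stateful inspection and security-level behaviour described above combine: a flow from a higher to a lower security level is recorded, its return traffic is recognised from the saved session, and unsolicited traffic from a lower level is denied unless an inbound ACL entry allows it. Interface names, levels, addresses and the `inbound_acl` parameter are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class AsaModel:
    """Toy model of ASA stateful inspection with interface security levels."""

    def __init__(self, interfaces, inbound_acl=()):
        # interfaces: name -> (security level 0..100, network reached via it)
        self.interfaces = {
            name: (level, ipaddress.ip_network(net))
            for name, (level, net) in interfaces.items()
        }
        # (dst, dport) pairs explicitly permitted from a lower to a higher level
        self.inbound_acl = set(inbound_acl)
        self.conn_table = {}   # 5-tuple -> egress interface of the tracked flow

    def _iface_for(self, ip):
        """Longest-prefix match of an address to an interface (stands in for routing)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for name, (_, net) in self.interfaces.items():
            if addr in net and (best is None or net.prefixlen > self.interfaces[best][1].prefixlen):
                best = name
        if best is None:
            raise ValueError(f"no route for {ip}")
        return best

    def level(self, name):
        return self.interfaces[name][0]

    def process(self, pkt):
        """Return (action, reason) for one packet and update the connection table."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conn_table:
            return "permit", "existing connection"
        if reverse in self.conn_table:
            # Stateful inspection: the reply is recognised from the saved session
            # even though it travels from the lower to the higher level.
            return "permit", "return traffic of tracked connection"
        in_if, out_if = self._iface_for(pkt.src), self._iface_for(pkt.dst)
        path = f"{in_if}({self.level(in_if)}) -> {out_if}({self.level(out_if)})"
        if self.level(in_if) > self.level(out_if):
            self.conn_table[key] = out_if
            return "permit", f"{path}: higher to lower level, flow recorded"
        if (pkt.dst, pkt.dport) in self.inbound_acl:
            self.conn_table[key] = out_if
            return "permit", f"{path}: allowed by inbound ACL, flow recorded"
        return "deny", f"{path}: unsolicited traffic from a lower or equal level"


def build_sample_asa():
    """Constructed three-interface deployment with one published DMZ service."""
    return AsaModel(
        {"inside": (100, "10.0.0.0/24"),
         "dmz": (50, "172.16.0.0/24"),
         "outside": (0, "0.0.0.0/0")},
        inbound_acl=[("172.16.0.10", 443)],
    )


if __name__ == "__main__":
    asa = build_sample_asa()
    for p in (Packet("10.0.0.5", 40000, "203.0.113.7", 443),
              Packet("203.0.113.7", 443, "10.0.0.5", 40000),
              Packet("198.51.100.9", 5555, "10.0.0.5", 22),
              Packet("198.51.100.9", 5555, "172.16.0.10", 443)):
        print(p, asa.process(p))
```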

Use cases of Cisco ASA

  • VPN logging
  • Startup and running configuration change
  • TCP port scanning
  • Permitted / denied blacklisted source management 
  • Permitted/ denied blacklisted destination management 

What is Cisco FTD?

Cisco FTD is a high-end firewall appliance used to protect networks from intrusion attacks. It offers an extra layer of security to data centers and enterprises. Cisco FTD supports service level agreements (SLAs) with real-time in-service monitoring, analysis, and control of the network to optimize the performance of mobile applications.

cisco ftd architecture

Features of Cisco FTD

  • Continuous visibility across attack landscape 
  • Maintains data integrity and confidentiality of enterprise network with out of band segmentation
  • Includes advanced threat prevention from malware, ransomware, phishing attacks, and other exploits. 
  • Architecture to support multi-tenant deployments
  • Network protection from insider attack using Cisco Identity services engine (ISE). 

Use cases of Cisco FTD

  • Logging security events
  • Intrusion detection and prevention 
  • URL filtering
  • Malware protection 

Comparison: Cisco ASA and Cisco FTD

Below table summarizes the differences between the two types of Network Security Appliances:

cisco asa vs cisco ftd comparison table

Download the comparison table: Cisco ASA vs Cisco FTD

Final Words

The primary difference between Cisco FTD and ASA is that while ASA gives users VPN, IDS, IPS, anti-malware, and anti-virus facilities, these facilities are absent in Cisco FTD. However, when it comes to performance, FTD is capable of replacing ASA with ease.

Continue Reading:

Cisco PIX vs Cisco ASA Firewall

Intro to Cisco FTD Firewall (Firepower Threat Defense)

Are you preparing for your next interview?

Please check our e-store for e-book on Cisco ASA Interview Q&A. All the e-books are in easy to understand PDF Format, explained with relevant Diagrams (where required) for better ease of understanding.

IPSec VPN Configuration: Fortigate Firewall https://networkinterview.com/ipsec-vpn-configuration-fortigate-firewall/ https://networkinterview.com/ipsec-vpn-configuration-fortigate-firewall/#respond Tue, 03 Sep 2024 12:55:28 +0000 https://networkinterview.com/?p=17722 Objectives
  • IPSec
  • IKE
  • Site to Site VPN between two FortiGate Sites
  • Phase I and Phase II Parameters
  • Tunnel Configuration
  • Troubleshooting Commands

 

IPSec VPN Configuration: Fortigate Firewall

IPsec: It is a vendor-neutral security protocol suite used to link two different networks over a secure tunnel. IPsec provides encryption, data integrity, and confidentiality.

IPsec contains a suite of protocols which includes IKE.

IKE is used to authenticate both remote parties, exchange keys, and negotiate the encryption and checksum (integrity) algorithms used in the VPN tunnel. IKE uses UDP port 500, and UDP port 4500 when crossing a NAT device.

IKE allows the two remote parties involved in a transaction to set up a Security Association.

Security Associations are the basis for building security functions into IPsec. IPsec parameters like encryption algorithm, authentication method, hash value, and pre-shared key must be identical on both remote parties to build a security association between them.

 

Site To Site VPN Between FortiGate FWs

Phase I and Phase II Parameters are:

 

Firewall -1, check internal interface IP addresses and External IP addresses

IPSec VPN Configuration Site-I

Follow below steps to Create VPN Tunnel -> SITE-I

1. Go to VPN > IPsec Wizard

2. Select VPN Setup, set Template type Site to Site

3. Name – Specify VPN Tunnel Name (Firewall-1)

4. Set address of remote gateway public Interface (10.30.1.20)

5. Egress Interface (Port 5)

6. Enter the pre-shared key. The pre-shared key is used to authenticate both parties and must be the same on both sides.

7. Select IKE version to communicate over Phase I and Phase II

8. Mode of VPN – Main mode/Aggressive Mode. Main mode is the suggested key-exchange method because it hides the identities of the peer sites during the key exchange.

9. Encryption Method, it must be identical with remote parties. Encryption method provides end-to-end confidentiality to the VPN traffic.

10. Authentication method – it must be identical with the remote site. The authentication method verifies the identity of the peer, which means the traffic is coming from the correct peer and there is no man-in-the-middle attack.

11. DH Group – must be identical with the remote peer (DH-5). Diffie-Hellman is a key exchange protocol which creates a secure channel by exchanging public keys to derive a shared master key.

12. Key Lifetime – it defines when re-negotiation of the tunnel is required. Key lifetimes should be identical; if they are mismatched, it may lead to tunnel fluctuations.

VPN Phase-II

13. Add Phase II proposals

14. Select Encryption method AES256

15. Select Authentication method SHA1

16. Enable Anti-Replay Detection – anti-replay is an IPsec security method at the packet level which helps prevent an intruder from capturing and modifying an ESP packet.

17. PFS (Enable Perfect Forward Secrecy) – must be enabled at both peers’ ends

18. DH Group- Select 5

19. Key lifetime for Phase II

Phase II Selector

20. Share Local LAN subnet which will communicate once VPN is established

21. Share remote end LAN subnet

Create Static Route towards VPN Tunnel Interface

22. Static Route

23. Local LAN subnet going via Tunnel Interface To-FG-2

24. Allocate Tunnel Interface

25. Assign Administrative distance 10 (static Routes)

Create VPN- Policy for interesting traffic & allow ports according to requirement

26. Assign name to the policy in IPV4 Policy Tab

27. Traffic incoming from Inside Zone/Interface and Outgoing Interface will be Tunnel Interface

28. Source address which will be 80.25.0/24

29. Destination address will be remote site Local LAN subnet 10.100.25.0/24

30. Services/protocol – select ALL, or select specific services like FTP/HTTP/HTTPS

31. Accept the action.

32. NAT is OFF and Protocol Options are Default

33. Basic Anti-Virus has been enabled and Basic Application Control is enabled

34. SSL Certificate is enabled to authenticate over SSL Inspection/ Its completely optional

35. Enable ALL session logs

36. Add Policy Comment and Enable the Policy

37. Select OK

 

** If required, create a reverse clone policy for the connection to enable bi-directional traffic.

From Step 1 to Step 37, VPN configuration has been completed for Firewall -1/Site-1.
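As an added example (not FortiGate's code), the following Python check compares the Phase I and Phase II settings of two sites the way the negotiation above requires: the first common encryption/authentication proposal is selected, DH groups and the other must-match settings are verified, the pre-shared keys are compared, and a lifetime mismatch is reported as a warning rather than a failure since it causes tunnel fluctuations rather than preventing the SA. Site names, values and field names are constructed.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class PhaseConfig:
    proposals: list                # (encryption, authentication) pairs, preferred first
    dh_groups: set                 # DH groups offered
    key_lifetime: int              # seconds
    settings: dict = field(default_factory=dict)   # other values that must match


def negotiate_phase(local, remote):
    """Pick the first local proposal the remote also offers; list every mismatch."""
    errors, warnings = [], []
    chosen = next((p for p in local.proposals if p in remote.proposals), None)
    if chosen is None:
        errors.append("no common encryption/authentication proposal")
    common_dh = local.dh_groups & remote.dh_groups
    if not common_dh:
        errors.append("no common DH group")
    for name in sorted(set(local.settings) | set(remote.settings)):
        if local.settings.get(name) != remote.settings.get(name):
            errors.append(f"{name} mismatch")
    if local.key_lifetime != remote.key_lifetime:
        # The SA can still come up, but each side renegotiates at a different
        # time, which shows up as a tunnel that keeps flapping.
        warnings.append("key lifetime differs; expect tunnel fluctuations")
    return {
        "ok": not errors,
        "proposal": chosen,
        "dh_group": min(common_dh) if common_dh else None,
        "errors": errors,
        "warnings": warnings,
    }


@dataclass
class SiteConfig:
    name: str
    psk: str
    phase1: PhaseConfig
    phase2: PhaseConfig


def check_tunnel(site_a, site_b):
    """Run the PSK check and both phases; return a combined report."""
    p1 = negotiate_phase(site_a.phase1, site_b.phase1)
    p2 = negotiate_phase(site_a.phase2, site_b.phase2)
    psk_ok = hmac.compare_digest(site_a.psk.encode(), site_b.psk.encode())
    return {"psk_ok": psk_ok, "phase1": p1, "phase2": p2,
            "ok": psk_ok and p1["ok"] and p2["ok"]}


# Constructed sample configurations following the parameters used above.
SITE1 = SiteConfig(
    "Firewall-1", "example-psk",
    PhaseConfig([("aes256", "sha1"), ("aes128", "sha256")], {5}, 86400,
                {"ike_version": 1, "mode": "main"}),
    PhaseConfig([("aes256", "sha1")], {5}, 43200,
                {"pfs": True, "anti_replay": True}),
)
# Site 2 with a shorter Phase I lifetime and the wrong Phase II DH group.
SITE2_MISMATCHED = SiteConfig(
    "Firewall-2", "example-psk",
    PhaseConfig([("aes256", "sha1")], {5}, 28800, {"ike_version": 1, "mode": "main"}),
    PhaseConfig([("aes256", "sha1")], {14}, 43200, {"pfs": True, "anti_replay": True}),
)
# Site 2 after correcting both parameters.
SITE2_FIXED = SiteConfig(
    "Firewall-2", "example-psk",
    PhaseConfig([("aes256", "sha1")], {5}, 86400, {"ike_version": 1, "mode": "main"}),
    PhaseConfig([("aes256", "sha1")], {5}, 43200, {"pfs": True, "anti_replay": True}),
)

if __name__ == "__main__":
    for peer in (SITE2_MISMATCHED, SITE2_FIXED):
        print(peer.name, check_tunnel(SITE1, peer))
```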

 

Let’s move to Firewall -2/Site II

  • Check Internal and External Interface IP address and Ports

IPSec VPN Configuration Site-II

Start following step-1 to step-22 to complete the VPN configuration in Firewall-2.

  • Monitor VPN traffic status in IPSec Monitor TAB for further Troubleshooting.

Troubleshooting Commands

Run debug and basic troubleshooting commands if the tunnel status is not showing or visible in the IPsec Monitor tab.

Debug commands:

# diag vpn tunnel list
# diag vpn ike filter clear
# diag vpn ike log-filter dst-addr4  x.x.x.x    <—– remote peer Public IP

# diag debug application ike -1
# diag debug console timestamp enable
# diag debug enable

 

Initiate the connection and try to bring up the tunnel from GUI

(VPN -> IPsec Monitor -> Bring UP ):
# diagnose vpn tunnel up “vpn_tunnel_name”         <—– Check packets of Phase I


Disable the Debug to stop packets

# diag debug disable
# diag debug reset

 

Continue Reading:

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

Types of Firewall: Network Security

FortiGate UTM (Unified Threat Management) https://networkinterview.com/fortigate-utm-unified-threat-management/ https://networkinterview.com/fortigate-utm-unified-threat-management/#respond Sat, 10 Aug 2024 15:00:46 +0000 https://networkinterview.com/?p=18054 UTM-Unified Threat Management

UTM (Unified Threat Management) is a feature of a firewall in which multiple security profiles combine and provide protection from threats and attacks. These features are antivirus, web filtering, IPS, anti-spam etc.

UTM is the consolidated solution for an organisation against attacks and malicious traffic. In other words, UTM is a capsule of multiple security features.

FortiGate UTM Profiles

Let’s discuss FortiGate UTM profiles one by one.

Anti-Virus Profile

Antivirus Scanning Modes

FortiGate Antivirus is used to detect viruses in the traffic or files. FortiGate uses many techniques to detect viruses. This detection technique includes:

  1. Anti-Virus Scan: This is the simplest and fastest way to detect malware. It detects viruses that are an exact match for a signature in the anti-virus database.
  2. Grayware Scan: This scan detects unsolicited programs, known as grayware, that have been installed without the user's knowledge or consent. Grayware is not technically a virus; it is bundled software which produces unwanted side-effects in the network or system.
  3. Machine Learning AI Scan: It tests for the possibility of attacks like zero-day attacks. Zero-day attacks use malware that is new and unknown and hence has no existing signatures. If your network is a frequent target, enabling the AI scan may be worth the performance cost because it helps you detect new attacks in the network.

Anti-virus can operate by using flow-based or Proxy-based inspection mode. Both inspection modes use a full AV database.

Flow-based Scanning Mode

In this mode the anti-virus engine inspects the packet payload and caches the real packet, then forwards the packet to the receiver. It consumes more CPU than other modes.

If a virus is detected in a TCP session after some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. The receiver has received most of the file, but the file is truncated and cannot be opened.

If an attacker tries to re-send the file to user, FortiGate firewall blocks the connection.

Proxy-based Inspection Mode

In this mode each protocol proxy picks up a connection and buffers the entire file first. Clients must wait for the scanning to be finished.

If a virus is detected, a block replacement page is displayed. Because FortiGate must buffer the whole file before scanning, scanning takes longer. Proxy-based scanning allows stream-based scanning, which is enabled by default. Stream-based scanning scans large archive files by decompressing, extracting, and scanning the files at the same time. This process optimises memory usage. Viruses can be detected in the middle of the scan or at the end of the scan.

Configuring Anti-Virus Profile and Policy

  • Create Anti-Virus Profile
    1. Go to the Security Profiles tab
    2. Select Antivirus Profile
    3. Create a new profile, named ANTIVIRUS
    4. Select the scan mode (proxy/Full or flow/Quick)
    5. Select the action if a virus is detected: Block blocks the file; Monitor generates an alert for the virus file.
    6. Select OK

 

  • Apply Anti-Virus Profile to Security Policy

    1. Create Internet Policy, Go to IPV4 Policy TAB
    2. Add Policy NAME- Antivirus Policy
    3. Go to the Security Profile section in Internet Policy and add ANTIVIRUS profile which is created above.
    4. Select OK.

 

Now every file in traffic going to the internet will be parsed by the anti-virus engine, and the configured action will be taken accordingly.

Web-Filter Profile

Web filtering is the FortiGate feature for controlling web traffic through the firewall using block or allow actions.

It uses two types of inspection mode for URL traffic

  1. Flow-based: The default inspection mode, and faster than the other mode.
  2. Proxy-based: FortiGate buffers the traffic and examines it as a whole. It works as a mediator between the client and the web server.

Further NGFW modes are also used in Web-filtering configuration. These modes are:

Profile-based Mode: 

It requires application control and web filter profiles and applies them to a firewall policy. It uses flow-based or proxy-based inspection.

Policy-based Mode: 

Application control and web filtering can be applied directly in the firewall policy. It does not require separate Application Control or Web Filtering profiles.

Web filtering controls and manages the sites that users visit, which helps preserve employee productivity. It prevents network congestion by blocking malicious and unauthorised URLs, and it prevents exposure of confidential data by scanning web URLs.

Configure Web-Filtering Profile 

  1. Go to Security Profile
  2. Select Web Filter
  3. Create new Web Filter with name Web-Filter-Profile-1
  4. Create a FortiGuard category-based filter and select the categories to control.
  5. Select any category which you wish to block/allow/monitor. Here the Potentially Liable category is blocked manually.
  6. Select ok

Apply Web-Filter Profile in Security Policy

  1. Create Security policy to apply web-filtering. Go to IPV4 Policy.
  2. Create New policy name Internet-Policy-With-Webfilter
  3. Assign incoming and outgoing interfaces.
  4. Add source address
  5. Add destination address
  6. Add services
  7. Select action as Accept
  8. Go to Security Profiles and select Web Filter TAB. Select the web filtering profile which we have created above. And select OK. That’s it

IPS – Intrusion Prevention System Profile

We should implement IPS in our network to protect it from intrusion. IPS in FortiGate uses signature databases to detect anomalies and attacks. The purpose of the IPS filter is to protect the inside network from outside threats. Protocol decoders can also detect network errors and protocol anomalies. The IPS engine can cover:

  • Antivirus 
  • Web Filter
  • Email Filter
  • Application Control

IPS Signature Updates

FortiGuard updates the IPS signatures and decoders with new signatures. That way IPS engines become effective against the new exploits. Regular updates or customised updates are configured in the FortiGate to fetch IPS signatures periodically. 

The default setting of updates is Automatic. Please refer to the image below to check the settings of IPS updates in FortiGate firewall.

After FortiGate downloads the FortiGuard package, new signatures appear in the signature list. When configuring FortiGate you can change the action setting for each signature; however, the default action is usually correct except in a few cases. We can create custom signatures with the help of the FortiGate DevOps team to parse custom applications. Sometimes a false positive alert triggers in the FortiGate IPS; you can enable or disable the signature as required. Moreover, the FortiGate support team can modify a false positive signature once you report the error on the support portal.

IPS Sensors

IPS sensors contain the list of signatures in a profile which is later called in a security policy. There are two ways to configure IPS sensors:

  1. Select the signatures individually; once you select sensors in the list, they are automatically pulled from the sensor database.
  2. Add sensors to the IPS profile by applying a filter; FortiGate adds all the sensors matching the filter to the profile.

Configure IPS Profile in FortiGate Firewall

  1. Go to Security Profiles
  2. Select Intrusion Prevention
  3. Create a new profile. Here we have created IPS Profile-1
  4. Add a signature-based IPS profile. Signature-based means we can select signatures from the FortiGate IPS database and add them into a single profile
  5. Add filters in the profile and select a list of signatures from database.
  6. Add signatures in the profile and apply it to the newly created Profile.

Apply IPS-Profile in Firewall Policy

  7. Now it’s time to apply the IPS profile in a firewall policy. Go to the IPV4 Firewall Policy tab. Add the policy parameters to which the IPS profile applies, like source IP address, destination IP address, and services or ports.
  8. Go to the Security Profiles section in the firewall policy and add IPS Profile-1
  9. Select OK to apply the parameters to the policy.

DOS Policy Configuration in FortiGate

DOS- Denial of Service is a packet-based attack which consumes resources of infrastructure and makes it unavailable to legitimate traffic/users.

To block DOS attacks we can apply DOS-Policy on FortiGate that is located between the attacker and all the resources that you want to protect. DOS filtering is done early in the packet handling process which is handled by the kernel.

Let’s discuss type of DOS attack before implementing DOS policy in FortiGate firewall:

  1. TCP SYN Flood: The victim is flooded with incomplete TCP/IP connections which occupy the device’s connection table and make it unavailable for legitimate users.
  2. ICMP Sweep: A flood of ICMP traffic is sent to the target device. All the victim’s resources become busy responding to the ICMP traffic, which makes it unavailable for genuine users.
  3. TCP Port Scan: The attacker sends TCP/IP connection attempts to identify open ports in the network. The attacker then exploits those ports and hampers network services.
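As an added example (not FortiGate's code), the following Python detection logic recognises the three anomaly types above over constructed packet records, using a one-second sliding window per target, per source and per source/destination pair; the thresholds, field names and sample traffic are this example's assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "tcp" or "icmp"
    dport: int = 0
    flags: str = ""  # TCP flags, e.g. "S", "SA", "A"


# Per-window thresholds chosen for the example (a real policy tunes these).
THRESHOLDS = {"tcp_syn_flood": 100, "icmp_sweep": 50, "tcp_port_scan": 20}
WINDOW = 1.0


def _trim(dq, now, window):
    """Drop entries older than the sliding window."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def detect_anomalies(packets, thresholds=THRESHOLDS, window=WINDOW):
    """Return a list of (anomaly, key) alerts, one per offending key."""
    syn_to_dst = defaultdict(deque)        # dst -> (ts,) of SYN-only segments
    icmp_from_src = defaultdict(deque)     # src -> (ts, dst) of ICMP packets
    ports_from_pair = defaultdict(deque)   # (src, dst) -> (ts, dport) of SYNs
    alerts, seen = [], set()

    def raise_alert(kind, key):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append((kind, key))

    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            # SYN flood: many half-open attempts against one target
            dq = syn_to_dst[p.dst]
            dq.append((p.ts,))
            _trim(dq, p.ts, window)
            if len(dq) >= thresholds["tcp_syn_flood"]:
                raise_alert("tcp_syn_flood", p.dst)
            # Port scan: one source touching many distinct ports on one host
            pq = ports_from_pair[(p.src, p.dst)]
            pq.append((p.ts, p.dport))
            _trim(pq, p.ts, window)
            if len({port for _, port in pq}) >= thresholds["tcp_port_scan"]:
                raise_alert("tcp_port_scan", (p.src, p.dst))
        elif p.proto == "icmp":
            # ICMP sweep: one source probing many distinct destinations
            iq = icmp_from_src[p.src]
            iq.append((p.ts, p.dst))
            _trim(iq, p.ts, window)
            if len({d for _, d in iq}) >= thresholds["icmp_sweep"]:
                raise_alert("icmp_sweep", p.src)
    return alerts


def constructed_sample():
    """Constructed traffic: three attack patterns followed by benign flows."""
    pkts = []
    # 120 half-open connection attempts to the same web server in 0.6 s
    for i in range(120):
        pkts.append(Pkt(0.005 * i, f"203.0.113.{i % 200 + 1}", "10.0.0.10", "tcp", 80, "S"))
    # one host pinging 60 different internal addresses in 0.3 s
    for i in range(60):
        pkts.append(Pkt(2.0 + 0.005 * i, "192.0.2.7", f"10.0.0.{i + 1}", "icmp"))
    # one host probing 25 ports on one server in 0.5 s
    for i in range(25):
        pkts.append(Pkt(4.0 + 0.02 * i, "198.51.100.5", "10.0.0.20", "tcp", 1 + i, "S"))
    # benign traffic: a completed handshake and a single ping
    pkts += [Pkt(6.0, "10.0.0.33", "10.0.0.10", "tcp", 80, "S"),
             Pkt(6.01, "10.0.0.10", "10.0.0.33", "tcp", 40001, "SA"),
             Pkt(6.02, "10.0.0.33", "10.0.0.10", "tcp", 80, "A"),
             Pkt(6.5, "10.0.0.33", "10.0.0.1", "icmp")]
    return pkts


if __name__ == "__main__":
    for alert in detect_anomalies(constructed_sample()):
        print(alert)
```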

Apply DOS Policy in FortiGate

  1. Go to IPV4 DoS Policy
  2. Create new policy, here we have named it DOS-Protection-1
  3. Specify source and destination address and incoming interface
  4. Specify service or port
  5. Block/disable L3 anomalies
  6. Select the source/destination session
  7. Enable or disable DoS sessions and apply it to the incoming interface.

Application Control in FortiGate

  • Application control detects applications that communicate over the network using any port. It takes appropriate action on the application traffic to stop malicious attacks.
  • Application control detects application traffic like Google Talk, Facebook chat, Gmail Hangouts, etc.
  • These applications work on port 443, the web browsing port, so a firewall acting as an L4 device is not able to check whether the traffic is legitimate or carries malicious content.
  • As we all know, port 443 carries normal browsing traffic, and it also transfers application traffic like BitTorrent. Application control can differentiate traffic based on the application that generates it and block the site as per the policy configured in the firewall.
  • Application control can be configured flow-based or policy-based in the firewall. It performs a traffic scan which compares traffic to known application patterns.
  • It detects peer-to-peer applications. P2P traffic uses a distributed architecture to forward traffic in the network.
  • Traditional client-to-server architecture uses client-to-server communication on a simple port number, which can easily be blocked by a firewall policy.
  • Peer-to-peer downloads divide each file among multiple peers and use dynamic ports to transfer the data. Hence it is very difficult to identify the traffic and block it at the firewall level based on port alone.

Application Control Signatures

A FortiGuard subscription is required to download and update the application control signatures in the firewall. The signatures match patterns in the packet payload, so an application is identified even when it uses dynamic or non-standard ports.
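Because the explanation above rests on content rather than port, the following added example (not Fortinet code; written for this page) shows the idea in miniature: a classifier that names the application from the first payload bytes of a flow, extracting the SNI from a TLS ClientHello, spotting a BitTorrent handshake on port 443 and a proxy CONNECT on port 80. The flows at the bottom are constructed sample data; the application names and the block list are assumptions for the example.

```python
"""Port-independent application identification (added example; not Fortinet's code).

An application-control engine does not trust the destination port: it matches
the first payload bytes of a flow against application patterns. This toy engine
recognises a BitTorrent peer handshake, an HTTP request (and a CONNECT proxy
request) and a TLS ClientHello, from which it extracts the SNI hostname and maps
it to an application. The flows at the bottom are constructed sample data.
"""
import struct
from typing import Optional

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def tls_client_hello_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return None                                  # not a TLS handshake record
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 39 or hs[0] != 0x01:                # HandshakeType.client_hello
        return None
    p = 4 + 2 + 32                                   # header, version, random
    p += 1 + hs[p]                                   # session id
    if p + 2 > len(hs):
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                   # compression methods
    if p + 2 > len(hs):
        return None
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= min(ext_end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0 and p + 5 <= len(hs):          # server_name extension
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def identify_app(payload: bytes) -> str:
    """Name the application from payload content alone; the port is never consulted."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    sni = tls_client_hello_sni(payload)
    if sni is not None:
        host = sni.lower()
        if host == "facebook.com" or host.endswith(".facebook.com"):
            return "Facebook"
        if host.endswith(".google.com"):
            return "Google"
        return "TLS:" + host
    if payload.startswith(b"\x16\x03"):
        return "TLS"                                 # TLS without a readable SNI
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "HTTP-Proxy" if parts[0] == b"CONNECT" else "HTTP"
    return "unknown"


def make_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def enforce(flows, blocked):
    """Apply a block list by application, returning (dst_port, app, action) per flow."""
    out = []
    for dst_port, payload in flows:
        app = identify_app(payload)
        out.append((dst_port, app, "block" if app in blocked else "pass"))
    return out


SAMPLE_FLOWS = [                                      # constructed: (dst_port, first bytes)
    (443, make_client_hello("www.facebook.com")),     # social media on the expected port
    (443, b"\x13BitTorrent protocol" + b"\x00" * 48), # P2P hiding on 443
    (8080, make_client_hello("mail.google.com")),     # TLS on a non-standard port
    (80, b"CONNECT update.example.net:443 HTTP/1.1\r\n\r\n"),  # proxy use over plain HTTP
]

if __name__ == "__main__":
    for row in enforce(SAMPLE_FLOWS, {"BitTorrent", "HTTP-Proxy"}):
        print(row)
```

The TLS case is why application control on a FortiGate benefits from an SSL/SSH inspection profile: with certificate inspection the SNI is enough to name the site, while identifying what happens inside the TLS session needs deep inspection.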

Configure Application Control Policy

  1. Go to Security Profiles > Application Control.
  2. Create a new Application Control profile.
  3. Select the categories or applications you want to block; in this example the Proxy and P2P categories are blocked.
  4. Click OK.

Individual applications can be handled differently from their category by adding signatures under Application and Filter Overrides in the profile.

Apply Application Control Profile in the Policy

  1. Go to Policy & Objects > IPv4 Policy and edit the policy that the traffic matches.
  2. Under Security Profiles, enable Application Control and select the profile created above.

Fundamentals of FortiGate Firewall: Essential Guide (https://networkinterview.com/fundamentals-of-fortigate-firewall/, Sat, 10 Aug 2024)

FortiGate is one of the most widely deployed firewall products on the market. It combines traditional firewalling with VPN and UTM security profiles, and its FortiGuard services use artificial intelligence and machine learning to keep signatures and threat intelligence current.

Fortinet covers many technologies under a single umbrella, such as VPN, UTM, Security Profiles, FortiManager, FortiAnalyzer and more.

Here, we will discuss all important features and technologies covered by Fortinet. Let’s start then…

Fundamentals of FortiGate Firewall

Below are the main components of the Fortinet ecosystem; this document covers the important ones.

FortiGate Firewall Dashboard

The FortiOS Dashboard provides a graphical overview and alert statistics. Widgets are views of FortiGate properties and include:

  • System Information: hostname, IP address, serial number and firmware version
  • Licenses: the licences installed on the system and their expiry dates
  • FortiCloud: statistics of FortiCloud data
  • Security Fabric: a summary of the devices participating in the Security Fabric
  • Administrators: all connected admins with their login time and source IP address
  • CPU: utilisation of the device
  • Memory: live utilisation of the device
  • Sessions: the number of active sessions and the rate of new sessions the firewall is processing

Other Widgets present in Dashboard

  • HA status 
  • Log rate
  • Interface Bandwidth
  • Botnet Activity
  • Advanced threat Protection 

FortiGate Security Fabric

Fortinet Security Fabric involves different components that work together to secure the network.

The following devices combine to create the Security Fabric.

FortiGate Firewall

The firewall is the security component between the ISP and the downstream LAN devices. It protects the network from unknown outside attackers.

FortiAnalyzer

As its name suggests, FortiAnalyzer collects the logs of live traffic, monitors and analyses them, and creates reports. It keeps the historical logs and events of all traffic that has passed through the firewall.

FortiAnalyzer has the following tabs for checking logs:

  • FortiView
  • Threats
  • Traffic
  • Applications and Websites
  • VPN
  • System
  • Security, Application Control, Web Filter, DNS
  • Custom View
  • Log Browse
  • Log Group

Log View on the FortiAnalyzer device:

FortiManager

FortiManager provides remote management of FortiGate firewalls. It communicates with the managed firewalls over TCP port 541 (the FGFM protocol).

FortiManager can also act as a local FortiGuard distribution server, pushing antivirus, IPS and other UTM updates to all connected devices.

FortiManager contains the following tabs:

  • Add Device
  • Device Group
  • Firmware
  • License

FortiSandbox

FortiSandbox is an appliance, virtual machine or cloud service that runs a suspicious sample in an isolated VM and generates new signatures from the malicious behaviour it observes.

FortiGate forwards copies of suspicious files to FortiSandbox, which determines whether they contain malicious content.

FortiSandbox performs three types of scanning when it receives a file from FortiGate:

  • Pre-Scan – the initial stage. Several filters are applied to the new file: pattern matching, checksum and code-sequence comparison, and TCP/IP attributes, together with behavioural analysis of the file or traffic pattern.
  • Static Scan – antivirus and static AI scanning. Antivirus is traditional pattern matching; the static AI scan uses machine learning to detect malware from attributes collected from millions of samples.
  • Dynamic Scan – the submitted file is executed in an isolated VM. The dynamic scan also uses a code emulator (PEXBOX) in which Windows files are parsed.

FortiSandbox Dashboard

FortiADC

FortiADC (Application Delivery Controller) improves the scalability and availability of applications. Its server load balancer routes traffic to backend servers based on their health and availability.

It helps applications to be reliable, responsive and easy to manage.

FortiADC performs the following tasks:

  • Security
  • Server Load Balancing 
  • Link Load Balancing 
  • Global Load Balancing 

FortiADC benefits:

  • Scales applications with server load balancing
  • Applies session persistence so a client keeps talking to the same server
  • Reduces bandwidth needs and improves user quality of experience (QoE)
  • Provides redundancy and WAN optimisation for applications
  • Prioritises traffic with QoS (Quality of Service)
  • Offloads SSL/TLS from the backend servers for faster processing

Dashboard of FortiADC

FortiAP

FortiAP units are thin wireless access points supporting the latest Wi-Fi standards and are easy to deploy. They are managed by a FortiGate acting as the wireless controller, and some models include a dedicated monitor radio for scanning the RF environment.

FortiAP, FortiAP-C, FortiAP-S, FortiAP-W2 and FortiAP-U units are offered in a variety of models to address particular use cases and management modes.

Wireless access points can be added in any network to provide wireless connection to users. 

FortiClient 

FortiClient is a VPN client (IPsec and SSL) comparable to Cisco AnyConnect. It can also act as an antivirus client and host vulnerability scanner, and supports web filtering. A FortiGate includes 10 free FortiClient licences.

FortiClient helps protect all the endpoints in your network, including laptops, desktops and other devices.

These devices are either directly connected to the FortiGate or connected remotely through VPN.

  • After the admin sets up endpoint security on the FortiGate, a first-time user with an unregistered endpoint attempts to reach the Internet.
  • A captive portal is displayed prompting the user to download and install FortiClient.
  • Once installed, FortiClient registers the system to the FortiGate.
  • Endpoint security profiles are applied through FortiClient to the user's system.
  • After successful registration the Windows PC becomes a compliant endpoint.

FortiMail

FortiMail is a secure email gateway that protects against inbound attacks, outbound attacks and data loss. It catches email-borne threats such as phishing, spam, malware and zero-day attacks.

It protects emails from: 

  • Known and unknown threats
  • Whaling Attack
  • Spams
  • Malicious link in email

FortiMail can operate in one of three modes:

  1. Gateway Mode – FortiMail acts as an email gateway (Mail Transfer Agent). It receives emails, scans their content and relays them to the email server. A change in network topology (mail routing) is required to put FortiMail in the path.
  2. Transparent Mode – as the name suggests, FortiMail acts as a transparent proxy. It intercepts emails, scans them and passes them straight to the email server. No topology changes are required.
  3. Server Mode – FortiMail acts as the local email server itself. It receives emails, scans them and delivers them directly to users' mailboxes. A topology change is required to implement this mode.

FortiGate VPN

FortiGate supports IPsec VPN and SSL VPN.

  • SSL VPN – used by remote users to access applications from remote locations.
    1. Tunnel Mode – FortiClient VPN must be installed on the user's system.
    2. Web Mode – services are accessed through a web browser, but some applications and services are not supported.
  • IPsec VPN – a tunnel is created between two endpoints to transfer data in encrypted form.
    1. Site-to-site VPN is established between two endpoints or physical devices.
    2. IPsec remote-access VPN is used by organisations to give remote users access to the network.

Security Profiles

Profiles that contain security features are known as Security Profiles in FortiGate.

They include the following:

  • Anti-Virus: identifies and blocks viruses after scanning network traffic. FortiGate offers two types of antivirus inspection:
  1. Proxy-based: buffers the whole file before scanning, which is more thorough against evasive malicious code.
  2. Flow-based: scans packets as they pass, for higher performance.
  • Web Filter: takes action on Internet URLs based on the allow/block categories in the firewall. URL categories can also be customised.
  • Intrusion Prevention: detects threats in the network and mitigates malicious traffic by applying signatures. Custom signatures can be created as well.

Log and Report

Logging and reporting are used to examine and understand what is happening on the network. They cover event logs, system logs, VPN logs, threat logs, UTM logs and customised reports.

FortiGate can also send logs to external log devices such as FortiAnalyzer, FortiCloud and a syslog server.

Each log entry carries a severity level.

Logs can be filtered by field, for example source, destination, action, severity and date/time, in the Log & Report view.

Conclusion

Fortinet brings high-performance network security that protects the network, its users and the traffic flowing through it. FortiGate provides well-regarded security products and centralised management systems to handle the end-to-end security of an organisation.

20 Types of Malware (https://networkinterview.com/20-types-of-malware/, Thu, 25 Jul 2024)

Malware is a constant concern in the digital age. Cyber criminals continuously come up with new ways to break into computer systems, steal personal data, disrupt businesses, extort ransom and destroy data. Malware is software designed to infiltrate systems and other devices without the user's consent. It often masquerades as a legitimate application, such as an antivirus program, to trick the user into installing it; once in place it can perform a wide range of malicious activities.

In this topic we will learn about the different types of malware, their key characteristics and how to protect systems from malware.

What is Malware 

Malware comes in diverse forms, each designed for a specific purpose. Broadly, malware can be divided into two categories: functional malware, which executes specific actions on the infected device, and installable malware, which focuses on installing itself on the target system.

Types of Malware

Let’s look at each type of malware and understand its working. 

  1. Viruses (Network infiltrators) – attach themselves to files or programs, infiltrate systems and force them to perform unwanted actions. Viruses are usually transmitted via email, social media and file-sharing platforms, or enter the device when the user visits a compromised website or downloads an infected file. They require human action, such as running the infected file, to activate.
  2. Worm (Network propagator) – self-replicating malware that spreads from one system to another by exploiting vulnerabilities in the target's operating system or services. Worms spread rapidly and are usually deployed to steal personal data or disrupt services. They need no human intervention to propagate.
  3. Trojan horse (Disguised data stealer) – disguised as a legitimate program and installed without the user's knowledge. Trojans steal sensitive information such as credit card details and credentials, and can corrupt or destroy system data.
  4. Rootkits (Stealthy malware threats) – a stealthy category of malware that conceals its own presence and that of other malware on the system. Rootkits are used to keep privileged access and install further malware, and can arrive via email, harmful websites or infected USB drives.
  5. Ransomware (Holding data hostage) – malicious software that encrypts the user's data and demands payment for decryption. Criminals ask for cryptocurrency such as Bitcoin to remain anonymous.
  6. Grayware (Annoying malware) – less harmful than other categories but causes inconvenience and nuisance; it may collect user information, monitor activity and degrade system performance.
  7. Keyloggers (Stealthy monitoring tools) – capture the user's keystrokes. Frequently used by cyber criminals to steal passwords and other sensitive data.
  8. File-less malware (Elusive threats) – operates without writing files to disk, living in memory and executing code from there, often through legitimate system tools. Criminals use it to evade file-based antivirus software.
  9. Adware (Intrusive and unwanted advertising) – bombards users with unwanted ads. It is usually installed without the user's consent or downloaded from compromised websites, disrupts browsing with promotional ads and can redirect users to harmful websites.
  10. Malvertising (Malware through online ads) – uses online advertising to infiltrate systems by distributing malware through ads on reputable or hacked websites.
  11. Spyware (Stealthy surveillance software) – infiltrates a system without the user's consent and enables remote monitoring and control.
  12. Backdoor (Another way in) – allows attackers to bypass the system's security controls. It is installed on computers or mobile devices by exploiting existing vulnerabilities.
  13. Browser hijacker (Your details are at risk) – alters browser settings without the user's consent, changing the homepage, search engine and new-tab preferences.
  14. Crimeware (Used for crimes) – malware built for criminal activity: information theft, fraud and damage. Typically used to steal credit card information, impersonate victims to access personal data, commit identity theft or run computer-based scams.
  15. Mobile malware (Unknown applications) – malicious mobile apps downloaded from third-party app stores, or through infected ads even on official app stores, and spread via phishing emails and SMS messages.
  16. RAM scraper (RAM data stealers) – infiltrates systems and steals data from their memory, for instance card data on point-of-sale systems. Installed via phishing mail or by exploiting system vulnerabilities.
  17. Rogue security software (Fake antivirus) – masquerades as a legitimate security program and lures users into buying fake protection against malware.
  18. Logic bomb (Triggers on a condition) – hidden within a system's or application's code and executes harmful actions when a specific event or time condition is met.
  19. Cryptojacking malware (The hidden threat) – hijacks the processing power of a device to mine cryptocurrency for the attacker.
  20. Hybrid malware (The evolving cyber threat) – a newer category of sophisticated malware that combines techniques, for instance spreading like a worm while stealing sensitive data like a trojan.
2FA vs MFA: What is the Difference? (https://networkinterview.com/2fa-vs-mfa/, Tue, 23 Jul 2024)

Data security is a major concern for enterprises, especially those handling sensitive data, so creating a safe and secure environment is a top priority. In 2023 cyber attacks worldwide increased by 7%, with each company experiencing on average 1200+ cyber attacks per week. Given this, organisations no longer rely on a single strong password to protect business and customer information.

Today we look more in detail about comparison 2FA vs MFA, key differences between the two, which is more secure and why?  

What is 2FA or Two-factor Authentication

2FA provides an additional layer of security for online accounts. Users need a username, a password and one additional piece of evidence to establish their identity. Examples of second factors are fingerprint scans, one-time passwords (OTPs) and security questions. Users can access their account or private information only after the verification is complete.

3 Aspects of 2FA

2FA works on three kinds of factor: knowledge, possession and inherence (biometrics).

  • Knowledge – in addition to the login credentials, the user provides something they know, such as the answer to a security question, a PIN, a pattern or a specific keystroke sequence.
  • Possession – to prove identity, the user must have a physical item used in authentication, such as a USB security key, a card or a mobile phone.
  • Inherence – the user presents a biological trait such as a fingerprint or voice as the authentication factor. Once approved, the user can access the account.

2FA could be based on hardware tokens, SMS and voice, software tokens, push notifications, biometrics, location etc.

What is MFA or Multi-factor Authentication

MFA has a number of authentication layers. Users must pass several authentication steps to access their account; only after passing all of them can they reach a web service or account such as Netflix, a bank account or social media. Integrating the account login with a security device such as an email address or mobile phone ramps up security.

How MFA works

MFA works in four steps:

  • Registration – the user links an item such as a mobile phone or another device to the account.
  • Login – the user enters credentials such as username and password to access the secure system.
  • Verification – the system issues a challenge to the registered item (in this case the mobile phone), for example an OTP or a push notification.
  • Reaction – the user answers the challenge from the registered item (enters the OTP or approves the push), and the login completes.

How a system integrates MFA can differ. Some systems check the extra factor at every login, while others keep a history of the devices used to access the account; any deviation from the expected parameters triggers an alert and holds the login until the user validates the attempt.

MFA can be based on SMS tokens, email tokens, hardware tokens, software tokens, time-based OTPs, social logins and biometric tokens.
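The knowledge-plus-possession check described under 2FA above, and the Verification/Reaction steps of the MFA flow, as an added Python example written for this page (not part of the original article). It verifies a password against a PBKDF2 hash, then a time-based OTP generated from a shared secret, which is what an authenticator app on the registered phone produces. The account record, the shared secret (the RFC 6238 test secret) and the timestamps are constructed for the example.

```python
"""Password plus TOTP: a two-factor login check (added example, not from the article).

Factor 1 is knowledge (a password checked against a PBKDF2 hash) and factor 2 is
possession (a time-based one-time password, RFC 6238, produced by an authenticator
app from a shared secret). The account record, secret and timestamps below are
constructed for the example; a real deployment would also rate-limit attempts.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000
STEP = 30            # TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, pbkdf2_sha256_hash) for storage; never store the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    last_counter: int = -1      # highest TOTP counter already accepted (replay guard)


def verify_login(acct: Account, password: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only when both factors check out; comparisons are constant-time."""
    now = int(time.time()) if now is None else now
    _, candidate = hash_password(password, acct.salt)
    password_ok = hmac.compare_digest(candidate, acct.pw_hash)

    counter = now // STEP
    matched = None
    # Tolerate +/- `window` steps of clock drift, but never a counter already used.
    for c in range(max(0, counter - window), counter + window + 1):
        if c > acct.last_counter and hmac.compare_digest(hotp(acct.totp_secret, c), code):
            matched = c
            break

    if not (password_ok and matched is not None):
        return False
    acct.last_counter = matched        # burn the code so it cannot be replayed
    return True


def make_account(password: str, totp_secret: bytes, salt: Optional[bytes] = None) -> Account:
    """Enrol a user: store the password hash and the shared TOTP secret (constructed)."""
    salt, pw_hash = hash_password(password, salt)
    return Account(salt=salt, pw_hash=pw_hash, totp_secret=totp_secret)


if __name__ == "__main__":
    secret = b"12345678901234567890"            # the RFC 6238 test secret
    acct = make_account("correct horse battery", secret)
    t = int(time.time())
    print(verify_login(acct, "correct horse battery", totp(secret, t), now=t))   # True
    print(verify_login(acct, "correct horse battery", totp(secret, t), now=t))   # False: replay
```

Two details matter in practice and are easy to get wrong: compare codes with a constant-time function rather than `==`, and remember the last counter accepted so a code captured by an attacker cannot be replayed within the tolerance window.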


Comparison: 2FA vs MFA

PARAMETER              | 2FA                                                          | MFA
-----------------------|--------------------------------------------------------------|------------------------------------------------------------------
Purpose                | A subset of multi-factor authentication with fewer factors   | Multiple layers of authentication as the primary mechanism
                       | Every 2FA is MFA                                             | Every MFA is not necessarily 2FA
Layers of protection   | Two-step authentication, as the name suggests                | More than one authentication step (two or more) to log in
Security               | More secure than single-step authentication, less than MFA  | Highly secure, as further layers of authentication are involved
Ease of implementation | Easy to deploy, as only two methods are involved             | More complex; may need extra hardware or software (fingerprint, facial recognition, etc.)
Flexibility            | Less flexible than MFA                                       | Fairly flexible: a wider range of options to customise for specific authentication needs
Scalability            | May not scale to a large number of users or applications    | Scalable to a large number of users and applications

Why MFA is Generally More Secure

  • Increased complexity for attackers: with MFA, attackers need to compromise multiple factors from different categories (knowledge, possession, inherence), which is substantially harder.
  • Flexibility: MFA allows any combination of factors. For instance, an attacker who has stolen a password and a phone can still be thwarted by a fingerprint requirement.
  • Customisation: MFA systems can be tailored to include more rigorous or diverse authentication methods, depending on the security requirements.

In summary, MFA is generally more secure than 2FA due to the added layers of security and complexity it offers, making it more difficult for unauthorized users to gain access.

DLL Hijacking in 8 Steps (https://networkinterview.com/dll-hijacking-in-8-steps/, Wed, 17 Jul 2024)

Cyber attacks of many types are on the rise. Physical boundaries are diminishing rapidly, and most enterprises rely on the Internet and emerging technologies such as cloud computing and GenAI to run their businesses; threat actors take advantage of the same technologies to launch more sophisticated attacks. Vulnerabilities and deficiencies in systems are routinely exploited by attackers to gain a foothold.

In this topic we will learn about DLL (dynamic link library) hijacking attacks: what DLL files are, how DLL hijacking works and how to identify and prevent it.

About DLL files

A DLL (dynamic link library) file contains reusable code and data that multiple programs can use at the same time, which improves efficiency and brings modularity to software. DLLs are a set of resources that applications draw on: when a program needs a specific function it loads the DLL that provides it. The DLL is Microsoft's implementation of the shared library concept in Windows.

DLLs are created by programmers by writing custom code to perform a specific function such as draw image, compute, connect to Internet etc. DLLs can be written in any programming language such as C++, C# and then compiled into a special file having both code and data. 

How DLL hijacking works

DLL hijacking works by making a legitimate program load an attacker's DLL in place of the one it expects.

The attacker plants a DLL with the expected name in a location that the program searches before (or instead of) the legitimate location, so the program loads the malicious code with its own privileges. If the program runs with higher privileges than the attacker, this is also a privilege escalation. DLLs that a program looks for but which are missing from the system are a particularly easy target, as the attacker's copy is the only one the loader will ever find.

Types of DLL Attacks

DLL attacks come in several forms:

  • DLL search order hijacking exploits the fixed order in which the Windows loader searches directories for a DLL that is requested by name only.
  • DLL side-loading places a malicious DLL next to a trusted, usually signed, executable, or abuses the WinSxS (side-by-side) assembly mechanism, so the trusted program loads it.
  • Phantom DLL hijacking supplies a DLL that a program tries to load but that does not exist on the system at all; the attacker's file with that name is therefore loaded and its malicious code runs.

The attack injects malicious code into an application through its dynamic link libraries:

  • The user unknowingly loads the malicious file when the application starts.
  • The malicious DLL runs inside the application's process, with the application's privileges.
  • The user is unaware that the malicious file was launched along with the application.
  • The malicious code is now executing on the system.
  • The attacker gains unauthorised access and can perform undesirable activities such as stealing, destroying or deleting user or organisation information.
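To make the search order concrete, here is an added Python model (written for this page, not code from the article or from Microsoft) of the directories the Windows loader consults for a DLL requested by name only, and of the check a practitioner would run: is there a directory a standard user can write to that is searched before the real DLL is found? The directory layout, PATH entries and writable directories are a constructed host; the KNOWN_DLLS list is a representative subset only, and nothing here touches a real filesystem.

```python
"""Model of the Windows DLL search order (added example, not code from the article).

It answers, for one DLL name: where would the loader find it, and is there a
directory earlier in the search order that a standard user can write to? That is
the condition behind search-order hijacking (real DLL found later), phantom DLL
hijacking (the DLL is found nowhere) and side-loading (a writable application
directory). The directory layout, PATH and writable set below are a constructed
host model; nothing here touches the real filesystem.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A representative subset of the KnownDLLs list; these always load from System32.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def _join(directory: str, name: str) -> str:
    return _norm(directory) + "\\" + name.lower()


@dataclass
class Host:
    files: Set[str]      # full paths that exist (lower-cased)
    writable: Set[str]   # directories a standard user can write to (lower-cased)


def search_order(app_dir, system32, windows_dir, cwd, path_dirs, safe_search=True) -> List[str]:
    """Directories in the order LoadLibrary consults them for an unqualified name.

    SafeDllSearchMode (the default) places the current directory behind the system
    directories; with it disabled the current directory is searched second.
    """
    system16 = _norm(windows_dir) + "\\system"
    if safe_search:
        order = [app_dir, system32, system16, windows_dir, cwd, *path_dirs]
    else:
        order = [app_dir, cwd, system32, system16, windows_dir, *path_dirs]
    seen, deduped = set(), []
    for d in map(_norm, order):
        if d not in seen:
            seen.add(d)
            deduped.append(d)
    return deduped


def assess(dll, app_dir, system32, windows_dir, cwd, path_dirs, host: Host,
           safe_search=True) -> Dict[str, object]:
    """Resolve `dll` and report writable directories the loader checks before finding it."""
    dll = dll.lower()
    if dll in KNOWN_DLLS:                     # KnownDLLs bypass the search entirely
        return {"loads_from": _join(system32, dll), "findings": []}
    hits: List[Tuple[str, str]] = []
    app = _norm(app_dir)
    for d in search_order(app_dir, system32, windows_dir, cwd, path_dirs, safe_search):
        if _join(d, dll) in host.files:
            return {"loads_from": _join(d, dll), "findings": hits}
        if d in host.writable:                # an attacker could drop the DLL here first
            hits.append(("side-loading" if d == app else "search-order", d))
    # Never found: every writable directory on the path is a phantom-DLL location.
    return {"loads_from": None, "findings": [("phantom", d) for _, d in hits]}


# Constructed host model (not a real machine).
APP_DIR = r"C:\Program Files\Acme\App"
SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]     # C:\Tools is world-writable here

SAMPLE_HOST = Host(
    files={_join(SYSTEM32, "version.dll"), _join(SYSTEM32, "kernel32.dll"),
           _join(APP_DIR, "acme.exe"), _join(APP_DIR, "plugin.dll")},
    writable={_norm(CWD), _norm(r"C:\Tools")},
)


def audit(dlls, host=SAMPLE_HOST, safe_search=True):
    """Assess each DLL name against the host model; returns {name: result}."""
    return {name: assess(name, APP_DIR, SYSTEM32, WINDOWS, CWD, PATH_DIRS, host, safe_search)
            for name in dlls}


if __name__ == "__main__":
    for name, result in audit(["version.dll", "plugin.dll", "missing.dll", "kernel32.dll"]).items():
        print(name, result)
```

Three outcomes fall out of the same walk: a writable directory before the real DLL is a search-order hijack (and when that directory is the application's own it is side-loading), and a DLL found nowhere turns every writable directory on the path into a phantom-DLL location. The model also shows why SafeDllSearchMode matters: with it disabled the current directory is searched before System32. On a real host, Process Monitor filtered on NAME NOT FOUND results for .dll paths surfaces the same candidates.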


Techniques to Prevent DLL Hijacking

DLL hijacking can be prevented by a variety of measures:

  • Use endpoint protection tools – advanced tools are designed to detect and block attempts to inject malicious content into the system via DLLs.
  • Keep your antivirus updated – maintain antivirus software and update it with the latest signatures at regular intervals.
  • Scan regularly for vulnerabilities – a well-established vulnerability scanning process finds hijackable DLL loads and other weaknesses before attackers do.
  • Enable MFA – MFA does not stop a DLL from being loaded, but it limits how far an attacker can go with credentials captured after a successful hijack.
  • Handle phishing mail carefully – phishing is a common delivery route for the malicious DLL; users must not open attachments or click links from unknown or suspicious sources.
  • Keep systems patched – regular updates of the operating system, applications and security patches fix the vulnerabilities that hijacks rely on.
  • Whitelist applications – application whitelisting (AppLocker or WDAC on Windows) lowers the chance of an unapproved DLL being loaded.
  • Load DLLs safely in your own software – reference DLLs by fully qualified path, restrict the search path (SetDefaultDllDirectories) and keep application directories unwritable to standard users.
NGFW: What is a Next Generation Firewall? (https://networkinterview.com/next-generation-firewall-ngfw/, Fri, 12 Jul 2024)

Traditional firewalls have come a long way and give a clear view of network traffic: they allow or block traffic according to port, state and protocol, and filter traffic as per the rules specified by firewall administrators. NGFWs have changed the security landscape as cloud adoption has grown and the threat landscape has become much larger. These deep-inspection firewalls are a good fit for today's cybersecurity threats.

In today’s topic we will look more in detail about next generation firewalls, its internal architecture, its features and types. 

Introduction to Next Generation Firewalls (NGFW)

These firewalls are third-generation security systems that operate from layer 2 to layer 7 of the OSI model. They blend the features of a traditional firewall with advanced capabilities: deep packet inspection, an integrated intrusion prevention system (IPS), and application intelligence and control. This combination gives visibility into, and control over, the content of the data being accessed and processed, not just its ports and protocols.

Organisation networks have expanded far beyond what they once were. Real-time collaboration tools, Web 2.0 applications, instant messaging, peer-to-peer applications, VoIP, streaming media and teleconferencing have opened new avenues for attack. NGFWs deliver application intelligence and control, malware protection and SSL inspection, and high-end NGFWs are not limited by a high number of simultaneous files or network streams.

Features of NGFW

Some of the key features of Next generation firewalls are as under:

  • Integrated intrusion prevention.
  • Application awareness and control, to see and block risky applications.
  • Upgrade paths to include future information feeds.
  • Techniques to address evolving security threats.
  • Prevention that stops attacks before they happen.
  • URL filtering to enforce policy on millions of URLs.
  • Deployment flexibility: on premises, in the cloud or as a virtual firewall.

Benefits of NGFW

Key benefits of Next generation firewalls are as under:

  • The standard capabilities of traditional firewalls, such as packet filtering, stateful inspection, NAT and VPN.
  • An integrated intrusion prevention system that supports vulnerability management and suggests actions based on IPS activity.
  • Full-stack visibility and application identification to enforce policy at the application layer (layer 7), independent of protocol and port.
  • The ability to create blacklists or whitelists and to map traffic to users and groups using Active Directory.
  • SSL decryption to identify undesirable encrypted applications.

Types of Next Generation Firewalls (NGFW)

There are three types of next generation firewall (NGFW), based on delivery method and security control capabilities:

  • Software-based NGFW – does not require dedicated physical network resources; it runs like any other application, using CPU and memory as needed. It is installed and configured on each host or network device, either centrally or individually.
  • Hardware-based NGFW – a physical appliance that monitors and scans all incoming and outgoing traffic routed through it. It has its own dedicated resources, so it does not consume the resources of other network devices or slow down network flows.
  • Cloud-based NGFW – also called a hosted firewall. It is a software-based firewall deployed off premises in the cloud, relieving the pressure on on-premises network resources and management. The cloud may be owned by the network owner or rented; when it is run by the cloud provider the offering is also called Firewall-as-a-Service (FWaaS).

Some popular next generation firewalls are: Juniper Networks SRX series, SonicWall TZ series, Barracuda CloudGen firewall series, Cisco Firepower and Sophos XG series.

Quick fact: next generation firewalls account for about 20% of total network security market sales.

What is an ML Powered NGFW? (https://networkinterview.com/ml-powered-ngfw/, Fri, 12 Jul 2024)

Firewalls have always been the first line of defence. Traditional firewalls apply a set of rules to keep bad traffic and malicious requests away from organisation networks. Their role is changing, however, and they are being replaced by next generation firewalls (NGFW) as the threat landscape changes at a rapid pace. The next generation firewall equipped with machine learning (ML) is a new breed of firewall that gives administrators an edge in fighting attackers.

In today's article, we look more in detail at machine learning (ML) enabled NGFWs, their advantages, use cases etc.

ML Powered NGFW 

Attackers take existing methods and modify them to get past traditional signature-based protection systems. NGFWs use heuristics to detect modified malware; victim zero (0) is the first person or enterprise to experience an attack. Modified signatures do not help security systems solve the problem, and the alternative of analysing every bit of traffic or every file is slow and cumbersome.

ML powered NGFWs embed ML algorithms directly in the firewall core and enforce the results in real time. The NGFW inspects files as they are downloaded and blocks anything that looks malicious before the download completes; this is called single pass inspection with inline prevention. The NGFW prevents infections without the need for cloud or offline analysis, avoids false positives and reduces potential infections to zero.

NGFWs leverage inline ML based prevention to stop threats such as fileless attacks, malicious scripts, phishing attempts, and portable executables.

Advantages of ML Powered NGFW

  • Provides protection against sophisticated and complex threats, for which detection mechanisms depend on accurate and timely signatures
  • Zero-delay signatures are delivered to every ML powered NGFW within seconds
  • An ML powered NGFW can classify all IoT and OT devices in the network
  • ML powered NGFWs can use cloud scale for protection and management of devices

Limitations of ML Powered NGFW

  • ML powered NGFWs analyse large amounts of telemetry data and can recommend security policies based on analysis of the organizational network
  • ML based firewalls do not cover every file format, so on their own they are not sufficient to provide complete protection; cloud-based analysis is still needed to support threat detection

Security services by ML NGFWs 

Advanced threat protection comes with intrusion prevention systems (IPS) that perform offline and online security analysis, using cloud compute for AI and deep learning techniques without compromising performance. It can detect unknown and targeted command and control (C2) attacks as well as evasive attacks from tools like Cobalt Strike.

  • AIOps – uses machine learning to predict up to 51% of disruptions to the NGFW before they impact the firewall, based on telemetry from over 6000 deployments.
  • DNS security – extends protection to the latest DNS based attack techniques, including strategically aged domains, with 40% coverage of DNS based threats
  • Advanced URL filtering – prevention of new and highly evasive phishing attacks, ransomware and web-based attacks via deep learning powered analysis of web traffic, including live web content, in real time
  • IoT Security – IoT device visibility and automated policy creation across seen and unseen devices using machine learning capabilities

Quick tips!

The Next-Generation Firewall market is expected to grow from $2.39 billion in 2017 to $4.27 billion by 2023.

Continue Reading:

Artificial Intelligence vs Machine Learning

Firewall Serving as Egress Gateway: Networking Scenario

Introduction to Sonicwall Firewall: Working, Features, Setup https://networkinterview.com/sonicwall-firewall/ Sun, 07 Jul 2024 09:08:04 +0000

Evolution of Firewalls: Sonicwall Firewall

Firewall technology has evolved at a very rapid pace since its inception. The initial packet filtering firewalls inspected packet traffic and decided whether to allow or reject packets; these were replaced by stateful packet inspection firewalls, designed to protect against network layer threats by analyzing ports and protocols. Then next generation firewalls came, which are deep packet inspection firewalls that scan the entire packet payload in order to provide advanced threat protection.

In today’s topic we will look at Sonicwall firewalls which are Next Generation firewalls (NGFW), their architecture and features. 

What is a Sonicwall Firewall?

Sonic firewall, earlier known by the name 'Interpol' in the late 1990s, was rebranded as Sonic firewall: a dedicated hardware appliance with firewall and VPN software intended for the small business segment. Sonic firewalls make it possible to identify and control all applications running in the network.

It identifies applications based on their unique signatures instead of protocols or ports. It visualizes application traffic to determine usage patterns and develop granular policies for applications, users or user groups, and other parameters such as time of day.

Working of Sonicwall Firewall

SonicWall application recognition is based on the application's 'DNA' rather than less unique attributes such as source port, destination port or protocol type, using an extensive, automatically updated database of application signatures. Controls for SSL encrypted traffic analyze the encrypted traffic in the same way as unencrypted traffic.

SonicWall firewall controls track, manage and enforce the specific versions of applications being used. There is no need for a physical check on every system to determine the application version; simply set a SonicWall application intelligence and control policy to achieve this.

You can create a policy to prioritize bandwidth for live meeting applications: the deep packet inspection engine searches for the application signature or name and raises the bandwidth priority for the live meeting application.

Peer-to-peer applications like BitTorrent, often used for downloading unauthorized copies of copyrighted content, not only take up bandwidth but also pose a significant risk of transmitting malware. New P2P applications are constantly being created, which makes it difficult to manually block any single P2P application. The SonicWall application intelligence and control databases receive regular updates to incorporate newly emerging P2P applications.

Social networking sites such as Facebook, Instagram, and YouTube can be blocked or restricted only to specific users at the workplace.

SonicWall Capture enhances the firewall's threat prevention capabilities by detecting and preventing unknown and zero day attacks via the cloud.

Data leakage can be prevented by routing outbound traffic through the firewall, which can detect and prevent 'data-in-motion' leaks.

Features of Sonicwall Firewall

  • Single configuration for management of all threats 
  • Single UI to view and manage all threat events, so there is no need to separately look at log entries on multiple devices such as firewalls, antivirus, web content filtering, intrusion prevention systems and data leakage prevention systems
  • Improved control over applications by category, bandwidth management, user access, destination control etc.
  • Gives a single view of network security 
  • Easy to manage and secure VPN systems for secure remote access

How to set up a Sonicwall firewall?

  • Connect a system to the SonicWall LAN (X0) interface, or to a network switch connected to the LAN interface. It will automatically receive an IP address from the SonicWall appliance.
  • Open a web browser to https://192.168.168.168 to access the firewall
  • On first access it gives the option to use a setup wizard or go directly to the management interface
  • At the SonicWall management interface login page, the default username and password are admin/password
  • The default password must be changed
  • Select a timezone from the 'time zone' drop down and click OK
  • At the WAN network mode page, select the option cable/modem-based connections for DHCP assigned IP addresses
  • Select the option router-based connections for a static IP address and netmask
  • At the LAN settings page, accept the default LAN settings or enter an IP address and netmask, and click Next
  • At the SonicWall configuration summary page, review the configuration and click Apply
  • In SonicOS click Monitor and then Current Status | System Status
  • To register, click the register link, which takes you to the license page
  • Enter your MySonicWall username and password on this page and click Submit

Quick fact!

Market share: Sonic firewall (0.4%) in network security space.

Continue Reading:

Perimeter Firewall vs Internal Firewall: Detailed Comparison

What is an ML Powered NGFW?

4 Common Authentication Types https://networkinterview.com/4-common-authentication-types/ Mon, 01 Jul 2024 10:34:44 +0000

Authentication is the first step at the entry level for ensuring security; it is required for managing user identification and providing access control for a seamless operational experience in a secure manner. Individual authentication is not restricted to usernames and passwords. Single sign-on (SSO), multi-factor authentication (MFA), provisioning and adaptive authentication are various techniques used for standard authentication.

In today’s topic we will learn about authentication, why it is required, how authentication works and major authentication types. 

What is Authentication?

Authentication is the process of identifying users who request access to systems, networks, servers, applications, websites, devices etc. The main goal of authentication is to ensure that the identity of the user asking for access is verified and that only a legitimate user is asking for access. Unauthorized users are prevented from getting inside the system and gaining access to sensitive information or data. Authentication improves security and allows only organization administrators to manage user identities and their access permissions. Authentication is used for access control verification using a username and password along with other identification tools.

Why is user Authentication Important?

  • Authentication verifies and validates the identity of an individual who is trying to access systems, applications and resources.
  • Authentication is required to ensure that only legitimate users, who are who they claim to be, are granted access to systems, applications and devices as per their authenticated identity. This ensures that unauthorized users cannot get into the system illegally and gain access to critical resources.
  • It is a fundamental security mechanism for protecting sensitive information, preventing unauthorized access, and maintaining data integrity and confidentiality.
  • It is crucial for establishing trust, mitigating security risks, and safeguarding user accounts and resources against malicious activity and unauthorized usage.

Related: 8 Common Web Application Vulnerabilities

Authentication Types

Authentication types can be classified into 4 major categories:

Password Based Authentication

Password-based authentication is the most widely used authentication mechanism. A password is a string of letters, numbers and special characters which is supposed to be known only to the person being authenticated. The simplest technique is the clear text technique, wherein a user ID and password are provided to the user.

The user changes the password periodically for security, and it is stored in a database against the user ID. During authentication the application prompts for the user ID and password. Authentication happens at the backend with the server for this particular user, and success or failure is based on the result.

Certificate Based Authentication

A digital certificate is the next level of security: it contains a key, the owner, and the digital signature of a third-party entity which vouches for the certificate. Based on the certificate's validity, the software verifies the certificate, trusting the issuer, and the key is used to communicate securely. Certificates are provided by certificate authorities such as VeriSign, GeoTrust, and DigiCert. Public key certificates are defined by X.509 and act as trust documents.

Biometric Authentication

It is one of the most popular authentication mechanisms nowadays. We use biometric authentication in several places, such as unlocking a phone or face recognition in an office attendance system. User samples such as fingerprint, face, retina scan, voice etc. are stored in the user database, and at the time of authentication the user provides a sample of the same biometric information that was given at the time of enrolment.

This information is sent in an encrypted session to the server. At the server end the user's latest sample is decrypted and matched with the sample stored on the server. If both match, the user is considered valid.

Token Based Authentication

Tokens are an alternative to passwords for authentication. A token is a small device or application which generates a random value valid for a short span of time; this randomized value is used for authentication. The hardware devices could be key chains, calculators or credit cards. An authentication token has features such as a battery, liquid crystal display, processor, and a small keyboard for entering information. A real time clock could be present as an optional feature.

A pre-programmed authentication token has a unique number called the seed, which ensures every random value generated by the authenticator is unique. Such token-based authentications are of two types, challenge/response tokens and time-based tokens, and in both the seed is secret and unique. With challenge/response tokens the server needs to send a random challenge to the user; with time-based tokens, time is the variable input in place of the random challenge during authentication.
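The two token types described above, as an added Python example that is not part of the original article: one shared seed drives both a challenge/response exchange and a time-based code. The HMAC-SHA1 construction, 6-digit codes and 30-second time step are assumptions modelled on RFC 4226/6238 style tokens; the seed and user name are constructed sample values.

```python
"""Token-based authentication: a pre-programmed seed shared between token and
server, combined with either a random challenge (challenge/response token) or
the current time (time-based token). Added illustration, not the article's code;
HMAC-SHA1, 6 digits and a 30 s step are assumptions in the style of RFC 4226/6238."""
import hashlib
import hmac
import secrets
import struct


def token_response(seed: bytes, variable_input: int, digits: int = 6) -> str:
    """Code the token displays for one variable input (challenge or time step).
    Dynamic truncation as in HOTP turns the MAC into a fixed-width decimal."""
    mac = hmac.new(seed, struct.pack(">Q", variable_input), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ChallengeResponseServer:
    """Server side of a challenge/response token: it sends a fresh random
    challenge and the user's token answers with a code bound to that challenge."""

    def __init__(self, seeds: dict):
        self.seeds = seeds      # user id -> per-token seed held by the server
        self.pending = {}       # user id -> outstanding challenge

    def issue_challenge(self, user: str) -> int:
        challenge = secrets.randbits(63)   # fits the unsigned 64-bit pack above
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, answer: str) -> bool:
        challenge = self.pending.pop(user, None)   # each challenge is single use
        if challenge is None or user not in self.seeds:
            return False
        expected = token_response(self.seeds[user], challenge)
        return hmac.compare_digest(expected, answer)


class TimeBasedServer:
    """Server side of a time-based token: nothing is sent to the user; the time
    step replaces the challenge. A +/-1 step window absorbs small clock drift,
    and a code is never accepted twice (replay protection)."""

    def __init__(self, seeds: dict, step_seconds: int = 30, window: int = 1):
        self.seeds = seeds
        self.step = step_seconds
        self.window = window
        self.last_used = {}     # user id -> last accepted time counter

    def verify(self, user: str, code: str, now_seconds: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now_seconds // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if hmac.compare_digest(token_response(seed, candidate), code):
                if candidate <= self.last_used.get(user, -1):
                    return False    # replayed or older code
                self.last_used[user] = candidate
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"          # constructed sample seed (RFC 4226 test value)
    cr = ChallengeResponseServer({"alice": seed})
    challenge = cr.issue_challenge("alice")
    print("challenge/response accepted:", cr.verify("alice", token_response(seed, challenge)))
    tb = TimeBasedServer({"alice": seed})
    print("time-based code at t=59s:", token_response(seed, 59 // 30))
    print("accepted once:", tb.verify("alice", token_response(seed, 1), 59))
    print("accepted again:", tb.verify("alice", token_response(seed, 1), 59))
```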

Comparison

Below table highlights the major points of differences between Password-based Authentication, Certificate-based Authentication, Biometric Authentication, and Token-based Authentication:

Feature | Password-based Authentication | Certificate-based Authentication | Biometric Authentication | Token-based Authentication
--- | --- | --- | --- | ---
Definition | Uses a secret word or phrase known only to the user. | Uses digital certificates issued by a Certificate Authority (CA). | Uses unique biological characteristics of the user. | Uses physical or software tokens to generate a one-time password (OTP).
Authentication Factor | Something you know | Something you have | Something you are | Something you have
Common Use Cases | Online accounts, applications, systems | Secure communications, email encryption, VPN access | Access control systems, mobile devices, secure facilities | Online banking, two-factor authentication, secure systems
Security Level | Moderate | High | High | High
Ease of Use | Relatively easy | Moderate (requires certificate management) | Easy (after initial setup) | Moderate (requires possession of token)
Vulnerability | Susceptible to phishing, brute-force attacks, and password reuse | Susceptible to theft or loss of the certificate, certificate spoofing | Susceptible to spoofing or sensor hacking (though difficult) | Susceptible to theft or loss of the token, man-in-the-middle attacks
Implementation Cost | Low | High (requires infrastructure for PKI) | High (requires biometric hardware) | Moderate (cost of tokens and management)
Scalability | High | High | Moderate (depends on biometric hardware) | High
Revocability | Easy to change/reset | Moderate (requires revoking and reissuing certificates) | Difficult (biometric traits cannot be changed) | Easy to deactivate and replace tokens
User Experience | Users must remember passwords | Users must manage and store certificates | Users simply present biometric data | Users must carry and use a token
Example Technologies | Password managers, standard login forms | SSL/TLS certificates, smart cards | Fingerprint scanners, facial recognition systems | Hardware tokens, mobile authentication apps


Introduction to WatchGuard Network Security Firewall https://networkinterview.com/watchguard-network-security-firewall/ Sun, 23 Jun 2024 12:04:52 +0000

Firewalls are network perimeter security devices which separate internal networks from external public networks such as the Internet to reduce the risk of external attacks. Firewalls use access policies and identify types of information; in addition they control ports to ensure communication happens through secure ports only and unsecured ones are blocked. NGFWs or next generation firewalls are a step ahead and provide a bundle of security services such as intrusion prevention, application control and malware protection.

In today’s topic we will learn about the WatchGuard network security firewall, how it works, its architecture, key features etc. 

WatchGuard Network Security Firewall   

WatchGuard network security firewall is a next generation firewall (NGFW). WatchGuard has two firewall series known as:

Tabletop Firebox Appliances (T-series) 

It is ideal for small, home and branch office setups. These firewalls have built-in PoE and optional Wi-Fi. They have SD-WAN built in and provide a cheaper alternative to expensive MPLS and 4G/LTE for improved network resiliency with enhanced security features. Logging and reporting with over 100 dashboards support regulatory framework requirements such as HIPAA and PCI-DSS.

Routing is supported with IPv6, DHCP, LDAP, NAT and RADIUS. Based on RapidDeploy cloud technology, Firebox configuration data is created and stored in the cloud; the appliance ships ready and is simply plugged in at the user end. This series has four models:

  • Firebox T-15 – cost effective delivery of VPN services, enabling flexible remote access for branch office connectivity. Secure and encrypted connections with Gigabit Ethernet ports support high speed LAN backbone and WAN connections. Supports up to 10 VLANs with an authenticated user limit of 200.
  • Firebox T-20 – brings full UTM protection to small sites and remote workers. It supports 150 Mbps throughput, 10 VLANs, 10 branch office VPN tunnels, and high availability in active/passive and active/active modes.
  • Firebox T-40 – brings enterprise level protection to small branch offices. Support for the total security suite, AI-powered malware protection, threat correlation and DNS filtering. Includes a special Power over Ethernet (PoE) port to power peripheral devices such as cloud managed wireless access points from WatchGuard. It supports 50 VLANs with a firewall throughput of 1 Gbps and 30 VPN tunnels.
  • Firebox T-80 – high end firewall with an optional port expansion module (fibre connectivity). Support for the total security suite and advanced features like sandboxing in the cloud, AI-powered malware protection, and DNS filtering. Includes a special Power over Ethernet (PoE) port to power peripheral devices such as cloud managed wireless access points from WatchGuard. A 1 Gbps SFP or 10 Gbps SFP+ expansion module is also available. It supports 75 VLANs with a firewall throughput of 1.32 Gbps and 60 VPN tunnels.

Rackmount Firebox Appliances (M-series) 

It is meant for midsize and distributed enterprise level organizations and can be mounted as a 1U rackmount. This series has three models:

  • Firebox M270/M370 – meant for small and medium networks with up to 150 users. Throughput is 4.9 Gbps (M270) and 8 Gbps (M370); they support 100 VLANs (M270) and 200 VLANs (M370), and 50 and 100 VPN tunnels respectively.
  • Firebox M470/M570/M670 – support up to 850 users. Firewall throughput is 19.6 Gbps (M470), 26.6 Gbps (M570) and 34 Gbps (M670); they support 300 VLANs (M470), 500 VLANs (M570) and 750 VLANs (M670), and 250, 500 and 750 VPN tunnels respectively.
  • Firebox M4600/M5600 – ideal for centralized data centers of large distributed enterprises. They usually serve as hub appliances, taking care of management and security of all communications between headquarters and remote sites. Firewall throughput is 40 Gbps (M4600) and 60 Gbps (M5600); they support 100 VLANs (M4600) and unlimited VLANs (M5600), and 5000 and unlimited VPN tunnels respectively.

Architecture & Features: WatchGuard Firewalls

WatchGuard firewalls are designed with a robust and scalable architecture to provide comprehensive security for various network environments. Here is an overview of the key components and architecture of WatchGuard firewalls:

Core Components

  1. Hardware and Virtual Appliances:
    • Firebox Hardware Appliances: Physical devices ranging from small desktop units for SMBs to high-performance rack-mounted units for large enterprises.
    • Virtual Firebox Appliances: Software-based firewalls that can be deployed in virtual environments such as VMware, Hyper-V, and cloud platforms like AWS and Azure.
  2. Operating System:
    • Fireware OS: WatchGuard’s proprietary operating system that powers all Firebox appliances, providing a consistent and high-performance platform for security services.
  3. Security Engines:
    • Packet Filtering Engine: Analyzes and filters network traffic based on rules and policies.
    • Deep Packet Inspection (DPI) Engine: Inspects the contents of packets for malicious activity, including encrypted traffic through SSL/TLS decryption.
    • Intrusion Prevention System (IPS): Detects and prevents network intrusions by comparing traffic against a database of threat signatures.
    • Antivirus and Anti-Malware Engines: Scans for viruses, malware, and other threats in real-time.
    • Application Control Engine: Identifies and controls applications based on policies, allowing or blocking them as necessary.

Security Services Integration

WatchGuard firewalls integrate multiple security services, which can be managed and configured through a unified interface. These services include:

  • Threat Detection and Response (TDR): Correlates network and endpoint threat data to detect and respond to advanced threats.
  • Network Discovery: Provides visibility into all devices connected to the network.
  • DNSWatch: Protects against phishing and other web-based threats by filtering DNS requests.
  • APT Blocker: Uses sandboxing to detect and block advanced persistent threats (APTs).
  • Data Loss Prevention (DLP): Prevents sensitive data from leaving the network unauthorized.
  • SpamBlocker: Filters out spam and malicious emails.

Management and Control

  1. WatchGuard System Manager (WSM):
    • A centralized management console for configuring, monitoring, and managing multiple WatchGuard firewalls.
    • Provides a graphical interface for policy management, real-time monitoring, and detailed reporting.
  2. WatchGuard Cloud:
    • A cloud-based management platform that offers centralized control, monitoring, and reporting for all WatchGuard devices.
    • Enables easy deployment and management of firewall policies across multiple sites.
  3. Web UI:
    • A web-based interface that allows for local management of individual firewalls.
    • Provides access to all configuration settings, logs, and diagnostic tools.
  4. Command Line Interface (CLI):
    • Allows advanced users to configure and manage the firewall using text-based commands.
    • Useful for scripting and automation.

High Availability and Scalability

  1. High Availability (HA):
    • Supports active/passive and active/active HA configurations to ensure continuous network availability.
    • Enables failover to a backup firewall in case the primary firewall fails.
  2. Clustering:
    • Allows multiple firewalls to be grouped together to increase throughput and provide load balancing.
    • Ensures that traffic is distributed across multiple devices for better performance and reliability.

Connectivity Options

  1. VPN Support:
    • Supports various VPN technologies, including SSL/TLS VPN, IPsec VPN, and mobile VPNs, to provide secure remote access.
    • Enables site-to-site VPN connections for secure communication between multiple locations.
  2. Network Interfaces:
    • Multiple network interface options, including Gigabit Ethernet, fiber, and wireless, to connect to different types of networks.
    • Supports VLANs for network segmentation and improved security.

Threat Intelligence and Automation

  1. WatchGuard Threat Intelligence:
    • Leverages threat intelligence feeds to enhance security capabilities.
    • Provides real-time updates to security signatures and threat databases.
  2. Automation:
    • Automates routine tasks such as firmware updates, threat signature updates, and policy enforcement.
    • Uses scripting and APIs to integrate with other security tools and platforms.

Deployment Models

  1. Perimeter Firewall:
    • Deployed at the network edge to protect against external threats and control inbound and outbound traffic.
  2. Internal Segmentation Firewall (ISFW):
    • Deployed within the internal network to segment different network zones and provide granular security controls.
  3. Cloud and Virtual Deployments:
    • Deployed in virtual environments to protect cloud-based workloads and hybrid network infrastructures.

By combining these components and features, WatchGuard firewalls provide a comprehensive security solution that can adapt to the needs of different network environments, ensuring robust protection against a wide range of cyber threats.

Continue Reading:

Introduction to Juniper SRX Firewall

Introduction to Sonicwall Firewall

What is "NET:ERR_CERT_AUTHORITY_INVALID" Error? https://networkinterview.com/what-is-neterr_cert_authority_invalid-error/ Tue, 18 Jun 2024 13:44:30 +0000

Secure Sockets Layer (SSL) certificates are one of the most widely used and popular mechanisms for public website security. SSL certificates keep users' data secure, verify ownership of the website, prevent attackers from creating a fake version of the website, and ensure that the website users are accessing is trustworthy. SSL enabled websites use HTTPS, which is more secure than its counterpart HTTP. SSL/TLS encryption ensures that traffic is encrypted and establishes the server's identity.

Today we look more in detail at the NET:ERR_CERT_AUTHORITY_INVALID error: what it means and how to fix it.

What is the “NET:ERR_CERT_AUTHORITY_INVALID” error?

The NET:ERR_CERT_AUTHORITY_INVALID error comes up when the web browser cannot validate the SSL certificate. SSL related problems that can trigger this code include:

    • Use of self-signed certificates – may save cost, but they do not provide the trust and authority required to assure the site is secure.
    • Non-trusted certificate authority – when a website is accessed, a background check verifies the SSL certificate; if the certificate authority is not a trusted one, the browser pops up this error.
    • Certificate not installed properly – a recent switch from HTTP to HTTPS can sometimes throw this error
    • SSL certificate expired – certificates usually require annual renewal, and if renewal is not done on time the certificate expires

But the SSL certificate is not always the reason for this error; the issue can also be caused on the client side, for example:

  • Network connection is not secure – public Wi-Fi does not always route traffic securely, so using public Internet access can cause the browser to throw this error
  • Operating system is not up to date – an out of date operating system can also cause this error, as the browser will not load certain pages due to security concerns
  • Browser cache is expired – an expired browser cache and cookies can prevent validation of SSL certificates, hence this error
  • Third party applications – some third-party programs such as virtual private network (VPN) software, antivirus software, and web browser extensions also cause connectivity related issues

Most of the time the issue can be resolved by modifying settings on the system and in the web browser. We look at these in the next section.
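The server-side and client-side causes above, as an added Python triage helper that is not from the original article: it takes the fields a browser (or Python's ssl.SSLSocket.getpeercert()) sees in a server certificate and reports which cause applies, including the case where a valid certificate only looks expired because the client clock is wrong. The trust store, certificate records and timestamps are constructed sample values, and the name-based issuer check stands in for the signature verification a real browser performs.

```python
"""Triage of a failed certificate check: self-signed, untrusted CA, expired,
not yet valid, or a wrong client clock. Added example, not the article's code.
Certificates use the dict layout of ssl.SSLSocket.getpeercert()."""
import ssl
from datetime import datetime, timezone

# Constructed trust store: issuer names this client trusts. A real browser
# verifies the issuer's signature against a stored CA certificate, not a name.
TRUSTED_ISSUERS = {"Example Root CA"}


def _name(rdns) -> dict:
    """Flatten getpeercert()-style ((('commonName', 'x'),),) into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def _utc(cert_time: str) -> datetime:
    """Parse the 'Jun 18 13:44:30 2024 GMT' form used in getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def diagnose(cert: dict, system_now: datetime, trusted_now: datetime = None,
             trusted=TRUSTED_ISSUERS) -> str:
    """Return the likely cause of NET:ERR_CERT_AUTHORITY_INVALID for this cert.
    system_now is the client's clock; trusted_now (optional) is a reference time
    from a trusted source such as NTP, used to tell a wrong clock from expiry."""
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])

    if subject == issuer:
        return "self-signed"                      # server side: no third-party trust
    if issuer.get("commonName") not in trusted:
        return "untrusted-ca"                     # server side: CA not in trust store

    def within_validity(moment: datetime) -> bool:
        return not_before <= moment <= not_after

    if within_validity(system_now):
        return "ok"
    # Validity fails by the client's clock; if a trusted time source says the
    # certificate is fine, the client clock is the problem, not the certificate.
    if trusted_now is not None and within_validity(trusted_now):
        return "client-clock"
    return "expired" if system_now > not_after else "not-yet-valid"


def _cert(subject_cn: str, issuer_cn: str, not_before: str, not_after: str) -> dict:
    """Build a constructed certificate record in getpeercert() layout."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample certificates and clocks (not real sites or dates).
SYSTEM_NOW = datetime(2025, 6, 18, 12, 0, 0, tzinfo=timezone.utc)
WRONG_SYSTEM_CLOCK = datetime(2019, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SELF_SIGNED = _cert("shop.example.test", "shop.example.test",
                    "Jan 01 00:00:00 2025 GMT", "Dec 31 23:59:59 2025 GMT")
UNTRUSTED = _cert("shop.example.test", "Unknown Issuer CA",
                  "Jan 01 00:00:00 2025 GMT", "Dec 31 23:59:59 2025 GMT")
EXPIRED = _cert("shop.example.test", "Example Root CA",
                "Jun 18 00:00:00 2023 GMT", "Jun 18 00:00:00 2024 GMT")
VALID = _cert("shop.example.test", "Example Root CA",
              "Jan 01 00:00:00 2025 GMT", "Dec 31 23:59:59 2025 GMT")

if __name__ == "__main__":
    for label, cert in [("self-signed", SELF_SIGNED), ("untrusted", UNTRUSTED),
                        ("expired", EXPIRED), ("valid", VALID)]:
        print(f"{label:12s} -> {diagnose(cert, SYSTEM_NOW)}")
    print("valid cert, wrong clock, NTP reference ->",
          diagnose(VALID, WRONG_SYSTEM_CLOCK, trusted_now=SYSTEM_NOW))
```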

Related: Common SSL Certificate Errors and How to Fix Them

How to fix the “NET:ERR_CERT_AUTHORITY_INVALID” error?

We will look at possible solutions both for server side and client side. 

Server Side (SSL Errors) 

Run an SSL test – perform an SSL test for preliminary analysis using a free tool such as SSL Shopper. Enter the domain name and let the tool analyse it.

SSL Shopper provides a report on the website's SSL and shows green check marks to indicate there is no issue: the certificate is valid, not expired, accepted by major sites, and the domain is correctly listed. If the certificate is self-signed it shows that information too.

Obtain the SSL certificate from a legitimate source – if the results indicate the certificate is not valid, obtain one from a trusted authority. Certain websites need a higher level of protection, and purchasing a premium SSL certificate is more relevant there.

Clear the SSL state – the computer stores a copy of the SSL certificate when you visit a website, and sometimes an out of date or incorrect stored certificate leads to the error. Remove all cached certificates from the browser:

  1. Go to the Search box
  2. Type Internet Options
  3. Go to Content
  4. Click Clear SSL state

Renew the SSL certificate – SSL certificates require renewal to keep them valid and encryption functional. Check the SSL certificate expiry date and check with the website hosting provider on the renewal process.

Client Side (Browser Side)

If the SSL certificate is fine and there is no issue there, we need to look at client-side issues.

Adjust the date and time settings on your system – web browsers use the system date and time to check and verify SSL certificate validity. If the date and time are not set correctly, the certificate expiry date will not be evaluated correctly.

  1. Check system date from Start menu
  2. Type Adjust date / time 
  3. Under synchronize your clock click sync now
  4. Turn on set time automatically so as to ensure system time is always right 

Browser update – older browser versions can also cause this error. Check your browser version from Settings 🡪 About <browser name>.

Clear browser cache and cookies – sometimes incorrectly updated or corrupted files also cause this error. Access the website in incognito mode to check whether the cache is the issue: if you can access the website in incognito mode, the browser is storing an expired cache. To fix the issue, clear the browser cache and cookies using 'More tools' 🡪 Clear browsing data.

Disable browser extensions – extensions enhance the browsing experience, but at times they cause errors.

To deactivate a browser extension go to 'More tools' 🡪 Extensions.

Disable VPN / firewall or antivirus – the added layer of security from a VPN, firewall or antivirus can block some SSL certificates. Try temporarily disabling the firewall or antivirus software, or turning off the VPN, and check again.
