The SANDBOX | IT NETWORKS
A sandbox for computer security confines the actions of code to the sandbox device, in isolation from the rest of the network.
So if something unexpected or wanton happens, it affects only the sandbox and not the other computers and devices on the network. In the grand scheme of things, sandboxing is relatively new, and it can be used in different situations.
For example, prudence would dictate that we isolate new or modified code from the rest of the network, because the code may act in ways we haven't predicted.

Why Sandbox?

The reasons for adopting sandboxing for security purposes are obviously different. First, let us make a brief foray into the development of network security.
The history of cyberthreats and network security is a story of thrust and counter-thrust.
The bad actors would develop a new technique or exploit a code deficiency, and the network security folks would erect a new defense against that threat or write a patch to correct the code. In this arms race of one-upmanship, the weapons and the measures to defeat them are becoming increasingly complex. Exploiting a previously unknown deficiency in code is what is known as a "zero-day attack," and before sandboxing there was no effective means to stop it.
Firewalls and anti-virus software could stop known threats, but they were helpless against the unknown.
The unknown threat, embodied in a zero-day attack, is why sandboxing was added to the network security arsenal.
Any unidentified and suspicious code could be quarantined in a sandbox that mimicked a real end-user system.
And then the sandbox would let the code run to see what it did. Note that the evaluation of the potential threat was based on activity, rather than attributes of the code.
If the code was deemed benign, then the code could be released. However, if the sandbox detected malignant intent, then the code would be expunged.
When working in a piecemeal fashion, this countermeasure saw only partial success in the context of network security as a whole. Earlier on, network security was built upon point solutions to defeat specific threats. The security products stood as silos and did not communicate with other security devices on the network.
This also meant that the Security Operations Center, or SOC, required a management console for each product, which made aggregating intelligence data a nightmare. And while security products were often effective at defeating the threat that they had been designed to defeat, when faced with a coordinated attack using different threat vectors and methods, they were easily uprooted.
A sandbox working as a silo could not share valuable threat intelligence to the security devices on its network, or to other networks for that matter.
Other problems alerted security experts to weaknesses in first-generation sandboxing and to network security in general. If the processing power was inadequate to meet demand, then network performance suffered egregiously. And if a business had to choose between security and performance, it would choose the latter.
To choose security would be like the cure that defeated the disease only to kill the patient. Also, malware could be designed to exploit a specific weakness in an OS or application. If the sandbox is not testing all supported operating systems and applications, then malignant code could pass through the sandbox undetected.
Last, bad actors are cognizant of the methods used by sandbox technology, and they've taken extra measures to ensure that the sinister intent of the malware is not prematurely exposed. One such method is for the code to act benignly if it detects it is being executed in a sandbox environment. Another is to refrain from decrypting and running the exploit code if the file is opened directly or in an incorrect context. These evasion techniques mean the challenge now is for sandboxes to reflect a user's environment as accurately as possible, and to induce the attacker's code to reveal or execute its malicious payload.
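The activity-based verdict described above, seen from the analyst's side, as an added illustration that is not Fortinet's or FortiSandbox's code: constructed event traces stand in for what a sandbox records while a sample runs, the event names and weights are assumptions, and a run that fingerprints its host and then stays quiet is flagged as the evasion pattern just discussed.

```python
"""Activity-based sandbox verdict (added example; event names and weights are assumptions)."""
from collections import Counter

# Behaviours a detonation might record and how strongly each suggests malice.
# Weights are illustrative, not any vendor's scoring.
ACTIVITY_WEIGHTS = {
    "write_autorun_key": 4,        # persistence
    "inject_remote_process": 5,    # code injection
    "encrypt_user_documents": 6,   # ransomware-like behaviour
    "connect_unknown_host": 2,     # beaconing
    "spawn_shell": 2,
}

# Environment probes are harmless on their own, but a sample that probes its
# host and then does nothing is behaving the way sandbox-aware code does.
PROBE_EVENTS = {"query_cpu_count", "query_uptime", "enumerate_vm_drivers", "check_mouse_movement"}


def verdict(events, malicious_threshold=5, probe_threshold=2):
    """Return (label, score, reasons) from the observed event trace, not from file attributes."""
    counts = Counter(events)
    score = sum(ACTIVITY_WEIGHTS.get(e, 0) * n for e, n in counts.items())
    reasons = sorted(e for e in counts if e in ACTIVITY_WEIGHTS)
    probes = sum(n for e, n in counts.items() if e in PROBE_EVENTS)
    if score >= malicious_threshold:
        return "malicious", score, reasons
    if probes >= probe_threshold:
        # Fingerprinted the host yet stayed under the threshold: treat as sandbox-aware.
        return "suspicious", score, reasons + ["sandbox_probing"]
    if score > 0:
        return "suspicious", score, reasons
    return "benign", score, reasons


# Constructed traces: what three detonations might have logged.
TRACES = {
    "invoice.docm": ["open_document", "query_cpu_count", "enumerate_vm_drivers", "exit"],
    "updater.exe": ["connect_unknown_host", "write_autorun_key", "inject_remote_process"],
    "readme.txt": ["open_document", "exit"],
}


def triage(traces):
    """Map each sample name to its verdict label."""
    return {name: verdict(trace)[0] for name, trace in traces.items()}


if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, *verdict(trace))
```

The first sample shows why a benign-looking run is not the same as a benign verdict: it scores zero on activity but is still held back because it probed the environment first.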
In response to these shortcomings, some contemporary sandboxes have dedicated processing units to ensure that performance is not degraded by security operations. Sandboxes must have comprehensive testing of all supported operating systems and applications.
In addition, the emulator must see each and every instruction from the code that executes on the CPU, and it must emulate the end-user environment accurately.
And to round off this list, the sandbox must be integrated with all other network security devices, all of which are managed from a single pane of glass. In this regime, the sandbox can share threat intelligence with all other network security devices and, ostensibly, with the threat intelligence center in the cloud.
The function of this center is to pull intelligence from the field and to push the intelligence to other networks. By doing so, all networks receive the latest intelligence of cyber threats and can adopt the appropriate posture.
For example, Fortinet's sandbox product is named FortiSandbox.