A conversation with VP of Security, Stephen Heath & Director, Managed Security, Sahan Fernando – Intrinium
The Technical Deep Dive into the Darknets
Stephen Heath: We talked a bunch about darknet over the past two weeks and a question people ask all the time is how worried you should be about that and the network. How hard is it to take care of that kind of activity?
Sahan Fernando: Yeah, that’s definitely a problem that we’ve seen a lot of customers ask about, but in my experience it’s a really simple solution.
With any sort of next-generation firewall, people have that layer seven, the application control. It’s well built to identify Tor traffic, for instance. Everyone knows that’s the predominant player in the darknet space. You can block Tor with your next-gen firewall and monitor it so you know if someone’s trying to do something inappropriate.
You remember when WannaCry, those were all Tor nodes. Right? That was the communication vector. Not only are you blocking someone just trying to get around your controls, you might be identifying malware in its early stages.
Stephen Heath: Right, and that’s a good point. Now, the other thing I wanted to ask about is, if you look on a lot of those darknet guides and how to set up, one of the first things they talk about is running it through a hidden VPN service or something like that. Now, would you feel like Fortinet or other firewalls are able to identify that kind of stuff?
Sahan Fernando: I’ve seen it work very well. I’ve never come across a case where I’ve had an auditor or a pen tester, someone that wasn’t at least an extremely high degree of skill, anyone that’s not using just regular, commercial VPN, those will get identified.
The vendors seem to understand that it’s important to know what people are doing and be able to not only identify it, at the very minimum, but block it, give you that level of granularity, because there might be VPN services that you actually do need to allow.
That’s the beauty of the principle of least privilege. If you’re building your firewall policies right, you can allow certain hosts, certain people, however you want to build it. Design your rules so that authorized traffic goes out and everything else gets shut down and you know about it.
Stephen Heath: Right, as I recall, in things I’ve seen in FortiGuard and those kinds of things while playing around, you can do the web filters. There are filters by category. Don’t they have a category for VPN?
Sahan Fernando: I believe those fall under information technology. If you wanted to use the web filter out, you would have to probably block the domain specifically, and it depends on the service.
That’s something that you would want to check. Make sure that you know what’s being blocked. Make sure that you also have it configured correctly. We’ve seen where people put in web filtering but they don’t realize to use web filtering properly you need to have it in flow mode rather than proxy mode, because otherwise you’re missing certain traffic.
Understanding the technology you implement is huge. If someone just throws you a box and says, “Well, let’s turn it on,” is that actually sufficient?
Stephen Heath: Right, just plugging it in and hoping it works, never works out well. When you talk about proxy mode, that’s like when you talk about like SSL decrypt and stuff like that. Is that what you mean by that?
Sahan Fernando: Even just how is it inspected. It lets the few bits of the traffic go to perform that identification. When you’re talking about the web filter, it’s looking, generally, at the certificate, the SAN in that certificate, and making the determination off that, rather than the HTTP header and proxy nodes.
A lot of it comes down to also performance. Flow mode is much less stress on your environment, and from an availability standpoint, people seem to prefer it. Realistically, to do good application control, that’s where it’s headed.
Some next-gen firewalls, they only run in flow mode. Some give you the option, but they are starting to push you towards flow mode, because for you to do real application identification, you, unfortunately, do need to let some of those initial packets go to understand the bigger picture.
Stephen Heath: OK. That makes sense. As a last question, can you think of any reason, any legitimate reason at all, that Tor would be going on in a network?
Sahan Fernando: Only if you have a pen testing team and they’re actually doing a red-team engagement and they’re trying to do something like data exfiltration. Otherwise, I can’t think of a single legitimate purpose. The entire purpose of the darknet, I mean what all this has that your recent webinar. It’s not CNN. It’s not the New York Times. The only other thing is maybe some sort of whistleblower, but even then you wouldn’t.
Stephen Heath: You certainly wouldn’t want a whistleblower in your network.
Sahan Fernando: Yeah. Exactly that, right? Even then, Runa Sandvik at the New York Times, people like that, they use more legitimate means like Signal, some standard for secure communications like that. Tor, its intent is not friendly to business purposes in my firm belief.
Stephen Heath: Got you. All right. Well, thanks.
Sahan Fernando: Thank you.