SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Advanced Network Protection with McAfee Next
Generation Firewall

Copyright SANS Institute
Author Retains Full Rights

Advanced Network Protection with
McAfee Next Generation Firewall

A SANS Product Review
Written by Dave Shackleford
June 2014

Sponsored by
McAfee, part of Intel Security
©2014 SANS™ Institute

Introduction
Attacks today incorporate increasingly sophisticated methods of social engineering and
client-side software manipulation to exfiltrate data without detection. Some attackers
leverage so-called spearphishing to entice employees to give up access information and
spread their attacks to other enterprise systems; others use password crackers against
compromised applications in order to gain further access rights to the network. The
attackers might also set up channels for command and control communications with the
compromised systems, as in the case of the Zeus or SpyEye bot infections.
New types of network detection and prevention—with the ability to inspect complex
network traffic and correlate its results with additional information, such as user IDs
and system names—must replace traditional firewalls. Such technologies enable deeper
investigation of network attacks and help analysts distinguish those from benign
anomalies. These enhanced or “next-generation” firewalls may be able to completely
replace other network protection systems such as IPS or traditional firewalls, although
not in every case. The first major feature consideration for such systems is application
inspection and identification. Conventional firewalls focus primarily on Layer 4 ports
(e.g., ICMP, TCP and UDP), with some additional inspection of Layer 7 (applications), but
next-generation firewalls go further, performing deeper analysis of traffic and looking
for unusual protocol specifications and behavior.
Another core feature for any next-generation firewall is the ability to track application
traffic (particularly traffic identified as being potentially malicious or suspicious in
nature) to specific users and systems within the environment. In order to do this,
a next-generation firewall needs to integrate natively with user directory services such
as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP).

Advanced Features: McAfee Next Generation Firewall
In this review, McAfee Next Generation Firewall (McAfee NGFW) met the demands for
next-generation firewall features, including:
• Ease of use and centralized management: It was simple to add a new firewall node
  and remotely push policies to the devices.
• Integrated VPN: The integrated VPN features let us easily examine rules, such as a
  client-to-site VPN rule, test the connectivity and evaluate a site-to-site VPN
  connection.
• High availability and redundancy: We evaluated these critical features for advanced,
  high-capacity firewalls by looking at McAfee NGFW’s clustering configuration options.
  We tested the functionality of a firewall cluster and then built a simulated WAN
  connection with redundant ISP links to test a larger-scale deployment with multiple
  sites and distributed WAN connectivity; in both cases, failover happened seamlessly.
• Ability to stop sophisticated attacks: Most importantly, when we evaluated the
  platform’s Advanced Evasion Technique (AET) protection, it was able to stop
  sophisticated attacks even when we modified traffic and attack payloads to mimic
  their attempts to avoid detection.

We had the opportunity to review McAfee Next Generation Firewall (McAfee NGFW) to
see if it stands up to advanced threats and meets these requirements. We found McAfee
NGFW’s interface easy to access and use and its policies simple to create and push to
devices. The VPN capabilities worked as advertised, and the ability to create simple rules
that automatically create VPN tunnels can help organizations protect data in transit. Its
availability and redundancy features were easy to configure and functioned properly, and
McAfee NGFW caught the advanced evasion techniques we threw at it, demonstrating
a sophisticated application and protocol assembly and interpretation engine that will
certainly help organizations defend against advanced attacks in their networks.
SANS ANALYST PROGRAM

Ease of Use and Policy Management
The first use cases we evaluated with McAfee NGFW focused on basic functionality and
operational simplicity.

Adding New Firewalls to Manage
To see how easy it was to use, we started with McAfee Security Management Center
(SMC), which runs on Linux or Windows clients and provides a “single pane of glass” view
that reduces the amount of resources needed to configure and manage firewalls. Once
in the GUI, we simply right-clicked the firewall category, and added a “single firewall”
object as shown in Figure 1.

Figure 1. Adding a Firewall Object in Security Management Center
A new window opened, in which we were able to enter information about the new
device. As shown in Figure 2, we used SANS-Test as its host name.

Figure 2. Initial Device Configuration
Simplicity such as this provides real advantages to IT security teams who are strapped for
resources and need a better way to add, change and configure firewalls from a central
location.

Network Interface Configuration
Adding network interface configuration details to our firewall object was also simple. We
configured two interfaces (Interface 0 for unprotected WAN traffic and secure, in-band
management traffic and Interface 1 for protected LAN traffic), as shown in Figure 3.

McAfee’s “plug and play” configuration option uses a secure cloud service to configure
and set up the device without any hands-on interaction required.

Figure 3. McAfee NGFW Network Interface Configuration
We then configured the device’s basic functions via its command line interface (CLI),
which we accessed via Telnet. Other options involve a direct connection through the
device’s serial interface, booting from a USB drive or using an innovative “plug and play”
option. The latter uses a secure cloud service operated by McAfee to download and
install the device’s initial configuration and enables secure communication between the
McAfee NGFW and SMC. McAfee NGFW receives its final configuration and associated
policies without any hands-on interaction required. This process can reduce setup time
to a few minutes of a non-expert user’s day.

A simple menu-driven CLI wizard enabled us to configure the local device settings and
then link the device to the placeholder object in SMC. One of the CLI wizard screens, for
a single-device firewall with the host name SANS-SingleNode, is shown in Figure 4.

Figure 4. CLI Wizard for New Device Setup
Once we had linked a device to the corresponding object in SMC, we did all further work
through the GUI.

Adding Firewall Policies
Through SMC, security analysts can create and reuse firewall policy templates for
efficiency and simplicity. After completing the wizard and adding the new firewall into
SMC, we uploaded a policy to the new device to block users from going to specific
websites. In this case, we configured the rule to drop all traffic destined for Amazon.com,
Box.net and Facebook. McAfee had already created a default policy template for our
testbed, called NGFW_SingleNode. We pushed that policy, shown in Figure 5 with the ID
of 15.1, to the device.

Figure 5. Initial Policy Blocking Specific Site Access
Once the rule was applied, we did a simple test to see if it was working. We logged in to
a test client workstation via Remote Desktop Protocol (RDP) and used its web browser to
access a number of sites such as Amazon, Google and MSN; the last two were allowed,
but access to Amazon was blocked. We confirmed this in the real-time logs in SMC.
Figure 6 illustrates that the Amazon service and all other sites appearing in the red rows
are blocked traffic.

Figure 6. Blocked Access to Amazon.com
In the next use case, we wanted to explicitly block access to a certain internal subnet
from user bsmith (predefined in Active Directory by McAfee during the testbed setup).
Using the SMC policy editor shown in Figure 7, we easily added the rule to the policy.

Figure 7. Adding a Policy Rule

The rule we created had the ID of 15.2 and blocked any HTTP traffic from user bsmith and
with a destination of a specified network subnet. The final rule set is shown in Figure 8.

Figure 8. New NGFW Policy Rule in Place
Testing this use case was simple: We used RDP to log in to a test workstation as several
different users. First, we logged in as user Lisa Dataleak (ldataleak) and successfully
accessed a website at IP address 70.100.100.150. We then logged out, logged back in as
user bsmith and attempted to access the same IIS site; this failed. The log from SMC is
shown in Figure 9.

Figure 9. User bsmith Blocked

Investigating a New Firewall Event
We found troubleshooting easy to accomplish with the help of SMC’s view of log events,
which enables drill down into events to obtain detailed information such as the rule
triggering the event. To begin our investigation of the firewall event, we drilled into the
details of the event, which provided a simple visual representation of what happened,
along with all the different fields in the generated event (shown in Figure 10).

Figure 10. Detailed Event View
We found it simple to add the McAfee NGFW to SMC. Creating some basic rules was
fast and easy, as well. The rules worked perfectly, blocking traffic based on user IDs, IP
addresses and URLs.

VPN Policies and Access Management
The next use cases we reviewed focused on VPN policies and access control. McAfee’s
VPN capabilities are part of McAfee NGFW’s included feature set and include the ability
to have an augmented VPN—which combines multiple VPNs into one logical VPN—with
IPsec. Configuring the VPN is a simple process; one first creates a gateway in SMC, drags
and drops remote sites (e.g., a branch office) to add to the configuration and, finally,
deploys the updated configuration.
In the first example, we established a client VPN connection to the firewall. We entered
credentials into the VPN client for user bsmith. Figure 11 shows the status of the VPN
authentication process.

Figure 11. Starting the VPN Client Authentication Process

Simultaneously, we monitored the McAfee NGFW logs in SMC to see the IPSec
authentication process, shown in Figure 12 by the white rows of the table.

Figure 12. VPN IPSec Authentication
The policy rule in place for this use case explicitly forbids the use of RDP to a specific
network zone by user bsmith while on a VPN connection, as shown in Figure 13.

Figure 13. RDP Discard Rule
We tested this rule by logging into a client workstation as user bsmith, and then
attempting to RDP to 30.100.3.110. The connection failed, as demonstrated in NGFW
logs (see Figure 14).

Figure 14. RDP Connection Discarded for bsmith
We then disconnected the VPN client as bsmith, logged in again as user ldataleak and
successfully initiated an RDP connection to 30.100.3.110.
For the second VPN scenario, we tested a site-to-site VPN connection with NGFW rules
in place to allow file transfers with FTP. First, we logged in to a desktop system as the
user bsmith, then used WinSCP to log in to the host 30.100.3.110 using the FTP protocol.
While the connection was occurring, we viewed the logs in SMC, as shown in Figure 15.

Figure 15. FTP Events for bsmith

We right-clicked on the events shown and selected View Rule; this displayed a rule
enforcing a site-to-site VPN connection between the internal network and the “branch”
range (defined elsewhere in SMC), as shown in Figure 16.

Figure 16. Site-to-Site VPN Rule
This rule allowed any services between the specified source and destination, as long as a
site-to-site VPN was in place. More detail on the events generated by the FTP transfer
is shown in Figure 17.

Figure 17. Site-to-Site VPN Connection Event Details
We found the process of setting up both client-to-site and site-to-site VPN connections
to be quick and simple, while generating rules in the McAfee NGFW platform that
leveraged VPN connectivity (or behaved in specific fashions depending on connection
state) was also easy. Such rules are invaluable for organizations looking to ensure
connection security before certain types of communication are allowed.
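The following Python sketch is an added example, not McAfee SMC code or its policy format. It evaluates an ordered, first-match rule set modelled on the rules described in this section and in the policy section earlier (rule 15.1 dropping traffic to Amazon.com, Box.net and Facebook; rule 15.2 dropping HTTP from user bsmith to one subnet; and the RDP discard rule that applies to bsmith only while on a VPN connection) and reports which rule fired, which is the detail the SMC event drill-down gives an analyst. The Connection and Rule types, the via_vpn condition, the /24 subnets around the tested hosts and the "RDP-VPN" rule ID are assumptions made for the example.

```python
"""Added example: an ordered, first-match firewall policy evaluator modelled
on the rules described in the review. Not McAfee SMC code; the Connection and
Rule fields, the via_vpn condition, the /24 subnets and the RDP-VPN rule ID
are assumptions for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    user: str               # identity resolved from the directory (e.g. Active Directory)
    dst: str                # destination IP address or host name
    service: str            # "HTTP", "RDP", "FTP", ...
    via_vpn: bool = False   # connection state: arrived over a client VPN tunnel


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                                  # "allow" or "discard"
    users: Optional[FrozenSet[str]] = None       # None = any user
    services: Optional[FrozenSet[str]] = None    # None = any service
    dst_hosts: FrozenSet[str] = frozenset()      # host names; empty = no host constraint
    dst_nets: Tuple = ()                         # ip_network objects; empty = no net constraint
    require_vpn: Optional[bool] = None           # None = connection state does not matter

    def _dst_matches(self, dst: str) -> bool:
        if not self.dst_hosts and not self.dst_nets:
            return True                          # rule applies to any destination
        if dst in self.dst_hosts:
            return True
        try:
            addr = ip_address(dst)
        except ValueError:                       # a host name cannot be inside an IP subnet
            return False
        return any(addr in net for net in self.dst_nets)

    def matches(self, c: Connection) -> bool:
        if self.users is not None and c.user not in self.users:
            return False
        if self.services is not None and c.service not in self.services:
            return False
        if self.require_vpn is not None and c.via_vpn != self.require_vpn:
            return False
        return self._dst_matches(c.dst)


def evaluate(policy, conn: Connection, default: str = "allow") -> Tuple[str, Optional[str]]:
    """Walk the ordered policy; the first matching rule decides. Returns
    (action, rule_id) so a log event can record which rule fired; rule_id is
    None when only the default action applied."""
    for rule in policy:
        if rule.matches(conn):
            return rule.action, rule.rule_id
    return default, None


# Constructed policy mirroring the review's test cases (subnets and the
# "RDP-VPN" rule ID are assumptions; the paper does not state them).
POLICY = [
    Rule("15.1", "discard", dst_hosts=frozenset({"amazon.com", "box.net", "facebook.com"})),
    Rule("15.2", "discard", users=frozenset({"bsmith"}), services=frozenset({"HTTP"}),
         dst_nets=(ip_network("70.100.100.0/24"),)),
    Rule("RDP-VPN", "discard", users=frozenset({"bsmith"}), services=frozenset({"RDP"}),
         dst_nets=(ip_network("30.100.3.0/24"),), require_vpn=True),
]


if __name__ == "__main__":
    for conn in (Connection("ldataleak", "70.100.100.150", "HTTP"),
                 Connection("bsmith", "70.100.100.150", "HTTP"),
                 Connection("bsmith", "30.100.3.110", "RDP", via_vpn=True),
                 Connection("ldataleak", "30.100.3.110", "RDP", via_vpn=True)):
        print(conn, "->", evaluate(POLICY, conn))
```

Because the first match wins, a connection-state-dependent discard such as the RDP rule has to sit above any broad allow rule for the same zone, and the state test runs on every new connection rather than once per user. The site-to-site FTP case (bsmith to 30.100.3.110 over FTP) is not constrained by any rule here, so it falls through to the default.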

Availability and Redundancy Settings and Options
The next category of configuration options we tested centered on availability. Given that
the McAfee NGFW may replace existing firewall and network platforms, it must be highly
available and operate seamlessly in a load-balanced and clustered configuration. The
native clustering features of McAfee NGFW replace external load balancers, simplifying
network design and making troubleshooting simpler than before.
A McAfee NGFW cluster supports up to 16 physical devices and provides native, on-the-box
load balancing of the network traffic. Another convenient feature of McAfee’s clustering
technology is its ability to support a mixed physical and code environment, which
enables an organization to perform upgrades in either sphere without taking down the
cluster.
The first use case we walked through was adding a new node to an existing cluster, a
straightforward process in SMC. First, we right-clicked on the icon for our firewall cluster
(which McAfee had set up for our testing with two nodes) and selected Add Node; in the
pop-up window, we noted the new node’s “One Time Generated Password,” outlined in
red in Figure 18.

McAfee NGFW’s native clustering features simplify network design and make
troubleshooting simple.

Figure 18. New Cluster Node with One-Time Password

Then we used the CLI wizard to connect the new node to SMC; the step where we
finalized the connection and entered the one-time password is shown in Figure 19.

Figure 19. Finalizing Connectivity to SMC
After refreshing the new node’s policy in SMC, the third cluster node connected
successfully, as denoted by its green icon in Figure 20.

Figure 20. Completed Firewall Cluster

To test the availability aspects of the cluster, we took one of the nodes offline (in this
case, node 2) as a simulated node failure or maintenance outage. This process is shown
in Figure 21.

Figure 21. Taking a Cluster Node Offline
Using the bsmith account, we browsed to several YouTube videos and started them from
a workstation. The traffic continued in this configuration (nodes 1 and 3 online, and node
2 offline) without fail. We then took node 1 offline and the traffic continued through
node 3 (the remaining node), as shown by the HTTP events in Figure 22.

Figure 22. Cluster Node 3 Passing YouTube Traffic

Our second use case for availability focused on McAfee NGFW’s “Multi-Link” feature,
which adds redundancy and provides quality of service (QoS) and bandwidth
aggregation capabilities for more efficient traffic management.
We created a simple Multi-Link using two ISP connections defined by McAfee in the test
environment, as shown in Figure 23.

Figure 23. New Multi-Link Connection
We then added a network address translation (NAT) rule to our firewall cluster, directing
it to use the Multi-Link, as shown in Figure 24.

Figure 24. New Multi-Link NAT Rule

Once the Multi-Link was established and online, we took one of its ISP connections
down manually, as shown in Figure 25.

Figure 25. Disabling One ISP Connection in a Multi-Link
With the same bsmith account, we verified that YouTube videos continued playing
seamlessly when the link was disabled, verifying the immediate failover condition, as we
did earlier when we took two out of three firewall nodes offline.
Redundancy and availability are critical aspects of any firewall deployment, and ensuring
uninterrupted connectivity for users and systems is paramount. McAfee NGFW makes
the creation of redundant clusters and multi-links for ISP connectivity very easy and
manageable. We also verified that all traffic flowed without interruption, even when
cluster nodes and links were forced offline.

Packet Inspection and Reassembly with AET
McAfee NGFW’s AET (Advanced Evasion Technique) protection includes a number of
built-in packet reassembly and inspection techniques that can detect and prevent
attacks that disguise their traffic via multiple techniques such as these:
• Exploiting the PAWS (Protection Against Wrapped Sequence numbers) extensions to
  TCP to change the timestamp of the header to delay the packet, confusing security
  tools into allowing it to pass.[1] In addition, attackers can randomize the payload data
  with tools that leverage these extensions. The NGFW platform can easily reverse this
  process, taking advantage of the same tcp_paws libraries that attackers use.
• Fragmenting IPv4 packets into smaller ones to split up a malicious payload. This
  technique bypasses the signature matching used by most IPS and firewall platforms,
  but McAfee NGFW can reconstruct unusual, nonstandard fragmented packets for
  analysis with the same ipv4_frag libraries that attackers use.
• Rearranging packet data with “big-endian” encoding. This places the highest (most
  significant) byte of a packet first, instead of last (the normal order), confusing the
  firewall or IPS into thinking the packets are benign because they don’t match any
  entries in the signature database for malicious programs. McAfee NGFW uses the
  Microsoft RPC big-endian libraries to analyze this type of traffic and foil this attack.
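As an added illustration, not code from the paper, from McAfee NGFW or from the Evader tool, the Python below shows from the inspecting device's side why the first two evasion classes above defeat naive matching and what normalization has to do about it: apply the same RFC 1323 PAWS test the receiving host applies, so that segments the host will silently drop are not fed to the signature engine, and match content only on the reassembled IPv4 datagram, with fragments accepted in any order and overlaps resolved by one explicit policy. The segments, fragments and the SIGNATURE pattern are constructed for the example; the tcp_paws and ipv4_frag library names mentioned in the text are not used.

```python
"""Added example (not from the SANS paper, McAfee NGFW or Evader): a minimal
inspection-side normalizer for the PAWS-timestamp and IPv4-fragmentation
evasion classes. All traffic below is constructed in code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TS_MOD = 1 << 32
SIGNATURE = b"MALICIOUS-STRING"     # constructed placeholder for a content signature


def paws_accept(ts_recent: int, ts_val: int) -> bool:
    """RFC 1323 PAWS: reject a segment whose TSval is older than the stored
    TS.Recent. 'Older' is decided modulo 2^32 so a timestamp clock that has
    wrapped is still compared correctly (RFC 1323, section 4.2)."""
    return (ts_val - ts_recent) % TS_MOD < (1 << 31)


def _merge(chunks: Iterable[Tuple[int, bytes]], overlap: str) -> Dict[int, int]:
    """Lay chunks into a byte map keyed by offset. overlap='first' keeps the
    byte that arrived first where chunks overlap; 'last' lets later chunks
    overwrite. The policy must mirror the protected host's own behaviour,
    otherwise the inspector and the host see different data."""
    buf: Dict[int, int] = {}
    for offset, data in chunks:
        for i, b in enumerate(data):
            if overlap == "last" or (offset + i) not in buf:
                buf[offset + i] = b
    return buf


def _to_bytes(buf: Dict[int, int], length: int) -> Optional[bytes]:
    """Return the contiguous bytes [0, length), or None if there is a gap."""
    if any(pos not in buf for pos in range(length)):
        return None
    return bytes(buf[pos] for pos in range(length))


def normalize_tcp_stream(segments: List[Tuple[int, int, bytes]], ts_recent: int,
                         apply_paws: bool = True, overlap: str = "first") -> Optional[bytes]:
    """segments: (relative seq, TSval, payload) in arrival order. With
    apply_paws=False the function behaves like an inspector that ignores
    timestamps and therefore also keeps segments the host discards."""
    kept = []
    for seq, ts_val, payload in segments:
        if apply_paws:
            if not paws_accept(ts_recent, ts_val):
                continue             # the endpoint drops it, so must the inspector
            ts_recent = ts_val       # accepted segments advance TS.Recent
        kept.append((seq, payload))
    buf = _merge(kept, overlap)
    return _to_bytes(buf, max(buf) + 1) if buf else b""


@dataclass(frozen=True)
class Fragment:
    ident: int      # IPv4 Identification; all fragments of one datagram share it
    offset: int     # fragment offset in bytes (header field * 8)
    more: bool      # MF flag; False marks the final fragment
    data: bytes


def reassemble_ipv4(frags: List[Fragment], overlap: str = "first") -> Optional[bytes]:
    """Reassemble one datagram from fragments in any arrival order. Returns
    None while the final fragment or any byte range is still missing."""
    last = [f for f in frags if not f.more]
    if not last:
        return None
    total = last[-1].offset + len(last[-1].data)
    return _to_bytes(_merge(((f.offset, f.data) for f in frags), overlap), total)


def fragment_demo() -> Tuple[bool, bool]:
    """Constructed 26-byte datagram split at 8-byte boundaries and delivered
    out of order. Returns (hit on any single fragment, hit after reassembly)."""
    payload = b"hello " + SIGNATURE + b" bye"
    frags = [Fragment(7, 8, True, payload[8:16]),
             Fragment(7, 16, False, payload[16:]),
             Fragment(7, 0, True, payload[:8])]
    per_fragment = any(SIGNATURE in f.data for f in frags)
    whole = reassemble_ipv4(frags)
    return per_fragment, whole is not None and SIGNATURE in whole


if __name__ == "__main__":
    # Third segment carries the real data; the second has a stale timestamp
    # the host rejects under PAWS, so only a PAWS-unaware inspector keeps it.
    decoy = [(0, 100, b"HELLO "), (6, 50, b"DECOY"), (6, 101, b"WORLD")]
    print(normalize_tcp_stream(decoy, 90, apply_paws=False))   # inspector without PAWS
    print(normalize_tcp_stream(decoy, 90))                      # host-consistent view
    print(fragment_demo())
```

The two checks share one principle: the inspector must reconstruct exactly the byte stream the protected host will act on. Which overlapping fragment or segment wins differs between operating systems, so a production engine keeps a per-host-type reassembly policy rather than a single global one; the overlap parameter here stands in for that choice.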
For our test, we used the publicly available McAfee Evader attack simulator, which
can generate well-known exploits (similar to those from Metasploit and other attack
frameworks) to attack systems and test the efficacy of defense systems.[2]

[1] PAWS is described in IETF RFC 1323, www.ietf.org/rfc/rfc1323.txt
[2] http://evader.mcafee.com
We tested a number of well-known attacks that modern defense systems should always
catch, such as exploits attacking unpatched Windows systems missing the MS08-067
patch. The Evader system configuration is shown in Figure 26.

Figure 26. Evader Target Configuration
The tool was targeting a Windows XP SP2 desktop system in our test environment, one
that we knew to be susceptible to all the attacks preloaded into Evader. All attacks were
going through a single-device firewall; the Windows Calculator application would open
upon successful exploit of the XP desktop’s vulnerability.

For this test, we attempted three different exploits with IPv4 fragmentation, big-endian
encoding, TCP timestamp and other evasions. When we ran these through the firewall
cluster, McAfee NGFW decoded and normalized the traffic, performing a horizontal data
stream analysis that examined all the protocol layers and detected all of the exploits
hidden in the protocol layers; meanwhile, our target remained untouched. Logs of the
attempts displayed in SMC are shown in Figure 27.

Figure 27. Evasion Techniques Successfully Detected
In this screenshot, all the red events are blocked attack traffic that correspond to the
attacks we generated using the Evader tool. The green events are unrelated. McAfee
NGFW handled all the protocol anomaly detection and packet inspection automatically
in software—so we did not need to spend any time configuring protocol handlers to see
accurate detection and prevention actions successfully taken.

Conclusion
After testing the various configuration options and features of McAfee Next Generation
Firewall, we declared that the system works as advertised in all categories. Through
McAfee Security Management Center, all functions were readily available and easy to
find. We successfully added a new node to a firewall cluster, pushed a policy to the
device and tested that the policy was functioning properly. Then, we created a new
policy that restricted traffic from a specific user and tested this successfully as well.
McAfee NGFW’s VPN capabilities were simple to configure and evaluate. We created
and tested client-based and site-to-site VPN policies. Both successfully enforced policies
based on a variety of conditions over a VPN connection.
Availability features such as clustering and multiple WAN links were easy to configure.
When tested, both worked with various components disabled, and we never
experienced a disruption in traffic passing through the devices.
Finally, McAfee NGFW’s advanced evasion detection capabilities worked as expected. We
sent a number of well-known exploits through the firewall cluster, using several different
protocol and application evasion tactics, and it caught all of them.
In short, McAfee NGFW was simple to configure and offered powerful firewalling
and threat detection capabilities, while providing highly available and redundant
connectivity and sophisticated, policy-based connection security.

About the Author
Dave Shackleford is the founder and principal consultant with Voodoo Security, a SANS analyst,
instructor and course author, and a GIAC technical director. He has consulted with hundreds
of organizations in the areas of security, regulatory compliance, and network architecture and
engineering. He is a VMware vExpert and has extensive experience designing and configuring secure
virtualized infrastructures. He has previously worked as CSO for Configuresoft and CTO for the Center
for Internet Security. Dave is the author of the Sybex book Virtualization Security. Recently, Dave
coauthored the first published course on virtualization security for the SANS Institute. Dave currently
serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of
the Cloud Security Alliance.

Sponsor
SANS would like to thank this paper’s sponsor:

Last Updated: December 29th, 2014
