3. Check Point for maximum. Content Awareness

Hello, Colleagues, welcome to the third lesson of the Check Point course to the maximum. This time I would like to discuss the Content Awareness blade. This is a relatively new feature, which appeared in R80.10 and many still do not use it, although it is in vain! Personally, I think this blade is a great addition to protect the perimeter of the network, but let's get everything in order.

Before starting to discuss this blade, I would like to get a little insight into the issue. Those. why can we this blade in principle come in handy. First, let's look at some statistics.
')

Check Point Report 2016

According to a 2016 Check Point report, we have the following figures:



I already cited these numbers earlier, in the course on Check Point SandBlast . Unfortunately, I do not yet have more new data (at least for 2017), but I suspect that the statistics have only worsened. What is the message of these numbers? The number of targeted attacks is growing! Those. when before the attack the malware is developed for a specific victim, well, or a company. Modern technology allows you to do this in seconds. No need to be a genius. Ready-made virus creation tools are downloaded and a malware is created literally in a couple of commands, which will not be detected by antivirus by signature. In the following lessons, I will definitely show this. Most antiviruses, of course, have different heuristic mechanisms, but again, this can be called just another type of signature, where patterned virus actions are tracked. Various methods of obfuscation allow you to bypass this level. As practice shows, modern malware has learned to behave like ordinary users. For example, when a twitter page is used as a command center, where an attacker places his commands (as text, or even as an image). In this case, try to distinguish the activity of a regular user from a virus that knocks on twitter in order to receive another instruction.

And if top-of-the-day vulnerabilities are constantly appearing, then for the antivirus the situation is generally sad. It is quite difficult to develop a signature for something you don’t know. As statistics show, recently 0-day appear more and more often. Moreover, some vulnerabilities have existed for years. Recall the same processor vulnerabilities - Meltdown and Specter. Yes, they were discovered only at the beginning of January, but for many years now. (Many believe that manufacturers have known about them for a long time). And there is no 100% guarantee that nobody used these vulnerabilities before.

So-called sandboxes are commonly used to solve the problem of 0-day malware. Check Point has this technology called SandBlast . Now we will not consider it in detail. We will devote a separate lesson to this.

So what about anti-virus and IPS th, which work with signatures? Are there no more sense from them? Of course have. The percentage of attacks that use long-known viruses are still high. And these attacks can be successfully repelled by signature analysis, without the use of a sandbox, which consumes significant system resources of the device. The sandbox, if you use it, turns on at the very last moment, when all other blades did not find anything. So say the last frontier. Once again, the main idea of ​​this slide - Anti - Virus and IPS is not enough for full protection. But of course you need to use them!

File categories and extensions

Just above, we mentioned that 28% of infected files are SWF. In addition to SWF, office documents, various archives, pictures, pdf, exe are often infected. Yes, i.e. it is not only exe and flash. In fact, of course, there are many more files:



Now ask yourself, is it worth it to download some of these files in principle? Do they need your users? I'm sure not. Especially all sorts of exe, dll, vbs scripts, archives and much more. Why allow downloading what your users think you don’t need to download! Each file is a load on the gateway, because it needs to be checked. And the more files pass, the more likely it is that one of the viruses will still slip through. The most interesting thing is that some files are downloaded without notifying the user (the same malware). I will show it in practice a little later.

Of course, everything depends entirely on your security policy, but it seems to me that, in general, downloading executable files from the Internet is not necessary for 95% of company users. In some cases, the same can be said about archives and flash (swf). But these files are often infected.

Imagine how much we simplify the work of the antivirus and IPS, if such files are blocked before them. As I said earlier, this will certainly have a positive effect on the performance of the device, since the load will naturally decrease. In addition, we will significantly reduce the risk of the passage of a previously unknown virus, since We will discard such files before checking. Why risk once again?

As you can see, the idea is quite simple, but it significantly increases the security of your network. That's exactly what the new Content Awareness blade does.

Check Point Content Awareness

And so, we got to the main subject of this lesson. Content Awareness is a blade that allows you to identify the type of files and the type of content in them content. All traffic going through the Check Point gateway is checked.



Out of the box more than 60 file types are supported. The full list can be viewed on sk114640 . How do you understand this and office documents (doc, excel, pdf) and executable files and much more. Actually, I reflected most of it on the previous slide.

In addition, Content Awareness allows you to identify exactly what is contained in these files. For example, an excel plate with credit card numbers, or a file containing data about health insurance, or a text file with MAC addresses, and much more. It is necessary to recognize that the majority of templates EXACTLY of content, are focused on the western markets.
Content Awareness can check such protocols as ftp, smtp, http / https (of course with ssl inspection enabled).

And most importantly, this blade allows not only to identify the file type, but also block its download (Download) and upload (Upload). From this we have the following profit:

1. You can prevent users from downloading a certain type of files that we have already discussed. This will significantly increase your security, and even the gateway will unload, which no longer needs to check everything.
2. You can prohibit uploading files to the Internet. For example, for work, your users need access to any cloud storage. But you are afraid that users will “merge” confidential information. With the help of Content Awareness you can ban them from any upload. This is closer to the functionality of the DLP, but do not be confused. Check Point has a separate DLP blade, whose functionality is much wider and more flexible. It supports integration with the Exchange server. But this is a separate topic, now we will not consider it. Content Awareness is unlikely to protect against targeted attempts to “merge” some information into the network, but it protects more than well from an accidental “drain”.

Those who are already familiar with Check Point may argue, saying that such an opportunity was before. It was possible to block various types of AntiVirus files. Yes, indeed, there is such an opportunity (a little later, I will definitely show it). Only in this case the file reaches the AntiVirus engine (besides passing through the IPS engine) and naturally eats away system resources, since security functionality is ALWAYS more energy consuming. Content Awareness allows you to block files almost at the network level with minimal cost. It is very convenient!

Disadvantages of Check Point Content Awareness

Unfortunately, Content Awareness has not only advantages. There are several significant drawbacks:

1. Files are grouped into categories (archives, documents, executable files, ...). For example, if you block all archives, then problems may begin with some sites that use archived data for display. Or, for example, if you need to block a separate file type (only .doc), then Content Awareness will not be able to do this. (in R80.20 this should be fixed). But here the same antivirus will come to our aid. We will talk about this in the next lesson.
2. It works only for http / https, ftp, smtp protocols. In 95% of cases this is enough
   but it happens when similar functionality is needed in other protocols.
3. If MTA is enabled, then Content Awareness does not work for smtp.
4. Works only for R80.10.

Demonstration of Check Point Content Awareness

In the presented video tutorial contains the practical part. The first half of the video duplicates the described theoretical part, so you can safely rewind.

Conclusion

To summarize, Content Awareness is a very interesting functionality and an additional level of protection for your network. Do not neglect them! If you have any questions, write them in the comments, or email us.

PS I would like to thank Alexey Beloglazov (Check Point company) for help in preparing this article.