Can Your Secure Web Gateway (SWG) Prevent SNI Fraud? –


Can Your Secure Web Gateway (SWG) Prevent SNI Fraud? We checked and some of the major gateways cannot. Preventing attempts to bypass SNI-based HTTPS filtering can mean the difference between a breach and security.

Is your SWG’s URL filter up to the challenge?

When it comes to securing Internet access and browsing, organizations apply URL filtering to outbound or outbound connections using secure web gateways (SWGs), firewalls, and FWaaS. Intended for remote users, SWG (pronounced “swags”) have become especially important as remote and hybrid users browse the web outside the confines of the corporate firewall.

But what happens when a sophisticated attack bypasses one of the most basic inspection methods used by these security tools, called SNI-based? URL filtering? With HTTPS connections rapidly becoming commonplace, this poses a problem for organizations that cannot detect the trick.

SNI header manipulation in encrypted traffic

Advanced cyberattacks require organizations to verify that their secure web gateway can inspect all encrypted traffic and overcome attempts to establish fraudulent connections using stealth or evasion techniques.

A popular technique used by attackers is manipulation of the SNI header in encrypted traffic. The SNI, or Server Name Indication, field is part of the TLS protocol that encrypts web traffic to keep your web traffic private and undecipherable to prying eyes.

The SNI is set and controlled by the client’s browser. It indicates which HTTPS web server the client is trying to reach. SWGs use this value to determine whether or not to inspect traffic, and then decide whether to accept or block that traffic.

In order to stay hidden from web gateways that try to inspect encrypted trafficattackers can manipulate the SNI value of a web request and in doing so bypass several inspection engines including URL filtering, data loss prevention (DLP) and malware protection engines.

We have checked. Not all SWGs are up to the task.

Not all SWGs or SASE/SSEs are able to protect their customers against such attacks.

Security vendors such as Zscaler, Netskope, and Palo Alto expose their customers to such HTTPS bypass methods, even when the recommended policy is applied for all of these engines to inspect and block suspicious web traffic.

Whether it’s a malicious insider trying to exfiltrate company data or sneaky malware establishing a clandestine connection, SASE’s three vendors were unable to detect manipulation. NIS. And their URL filtering, DLP, and malware protection engines were also bypassed.

Their solutions failed to validate the destination certificate and verify that the user has reached the correct destination. By relying on the SNI value to determine whether or not to inspect traffic, customers of these security vendors become vulnerable and exposed to malware, unauthorized site access, and exfiltration of data.

Additionally, security teams are blind to this traffic due to misleading logs that indicate the malicious traffic is benign.

Harmony Connect thwarts SNI fraud

As shown in video aboveHarmony Connect, Check Point’s SASE solution, prevents SNI fraud and protects against such circumvention techniques by validating both the SNI value and the destination certificate to properly secure encrypted traffic.

As an integrated cloud SWG and subsidiary FWaaS, Harmony Connect Internet Access guarantees users the same level of protection, with a full enterprise security stack in the cloud, whether they work indoors or outdoors. from the office.

Harmony Connect Internet Access blocks phishing sites in real time, prevents zero-day malware with advanced sandboxing, and protects against browser exploits with industry-leading cloud-delivered intrusion prevention (Cloud IPS) for deep packet inspection (virtual remediation).

Leveraging the power of ThreatCloud, which combines more than 30 artificial intelligence and machine learning engines with big data threat intelligence, the service ensures that every site visited and file downloaded is thoroughly inspected and checked, blocking threats. most evasive attacks before they can reach users.

Harmony Connect Internet Access’s comprehensive security includes data loss prevention (DLP), URL filtering, and granular application controls.


Comments are closed.