3

The infrastructure team in our medium enterprise has requested blocking of all executables at the firewall. We have a firewall which is capable of DLP, so therefore this can be set up fairly easily. I'm not sure if this is a good idea or not. My questions are:

  • Is this common practice in enterprises?
  • What are the advantages and disadvantages of doing this?
  • What are some other options that may be preferred?

The reason they want this is to protect the network, and specifically users' PCs. One obvious disadvantage is that we may end up blocking a valid business exe. Another option is to use some sort of application whitelisting, but this only addresses part of the problem. Anything else I am missing?

Thanks for your help.

Mark
    One obvious disadvantage is that we may end up blocking a valid business exe. - Good point. Go to meeting installer jumps right to the top of my head. What you need is a good white-list blocker. I'm not sure the firewall makes any sense, though. Active Directory policies are the normal place to start, augmented by software that can lock down PCs using a white-list approach to apps. (don't allow unless administrator approved...) – David Stratton Jan 07 '13 at 03:29
  • 2
    I'd rather apply a whitelist at the clients. To work on network traffic you need to do weird stuff like SSL interception. – CodesInChaos Jan 07 '13 at 15:11

2 Answers

5

It is common to block (and then whitelist) executables; however, this has the burden of upset users and then overworked support staff who need to maintain the whitelists.

What we're seeing nowadays is slightly more sophisticated tools that introspectively look at the EXE to see if it "looks" like malware. One of my clients uses wildfire, which will poke around with the executable in a sandboxed environment to see if it triggers any standard behaviours of malware. Like a lot of these solutions, the vendor will use standard heuristics as well as have connected systems back to a NOC that will investigate new malware and send out new patterns to each firewall straight away.

These types of tools also come with consoles with visualisation, and the good ones can integrate with your SIEM.

Callum Wilson
  • Thanks for your response. I had not heard of wildfire so will look into this further. Sounds like an interesting technology. I agree with you about the burden of upset users and on support staff. – Mark Jan 09 '13 at 01:37
  • wildfire is an optional add-on with palo alto firewalls - however, most of the big name firewalls have something similar nowadays. – Callum Wilson Jan 09 '13 at 09:25
2

Quarantine, don't block. Pull the executable out and store it in a protected area. If it matches the hash of an authorized executable, then provide the recipient the authorized executable.

If it doesn't match a whitelist, then provide the recipient with a link to a workflow that prioritizes the executable for release and whitelisting.

Carefully examine your technology to assess the probability of bypass. The more cumbersome it is for the legitimate worker to get work done, the more likely that you'll have a Potemkin implementation - pretty but ineffectual. I don't know your firewall, but I have worked in environments where people regularly renamed the executable from foo.exe to foo.xex and circumvented the whole security implementation. Or simply encrypted the email with PKI.

If I were going to do this, I'd publish the statistics on my de-quarantine workflow (speed, effectiveness, % of malware captured), and commit to a goal of increasing the efficiency of the de-quarantine process by N%/year, measured monthly.

MCW
  • Thanks for your response. I agree with you about users working to get around the blocking. Hopefully with the implementation of DLP on Fortigate this shouldn't be easy. – Mark Jan 09 '13 at 01:41
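The quarantine-and-release decision described in the answer above, as an added example that is not part of the original post or any vendor's product: it identifies an executable by its PE header rather than its file extension, so the foo.exe to foo.xex rename mentioned above is still caught, then compares the SHA-256 against an approved set and either delivers or quarantines. The approved-hash set and the sample files are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Set


def is_pe_executable(data: bytes) -> bool:
    """Detect a Windows PE image by content, not by name.
    A PE file starts with the 'MZ' DOS stub; the little-endian dword at
    offset 0x3C points to the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


@dataclass
class Decision:
    action: str              # "deliver", "quarantine" or "pass"
    sha256: Optional[str]    # digest of the file when it is an executable
    reason: str


def triage_attachment(name: str, data: bytes, approved: Set[str]) -> Decision:
    """Quarantine unknown executables; deliver ones whose hash is approved."""
    if not is_pe_executable(data):
        return Decision("pass", None, f"{name}: not a PE executable")
    digest = hashlib.sha256(data).hexdigest()
    if digest in approved:
        return Decision("deliver", digest, f"{name}: hash matches an approved executable")
    # Unknown binary: hold it and hand the recipient a release/whitelisting request.
    return Decision("quarantine", digest, f"{name}: unknown executable, routed to release workflow")


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (header only) for the demonstration."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed allowlist: in practice this is fed by the de-quarantine workflow.
APPROVED_SHA256 = {hashlib.sha256(make_fake_pe(b"approved-build")).hexdigest()}

if __name__ == "__main__":
    for fname, blob in [("tool.exe", make_fake_pe(b"approved-build")),
                        ("tool.xex", make_fake_pe(b"unknown-build")),
                        ("notes.txt", b"plain text, not a binary")]:
        print(triage_attachment(fname, blob, APPROVED_SHA256))
```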