
Can your Secure Web Gateway (SWG) Prevent SNI Fraud?

by Techeconomy
July 12, 2022
in Security

Can your Secure Web Gateway (SWG) prevent SNI fraud? We checked and some of the top gateways can’t. Preventing attempts to bypass SNI-based HTTPS filtering can make the difference between a breach and staying safe.

Is Your SWG’s URL-Filter up to the Challenge? 

When it comes to securing internet access and browsing, organizations apply URL filtering to outbound, or egress, connections using secure web gateways (SWGs), firewalls and FWaaS. Geared to remote users, SWGs (pronounced ‘swags’) have become especially important as remote and hybrid users browse the web outside the confines of the corporate firewall. 

But what happens when a sophisticated attack circumvents one of the most basic inspection methods used by these security tools, called SNI-based URL filtering? With HTTPS connections fast becoming mainstream, this spells trouble for organizations that can’t spot the ruse.

Manipulating the SNI Header in Encrypted Traffic

Advanced cyber attacks require organizations to verify that their secure web gateway can inspect all encrypted traffic and overcome attempts to establish fraudulent connections using stealth or bypass techniques.

One popular technique used by attackers is manipulation of the SNI header in encrypted traffic. The SNI, or Server Name Indication, field is part of the TLS protocol, which encrypts web traffic to keep it private and undecipherable to prying eyes.

The SNI is defined and controlled by the client’s browser. It indicates which HTTPS web server the client is trying to reach. SWGs rely on this value to determine whether they need to inspect the traffic, and subsequently to decide whether to accept or block it.

In order to stay hidden from web gateways that attempt to inspect the encrypted traffic, attackers can manipulate the SNI value of a web request, and by doing so, bypass multiple inspection engines—including URL filtering, data loss prevention (DLP) and malware protection engines.

We checked. Not all SWGs are up to the task.

Not all SWGs or SASE/SSE vendors can protect their customers from such attacks.

Security vendors such as Zscaler, Netskope and Palo Alto leave their customers exposed to such HTTPS bypass methods, even when the recommended policy is applied for all these engines in order to inspect and block suspicious web traffic.

Whether it’s from a malicious insider trying to exfiltrate company data, or sneaky malware that establishes a clandestine connection—all three SASE vendors were unable to detect the SNI manipulation. And their URL filtering, DLP and malware protection engines were circumvented, as well.

Their solutions failed to validate the destination certificate and verify that the user reached the correct destination. By relying on the SNI value to determine whether to inspect the traffic or not, customers of these security vendors become vulnerable and exposed to malware, unauthorized site access and data exfiltration.

In addition, security teams are blind to this traffic due to misleading logs that show malicious traffic as benign. 
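A gateway-side version of the missing check described above, as an added example (not code from the article or from any vendor it names): the client-supplied SNI is used for URL filtering only when the certificate the destination actually presents covers that name. Function names, policy actions and the sample connections are constructed for illustration.

```python
# Added example: SNI-versus-certificate consistency check for an egress gateway.
# All names, policy actions and sample values are constructed for illustration.

def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()

def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate dNSName against a host name.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, as in RFC 6125 section 6.4.3.
    """
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def sni_verdict(sni: str, cert_dns_names: list, cert_chain_valid: bool) -> dict:
    """Decide whether the SNI may be trusted for URL filtering.

    cert_dns_names: dNSName SAN entries from the certificate the destination
    actually presented; cert_chain_valid: result of normal chain validation.
    """
    if not sni:
        return {"action": "inspect", "reason": "no SNI in ClientHello"}
    if not cert_chain_valid:
        return {"action": "block", "reason": "destination certificate untrusted"}
    if any(hostname_matches(n, sni) for n in cert_dns_names):
        return {"action": "apply-url-policy", "reason": "SNI confirmed by certificate"}
    # Log what the server really presented, not only the client-claimed name.
    return {"action": "block", "reason": "SNI/certificate mismatch",
            "claimed": _norm(sni), "presented": sorted(map(_norm, cert_dns_names))}

# Constructed sample connections: (SNI, SAN names of the presented certificate).
SAMPLES = [
    ("docs.example.com", ["*.example.com", "example.com"]),
    ("allowed.example.com", ["files.example.net"]),
    ("a.b.example.com", ["*.example.com"]),
]

if __name__ == "__main__":
    for sni, sans in SAMPLES:
        print(sni, "->", sni_verdict(sni, sans, cert_chain_valid=True))
```

In TLS 1.3 the server certificate is encrypted in the handshake, so a gateway obtains `cert_dns_names` by terminating the connection or by making its own handshake to the destination address. Recording the `presented` names in the log entry addresses the misleading-log problem the article mentions.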

Harmony Connect foils SNI Fraud

As shown in the video above, Harmony Connect, Check Point’s SASE solution, prevents SNI fraud and protects against such circumvention techniques by validating both the SNI value and destination certificate to properly secure encrypted traffic. 

As an integrated cloud SWG and branch FWaaS, Harmony Connect Internet Access ensures users enjoy the same level of protection—with a full cloud-delivered enterprise security stack—whether working inside or outside the office. 

Harmony Connect Internet Access blocks phishing sites in real time, prevents zero-day malware through advanced sandboxing and protects against browser exploits with a cutting-edge cloud-delivered intrusion prevention system (cloud IPS) for deep packet inspection (virtual patching).

Leveraging the power of ThreatCloud, which combines 30+ AI and machine learning engines with big data threat intelligence, the service ensures that every site visited and file downloaded is thoroughly inspected and vetted, blocking the most evasive attacks before they can reach users. 

Harmony Connect Internet Access’s comprehensive security includes data loss prevention (DLP), URL filtering and granular application controls. 
