Feature Request Sandbox.

Started by AlexV, January 23, 2020, 02:20:34 PM

January 23, 2020, 02:20:34 PM Last Edit: January 23, 2020, 02:40:44 PM by AlexV
I was checking the new features of Fortinet firewalls, and I found a couple of interesting things: the first is the integration with a sandbox, which allows you to analyze the behavior of suspicious files, even with 0-day viruses,
and the second is intent-based segmentation and the Zero Trust concept.

Check these videos for more detail:

https://www.youtube.com/watch?v=k6s6g3mTWW8

https://www.youtube.com/watch?v=J6217_AL4ps

https://www.youtube.com/watch?v=0dAx-44gC2I


There is no sandbox on OPNsense but with a custom ICAP server it should be possible to extract the files and send them to an open source sandbox:

https://cuckoosandbox.org/

Such an analysis is usually too slow to run inline, so you need to isolate the host after a possible infection as well; that means you must move the downloaded file to an internal server or push it to the host that requested it. There is also no solution for other protocols like mail or FTP.

January 23, 2020, 04:30:08 PM #2 Last Edit: January 23, 2020, 04:37:57 PM by AlexV
Yes, I mean this.

Yes, of course I am referring to an external sandbox; currently, however, it must be studied, because OPNsense has several malware detection methodologies, first of all Suricata and Squid + ClamAV.
The files to be sent to the sandbox are obviously those that have passed the first checks of Suricata and ClamAV.

In addition, a client is required to be installed on the machines to be defended, through which, if OPNsense realizes that it has sent a potentially infected file, it is possible to disable the network card.

The FortiGate sandbox works like this:
1) the files are examined by the IPS;

2) the files are analyzed by the antivirus;

3) if the file passes these two checks, it is sent to the destination host, but a copy is sent to the sandbox, which analyzes it;

4) as soon as the sandbox has finished analyzing the file, it gives the response to the firewall.

At this point, if the file is OK, everything ends there; but if the sandbox believes it to be a dangerous file, it tells the firewall, which disables the network connection of the host that downloaded it.
In addition, the firewall updates the antivirus and IPS signatures.


Suricata and ClamAV have nothing to do with a sandbox. Sandboxing means the file is executed on a sandboxed system and the system calls are checked for anomalies.

Nice idea combining it via ICAP. Maybe you can adapt this on your own ICAP implementation? :)

January 23, 2020, 06:39:17 PM #4 Last Edit: January 23, 2020, 06:50:02 PM by AlexV
Quote: "Suricata and ClamAV have nothing to do with a sandbox. Sandboxing means the file is executed on a sandboxed system and the system calls are checked for anomalies."

I agree; not least, the integration between IPS, antivirus and sandbox is the best strategy to filter malicious traffic.
If a package is judged malicious based on well-known signatures from the antivirus and the IPS, there is no need to forward it to the sandbox to test its behavior,
while a package deemed safe by IPS and antivirus could still be 0-day malware.

In this case the sandbox allows detecting it, creating a new signature for IPS and AV, and adding it to the current IPS and firewall rules.

In this way you have a system that works proactively.

Moreover, it is possible to limit the activity of the infected machine, for example by switching the network card off (via a client installed on the machine) or even switching off the switch port to which the machine is connected, but generally this is done by the NAC.

This type of integration is too complex for, and requires too many resources from, the OPNsense project.
Or am I wrong?

What can be done is to send files from Suricata to Cuckoo, with no bidirectional integration.
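The one-way hand-off proposed in this post (and the ICAP/Cuckoo idea earlier in the thread), as an added example that is not code from the thread, OPNsense or Cuckoo. It assumes Suricata runs with file extraction and the file-store v2 layout (files saved under <filestore>/<first two hex chars>/<sha256>), that eve.json carries `fileinfo` events, and that Cuckoo's REST API exposes `POST /tasks/create/file`; the API address, file-store path and eve.json lines are constructed.

```python
import json
import os
import urllib.request

CUCKOO_API = "http://127.0.0.1:8090"        # assumed Cuckoo REST API address
FILESTORE = "/var/log/suricata/filestore"   # assumed Suricata file-store root
BOUNDARY = "suricata2cuckoo"                # fixed multipart boundary for the POST
# Constructed eve.json lines (not real traffic): a stored file, the same hash
# seen again on another host, and a file Suricata did not store.
SAMPLE_EVE = [
    '{"event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"192.0.2.10",'
    '"fileinfo":{"filename":"/dl/invoice.exe","sha256":"ab12","stored":true}}',
    '{"event_type":"fileinfo","src_ip":"203.0.113.5","dest_ip":"192.0.2.11",'
    '"fileinfo":{"filename":"/dl/invoice.exe","sha256":"ab12","stored":true}}',
    '{"event_type":"fileinfo","fileinfo":{"filename":"/logo.png","sha256":"cd34","stored":false}}',
]

def filestore_path(sha256, root=FILESTORE):
    """Suricata file-store v2 layout: <root>/<first two hex chars>/<sha256>."""
    return os.path.join(root, sha256[:2], sha256)

def select_stored_files(eve_lines):
    """Keep 'fileinfo' events whose file hit disk, one per sha256 (detonate once)."""
    seen, out = set(), []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                        # skip a truncated or partial line
        fi = ev.get("fileinfo") or {}
        sha = fi.get("sha256")
        if ev.get("event_type") != "fileinfo" or not fi.get("stored") or not sha or sha in seen:
            continue
        seen.add(sha)
        out.append({"sha256": sha, "path": filestore_path(sha),
                    "name": os.path.basename(fi.get("filename") or sha)})
    return out

def multipart_body(name, data):
    """multipart/form-data body with the single 'file' field /tasks/create/file expects."""
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="{name}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    return head + data + f"\r\n--{BOUNDARY}--\r\n".encode()

def submit(entry, data=None, api=CUCKOO_API, opener=urllib.request.urlopen):
    """Send one stored file to Cuckoo and return its task id (one-way: no verdict comes back)."""
    if data is None:                        # read from the Suricata file store
        data = open(entry["path"], "rb").read()
    req = urllib.request.Request(f"{api}/tasks/create/file", data=multipart_body(entry["name"], data),
                                 headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"})
    with opener(req) as resp:
        return json.load(resp)["task_id"]
```

Run it against a live eve.json with `for e in select_stored_files(open(path)): submit(e)`; the verdict is then read from Cuckoo's report, nothing flows back to the firewall.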

Quote from: ekke on January 05, 2021, 12:02:23 PM
This type of integration is too complex for, and requires too many resources from, the OPNsense project.
Or am I wrong?

What can be done is to send files from Suricata to Cuckoo, with no bidirectional integration.

Agreed... I would not want OPNsense to do this. Passing it to an open source sandbox is the best way. It's on my list of things to do, but not there yet.