A network sandbox is an isolated testing environment that enables security teams to observe, analyze, detect, and block suspicious artifacts traversing the network. A network sandbox provides an additional layer of defense against previously unknown attack vectors.
With a network sandbox, security teams can carry out advanced malware analysis by allowing suspicious files to run in a segregated environment that emulates an actual end-user operating environment.
Network Sandboxing for VMware NSX Service-defined Firewall
Network sandboxes provide a crucial tool to unmask malicious code that other security tools may not recognize. The best network sandboxes provide the following benefits:
- Comprehensive Analysis: Certain network sandboxes detect even the latest malware engineered to defeat advanced or next-generation enterprise security tools — firewalls, intrusion prevention systems, and even less sophisticated sandboxes.
- Complete Visibility: Security teams can thoroughly examine suspicious traffic with full visibility into every behavior engineered into a file or URL, and all instructions that a program executes, all memory content, and all operating system activity.
- Faster Responses: By unmasking malicious code before it gets into the network, network sandboxes enable incident response teams to provide very fast responses to attacks.
Leading the industry in network sandboxing, VMware NSX Advanced Threat Analyzer™ provides unrivaled visibility into unknown threats. NSX Advanced Threat Analyzer’s capabilities go far beyond traditional sandboxes, which typically only have visibility down to the operating system level, returning significantly lower detection rates and higher false positives, and are easily identified and evaded by advanced malware. NSX Advanced Threat Analyzer features unique isolation and inspection environment that simulates an entire host (including the CPU, system memory and all devices) and is able to interact with potential malware to elicit and track every malicious behavior.
NSX Advanced Threat Analyzer is offered alongside Advanced Threat Prevention in the NSX Service-defined Firewall, a distributed, scale-out internal firewall that secures data center traffic across all workloads.
A network sandbox provides a way to evaluate unfamiliar artifacts that may hide malicious content. As advanced malware has increasingly adopted sophisticated obfuscation techniques to evade more common endpoint and network security defenses, organizations have responded with advanced threat protection analysis solutions and network sandboxes. A network sandbox gives organizations a vital tool to protect critical infrastructure by identifying and blocking novel threats.
A network sandbox intercepts artifacts entering and traversing the network.. The sandbox appears to the potential malware to be a fully-functioning end-user environment, and it coaxes suspicious files into running their routines — executing, downloading other files, connecting to URLs, etc. The sandbox analyzes a suspect file’s and network behavior, and either allows the file to continue into the network, blocks it, or quarantines it for further investigation.
Network sandboxes are ideally combined with an advanced threat protection solution to round out detection and response capabilities.
The simplest way to set up a sandbox is by provisioning a virtual machine. The VM’s virtualized hardware resources will be segregated from other resources on your network, providing a protected space in which to test software.
Bear in mind that malicious actors will often try to detect and evade a sandbox — or find and exploit vulnerabilities in that sandbox — as part of their attack.
Among the other sandbox options, there are two types:
- Complete Environment Emulation:This type of sandbox replicates all of a system’s physical hardware, which provides the greatest visibility into a malware’s behavior.
- Operating System Only: Here the sandbox simply simulates an end user’s operating system, but not actual hardware.