
The Death of Next Generation Firewalls

posted Jan 13, 2015, 10:37 AM by Jer Cox   [ updated Jan 13, 2015, 11:29 AM ]

In the last few months we have seen a major push to encrypt everything on the web.  Services like promise full TLS encryption for any Linux based web server on the internet.  These new services are fantastic for increasing the security of the net.  The argument could easily be made that several governments unintentionally forced this new direction by intercepting massive amounts of internet traffic.  The resulting concern for privacy from government dragnets has spurred an enormous amount of public concern and frustration.  Since that time, many companies have begun to encrypt traffic that previously was not.  This is a common reaction in the IT industry after a major security risk is identified and subsequently exploited.

With this major push to fully encrypt the web also comes an unexpected challenge…

For many years several companies have been building web filtering appliances.  Many of these appliances are used in K-12 education where filtering is mandated by federal and state laws.  These filters view and intercept traffic in real time as it passes across a network.  

In more recent years several security companies have invested enormous amounts of R&D into a new security product that combines the power of three mainstream security products:  web filters, antivirus, and firewalls.  These products are called Next Generation Firewalls.  Next Generation Firewalls (NGFWs) are able to detect more undesirable traffic on a network than any previous firewall because of the depth at which they inspect packets.  NGFWs operate on all layers of the OSI model and are able to detect undesirable traffic with the use of signature-based analysis.  Signature-based analysis has been used for years in the detection of viruses and malware in antivirus products.  The real power behind putting these processes in the firewall is that the firewall can block a virus before it even reaches a computer on the network.  NGFWs can also use signature-based traffic analysis to detect other hacking attempts and security risks before they become a problem.

Most of the power in an NGFW depends on two key factors.  First, an NGFW needs to be able to see the traffic.  It needs to be able to see the actual unencrypted traffic as it passes from the client to the server.  Second, an NGFW needs to be able to compare that traffic with known signatures that can identify whether that traffic is malicious.

In those two key factors, NGFWs have a real problem:  

We encrypt the web and the NGFWs respond with a man-in-the-middle (MITM) method of decrypting the data.  In response to MITM decryption, companies deploy SSL/TLS pinning.  Pinning blocks any encrypted connection that presents an unknown certificate, with no option to bypass.  Some may argue that adding your firewall's certificate to the computer's trusted certificates should solve that problem.  Pinning effectively kills that technique too: some browsers ignore system certificates for specific services, and applications on mobile devices tend to ignore any and all system certificates, period.
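To make the pinning point concrete, here is an added example (not code from the original post) that models the two checks a pinning client performs: ordinary chain validation against a trust store, and an HPKP-style SPKI hash comparison. The certificates, key bytes and the "NGFW Inspection CA" name are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real ASN.1 parsing)."""
    subject: str
    issuer: str
    spki: bytes  # stands in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def chain_is_trusted(chain, trust_store) -> bool:
    """Simplified path validation: leaf first, each issuer must be the next
    subject, and the last issuer must be a trust-store anchor."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].issuer in {anchor.subject for anchor in trust_store}


def pinned_connection_ok(chain, trust_store, pins) -> bool:
    """A pinning client requires BOTH a trusted chain AND a pin match."""
    if not chain_is_trusted(chain, trust_store):
        return False
    return any(spki_pin(cert) in pins for cert in chain)


# Constructed certificates for the two scenarios in the text.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"public-root-key")
REAL_SERVER = Cert("example.test", "Public Root CA", b"real-server-key")
FIREWALL_CA = Cert("NGFW Inspection CA", "NGFW Inspection CA", b"ngfw-ca-key")
# Certificate the inspecting firewall mints on the fly with its own key.
FORGED_SERVER = Cert("example.test", "NGFW Inspection CA", b"ngfw-minted-key")

# Trust store with the firewall CA added, as the post says admins do.
TRUST_STORE = [PUBLIC_ROOT, FIREWALL_CA]
# The app ships the real server's pin.
PINS = {spki_pin(REAL_SERVER)}


def demo():
    """Returns (direct connection ok, intercepted ok, intercepted chain trusted)."""
    direct = pinned_connection_ok([REAL_SERVER], TRUST_STORE, PINS)
    intercepted = pinned_connection_ok([FORGED_SERVER], TRUST_STORE, PINS)
    trust_only = chain_is_trusted([FORGED_SERVER], TRUST_STORE)
    return direct, intercepted, trust_only
```

The intercepted chain passes trust-store validation (the firewall CA was installed) yet fails the pin check, which is exactly why installing the firewall certificate does not get past a pinning client.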

For years, we in the security community have known that the antivirus industry's days are numbered.  Viruses that mutate and encrypt themselves differently with every infection entirely defeat signature detection.  These types of viruses have a different signature with every infection, thereby eliminating the ability to detect them by signature.  For this specific reason the industry has been moving towards ideas like Trusted Computing (TC).  Apple's App Store, Google Play, and the Windows Store are all examples of this type of technology, where the software available is controlled and distributed with care to avoid unwanted code.

Having outlined the issues, it is obvious that NGFWs are built on assumptions that are quickly disappearing.  Once these things change, the capability of NGFWs will significantly diminish.  So the real question is: if Next Generation Firewalls are on their way out, should we spend a half million to purchase a system and painfully implement a dying technology in our networks?