With next-generation firewalls, there has been a lot of confusion in the market about what makes for a good solution. Organizations want a solution that will protect their gateway and business-critical applications. They also want something that will protect the perimeter, data centers and their cloud deployments — all under one central management interface. A good NGFW encompasses all this.
When asked, many IT people say they believe that their network firewalls and intrusion prevention systems do a good job at blocking exploits and malware. But the reality is quite different — and quite concerning. Cybercriminals can trivially mask their attacks with techniques called “evasions” that render their malicious payloads undetectable by even the most popular products in network security. Worse than zero-day vulnerabilities that put individual endpoint systems at risk, evasions can leave whole networks wide open to attack from anywhere on the internet.
A Constantly Evolving Enemy
How is this possible, after so many years of experience and development in addressing network threats? On the surface, sending information over networks seems straightforward. However, there are many ways that protocols at all levels in the stack can be abused to make traffic unrecognizable.
From gerrymandered IP fragmentation and out-of-order transmission to TCP-level overlapping and retransmitting of packets — and even application-level obfuscation of data — attackers have a myriad of ways to send malware-laden exploits in (and steal data out) without being detected by traditional packet-based inspection. Simple techniques, such as matching signatures against individual packets, don’t work against evasions. This has led to a wide disparity in the levels of protection afforded by different brands of firewalls and intrusion prevention systems.
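To make the packet-versus-stream distinction concrete, here is an added illustration (not code from the original post or from any vendor) of why per-packet signature matching misses a pattern split across out-of-order TCP segments, and how a reassembling inspector catches it while also flagging a retransmission whose bytes disagree with what was already seen. The segment offsets, payloads and the signature are constructed for the example.

```python
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence offset, payload)

def match_per_packet(signature: bytes, segments: List[Segment]) -> bool:
    """Naive packet-based inspection: look for the signature in each segment
    on its own. Misses a pattern that straddles a segment boundary."""
    return any(signature in payload for _, payload in segments)

def reassemble(segments: List[Segment]) -> Tuple[bytes, List[int]]:
    """Rebuild the byte stream from segments that may arrive out of order or
    overlap. Policy here: first-received data wins. Also returns the offsets
    where an overlapping retransmission carried DIFFERENT bytes, which an
    inspector should treat as suspicious, since the receiving host's own
    overlap policy decides which version it actually processes."""
    stream, seen, conflicts = bytearray(), bytearray(), []
    for seq, payload in segments:          # arrival order, no sorting
        end = seq + len(payload)
        if end > len(stream):              # grow to cover this segment
            stream.extend(b"\x00" * (end - len(stream)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, byte in enumerate(payload):
            off = seq + i
            if seen[off]:
                if stream[off] != byte:
                    conflicts.append(off)  # inconsistent retransmission
                continue
            stream[off] = byte
            seen[off] = 1
    return bytes(stream), conflicts

def match_stream(signature: bytes, segments: List[Segment]) -> Tuple[bool, List[int]]:
    """Stream-aware inspection: normalise first, then match."""
    stream, conflicts = reassemble(segments)
    return signature in stream, conflicts

# Constructed sample: the signature "cmd.exe" is split across segments that
# arrive out of order (offset 18 first, then 0, then 14).
SIGNATURE = b"cmd.exe"
OUT_OF_ORDER: List[Segment] = [
    (18, b" /c whoami\r\n"),
    (0, b"GET /run?x=cmd"),
    (14, b".exe"),
]
# Same stream plus a retransmission of offset 14 carrying different bytes.
INCONSISTENT_RETRANSMIT: List[Segment] = OUT_OF_ORDER + [(14, b".bat")]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SIGNATURE, OUT_OF_ORDER))   # False
    print("stream:", match_stream(SIGNATURE, OUT_OF_ORDER))           # (True, [])
    print("retransmit:", match_stream(SIGNATURE, INCONSISTENT_RETRANSMIT))
```

The conflict offsets are the signal a normalising IPS needs: rather than guessing which copy the endpoint will accept, it can alert on or drop the ambiguous stream.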
This evasion gap can be clearly seen in the results of NSS Labs’ recent tests of next-generation firewalls and intrusion prevention system (IPS) products. These industry-leading independent examinations of security products are placing more emphasis than ever before on evasions, reflecting the growing ease with which they can be incorporated into attacks using off-the-shelf toolkits like Metasploit.
Researchers with internet-based honeypots are now reporting seeing evasions in the wild spanning all levels of the networking stack. With threats such as Bad Rabbit, WannaCry and Petya combining different techniques to penetrate networks and spread throughout organizations, network security systems are having to adapt quickly and leave as little to chance as possible.
Getting the Right Tool for the Job
But what can network security professionals do to determine whether they are at risk? In addition to the testing done by NSS Labs, multiple tools are now available that can show in moments whether particular products and configurations can be penetrated, giving enterprises a better understanding of their risk posture and allowing them to make better-informed decisions.
I suggest you download the NSS Labs report to see how different firewalls and IPS systems stack up, and learn how to determine if your network is sitting naked on the internet.
Among the NGFWs listed in the NSS Labs report, we both have direct experience with Forcepoint’s offering. The benefits of Forcepoint’s NGFW are its drag-and-drop VPN, CASB analytics and application control through proxy inspection. With simple deployment and the ability to push configurations from the cloud, large deployments become much easier. Forcepoint also has a top-rated IPS solution, per NSS, and offers the ability to run in clusters rather than pairs, which eliminates any downtime. Forcepoint’s advanced evasion prevention and application-layer exfiltration protection are features that are driving conversations we have with customers.