Getting the most out of your next-generation firewall

Next-generation firewalls have a lot of useful features, but they work only if IT pros use them, configure them properly and keep them updated.


Are you getting the most out of your next-generation firewall? Probably not if you take to heart recent research from SafeBreach.

SafeBreach, a relative newcomer to the security arena (it was founded in 2014), sells on-premises and service packages that continually run network breach simulations to help customers locate and remediate security problems.


Specifically, the company deploys software probes throughout customers’ networks and attempts to establish connections among devices and network segments, just as an attacker would when going after your data. These breach attempts are defined by SafeBreach’s Hacker’s Playbook, a library of known attack methods that uncovers network security weaknesses and shows how those weaknesses might be exploited.

The company recently discussed some of the chief issues it has found in customer test results, which show that many users of so-called next-generation firewalls (NGFWs) are not getting the full benefit of those packages because of bad configurations, legacy security methods and more.

Typically NGFWs bundle a multitude of security technologies, from intrusion detection and deep packet inspection to inspection of HTTP and SSL/TLS-encrypted traffic. A wide variety of vendors sell these powerful and sometimes complex NGFW packages, including Cisco, Palo Alto Networks, Fortinet, Check Point, Huawei, Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone and SonicWall.

According to SafeBreach, the power of NGFWs comes from the product’s ability to implement rich security policies based on applications and users, instead of ports and protocols.

“These policies should be easier to define than legacy firewalls. However, mistakes may occur due to human error. Additionally, errors may occur when security teams use auto-migration tools provided by vendors to migrate their existing firewall policies. Breach and attack simulation enables security teams to both optimize policies to minimize security exposure, and verify that changes are effective and don’t introduce unintended consequences,” the company said.  

Chris Webber, a security strategist with SafeBreach, says configuration errors are one of the most frequently occurring issues with NGFWs.

“Many users get tripped up if they only rely on vendor-supplied defaults,” Webber said. “A next-generation firewall can be like having a Swiss army knife on your network, but many times its features aren’t turned on, which lets attackers gain access.”

Webber also noted that most vendors provide auto-migration tools to help new customers move from their legacy firewalls to NGFWs, but that errors may occur during this process because features and architectures vary from vendor to vendor.

SafeBreach said it has discovered breach scenarios due to these policy gaps and errors resulting from assumptions about new NGFW vendor default policies and auto-migration challenges.

Another issue is that many users don’t decrypt encrypted traffic such as SSL, TLS and SSH, which can become a major blind spot for customers, Webber said. Hiding malware in this traffic is a common attacker tactic. NGFWs can terminate and inspect encrypted traffic to stop these threats, but unfortunately this capability isn’t used as often as it should be, he said.
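To make the two failure modes above concrete, here is a small policy model: a legacy port-based rule set, the same rules copied by a naive auto-migration (application and user still "any", decryption off), and the application/user-based policy the team actually intended. A handful of constructed flows is run through each policy, and flows that the migrated policy allows but the intended policy denies are reported as gaps, which is the kind of verification the breach-simulation argument calls for. This is an added illustration, not SafeBreach's or any firewall vendor's code; the rule syntax, the application names, the flows and the "opaque ssl session when not decrypting" behaviour are simplifying assumptions.

```python
"""Toy model of a port-based firewall policy, its naive auto-migration to an
NGFW, and the intended app/user-based policy, with a gap check between them.
All rules, application names and flows below are constructed for illustration
and do not follow any vendor's configuration syntax."""
from dataclasses import dataclass

ANY = frozenset({"any"})  # wildcard for a rule field


@dataclass(frozen=True)
class Flow:
    src_user: str
    proto: str
    dst_port: int
    app: str                 # what application identification sees in cleartext
    tls: bool = False        # session is TLS-encrypted
    malicious: bool = False  # payload a threat engine would flag if it could see it


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    proto: str = "any"
    dst_ports: frozenset = ANY
    apps: frozenset = ANY
    users: frozenset = ANY


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    decrypt_tls: bool = False       # assumption: a policy-wide decryption switch
    threat_inspect: bool = False    # assumption: threat engine runs on allowed flows


def _match(field_set, value):
    return field_set == ANY or value in field_set


def visible_app(policy, flow):
    """Without decryption the firewall only sees an opaque 'ssl' session."""
    return flow.app if (not flow.tls or policy.decrypt_tls) else "ssl"


def decide(policy, flow):
    """First matching rule wins; implicit default deny at the end."""
    app = visible_app(policy, flow)
    for r in policy.rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if not (_match(r.dst_ports, flow.dst_port) and _match(r.apps, app)
                and _match(r.users, flow.src_user)):
            continue
        # Threat inspection can only act on payload it can actually see.
        if r.action == "allow" and flow.malicious and policy.threat_inspect and app != "ssl":
            return "deny"
        return r.action
    return "deny"


def find_gaps(intended, candidate, flows):
    """Flows the candidate policy allows but the intended policy denies."""
    return [f for f in flows
            if decide(candidate, f) == "allow" and decide(intended, f) == "deny"]


# Legacy port-based policy (constructed).
LEGACY = Policy("legacy-port-based", (
    Rule("allow-web", "allow", proto="tcp", dst_ports=frozenset({80, 443})),
    Rule("allow-ssh", "allow", proto="tcp", dst_ports=frozenset({22})),
))

# Naive auto-migration: same rules rewritten 1:1, app/user still 'any', no decryption.
MIGRATED = Policy("auto-migrated", LEGACY.rules)

# What the security team actually meant: app- and user-scoped, decrypting and inspecting.
INTENDED = Policy("intended-app-based", (
    Rule("allow-web", "allow", apps=frozenset({"web-browsing", "ssl"}),
         users=frozenset({"staff"})),
    Rule("allow-ssh", "allow", apps=frozenset({"ssh"}), users=frozenset({"netops"})),
), decrypt_tls=True, threat_inspect=True)

# Same intended rules, but decryption was never switched on.
NO_DECRYPT = Policy("app-based-no-decrypt", INTENDED.rules,
                    decrypt_tls=False, threat_inspect=True)

# Constructed sample flows.
FLOWS = (
    Flow("staff", "tcp", 443, "web-browsing", tls=True),                  # ordinary HTTPS
    Flow("staff", "tcp", 443, "ssh"),                                     # SSH tunnelled over 443
    Flow("contractor", "tcp", 443, "web-browsing", tls=True),             # user out of scope
    Flow("staff", "tcp", 443, "web-browsing", tls=True, malicious=True),  # malware inside TLS
    Flow("netops", "tcp", 22, "ssh"),                                     # legitimate admin SSH
)

if __name__ == "__main__":
    for gap in find_gaps(INTENDED, MIGRATED, FLOWS):
        print("gap:", gap)
    print("malware in TLS, no decryption:", decide(NO_DECRYPT, FLOWS[3]))
    print("malware in TLS, decryption on:", decide(INTENDED, FLOWS[3]))
```

Run against the constructed flows, the migrated policy lets three flows through that the intended policy denies: SSH tunnelled over port 443, a user outside the allowed group, and a malicious download inside TLS. The last flow is also allowed by the otherwise correct app-based policy when decryption is left off, which is the blind spot Webber describes: the rule matches an opaque "ssl" session and the threat engine never sees the payload.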

Indeed, Cisco quantified the issue in its 2018 Annual Cybersecurity Report, saying 50 percent of global web traffic was encrypted as of October 2017.

“That is a 12-point increase in volume from November 2016. One factor driving that increase is the availability of low-cost or free SSL certificates. Another is Google Chrome’s stepped-up practice of flag
