Many useful features of next-generation firewalls go unused because IT staff do not configure them correctly. A security company that sells network security testing software reported that, in its testing, many users of so-called next-generation firewalls (NGFWs) are not getting the full benefit of the products because of poorly executed configurations, legacy security methods and other issues.
NGFWs bundle a multitude of security technologies, from intrusion detection and deep packet inspection to SSL, HTTP and TLS inspection capabilities. Many vendors already sell NGFWs, including Palo Alto Networks, Cisco, Check Point, Fortinet, Huawei, Sophos, Juniper Networks, Barracuda Networks, WatchGuard, Sangfor, Hillstone and SonicWall.
The power of next-generation firewalls comes from the products’ ability to implement rich security policies based on applications and users instead of ports and protocols. The security company said, “These policies should be easier to define than legacy firewalls. However, mistakes may occur due to human error. Additionally, errors may occur when security teams use auto-migration tools provided by vendors to migrate their existing firewall policies. Breach and attack simulation enables security exposure, and verifies that changes are effective and don’t introduce unintended consequences.”
Configuration errors are among the most frequently occurring issues with NGFWs, they added. Most vendors provide auto-migration tools to help new customers migrate from their legacy firewalls to NGFWs, but errors may still occur during the process, as vendor features and architectures vary.
The security company said it had discovered breach scenarios caused by these policy gaps and by errors stemming from assumptions about the new NGFW vendor’s default policies and auto-migration challenges. The list of issues includes:
Many users don’t decrypt encrypted traffic such as SSL, TLS and SSH, which can become a major blind spot for customers.
It is a common attacker tactic to hide malware in this traffic. NGFWs can terminate and inspect encrypted traffic to stop these threats, but this capability isn’t used as often as it should be. Cisco has also reported that 50 percent of global web traffic was encrypted as of October 2017; one contributing factor is the availability of low-cost or free SSL certificates.
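The two gaps described so far, rules carried over from a legacy port-based firewall by auto-migration and allow rules that pass TLS or SSH sessions without decrypting them, can both be caught by linting the policy before it goes live. The following is an added example written for this article, not a vendor's tool or the security company's product; the `Rule` schema, the port and application names, and the sample policy are constructed for illustration, since real NGFW exports use vendor-specific formats.

```python
"""Lint a migrated NGFW policy for any-to-any rules, port-only legacy rules
and allow rules that pass encrypted traffic without decryption.

Added example. The Rule schema, ENCRYPTED_PORTS, ENCRYPTED_APPS and
SAMPLE_POLICY are constructed assumptions, not a vendor's export format.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ANY = "any"

# Constructed: service objects and application objects that carry TLS/SSH here.
ENCRYPTED_PORTS = {"443", "22", "993", "995"}
ENCRYPTED_APPS = {"ssl", "ssh"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                            # "allow" or "deny"
    ports: List[str] = field(default_factory=list)         # legacy service objects; empty = any
    applications: List[str] = field(default_factory=list)  # app objects; empty = any
    decrypt: bool = False                                  # matching TLS/SSH sessions are decrypted


def allows_encrypted(rule: Rule) -> bool:
    """True if the rule can match TLS or SSH sessions, by port, by application, or by matching anything."""
    by_port = not rule.ports or ANY in rule.ports or bool(ENCRYPTED_PORTS & set(rule.ports))
    by_app = not rule.applications or bool(ENCRYPTED_APPS & set(rule.applications))
    return by_port and by_app


def lint_rule(rule: Rule) -> List[str]:
    """Return the findings for one rule; deny rules never produce findings."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings
    if (rule.src_zone == ANY and rule.dst_zone == ANY
            and not rule.applications and (not rule.ports or ANY in rule.ports)):
        findings.append("permits any-to-any traffic")
    if rule.ports and ANY not in rule.ports and not rule.applications:
        findings.append("port-based rule with no application constraint (legacy style)")
    if allows_encrypted(rule) and not rule.decrypt:
        findings.append("allows TLS/SSH traffic without decryption (inspection blind spot)")
    return findings


def lint_policy(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map rule name -> findings, keeping only rules with at least one finding."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample policy, as an auto-migration tool might produce it.
SAMPLE_POLICY = [
    Rule("legacy-web-out", "trust", "untrust", "allow", ports=["80", "443"]),
    Rule("any-any-migrated", ANY, ANY, "allow", ports=[ANY]),
    Rule("ssh-admin", "trust", "dmz", "allow", applications=["ssh"]),
    Rule("web-out-inspected", "trust", "untrust", "allow",
         applications=["web-browsing", "ssl"], decrypt=True),
    Rule("deny-all", ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_POLICY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run as a script it reports on three of the five rules: the two migrated port-only rules and the SSH rule that is never decrypted; the application-based rule with decryption enabled and the final deny pass clean. The check for "allows encrypted traffic" is deliberately broad (any rule without a port or application constraint counts), because a migrated policy that matches everything is exactly the case where the blind spot is largest.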
Overlooked coverage of network segmentation.
Next-generation firewalls are deployed to segment internal networks. Continuously validating that segmentation is important, because segmentation is a security best practice that breaks the kill chain and stops attackers from moving deeper into the network. The security company found internal servers that were communicating out to command-and-control servers. Attacks can come from anywhere; customers can’t just focus security on the edge any more, they added.
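One concrete way to keep validating segmentation is to replay the firewall's own allowed-flow logs against the segment map the policy is supposed to enforce and flag every cross-segment path that should not exist, which is how the server-to-command-and-control traffic described above would surface. The block below is an added example for this article, not the security company's or any vendor's code; the segment subnets, the allowed-path list and the log lines are all constructed, and the `key=value` log layout is an assumption (real NGFW log formats differ).

```python
"""Check allowed flows from an NGFW log against an intended segmentation model.

Added example. SEGMENTS, ALLOWED_PATHS, the key=value log layout and FLOW_LOG
are constructed assumptions and do not reflect any vendor's format.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed internal segments; anything outside them is treated as external.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed: the only cross-segment paths the policy is meant to permit.
# Note that nothing is allowed to originate from "servers" towards "external".
ALLOWED_PATHS = {
    ("users", "servers"),
    ("users", "dmz"),
    ("users", "external"),
    ("dmz", "external"),
}

# Constructed log sample in an assumed "timestamp key=value ..." layout.
FLOW_LOG = """\
2024-05-01T10:00:01Z src=10.10.4.12 dst=10.20.5.7 dport=443 proto=tcp action=allow
2024-05-01T10:00:02Z src=10.20.5.7 dst=203.0.113.45 dport=443 proto=tcp action=allow
2024-05-01T10:00:03Z src=10.20.5.7 dst=10.10.4.12 dport=445 proto=tcp action=allow
2024-05-01T10:00:04Z src=10.10.4.12 dst=198.51.100.9 dport=443 proto=tcp action=allow
2024-05-01T10:00:05Z src=192.168.100.3 dst=10.20.5.7 dport=3306 proto=tcp action=deny
"""


def segment_of(ip_str: str) -> str:
    """Name the internal segment an address belongs to, or 'external' if none."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> Dict[str, str]:
    """Split one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    flow = {"ts": ts}
    for item in fields:
        key, _, value = item.partition("=")
        flow[key] = value
    return flow


def find_segmentation_violations(log_text: str) -> List[Dict[str, str]]:
    """Return allowed flows whose segment-to-segment path is not in ALLOWED_PATHS."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.get("action") != "allow":
            continue  # denied flows are the policy working; only what got through matters here
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg or (src_seg, dst_seg) in ALLOWED_PATHS:
            continue
        flow["path"] = f"{src_seg}->{dst_seg}"
        violations.append(flow)
    return violations


def path_counts(violations: List[Dict[str, str]]) -> Counter:
    """Aggregate violations by path so the noisiest gap is reviewed first."""
    return Counter(v["path"] for v in violations)


if __name__ == "__main__":
    found = find_segmentation_violations(FLOW_LOG)
    for v in found:
        print(f'{v["ts"]} {v["path"]} {v["src"]} -> {v["dst"]}:{v["dport"]}')
    print(dict(path_counts(found)))
```

On the constructed log it flags two flows: a server in 10.20.0.0/16 connecting outbound to an external address on port 443 (the pattern the company described) and the same server opening SMB to a user workstation, a lateral path the model does not permit. Flows the firewall already denied are skipped, since the point is to find what the policy let through, not what it blocked.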
Getting a handle on Internet of Things (IoT) traffic.
NGFWs are an excellent way to corral IoT traffic, but customers need to set new policies and validate existing ones to make this work effectively. According to Cisco, adversaries are already exploiting security weaknesses in IoT devices to gain access to systems, including industrial control systems that support critical infrastructure. IoT botnets are also growing in both size and power and are increasingly capable of unleashing powerful attacks that could severely disrupt the internet.
“Attackers’ shift toward greater exploitation of the application layer indicates that this is their aim. But many security professionals aren’t aware of, or they dismiss, the threat that IoT botnets pose. Organizations keep adding IoT devices to their IT environments with little or no thought about security, or worse, [they] take no time to assess how many IoT devices are touching their networks. In these ways, they’re making it easy for adversaries to take command of the IoT.”