The Firewall is DEAD… Long Live the Firewall!


I love firewalls!!! LOVE THEM!!!! I have this weird sense of power when I am setting one up, like I am standing at the gates protecting the village from the angry horde of marauding thugs. I’m one of the good guys and you shall not pass!!! I know… super nerdy, but it is true. However, we need to talk about a reality affecting all security professionals. Next Gen Firewalls are becoming less helpful. (stay with me… I know you already want to yell at me). Over the years more and more of the traffic on the Internet has become encrypted, which I think we should all look upon positively. However, with encryption comes less visibility. Breaking TLS/SSL to inspect traffic is computationally expensive, operationally difficult, and error prone. As a result, most organizations aren’t inspecting that traffic for malware or applying Intrusion Detection/Prevention (IDS/IPS). This report claims that 87% of all traffic is now encrypted. My home network analytics confirm this with my own traffic patterns. I am here to state that most of that encrypted traffic is not being inspected. So what does that mean???

I believe this means two things… 1/ Inspection at the point of decryption is more important than ever. 2/ Firewalls are still important, but mainly for their firewall functionality (stateful packet inspection, port blocking, protocol mismatching, etc.)

Let’s dive into the first one. Traffic is decrypted at two places, the source and the destination. Both of these locations are becoming more important when we can’t scan packets on the wire. This makes security tools implemented on these two locations even more important. Anti-malware, anomaly detection, behavioral analytics, and more are so very important.

On point number 2, firewalls still have their place, but they don’t need to be as advanced as they have become. They need to do some very basic tasks and do them very quickly (line rate speed). Maybe you don’t need that fancy IPS any longer???

So where do we go from here? Well, I think investing in technologies that provide protection for servers and endpoints is imperative. I think we will see better decryption and inspection on the server side, specifically with cloud based firewalls. I also believe that IPS, as an industry, is going to suffer. So if you are a provider of data (server side), look to invest in technologies that protect your workload and cloud based firewalls that are inspecting unencrypted traffic or that have access to the keys to do rapid decryption. If you are on the client side, harden those endpoints. This advice holds more true than ever as many endpoints don’t stay within the four walls of your enterprise… they grow legs and roam around the world. Finally, don’t kill your firewall; they still provide a very needed first line of protection, but we need to acknowledge that they have lost some of their superpowers in this new(ish) world of encryption.

For the record… more end to end encryption is better for us all!! SSL/TLS decryption/inspection through a client side firewall is breaking a core tenet of the modern Internet. I have a personal belief that this is wrong and we should not be doing it. End to end encryption is important and needs to be protected.

Note: there is a lot of work being done in this space to identify malware without breaking encrypted packets. I am aware of some of the work, but I am sure there is much more being done out there. Keep watching this part of the industry. Using traffic patterns, destinations, and other markers is very promising in preventing malware even in encrypted packets. 
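To make the two points above concrete (basic firewall tasks such as protocol mismatching from point 2, and identifying bad traffic from markers without decrypting it from the note above), here is an added example that is not from the original post. It parses the unencrypted TLS ClientHello that starts every TLS session, pulls out the Server Name Indication (SNI) and offered cipher suites, flags non-TLS bytes arriving on port 443 as a protocol mismatch, and checks the SNI against a denylist. The denylist entries, the packet contents, and the `classify_flow` verdict names are all constructed for this example.

```python
import struct
from typing import List, Optional

# Constructed denylist for the example; a real deployment would feed this from threat intel.
SNI_DENYLIST = {"malware-c2.example", "bad.example.net"}


def build_client_hello(sni: str, cipher_suites: List[int]) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record with a server_name extension.
    Used here only to construct sample traffic so the example runs offline."""
    host = sni.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # client random (zeros; constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Extract version, cipher suites and SNI from a TLS ClientHello record.
    Returns None when the bytes are not a TLS handshake record at all."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None                                   # not ContentType handshake / ClientHello
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                   # truncated record
    p = 9                                             # record header (5) + handshake header (4)
    version = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    p += 32                                           # skip client random
    sid_len = data[p]; p += 1 + sid_len               # skip session id
    cs_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = data[p]; p += 1 + comp_len             # skip compression methods
    sni = None
    if p + 2 <= len(data):
        ext_len = struct.unpack("!H", data[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            if etype == 0x0000 and elen >= 5:         # server_name extension
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                sni = data[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}


def classify_flow(dst_port: int, payload: bytes, denylist=SNI_DENYLIST) -> str:
    """Verdict a firewall can reach from the first packet without decrypting anything."""
    hello = parse_client_hello(payload)
    if dst_port == 443 and hello is None:
        return "protocol-mismatch"                    # something other than TLS on the TLS port
    if hello is None:
        return "not-tls"
    if hello["sni"] in denylist:
        return "blocked-sni"                          # destination marker matched, no decryption needed
    return "allowed"


if __name__ == "__main__":
    good = build_client_hello("www.example.com", [0x1301, 0xC02F])
    bad = build_client_hello("bad.example.net", [0x1301])
    print(classify_flow(443, good))                   # allowed
    print(classify_flow(443, bad))                    # blocked-sni
    print(classify_flow(443, b"GET / HTTP/1.1\r\n"))  # protocol-mismatch
```

The point of the example is that everything it acts on (record type, SNI, cipher suite list) sits in the clear before the encrypted channel is established, so a firewall can enforce a destination denylist and a protocol-on-port check at line rate without ever terminating TLS. Encrypted Client Hello, when deployed, hides the SNI, so the cipher suite list and destination address become the remaining markers.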

What do you think of my take? Am I wrong? Am I spot on?