Firewalls—they’re pretty boring, right? How many times have you yawned at the mention of these essential but unexciting devices? That might have been true in the past. But, did you know that even next-gen firewalls are subject to hype and might be on the road to extinction?
Hackers, Firewalls and AI
For many IT admins and developers, a traditional firewall is a thing of the past—it’s vulnerable, inefficient and downright clunky. After all, more than 80% of US enterprises already use next-generation firewalls (NGFW) somewhere in their IT infrastructure. Doesn’t that mean that traditional firewalls have already gone the way of the dodo?
After all, even NGFW are mature assets well established in the IT product mainstream. For more than five years, NGFWs have given enterprise IT teams a leg up in protecting company data. Problem is, they’re not cutting-edge technology any more.
Now, hackers are making “insider attacks,” some of which use AI to endanger data within network perimeters. To understand the changes in hacker and firewall technology, it helps to review scenarios that traditional, next-generation and advanced firewalls make possible.
By the way, the hype referred to in the introduction is exactly that. All enterprise firewalls available currently on the market are “next generation.” So, we’ll refer to them as what they are—enterprise firewalls.
Invade. Barricade. Repeat (with More Sophisticated Tech).
IT security has been a constant exchange of attack and response between system designers and hackers. Hackers snoop where they're not welcome; designers find more sophisticated ways to barricade access to sensitive information.
Will these cycles of attack and response deliver real value to organizations? To answer this question, it helps to review traditional firewalls to see the technological back-and-forth between hackers and businesses.
Baseline Reality Check: Traditional Firewalls
Traditional firewalls are relatively simple. They control data moving in and out of a network by monitoring its operating state and connections via protocols and ports. That includes these functions:
- Protecting network perimeter
- Following web protocols
- Controlling protocols and ports
- Restricting traffic to and from specific IP addresses.
- Filtering packet contents
- Translating network addresses
- Supporting VPN operation
These simple functions were no match for the hackers of the time (about 5 years ago). Traditional firewalls had several serious shortcomings:
- Lacked the intelligence to distinguish different kinds of web traffic.
- Couldn't accept or reject specific bits of web traffic in a selective way.
- Operation was limited to the Data Link and Transport layers of the network model. As a result, firewall software could identify and control traffic (moving data) but not analyze it.
These shortcomings opened the way to the next level of threats: at the application level.
HACKER ATTACK #1: Application-Level Attacks
Hackers developed and delivered a new wave of web-based malware and intrusion attacks, which:
- Targeted specific applications at the application layer of the network model.
- Bypassed perimeter protections, which made users susceptible to malicious emails or phishing.
- Concealed threats within the content itself.
- Delivered infected content over the network, undetected.
RESPONSE #1: Enterprise Firewalls
A new generation of more capable firewalls included:
- A more effective form of security, which wasn't just tied to the IP addresses.
- Newer rules for controlling websites and managing applications.
- Improved decision making, such as using reputation services or identity services such as Microsoft® Active Directory®.
- Simplified management of many different security products.
These new firewalls were designed to inspect traffic at a much more detailed level than before. Their advanced technologies enable security ops teams to inspect traffic more deeply and better control individual applications in a network.
Specific firewall capabilities included:
- Inspecting and blocking traffic through ports and protocols.
- Preventing intrusions by inspecting network packet signatures and using advanced anomaly detection features.
- Performing deep-packet inspections by searching for and blocking known threats inside traffic packets (not just packet headers).
- Inspecting and stopping known threats, even if the traffic is encrypted.
So, what makes traditional and enterprise firewalls different? Their capabilities.
From Data Traffic Cop to Data Analyst
Stateful firewalls are data traffic cops. They use a set of relatively simple rules to accept, reject or route data traffic through the perimeter of a network. Advanced security threats challenged and stimulated development of more sophisticated firewalls, which extend control of data to the application level.
These firewalls have gotten “smarter,” that is, better able to analyze data traffic and defend against the next wave of security threat challenges.
More Intelligent Data Handling Capabilities
Enterprise firewalls combine intrusion detection and protection systems that analyze traffic behavior, threat signatures or other atypical activity. By filtering content up to the network application layer, they inspect data traffic in greater detail than traditional firewalls.
When we say “next-generation” firewalls, we mean firewalls that are application-aware.
Traditional firewalls block common network application ports or services to control application access and monitor specific known threats. In more complex, modern networks, it’s extremely difficult to identify which port is targeted by a threat.
To solve this problem, new firewall appliances monitor network traffic from network layers 2 through 7 of the protocol stack, up to the application level. These firewalls are intelligent enough to determine exactly which packet is being sent or received and which application is targeted.
Sophisticated Policy Rules
Traditional firewalls use a simple “accept or reject” policy rule. If the content satisfies policy rules, it is sent on. Otherwise, it's blocked. Application awareness also enables companies to set conditional policies depending on the user’s role and the application. For example, it’s possible to permit users to access Facebook but block Facebook Chats.
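To make the policy difference concrete, here is an added example in Python (not code from the original article): a toy evaluator with a port-based rule beside an application-aware rule set that implements the "allow Facebook, block Facebook Chat" policy with a role-based exception. The flow fields, role names and the "unknown-saas" application are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample flows. Every one is HTTPS to port 443, so a port/protocol
# rule sees them as identical. The app/sub_app fields stand in for what an
# application-aware firewall derives from inspecting the traffic itself, and
# user_role for what it learns from an identity service lookup.
@dataclass(frozen=True)
class Flow:
    user_role: str
    dst_port: int
    protocol: str
    app: str
    sub_app: Optional[str] = None   # finer-grained function inside the app

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    role: Optional[str] = None      # None matches any value
    app: Optional[str] = None
    sub_app: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        pairs = ((self.role, flow.user_role), (self.app, flow.app),
                 (self.sub_app, flow.sub_app))
        return all(cond is None or cond == value for cond, value in pairs)

def port_policy(flow: Flow) -> str:
    """Traditional rule: allow the web ports, reject everything else."""
    return "allow" if flow.protocol == "tcp" and flow.dst_port in (80, 443) else "deny"

def app_policy(flow: Flow, rules) -> str:
    """Application-aware rule set: first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"

# Policy from the text: users may reach Facebook but not Facebook Chat.
# The (hypothetical) marketing role may chat too; rule order encodes the exception.
RULES = [
    Rule("allow", role="marketing", app="facebook"),
    Rule("deny", app="facebook", sub_app="chat"),
    Rule("allow", app="facebook"),
]

FLOWS = {
    "staff_browsing": Flow("staff", 443, "tcp", "facebook"),
    "staff_chat": Flow("staff", 443, "tcp", "facebook", "chat"),
    "marketing_chat": Flow("marketing", 443, "tcp", "facebook", "chat"),
    "staff_unknown_app": Flow("staff", 443, "tcp", "unknown-saas"),
}

def compare() -> dict:
    """Return {flow name: (port-based verdict, application-aware verdict)}."""
    return {name: (port_policy(f), app_policy(f, RULES)) for name, f in FLOWS.items()}
```

Running `compare()` shows the port-based rule allowing all four flows while the application-aware rule set permits only the browsing flow and the marketing exception.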
Automatic Threat Updates
Maintaining and updating malware and antivirus software manually is time-consuming and expensive. Enterprise firewalls include antivirus and malware protection that's upgraded automatically whenever new threats are discovered.
These devices also minimize the likelihood of attack by:
- Limiting the number and variety of approved applications that run on a network.
- Scanning approved applications for any hidden vulnerabilities or confidential data leaks.
- Reducing risks from any unknown applications.
First Line of Defense Against AI-Based Mayhem
Although enterprise firewalls are huge improvements to earlier models, they still have trouble stopping the next wave of threats. Hackers, who are now using artificial intelligence and machine learning, are not slowed down by an enterprise firewall alone.
Faster, Cheaper Path to Building Cybercrime Platforms
More and more hackers are building and using sophisticated, AI-based platforms. Why? It’s becoming easier and less expensive.
Start with stolen compute cycles from compromised computers or fraudulent cloud accounts. Add open source software such as TensorFlow or OpenAI. Voila! With a bit of computing experience, you have a customized hacking platform. PhD-level expertise and significant capital are not required.
Cybercriminals are using AI to reduce the days or weeks of manual probing and analysis it used to take to execute attacks on the application layer. Previously complex and time-consuming attacks now take hours.
Next-Generation Firewalls: Down but Not Out
Hackers have responded to more than five years of enterprise firewall deployments by developing even more elaborate exploits. Their focus is on application-layer attacks and on using the TLS protocol to hide the connections. Hackers already use application security scanners to find vulnerabilities such as those that appear on the OWASP Top 10 list.
Does this mean that modern firewalls are dead? Despite occasional alarmist headlines, no. Perimeter protection will continue to be a critical component in business security solutions. However, expect the old-fashioned notion of the firewall as a configure-it-and-forget-it appliance to be over soon.
Facing Off with Hackers: Five Approaches to Enterprise Security
Endless tit-for-tat responses between hackers and security specialists. Hackers using more and more sophisticated tools. Redistribution of firewall functions to other tools. This is the dizzying, fast-paced world of enterprise security.
This reality puts heavy demands on security pros and IT managers. Here are five ways that organizations can respond to modern security threats:
- Get back to security basics.
One approach to avoiding high-profile security breaches: practicing basic security hygiene. This is not a no-brainer. Most organizations don't patch or replace their vulnerable devices consistently.
Configuring and coordinating policies eats up a lot of IT resources, especially with the advent of IoT devices. This complexity puts out the welcome mat for cybercriminals, who need only one compromised device to get into a domain.
This is a useful response, but only if it’s used with another approach.
- Follow firewall tradition.
Go into denial. Keep using traditional firewalls. It’s true, 80% of enterprises use NGFW, but that still leaves a lot of territory for hackers preying on enterprises and SMBs.
Plainly, this approach is not recommended. Instead, plan for the most advanced firewall that your circumstances allow.
- Protect yourself at the application layer.
That is, keep using enterprise firewall models that have been deployed for the past 5 to 10 years. You’ll do better than security traditionalists, but every year, your domain (inside your security perimeter) is becoming easier and easier to hack.
- Look beyond the firewall-based security model.
When you hear claims that the firewall is dead, don't believe it. Instead, expect separate firewall functions to become part of highly intelligent—and highly encrypted—security systems.
- Fight AI with AI.
AI-enabled hackers are today's most advanced security threat. That means that security pros must become AI-enabled, too. And they are. Forward-looking security teams are evaluating and adding AI capabilities to their perimeter and intranet infrastructure.
For example, some enterprises are looking at an AI-powered security operations and analytics platform architecture (SOAPA) as an evolutionary replacement for SIEMs. This alternative combines AI machine learning with end-to-end encryption.
Whether you vote for enterprise firewalls or their AI-based descendants, you’ll get the greatest value if you focus on the vendor, throughput and capabilities that are right for your organization.
Going Down Your Firewall Shopping List
New and varied access methods and more sophisticated hacking tools make for more potent attacks. Security operations teams have the job of picking the right tools for their organization’s IT infrastructure and business goals. What are the important decision points for buying or upgrading a firewall?
Choosing a Firewall Vendor in a Crowded Market
Gartner describes the enterprise firewall market as saturated. Firewall solutions have gone mainstream and replaced most stateful firewalls in enterprises.
If you're replacing or upgrading a legacy stateful firewall at your network perimeter, an enterprise firewall is a good pick. That’s because it tightly integrates the capabilities of traditional firewalls with network intrusion prevention and many other stand-alone services.
After the requisite planning stage that targets high-level business and IT goals, consider vendors who offer firewalls that meet your cost and throughput requirements.
Initial capital expense of firewall hardware is not the only expense your enterprise firewall installation requires. That’s because firewalls run complex software systems that are bundled with the hardware. As a result, capital and ongoing costs can include any combination of the following:
- One or more pieces of hardware
- A central management software that controls the hardware
- Additional software programs
- Installation costs
- Ongoing maintenance costs
- Support costs
- Update costs
Firewall costs are proportional to system performance, as measured by throughput. This can range from about $6 to $1.50 per megabit.
How big a firewall appliance will you need? This important decision depends on your network's structure, configuration and throughput requirements.
However, using throughput as a measure of performance and cost creates a very big problem. Vendors offer appliances with different levels of network throughput. There’s no way to standardize the algorithms or methods vendors use to calculate it. As a result:
- Vendors offer wildly different levels of network throughput—and costs.
The initial purchase price of a system that includes five firewalls and a central management system can range from $30,000 to $715,000, with the average being about $200,000.
- The difference between maximum throughput as advertised and as tested is also huge.
When prospective customers run firewall products through a real-life test, maximum throughput figures can plummet by up to a third. That’s why pre-purchase testing that mimics the traffic of a real-life data center is a good idea.
Security Protection for Your Organization
We’ve delivered a lot of information, which we hope is helpful. Here are our bottom-line suggestions, which we hope you consider:
- Create a security plan for your organization.
- As part of your plan, decide:
  - Whether security protection or performance is more important.
  - Whether you can upgrade your legacy enterprise firewall to a more advanced application-aware firewall.
  - Whether you have the budget, security team skills and stakeholder support to move up to SOAPA or other hybrid security solutions that include end-to-end encryption and artificial intelligence.
- Determine your network's maximum throughput requirements.
- Use throughput requirements and cost limits to guide your firewall purchase.
- Add up the other items in your total cost of firewall ownership calculation. Example: If you're taking the back-to-basics approach, identify and consider the IT labor costs of patching and replacing security software.