Legacy Firewalls Vulnerable to Encrypted Threats

Security analysts say encrypted threats have nearly quadrupled since January and may now represent more than two-thirds of all malware. The unfortunate truth is that your company may be powerless to stop these threats if your firewalls are more than a few years old.

The vast majority of organizations now use cryptographic protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to create secure tunnels for web communications, but hackers have gotten wise to this practice. For the past several years, malicious actors have increasingly used the same methods to conceal malware, ransomware, zero-day attacks and more.

Cybercriminals leverage encryption in various ways, such as creating duplicate SSL certificates, launching malware inside an encrypted tunnel, and inserting malicious code into servers to force them into revealing private information. They also execute man-in-the-middle attacks to intercept emails or steal credentials, transaction data and other private information.

Next-Gen Solutions

The best way to uncover these threats is by decrypting and inspecting encrypted data packets, but that is a compute-intensive process that traditional firewalls weren’t built to handle. Tests from NSS Labs find that the process of inspecting encrypted traffic degrades firewall performance by up to 95 percent — an intolerable performance impact. As a result, organizations commonly configure legacy firewalls to let all encrypted traffic pass through without inspection.

The latest next-generation firewalls (NGFWs) make it easier to manage encryption and decryption workloads with increased processing power and support for the latest encryption standards. Dedicated system-on-a-chip processors dramatically accelerate encryption and decryption operations, delivering 600 percent improvements in firewall throughput compared to the industry average.

In addition, firewalls that support the latest version of the TLS protocol can substantially reduce the computational processes required to decrypt and inspect data packets. TLS version 1.3 achieves significant performance gains through stronger cryptographic ciphers and an improved handshake process for establishing encrypted communication sessions.

Once traffic has been decrypted, NGFWs can apply deep packet inspection (DPI) to seek out encrypted threats. Unlike traditional stateful packet inspections that only examine packet headers, DPI looks at the content of data packets — making it far more effective at finding hidden threats within a data stream.

Skip Decryption?

Even with faster processing, streamlined decryption and deeper inspections, the whole process can be a drag on network performance. An emerging technique known as network traffic analysis (NTA) shows promise for improving visibility into encrypted traffic without the need for decryption.

NTA solutions use machine learning algorithms, behavior modeling and rule-based detection to continuously analyze packet data and network flow records. With that data, the NTA solution creates a baseline model of network behavior, which it can use to identify unusual activities or anomalies. For example, it might flag out-of-date security certificates, policy violations, weak encryption and other faults or vulnerabilities.

Encryption has become essential for data privacy, but it has also become a very efficient delivery mechanism for malware. Give us a call to learn more about using next-generation firewalls, deep packet inspection and network traffic analysis to detect and stop encrypted attacks without compromising network performance.