An Image Problem II
Cyberratings.org, a non-profit technical testing organisation, recently released a report on eight NGFW firewalls. Seven of the vendors’ products tested received a recommended rating and one, Cisco, received a caution for their Firepower Threat Defense product.
CyberRatings Announces Enterprise Firewall Test Results – CyberRatings
The full report is behind a paywall but more insight is provided here:
I happened on this through an excellent new podcast called Packet Protectors which targets the intersection of networking and security. Their latest episode includes an interview with the CEO of Cyberratings and I recommend a listen.
One of the key findings of the NGFW report was that the majority of the traffic through firewalls (80% plus) is encrypted and thus decryption matters. When deploying a new firewall (of any ilk) I always recommend decryption but am surprised by how often clients shy away from it. There is some work and planning involved: you have to use a trusted sub CA certificate on the firewall and make sure your hosts trust it, and you also need to anticipate that decryption will break access to some websites which use certificate pinning (and there are other sites you shouldn’t decrypt – banking, medical etc). Also, despite specialised chipsets for hardware firewalls, it is computationally expensive. In one role I had for a very large financial organisation, a large part of my job seemed to involve trying to work out what we could get away with not decrypting to try and keep a fleet of proxies’ CPUs from maxing out. OK, thinking about it, I can understand some reservations around decryption but still think they’re worth addressing.
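A small audit script illustrating the two deployment points above (hosts must trust the inspection sub CA, and exempt categories must actually be bypassed). This is an added example, not code from the post; the CA name and the bypass hosts are constructed placeholders, and `audit` takes an injectable fetcher so the policy check can be exercised without a network.

```python
import socket
import ssl

# Constructed placeholders for this example: the CN of the firewall's inspection
# sub CA and the hosts that policy says must NOT be decrypted (banking, medical, pinned).
INSPECTION_CA_CN = "Example Corp TLS Inspection CA"
BYPASS_HOSTS = {"bank.example.com", "clinic.example.com"}


def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_inspected(cert):
    """True when the chain was re-signed by the inspection CA, i.e. the session was decrypted."""
    return issuer_cn(cert) == INSPECTION_CA_CN


def classify(host, cert):
    """Compare what the client actually saw with policy: 'ok' or the kind of mismatch."""
    inspected = is_inspected(cert)
    if host in BYPASS_HOSTS and inspected:
        return "violation: exempt host was decrypted"
    if host not in BYPASS_HOSTS and not inspected:
        return "gap: host not decrypted"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf cert as seen from this host, validating against the OS trust store.
    If the sub CA is not trusted here, ssl.SSLCertVerificationError is raised, which is
    itself a finding: the 'make sure your hosts trust it' step was missed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts, fetch=fetch_cert):
    """Map each host to a verdict; connection and trust failures become verdicts too."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(host, fetch(host))
        except ssl.SSLCertVerificationError as e:
            results[host] = f"untrusted chain: {e.reason}"
        except OSError as e:
            results[host] = f"unreachable: {e}"
    return results
```

Run `audit([...])` from a managed endpoint; a "violation" on a banking host or a "gap" on an internal host means the decryption policy differs from what was intended.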
In other matters, I recently got tangentially involved with an HPC (high performance computing) project and the throughput requirements were staggering – such that the firewalls required would typically be used by service providers and couldn’t be accommodated in the first year’s budget. It did give me an insight into a new (to me) way of networking with Linux-based NOSes in leaf and spine topologies. So I have been playing with the SONiC NOS in GNS3 and hope to blog on this soon.