Blog: Next Generation Firewall (NGFW) in the World of HTTPS

By Prashant Kumar |

On December 17, 2015 Google announced it would be prioritizing HTTPS (encrypted HTTP) pages in search results. This means that websites with HTTPS enabled will show up first on a page of Google search results. Given Google’s market dominance in web search, companies around the world rushed to move their websites and web applications from HTTP to HTTPS.

While a move to HTTPS may have resulted in increased security (and for some, improved Google page rankings), many enterprises saw negative effects with regard to network performance.  This has to do with how Next Generation Firewalls (NGFW) treat HTTPS traffic, and the prevalence of NGFWs across the internet.

As the name implies, NGFWs offer capabilities above and beyond Stateful firewalling – including intrusion prevention (IPS), antivirus/malware protection, and deep packet inspection (DPI).  In order to do this, a NGFW has to look deep into a clear-text (HTTP) packet to perform packet analysis. The main downside of deep packet analysis is the network delay/latency it can introduce.

With HTTPS, the latency issue can be greatly exacerbated.  In performing deep packet analysis on a clear-text HTTPS packet, a NGFW has to first terminate the HTTPS (TLS) connection, perform deep packet analysis, and re-originate a new HTTPS connection to destination, effectively acting as a man-in-the-middle. This termination and re-origination of HTTPS connections require a NGFW to generate a significant amount of extra packets and handle expensive encryption/decryption operations. At massive scale, this can introduce significant additional packet processing delay in the network. If ever wondered why your home network (which doesn’t typically rely on NGFWs) is much faster than your work network, this should explain it!

As the number of network locations and packets requiring deep packet analysis and HTTPS termination and re-origination increases, this increases the delay caused by the NGFW. Because of this, NGFW are rarely introduced into the network core, and are typically deployed near the edges of a network.

This means it is very difficult to create networks with built-in Zero Trust Security (ZTS) using a NGFW – because the Zero Trust Network model requires the network to be segmented and have a routing/firewall device at the boundary of every segment.  Imagine the expense and operational burden of doing that!

NGFW DO have utility however, and can be part of a ZTS model.  However, since the NGFW functionality usually requires an expensive custom build hardware, their use as the sole network security device is typically limited to the edge.  Still, because end-to-end encryption is enabled by default with HTTPS, the value of NGFW and other middleboxes which rely on cleartext layer 5-7 is going to come with latency caveats.

Alternatively, 128 Technology’s session based router provides Secure Vector Routing (SVR) technology.  SVR allows 128T session based routers to treat every TCP/UDP session as a segment and apply custom firewall policy and access control at the session level, without requiring termination/re-origination of the HTTPS traffic. This allows an enterprise to build a true ZTS enabled network.

 

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Start typing and press Enter to search