Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security //

Firewall

4/19/2018
12:10 PM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Firewall Fail: IT Can't Identify All Network Traffic

With more and more traffic being encrypted, IT departments are having difficulty identifying the source of traffic coming into their network and past the firewall.

SAN FRANCISCO -- There's a dirty secret lying right behind the corporate firewall: The IT department can't identify the traffic coming into the enterprise network.

In fact, IT managers can't identify 45% of the network traffic hitting the firewall on any given day, according to a new report. Additionally, almost one in four IT managers cannot identify 70% of their enterprise's traffic.

Much of that is being caused by increased use of encryption, said Chester Wisniewski, the chief research scientist for Sophos, which sponsored the study, "The Dirty Secrets of Network Firewalls."

"Fifteen years ago, [IT admins] could go into their firewall and look at it from a productivity and a security standpoint and understand what was happening from a security standpoint because stuff was not encrypted," Wisniewski told Security Now.

"You knew this was Spotify and you know this was going to AOL and what was anomalous would stand out, and you could more easily make rules and policy decisions and even forensics," Wisniewski added. "Now, you don't know what was stolen because all the data is encrypted."

Part of that is related to Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that have helped encrypt more and more traffic passing through the Internet. To help combat that, enterprises can use man-in-the-middle techniques, but that adds complexity to the whole process. Additionally, standards -- specifically TLS 1.3 -- will also change that and make it more difficult.

The result is that 84% of respondents told researchers that lack of application visibility is now a serious security concern.

"What the survey said to us is that these guys don't know what apps are on the network because everything is TLS and SSL," Wisniewski said, adding that in his estimation about 70% of network traffic is encrypted today and that number could reach nearly 100% in the coming years.

The report, which Sophos released this week to coincide with the 2018 RSA Conference here, is based on responses from 2,700 IT professionals in mid-sized enterprises from the US, Canada, Mexico, France, Germany, UK, Australia, Japan, India and South Africa.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

In the coming months, with the increased use in encryption coming, Wisniewski said the challenge for the industry, including vendors such as Sophos, is to get endpoint devices, which know what the traffic is before it's encrypted, to work with and communicate with the firewall to specify what traffic can go past and onto the network.

(For its part, Sophos offers this technology with two offerings: synchronized security technology and Sync App Control.)

Without that, IT admins are losing time to do maintenance. The study found that most enterprises spend an average of seven days each month to remediate and fix about 16 infected machines. Over half of those surveyed expressed concern about loss of productivity from unwanted and unnecessary apps that find their way onto the network.

In addition, nearly 100% of those surveyed want firewall activity that can automatically isolate infected machines.

"We know that you can't block everything, and that's why we have talked about layered security," Wisniewski said. "If someone is in there, within the network, can you at least stop them before they leave with the stolen goods."

Related posts:

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...