The Achilles heel of next-gen firewalls

To better understand the realities of network security today, Sophos commissioned leading research specialist Vanson Bourne to conduct an independent survey of 3,100 IT managers spanning 12 countries and six continents.

The results shed new light onto the practical reality of today’s network security and the challenges IT teams face. It also reveals the Achilles heel of next-gen firewalls: the struggle to balance performance, privacy and protection.

Expect to find a threat on your network

The first takeaway from the survey is that organizations should expect to be hit by a cyberthreat. Over two-thirds (68%) of respondents fell victim to a cyberattack in the last year.

This propensity to fall victim to a threat is not the result of a lack of protection: 91% of affected organizations were running up-to-date cybersecurity protection at the time of the attack. However, good intentions and good practices are clearly not enough: there are still holes in organizations’ defenses that are enabling threats to get through.

Firewall enhancement wish list

Better threat visibility topped the list of improvements that IT managers want from their firewall, with 36% including it in their top three desired enhancements.

The fact that visibility outranked a desire for better protection illustrates just how significant an issue lack of insight is for IT teams.

However, firewall security isn’t the only area in need of improvements, three in ten of the IT managers also wanted better performance.

Overall, a clear picture emerged: it’s no longer a question of one or the other, rather, today’s IT teams require both performance and protection from their firewalls.

The understated risk: encrypted traffic

Encryption keeps network traffic private, but it doesn’t mean the contents can be trusted. In fact, encrypted traffic is a huge security risk because it renders firewalls blind to what is flowing through the network and prevents them from identifying and blocking malicious content.

Hackers are actively exploiting encryption to enable their attacks to enter undetected. SophosLabs research has revealed that 32% of malware uses encryption.

The level of encrypted network traffic is rising rapidly. Data from the Google Transparency Report indicates that over 80% of web sessions are now encrypted across all platforms, up from 60% just two years ago. However, the IT managers surveyed believed that on average only 52% of their network traffic is encrypted.

The discrepancy between perceived and actual levels of encryption together with the widespread use of encryption in cyberattacks suggests that encrypted traffic is an underestimated security risk.

The Achilles heel of network security

While 82% of survey respondents agreed that TLS inspection is necessary, only 3.5% of organizations are decrypting their traffic to properly inspect it.

There are a number of reasons behind this: concerns about firewall performance; a lack of proper policy controls; poor user experience; and complexity.

The reality is that most organizations need to carefully balance performance, privacy and security. However, they lack the tools needed to do so effectively and efficiently. As a result, they are choosing to allow encrypted traffic to pass unchecked and putting themselves at risk from hidden network threats.

This inability to balance performance, privacy and protection is the Achilles heel, the hidden weakness, of many next-gen firewall and UTM solutions.

Sophos XG Firewall: Designed for the modern encrypted internet

The Xstream Architecture in XG Firewall v18 offers a ground-up solution to eliminating the network traffic blind spot without impacting performance.

It delivers:

  • High performance, a lightweight streaming engine with high connection capacity
  • Unmatched visibility into your encrypted traffic flows and any errors
  • Top security that supports TLS 1.3 and all modern cipher suites with robust certificate validation
  • Inspection of all traffic, being application and port agnostic
  • A great user experience with extensive interoperability to avoid breaking the internet
  • Powerful policy tools that offer the perfect balance of performance, privacy and protection

The new Xstream SSL Inspection engine will be available to all XG Firewall customers at no extra charge. Try it now as part of the early access program.

To learn more about Sophos XG Firewall and see it in action, visit the web page or start an instant online demo.

Download a PDF copy of the report to get the full survey results.

Latest Posts