In this edition of News That Makes the Channel Cringe, a new Sophos report reveals IT pros can’t identify almost half (45%) of the traffic flowing through their networks.

The Dirty Secrets of Network Firewalls study, which included the responses of 2,700 mid-size business IT leaders, goes on to say 25% can’t identify over 70% of total network traffic. That’s a massive blind spot, especially with mounting concerns over cybersecurity.

The network is what keeps your clients connected. Not only is it challenging to support the network if you don’t know what’s on there, but unknown traffic can serve clients a blow that devastates their business. And if you’re responsible for your clients’ security, that blow could devastate you too.

Why is this network traffic blind spot a thing?

When people use the word firewall, they’re referring to a general category of device without distinguishing between old generation and new generation devices.

The traditional firewall is an early 1990s technology, and it focuses on Layers 3 and 4 of the OSI stack: IP addresses, ports and connection state. It was built before the internet as we know it today existed. Back then, you could pretty much rely on the well-known ports to carry the protocols they were assigned to. For example, port 80 was for HTTP web traffic only, so "port 80" and "web browsing" meant the same thing to the firewall.

The belief that a traditional stateful inspection firewall is the be-all and end-all of security is outdated.

Network gear and configurations have evolved over the past 20 years. Traditional firewalls don't provide good insight into how traffic flows today, when almost anything can be carried over ports 80 and 443 and much of it is encrypted. When analyzing traffic, they ask only, 'This is where you're from, and this is where you're going. Should I let you through?' There's no context about the actual content of the packets, so an SSH session or a piece of malware tunneled over port 443 looks exactly like a web page.

The next level up is adding signature-based inspection (an IPS engine) to the traditional firewall. These firewalls say, 'Let's actually look at the content of that traffic. Does it contain a byte pattern that's known to be bad?'

We've now taken a giant leap into looking at the traffic itself. The problem is the firewall must have seen a malicious pattern before to recognize that it's bad, and even a small change to the bytes on the wire (a different encoding, for instance) can stop a pattern from matching.
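To make the two preceding points concrete, here is an added illustration (not code from the article or from Sophos) that classifies a handful of constructed flows first by port number alone, as a Layer 3/4 firewall would, and then by the first bytes of the client payload; it then runs a naive byte signature over some HTTP request lines to show how a trivial encoding change evades a pattern the engine has not been taught to normalize. All flows, signatures and port mappings below are constructed for this example.

```python
"""Added example: port-only classification versus payload inspection, and
the limits of a byte signature. Flows are constructed, not captured traffic."""
import re
from urllib.parse import unquote_to_bytes

# Constructed flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80,   b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + b"\x00" * 32),  # TLS ClientHello on port 80
    (443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32),  # TLS ClientHello on 443
    (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),                                    # SSH pushed through 443
    (22,   b"SSH-2.0-OpenSSH_8.9\r\n"),
    (8080, b"POST /api/v1 HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n"),
    (4444, bytes(range(0x9a, 0xba))),                                       # opaque bytes, custom protocol
]

# What a port-based firewall "knows": the assigned use of a well-known port.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}


def classify_by_port(port: int) -> str:
    """Layer 3/4 view: label the flow purely from the destination port."""
    return WELL_KNOWN_PORTS.get(port, "unknown")


_HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def classify_by_payload(payload: bytes) -> str:
    """Light application-layer identification from the first client bytes."""
    if _HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then the handshake message type, 0x01 for ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


def audit(flows):
    """Label every flow both ways and flag where the port view is wrong."""
    report = []
    for port, payload in flows:
        by_port = classify_by_port(port)
        by_payload = classify_by_payload(payload)
        report.append({"port": port, "by_port": by_port, "by_payload": by_payload,
                       "mismatch": by_port != by_payload})
    return report


def unknown_share(report, view: str) -> float:
    """Fraction of flows a given view ('by_port' or 'by_payload') cannot name."""
    return sum(1 for row in report if row[view] == "unknown") / len(report)


# A toy IPS: byte patterns "known to be bad" (constructed for the example).
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


def signature_match(payload: bytes, normalize: bool = False) -> bool:
    """Naive signature check. With normalize=True the payload is percent-decoded
    once before matching, one of the canonicalisation steps a real engine does;
    without it, a trivially encoded request slips past the pattern."""
    data = unquote_to_bytes(payload) if normalize else payload
    return any(sig in data for sig in SIGNATURES)


if __name__ == "__main__":
    rows = audit(SAMPLE_FLOWS)
    for row in rows:
        print(f"port {row['port']:>5}: port says {row['by_port']:<8} payload says {row['by_payload']:<8}"
              f"{'  <-- port view wrong' if row['mismatch'] else ''}")
    print(f"unknown by port: {unknown_share(rows, 'by_port'):.0%}, "
          f"unknown by payload: {unknown_share(rows, 'by_payload'):.0%}")
    plain = b"GET /../../etc/passwd HTTP/1.1\r\n"
    encoded = b"GET /..%2f..%2fetc%2fpasswd HTTP/1.1\r\n"
    double = b"GET /..%252f..%252fetc%252fpasswd HTTP/1.1\r\n"
    print("plain:", signature_match(plain), "| encoded:", signature_match(encoded),
          "| encoded+normalize:", signature_match(encoded, normalize=True),
          "| double-encoded+normalize:", signature_match(double, normalize=True))
```

Run as a script, the audit shows three of the seven constructed flows mislabeled by the port view (TLS on 80, SSH on 443, HTTP on 8080) and two it cannot name at all. The signature section shows the same attack string caught in plain form, missed once it is percent-encoded, caught again after a single decode pass, and missed again when double-encoded: the engine catches exactly the variants it has been taught to canonicalise, which is the point the article makes about signature-only inspection.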

As the Sophos report says, “Network firewalls with signature-based detection are unable to provide adequate visibility into application traffic due to a variety of factors such as the increasing use of encryption, browser emulation, and advanced evasion techniques.”

Unsurprisingly, patterns the firewall has never catalogued were one of the biggest risks identified in the Sophos report, in which 48% of respondents said the number-one firewall enhancement they'd like is better protection.

Erase the blind spot with a next-gen firewall

Enter the next level up: a next-gen firewall. You might know it as a UTM (unified threat management) device or another name. There are a ton of different marketing terms, but in short, what I mean is devices that identify the application at Layer 7 regardless of the port it uses, inspect the packet contents (including TLS-encrypted traffic, where decryption is configured), and add behavior-based detection to signature matching.

Some behavior-based firewalls also offer sandboxing, which can run in the cloud rather than on the appliance itself. In this case, the firewall would say, 'Here's a file or payload I haven't seen before. I'm going to run it in an isolated environment and watch what it does, then analyze the result and either allow or block the traffic.'

The problem is, as functionality increases beyond the basics, so do complexity and price. That’s why many smaller businesses don’t use next-gen firewalls—they can’t always afford them.

In the past, it may also have seemed like overkill to use UTM functions on a small client. But it’s the only way to get the best protection. Small and mid-sized companies are increasingly being targeted for attack, and are also suffering collateral damage in broader attacks.

If your smaller clients can’t afford to upgrade their firewalls, you can still help them increase their protection by adding UTM software licences on existing boxes. Then at least they’ve got a base level of behavior-based protection that’s a giant leap from 1990s tech.

Justifying the investment in a firewall upgrade

The Sophos report found that, on average, technicians spend seven working days per month fixing 16 infected machines—which is an inefficient use of time.

Investing in behavior-based firewalls reduces the billable time you spend remediating network traffic issues and security concerns. And, since behavior-based firewalls provide event-based alerts, you spend far fewer hours monitoring and analyzing the traffic yourself.

To persuade clients to purchase those UTM software licences or new firewalls, you could explain that every hour you spend doing traffic monitoring, traffic analysis, and remediation tasks takes time away from other services.

Another way to position the investment in behavior-based detection is that it’s like an insurance policy. It reduces risk and decreases the number of infections for your client. Just be careful—even behavior-based firewalls aren’t a guarantee against a breach. So make sure your service contracts are structured to minimize your legal liability.
