– Melville Wekesa, Technical Lead, Merge Systems


In today’s world, dealing with cyber threats is a foregone conclusion for every business. As businesses embrace digitization and the advantages it brings, IT teams must ensure the infrastructure they deploy resists outside interference, protects organizational and customer data from malicious actors and prevents breaches. Failure to do so results in breaches accompanied by public relations nightmares that not only destroy brand value but also lead to direct financial losses as the share price falls.

As detailed in our previous post, there are many approaches an attacker may use to compromise IT systems, and the threat landscape has evolved in many ways. Whereas traditionally organizational data resided on desktops and servers that were physically and logically domiciled in one location, today mobile devices such as laptops, tablets and phones allow sensitive and confidential information to exist beyond the physical office. Additionally, consumption of cloud services such as Office 365, Salesforce, Dropbox and the like means company information may live entirely outside the office infrastructure.

Perimeter security is no longer sufficient. A robust solution today must protect mobile users, multiple endpoint types (laptops, tablets and smartphones) and cloud-based applications. One more important trend to note is encryption. As organizations seek to protect their communication channels, many have turned to TLS to secure their traffic, and malicious players have not been left behind: today’s malware is routinely delivered over encrypted connections precisely so that detection and filtering engines cannot see it. Encrypted traffic is opaque to a traditional filtering engine, so it is important that any security platform you consider can inspect it. Bear in mind what that entails: the firewall terminates the TLS session and re-signs it with its own certificate authority, which must be trusted on every endpoint, does not work for applications that pin their certificates, and costs throughput, so budget for the performance hit and for the policy work of deciding which categories (banking, health) are exempted from inspection.


Firewalls are the first line of defense for an organization. Traditionally they enforce a policy on which addresses, ports and protocols may cross between a trusted and an untrusted network. Protection against known attacks is layered on top of that: the vendor studies how malicious software (malware) and exploits behave, builds signatures for them and distributes them in a database; incoming traffic is matched against that database and blocked on a hit. At the bare minimum, an organization should purchase a next-generation firewall that, in addition to the traditional role of separating a trusted network from an untrusted one, is application aware, i.e. it can inspect traffic at OSI layers 4 to 7, can inspect encrypted traffic, supports stateful inspection, has an integrated Intrusion Prevention System (IPS), has identity awareness (user and group control), and can consume external threat-intelligence sources.

While most next-generation firewall vendors claim these abilities, some of the devices being peddled in the industry cannot deliver what the datasheet promises. NSS Labs is a good resource for verifying which firewalls are worth spending money on. NSS has developed a robust methodology for testing next-generation firewalls: it uses multiple commercial, open-source and proprietary tools to run 1,999 exploits against each firewall and documents the results in an annual comparative report available from its site. The report is a good resource for investigating security effectiveness, total cost of ownership and performance. The 2017 report can be accessed from their site, and customers can also purchase individual product reports. When reading it, check that the tested configuration (for example, whether SSL inspection was enabled) matches how you would actually deploy the device, since results differ markedly between tuned and default policies. A summary of the 2017 Next Generation Firewall Comparative report is captured below.


As threats evolve, it is also important to evaluate how the firewall you are deploying deals with zero-day attacks. A zero-day vulnerability is a flaw in software that is unknown to the vendor, so no fix exists; a zero-day attack exploits that flaw before the vendor patches it. Zero-day attacks are particularly problematic for signature-based protection: because the attack is unknown, no signature has been built, and the firewall has nothing to match against. Today, firewalls handle unknown suspicious files by sending them to a sandbox, a technique also marketed as threat emulation. In a nutshell, the suspicious file is run in a controlled environment and its behaviour observed before it is allowed into the customer’s network; if it behaves maliciously, the file is blocked or quarantined as policy dictates. Because the verdict rests on observed behaviour rather than a signature, a sandbox can catch malware nobody has seen before. Two caveats belong in any requirements document: sandboxing only sees threats that arrive as a file (an exploit carried in a network request against an exposed service never reaches it), and a verdict takes minutes, so you must decide whether files are held until the verdict arrives or delivered immediately and recalled afterwards.

While any self-respecting firewall vendor offers threat emulation, not all sandboxes are created equal. Today’s malware is sophisticated and employs various evasion techniques to avoid detection, and firewall vendors have adopted different strategies to counter them. The majority of vendors run sandboxes consisting of virtual machines with common operating systems and applications. Files are sent to these machines, opened and allowed to execute, and their behaviour is observed and recorded. Malware that behaves as it would on an unsuspecting user’s machine is caught this way.

However, sophisticated malware has built-in sandbox detection: it looks for differences between a sandbox and a real user’s environment and, if it finds them, delays or aborts execution. Typical checks are whether the processor reports a hypervisor, whether virtualization drivers, device names or MAC address prefixes belonging to VMware or VirtualBox are present, whether the machine has an unrealistically small disk, little memory or a single CPU, whether there is any sign of human use (recent documents, mouse movement, browser history), and how long the system has been up; many samples simply sleep past the few minutes a sandbox will spend on them. Malware that detects a virtual environment then shows no malicious behaviour and passes undetected. For this reason some firewall vendors have opted for bare-metal sandboxes, which share more similarities with real customer environments and are harder for malware to identify, although the absence of user activity and the presence of monitoring hooks can still give them away.
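The hypervisor check described above, written out as an added example (this is not code from the original post or from any vendor’s sandbox). It runs the two CPUID queries VM-aware malware uses on x86: leaf 1 for the hypervisor-present bit and leaf 0x40000000 for the vendor signature. The list of known signatures and the 4-step threshold logic are my own choices; on a non-x86 build the live probe reports "unsupported" rather than guessing. Running this inside your own sandbox image is a quick way to see what it gives away.

```c
/* Added example, not code from the original post: the CPUID checks that
 * VM-aware malware runs before deciding whether to misbehave. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0   /* non-x86 build: the live probe reports -1 */
#endif

/* CPUID leaf 1 returns a feature word in ECX. Bit 31 is reserved on real
 * hardware and set to 1 by hypervisors to advertise their presence. */
int hypervisor_bit_set(uint32_t ecx) {
    return (int)((ecx >> 31) & 1u);
}

static void put_le32(char *dst, uint32_t v) {
    for (int i = 0; i < 4; i++) dst[i] = (char)((v >> (8 * i)) & 0xffu);
}

/* CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX,
 * low byte first in each register. Rebuild it as a C string. */
void signature_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_le32(out, ebx);
    put_le32(out + 4, ecx);
    put_le32(out + 8, edx);
    out[12] = '\0';
}

/* Signatures published by common hypervisors (assumed list for the example;
 * the KVM string is padded with NULs to 12 bytes, hence memcmp not strcmp). */
int known_hypervisor(const char *sig12) {
    static const char *known[] = {
        "KVMKVMKVM\0\0\0", "VMwareVMware", "Microsoft Hv",
        "XenVMMXenVMM", "VBoxVBoxVBox", "TCGTCGTCGTCG",
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig12, known[i], 12) == 0) return 1;
    return 0;
}

int signature_is_known(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    char sig[13];
    signature_from_regs(ebx, ecx, edx, sig);
    return known_hypervisor(sig);
}

/* Live probe. Returns -1 if not an x86 build, 0 if the hypervisor bit is
 * clear, 1 if it is set (sig_out, when non-NULL, receives the signature). */
int probe_hypervisor(char sig_out[13]) {
#if HAVE_X86_CPUID
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    if (!hypervisor_bit_set(c)) return 0;
    /* 0x40000000 lies outside the basic leaf range, so query it unchecked. */
    __cpuid(0x40000000u, a, b, c, d);
    if (sig_out) signature_from_regs(b, c, d, sig_out);
    return 1;
#else
    (void)sig_out;
    return -1;
#endif
}

int main(void) {
    char sig[13] = "";
    int r = probe_hypervisor(sig);
    if (r < 0)
        puts("not an x86 build; nothing to probe");
    else if (r == 0)
        puts("hypervisor bit clear: looks like bare metal to malware");
    else
        printf("hypervisor bit set, signature \"%s\" (%s)\n", sig,
               known_hypervisor(sig) ? "known hypervisor" : "unrecognised");
    return 0;
}
```

If the probe prints a known signature inside your sandbox, every sample that runs this check will know where it is. Hiding the bit (most hypervisors can mask CPUID leaves) only removes one artifact; the driver names, MAC prefixes and idle-user signs listed above need the same treatment.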

More sophisticated attacks avoid behavioural sandboxes altogether by doing their work at the CPU and memory level. A good example is an exploit that uses Return Oriented Programming (ROP): rather than dropping a file that runs, it chains small fragments of code already present in the process (gadgets) together through the stack to seize control, and only then fetches or decodes its payload. A virtual-machine or bare-metal sandbox that watches file, registry and network activity sees nothing until the payload acts, and if the payload also checks its environment first it may never act. A CPU-level sandbox instead inspects control flow while the code executes, using processor tracing features to spot patterns normal programs do not produce, such as a run of returns that do not land on the instruction after a call, and so can flag the exploitation phase itself before any payload runs. The YouTube videos below demonstrate this point.
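To make the control-flow idea concrete, here is an added example (not code from the original post or from any vendor) of the "call-preceded return" heuristic that CPU-level ROP detection is built on: a legitimate RET lands just after a CALL, a gadget address almost never does. The x86-64 byte sequence, the two return-address streams and the alert threshold of 4 are all constructed for the example; a real detector reads return addresses from the processor trace and uses a full backwards disassembler, whereas this decoder only recognises the common CALL encodings.

```c
/* Added example: call-preceded-return heuristic over constructed bytes.
 * Not from the original post or any vendor's product. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Consecutive non-call-preceded returns before alerting (assumed value). */
#define ROP_RUN_THRESHOLD 4

/* Do the bytes ending at ret_off decode as a CALL? Partial decoder: direct
 * call, call reg (with optional REX), call [reg], call [rip+disp32],
 * call [reg+disp8]. SIB and rip-relative modrm values are excluded from the
 * short forms because they carry extra bytes. */
int is_call_preceded(const uint8_t *code, size_t len, size_t ret_off) {
    if (ret_off > len) return 0;
    /* E8 rel32: 5 bytes */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;
    /* FF D0..D7 (call reg) or FF 10..17 (call [reg]): 2 bytes */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF) {
        uint8_t m = code[ret_off - 1];
        if ((m & 0xF8) == 0xD0) return 1;
        if ((m & 0xF8) == 0x10 && m != 0x14 && m != 0x15) return 1;
    }
    /* REX + FF D0..D7 (call r8..r15): 3 bytes */
    if (ret_off >= 3 && (code[ret_off - 3] & 0xF0) == 0x40 &&
        code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0) return 1;
    /* FF 15 disp32 (call [rip+disp32]): 6 bytes */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15) return 1;
    /* FF 50..57 disp8 (call [reg+disp8]): 3 bytes; 54 needs a SIB byte */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF &&
        (code[ret_off - 2] & 0xF8) == 0x50 && code[ret_off - 2] != 0x54) return 1;
    return 0;
}

/* Longest run of consecutive return targets that are not call-preceded. */
size_t longest_non_call_preceded_run(const uint8_t *code, size_t len,
                                     const size_t *returns, size_t n) {
    size_t run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_call_preceded(code, len, returns[i])) { run = 0; continue; }
        if (++run > best) best = run;
    }
    return best;
}

int rop_suspected(const uint8_t *code, size_t len, const size_t *returns, size_t n) {
    return longest_non_call_preceded_run(code, len, returns, n) >= ROP_RUN_THRESHOLD;
}

/* Constructed code image (offsets in comments). */
const uint8_t sample_code[] = {
    0x55,                               /* 0:  push rbp                      */
    0x48, 0x89, 0xE5,                   /* 1:  mov rbp, rsp                  */
    0xE8, 0x0B, 0x00, 0x00, 0x00,       /* 4:  call rel32  -> return at 9    */
    0x48, 0x31, 0xC0,                   /* 9:  xor rax, rax                  */
    0xFF, 0xD3,                         /* 12: call rbx    -> return at 14   */
    0x5D, 0xC3,                         /* 14: pop rbp ; ret                 */
    0x90, 0x90, 0x90, 0x90,             /* 16: nops                          */
    0x5F, 0xC3,                         /* 20: pop rdi ; ret   (gadget)      */
    0x5E, 0xC3,                         /* 22: pop rsi ; ret   (gadget)      */
    0x5A, 0xC3,                         /* 24: pop rdx ; ret   (gadget)      */
    0x58, 0xC3,                         /* 26: pop rax ; ret   (gadget)      */
    0x0F, 0x05, 0xC3,                   /* 28: syscall ; ret   (gadget)      */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, /* 31: call [rip+0] -> return at 37  */
    0x90,                               /* 37: nop                           */
};

/* Constructed return-address streams, as a trace would deliver them. */
const size_t benign_returns[] = { 9, 14, 37 };           /* normal call chain */
const size_t rop_returns[]    = { 20, 22, 24, 26, 28 };  /* gadget chain      */
const size_t mixed_returns[]  = { 9, 20, 22, 14 };       /* short run, no alert */

int main(void) {
    size_t len = sizeof sample_code;
    printf("benign: run=%zu suspected=%d\n",
           longest_non_call_preceded_run(sample_code, len, benign_returns, 3),
           rop_suspected(sample_code, len, benign_returns, 3));
    printf("rop:    run=%zu suspected=%d\n",
           longest_non_call_preceded_run(sample_code, len, rop_returns, 5),
           rop_suspected(sample_code, len, rop_returns, 5));
    return 0;
}
```

The threshold is what keeps the heuristic usable: occasional non-call-preceded returns occur in legitimate code (hand-written assembly, some JIT output), which is why the detector looks for a run of them rather than a single one, and why attackers in turn hunt for call-preceded gadgets.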

As firewall vendors innovate to stay ahead of security threats, malicious actors are innovating too, and new evasions will keep appearing. It is realistic to expect that at some point you will be compromised. Some vendors have therefore shifted their focus from preventing every breach to reducing the time to detection. The argument is simple: the sooner you detect a breach, the less time an attacker has to exploit their access and the quicker you can contain it. To this end, the ability to draw on external intelligence sources, human researchers, and artificial intelligence and machine learning techniques all help to shorten the time to detection. What is your preferred firewall vendor’s mean time to detection, and how do they measure it?

In conclusion, there is much more to selecting a firewall than throughput. We see a lot of RFPs written for the traditional threat landscape. It is important to update the requirements to reflect the evolving one: inspection of encrypted traffic, sandboxing and its resistance to evasion, detection at the exploit level and a measurable time to detection.
