The Threat Intelligence Challenges with Next-Generation Firewalls
Today’s networks are transforming at an unprecedented speed. Nation-state events and global crises are challenging every aspect of how business is conducted. Now more than ever, organizations are relying on their network infrastructure to maintain business continuity and support digital business initiatives. Unfortunately, one aspect of the digital economy that remains constant, is the threat to the network by cyber criminals. As they scramble to adopt new network paradigms, organizations continue to rely on traditional security controls like Next-Generation Firewalls (NGFWs) to secure their businesses.
However, what many organizations are realizing is that their next-generation firewalls are having a tough time keeping up with today’s threats. To be fair, organizations require a lot from their firewalls, including dealing with increasing network traffic, threat volumes, encrypted traffic, and a never-ending array of functions they’re asked to perform. However, there is a more fundamental challenge facing firewalls, that requires our attention, which is their reliance upon proprietary and closed threat intelligence to detect and block threats. Simply put, this means that they operate with too narrow a view of the threat landscape, and therefore struggle to keep up with today’s attacks.
In light of this and in an effort to better secure their networks, organizations have increasingly adopted threat intelligence as a means to identify and respond to evolving threats. However, as organizations look to operationalize threat intelligence, they find it challenging to integrate threat intelligence into their nextgeneration firewalls.
When combined, the limitations of broad-based threat visibility and an inability to integrate threat intelligence at scale, represent two significant challenges for next-generation firewalls. In this whitepaper, we will provide an overview of these challenges, provide real world data, discuss why these challenges exist, and briefly describe how the ThreatBlockr Cyber Threat Intelligence Firewall platform eliminates these challenges.
Challenge 1: Firewalls Rely On Proprietary & Closed Threat Intelligence
Cyber security vendors, especially mainstay, next-generation firewall vendors, have long advertised threat intelligence expertise as a differentiating value proposition beyond their product technology. It makes sense in an industry whose bread and butter relies on the ever evolving sophistication of cyber attacks.
However, with so many different vendors, institutions, and government entities engaged in the pursuit of threat intelligence, its definition has become muddled. This has resulted in confusion around both the definition of what constitutes threat intelligence, as well as its uses.
Next-generation firewalls are powered by threat intelligence. However, the threat intelligence they use is wholly controlled by the vendor, and is typically both proprietary and closed. The threat intelligence they use to detect and block threats is predominantly based on threat activity they see within their own customer base supplemented by analysis from their internal “Intelligence” teams. Make no mistake, this threat intelligence is valuable. However, it alone is insufficient to protect organizations from today’s dynamic threats, because it provides too narrow a view of constantly evolving threat activity. Simply put, it’s just one vendor’s perspective.
Fortunately, the challenges with relying on single source threat intelligence are well known. For this reason, more organizations are supplementing the threat intelligence they get from existing controls with a broad-based view of threat intelligence that spans multiple, diverse sources. These sources include commercial threat intel providers like DomainTools, IntSights, Recorded Future, and others, open source threat intel (OSINT), government providers like DHS, and industry sharing communities like ISACs/ISAOs. This broad-based view of threat intelligence enables organizations to better protect themselves from cyber threats.
Challenge 2: Firewalls Have Limited Ability to Integrate Third-Party Threat Intelligence
As organizations invest more in threat intelligence, they logically look to maximize its value by making it actionable thereby using that intelligence to detect and block threats. To make threat intelligence actionable, organizations first look to integrate it into existing security controls like firewalls. However, it doesn’t take long to realize the significant challenges that exist here.
“The fact is, next-generation firewalls don’t ‘play nicely’ with third-party threat intelligence.”
The fact is, next-generation firewalls don’t “play nicely” with third-party threat intelligence. These legacy devices have significant limitations with respect to the volume and ways that third-party threat intelligence can be integrated. Volume limitations can include the total volume of third-party indicators, the size of external blocklists, and/or the number of lists that can be used. Firewalls also have significant limitations in the ways third-party threat feeds can be integrated into them with most firewalls only having the ability to consume text file lists of indicators over HTTPS. While some firewall providers have broadened their integration abilities to support standards like STIX/TAXII, using this capability requires an additional solution.
Real World Data Illustrates the Threat Intelligence Limitations of Firewalls
Third-party threat intelligence limitations within next-generation firewalls is a very real challenge facing organizations. Here at ThreatBlockr Cyber, we see it and hear it daily, as we interact with our customers and prospects. We often hear that this fundamental reality is a key reason why organizations purchase and deploy our platform. Importantly, real world data from leading firewall providers validates the limitations. Let’s take a look.
Palo Alto Networks External Dynamic Lists
Palo Alto Networks is arguably, the most popular Next-Generation Firewall on the market today. However, it is not without its own faults. In it’s PAN-OS® Administrator’s Guide, the company provides information on its External Dynamic Lists, which are defined as text files that are hosted on an external web server. The data clearly illustrates the limitations Palo Alto Networks’ next-gen firewalls have with respect to third-party threat indicators.
- The PA-5200 Series and the PA-7000 Series firewalls, which are Palo Alto’s high-end models, support a maximum of 150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses.
- The maximum number of domain ranges from 50,000 to 4 million depending on the model, The upper end of the maximum range requires upgraded network processing cards.
- On each firewall model, you can add a maximum number of 30 custom External Dynamic Lists with unique sources.
By its own admission, the top-end Palo Alto Networks next-generation firewall, the PA-7080, which is marketed to large enterprises and service providers, can only handle 150,000 total third-party IP indicators and 4 Million total third-party domain indicators.
To put this into perspective, let’s compare Palo Alto Networks’ External Dynamic List limits with two threat feed examples.
The first graphic below shows an IP Reputation feed that typically has over 4.5 Million indicators. The second graphic below shows a Malicious Domain Blocklist that is powered by threat intelligence from DomainTools. This blocklist represents domains with a risk score of 99 and higher (out of 100). As you can see, integrating these threat feeds into a Palo Alto Networks’ External Dynamic List is next to impossible.
Fortinet Threat Feeds (External Dynamic Block Lists)
Another leader in the next-gen firewall market is Fortinet. Similar to Palo Alto Networks, Fortinet has the ability to dynamically import external block list text files from an HTTP server. Text files can contain IP addresses, domain names, and hashes. Fortinet calls these dynamic block lists “Threat Feeds.”
Identifying third-party threat intelligence limitations with Fortinet is more challenging than Palo Alto due to limited data. However, one important data point illustrates key limitations. Fortinet indicates that the size of a blocklist file can be 10 MB, or 128,000 lines of text, whichever is most restrictive.
While it’s unclear if Fortinet has a total volume limit, what is clear is that integrating a large, third-party threat feed into Fortinet would be cumbersome requiring the separation of one large threat list into many smaller lists. For example, the IP Reputation feed would require over 30 separate lists and the DomainTools threat feed would require over 170 separate lists.
“…what is clear is that integrating a large third-party threat feed into a firewall would be cumbersome…”
SonicWall Threat API
Data from SonicWall, a well established provider of firewall solutions to small and mid-sized businesses, also validates threat intelligence limitations. SonicWall’s Threat API “allows administrators to send lists of URLs or IP addresses to be blocked via command line.” Based on this, it appears there is no automated way to integrate third-party threat intelligence into SonicWall firewalls. SonicWall also indicates that the list is limited to 5,000 entries for all product versions.
Why Do Firewalls Have These Limitations?
Understanding the limitations firewalls have with respect to using third-party threat intelligence is the first step. Next, we must ask, why do these limitations exist? We believe there are two motivating factors: (1) lack of incentives; and (2) resource constraints.
Lack of Incentives
Firewall providers are in the business of providing solutions that protect networks. As mentioned earlier, their solutions are powered by their own proprietary threat intelligence. In fact, one of the key ways firewall providers compete against one another is based on their ability to detect and block threats. This is evidenced in annual firewall tests conducted by organizations like NSS Labs. This fuels a virtuous circle where firewall providers focus on improving their own detection capabilities. The focus on proprietary threat intelligence leads to a natural lack of incentive to use threat intelligence from other sources or to share threat intelligence with other systems.
The other major factor that we believe inhibits firewalls’ ability to work with third-party threat intelligence are resource constraints. Simply put, today’s firewalls perform multiple functions many of which are resource intensive. These functions include deep packet inspection in order to provide services like intrusion detection and prevention (IDS/IPS), URL filtering, and malware detection. The resource intensity of deep packet inspection is evident in the significant decrease in firewall throughput that occurs when these features are used. This decrease is typically in the area of 50%.
Adding further burden to resource requirements is that an increasing amount of traffic is encrypted. This means that firewalls need to decrypt the traffic in order to inspect the traffic for threats. This decryption requires significant additional resources. Many firewalls are now adding SD-WAN capabilities so the list of functions being added keeps growing.
Simply put, the more functions a firewall performs, the more resources this requires. With firewalls being challenged already to provide their own services, this leaves few resources to divert to process third-party threat intelligence feeds.
A Quick Look at the ThreatBlockr Platform
Over the last several years, ThreatBlockr has been at the forefront of driving a new category of cyber security technology that makes threat intelligence actionable.
ThreatBlockr uses simple, innovative technology and best-in-class threat intelligence to secure your networks, data and users in real time – wherever they are. Whether it’s from data we provide out of the box, data from one of our Partner Integrations – or any other data source you have – we block attacks from up to 150 million malicious IPs and domains in real-time, with no latency.
How It Works
ThreatBlockr blocks known bad traffic at scale using a combination of simple, innovative technology and best-inclass threat intelligence. We provide 30 million “out of the box” threat indicators from the world’s best sources, including leading commercial providers like DomainTools, Proofpoint, Webroot, open source data providers and leading government sources. We also have over 50 point-and-click integrations with ISACs, ISAOs, Threat Intelligence Platforms (TIPs), SIEMs, SOARs, and other systems. If you have a data source that isn’t on our integration list – you can easily integrate IP and domain indicators in real-time from any source.
Policy enforcement and blocking is handled by our ThreatBlockr appliances, which can block up to 150 million threat indicators in real-time with no latency. ThreatBlockr inspects inbound and outbound traffic and makes simple, policy-based allow or deny decisions based on threat intelligence (IP reputation, block lists, allow lists), GEO-IP, and/or Autonomous System Number (ASN). ThreatBlockr can be flexibly deployed on physical, virtual or cloud appliances, as a cloud-based service or any combination of these. Regardless of deployment, we can protect your users and networks everywhere and our Cloud-based Management Portal gives you a central point of visibility and control.
As data flows through our ThreatBlockr appliances, our platform generates a significant amount of data that helps you analyze your security posture, identify and remediate threats in real time, and easily solve for false positives. Non-PII metadata is sent to our Global Management Center to allow quick analysis of your security posture and detailed data is sent to any SIEM, Syslog server or security analytics tool of your choice for further detailed analysis.
ThreatBlockr Complements Next- Generation Firewalls
A critical point is that the ThreatBlockr platform complements next-generation firewalls providing another layer of protection using large volumes of third-party threat intelligence. ThreatBlockr allows organizations to proactively use third-party threat intelligence to detect and block threats at a scale that can’t be done with next-generation firewalls.
Importantly, the ThreatBlockr platform not only provides another layer of network protection but it also improves the efficiency and effectiveness of firewalls. ThreatBlockr offloads known threat blocking from the firewall allowing the firewall to focus its more resource-intensive deep packet inspection (DPI) processor cycles on a reduced amount of cleaner traffic.
Compared to traditional firewalls, the ThreatBlockr Cyber Platform is:
- Smart – The ThreatBlockr platform is purpose-built to detect and block threats based on massive volumes of third-party threat intelligence vs. relying on proprietary threat intelligence. The platform provides “out of the box” threat indicators from the world’s best sources and makes it simple to integrate threat indicators in real-time from any source.
- Scalable – The platform can block up to 150 million unique IP and domain threat indicators at line speed before they hit your network and security controls far exceeding the capabilities of next-generation he world’s best sources and makes it simple to integrate threat indicators in real-time from any source.
- Simple – The platform is simple to deploy and manage with intuitive policy management and centralized management capabilities provided by our cloud-based Management Portal.
Next-generation firewalls remain an important foundational component of network security. However, a reliance on proprietary and closed threat intelligence and an inability to integrate threat intelligence at scale are resulting in firewalls having a tough time keeping up with today’s threats.
The ThreatBlockr platform helps organizations overcome these challenges allowing you to protect networks, users, and data in a Smart, Simple, and Scalable way — wherever they are.
Contact ThreatBlockr for a Free Risk Assessment