By Jason Pappalexis, Ty Smith
NSS Labs investigative reports draw from preliminary research on security technologies and are used to help our enterprise clients understand product capabilities. The research also informs our continuously evolving test methodologies. This blog accompanies a recent investigative report on the impact of code obfuscation and web-encoding techniques on the detection efficacy of next generation firewalls (NGFWs).
Test Results: All ten products investigated were impacted to some degree when exploits were transformed by one or more code obfuscation techniques. Applying web transport encoding mechanisms on top of the obfuscation further impacted test results.
Not all products were affected to the same degree. Products whose scanning engines appeared to normalize the transport encodings prior to scanning were less affected by code obfuscation and encoding. However, normalization does impact throughput since it involves pre-processing (i.e., CPU impact), which could add latency if a product is running near its limit. Proper capacity planning should factor in these variables to limit impact to end users. (This does not hold if an NGFW is incorrectly sized, or if it is an older generation device that has been updated with newer firmware and forced to handle new traffic.)
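To make the normalization point concrete, here is an added example (not code from NSS Labs or from any of the products tested) contrasting a naive engine that pattern-matches raw wire bytes with one that first undoes HTTP/1.1 chunked transfer-coding and gzip content-coding. The signature token and the sample response are constructed for illustration.

```python
import gzip
import re

# Constructed stand-in for a signature body; a real engine would carry many such patterns.
SIGNATURE = re.compile(rb"EXAMPLE-SIGNATURE-TOKEN")


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coding body (RFC 7230, section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)  # raises ValueError on a truncated/malformed body
        # A chunk-size line may carry ";name=value" chunk extensions; they are ignored here.
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; any trailer fields that follow are not part of the body
        out += body[pos:pos + size]
        pos += size + 2  # step over chunk-data and its trailing CRLF
    return bytes(out)


def normalize(headers: dict, body: bytes) -> bytes:
    """Undo transport and content codings so the scanner sees what the browser will run."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def scan_raw(body: bytes) -> bool:
    """Naive engine: pattern-match the bytes exactly as they appear on the wire."""
    return SIGNATURE.search(body) is not None


def scan_normalized(headers: dict, body: bytes) -> bool:
    """Normalizing engine: decode first, then pattern-match."""
    return SIGNATURE.search(normalize(headers, body)) is not None


def encode_response(payload: bytes, use_gzip: bool, chunk_size: int) -> tuple:
    """Constructed sample server response: optionally gzip, then split into fixed-size chunks."""
    headers = {"Transfer-Encoding": "chunked"}
    if use_gzip:
        headers["Content-Encoding"] = "gzip"
        payload = gzip.compress(payload)
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    wire = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return headers, wire
```

Chunking alone is enough to defeat the raw scanner when a chunk-size line lands inside the pattern; gzip hides it entirely until the body is decompressed, which is exactly the pre-processing cost discussed above.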
The Use Case: Most of Today’s Web Traffic
The modern web browsing experience is quite different from that experienced by web users even as little as five years ago. Complex content, background video, custom fonts, personalization (geography, time, etc.), and dynamic updates are intrinsic to the modern web page, which works to connect with users in order to retain them as visitors.
Code obfuscation and encoding techniques are commonplace; in fact, your navigation to this blog page likely involved several of these elements.
The Need to Understand Product Limits
The data from our investigation highlights a larger challenge within the industry: the lack of clearly defined product capabilities. NGFWs are designed to scan and detect threats within network traffic, and it is reasonable for organizations to expect them to protect against web-delivered attacks. It is also reasonable for enterprises to expect that their NGFWs will be unaffected by content encoding transformations specified within the HTTP/1.1 RFC. However, our investigation results indicate that many NGFWs are in fact susceptible to these attacks and transformations, and this may undermine an organization’s confidence in its product—if it is being fooled by HTTP/1.1, what else is it missing?
Industry marketing teams often describe product capabilities in broad terms, which is misleading. To stay ahead of the competition, many marketing teams suggest capabilities that are nascent or not yet available. This obscures a product’s true capabilities and limitations, which increases operational costs for IT security teams. Enterprise organizations require transparency to make informed purchasing decisions. In order to fully understand the capabilities of an NGFW, NSS recommends that an organization rebuild all policies and comprehensively test them prior to deploying the product.
So, would you want to have an NGFW in your security architecture? More than 80% of US enterprises do, but the results of this investigation (and the results of the NSS Labs NGFW v8.0 Group Test) should be a wake-up call for NGFW product and product marketing teams.
This month, NSS Labs released an investigative report on the effects of code obfuscation and HTTP/1.1 web traffic encoding mechanisms on NGFWs.
Jason Pappalexis is managing director of the NSS Labs Enterprise Architecture Research Group (EARG), whose charter is to help enterprises solve security challenges. He has worked with endpoint protection products for more than 18 years and has held roles in the IT security industry that include administration, architecture, field engineering, and product testing.