Next-generation firewalls (NGFWs) have proven to be incapable of stopping advanced malware and targeted attacks. While NGFWs typically take a more application-centric approach to traffic classification, they do not detect nor block the new breed of advanced attacks such as zero-day, targeted attacks or advanced persistent threat (APT) attacks.
At their core, NGFWs' anti-malware technologies rely on traditional anti-virus and IPS signatures, reputation analysis, and URL blacklists. These approaches are reactive and have proven incapable of stopping advanced threats. With more than 286 million new malware variants surfacing in 2010 alone, it is no wonder NGFWs, like traditional firewalls, fall short when it comes to next-generation threats.
NGFW vendors have tacitly conceded this point and are now augmenting their products with cloud-based analysis of binaries and DLLs and "rapid" hourly updates of the firewall signature set.
Fundamentally, cloud-based analysis does not provide advanced malware protection.
Does not stop Web page attacks
NGFW cloud-based analysis does not analyze document and file formats for malware (PDFs, Microsoft documents, image formats) used to exploit application vulnerabilities.
Does not stop email-based attacks
NGFW cloud-based analysis does not analyze emails for malware, so it cannot stop spear phishing attacks. Spear phishing is a primary mechanism used in targeted APT attacks.
Cannot address encrypted binaries
NGFW cloud-based analysis is based on the premise that malware binaries will be transmitted in the clear and that there is no need to detect the exploit phase that actually initiates a binary download.
Too slow and reactive
Hourly updates of attack signatures are too slow even if they manage to detect a new attack binary. FireEye research has found that 90% of binaries morph within one hour and initiate callbacks within minutes of compromise to download further malware infections.
Key Gaps in NGFW Protection
The Operation Aurora APT attack that targeted Google and many others used an XOR encoding to mask the binary. Without visibility into the exploit phase, NGFWs did not detect the encrypted binary, and therefore missed the Aurora attack entirely.
Also, there are many APT attacks that utilize email attachments as the initial exploit phase of the attack. The attack on RSA in early 2011 utilized an infectious spreadsheet to begin the process of infiltrating deep inside RSA's network to target valuable source code. Again, NGFWs are architecturally incapable of detecting or blocking an email attachment-style attack.
In short, NGFWs have fundamental architectural flaws as they relate to the detection and blocking of the advanced malware and APT-style attacks. These flaws leave the end user's network wide open to web page exploits that subsequently mask or encrypt the binary download phase. Without any real-time analysis within the locally deployed firewall, NGFWs are unable to address advanced malware and targeted APT attacks. Companies deploy FireEye products to complement traditional NGFWs to ensure they are fully protected against cyber attacks.