Moving Beyond Proxies

Executive Summary

Proxy deployments today have outlived their usefulness and practicality. They have joined a long list of legacy security products, providing limited security functionality against today’s advanced threats. Once upon a time, proxies fulfilled a need traditional firewalls could not meet: visibility into web traffic, starting with categorization of HTTP and later HTTPS traffic. However, little to no emphasis was put on the vast number of applications that use other avenues to access corporate networks. Proxy vendors still over-emphasize the importance of HTTP and HTTPS traffic while downplaying the role that applications using other entry points play in cyber attacks.

The limited benefits of proxy solutions come at a great cost: network latency, complex and costly deployments, arbitrary security limitations, such as application bypass lists, and slow adoption of new security technologies are just some examples of the downfalls of proxy deployments.

With their roots in Web access control, proxies base security decisions primarily on URL categories, and secondarily on content, leaving proxy customers vulnerable to attacks in spite of complex security deployments.

The shortcomings of proxies intensified with the explosive growth of web- and network-based applications, combined with the changing threat landscape and increased adoption of mobile technology. These changes brought with them the need for less complex, more comprehensive, and higher performing solutions—a need met by today’s next-generation security platforms with fully integrated security technology that protects all applications, entry points and users with streamlined, easy-to-manage deployments able to handle today’s speed of business.

The Rise and Fall of Proxies—A Short Overview

Traditional firewalls enforced network access via positive control models. Access Control Lists (ACLs) performed this function, often in routers. Unfortunately, these traditional firewalls shared a common shortcoming—the inability to inspect all of the applications traversing the network across all ports and protocols. Proxy-based devices offered more granular analysis of, and visibility into, a small set of applications and protocols where traditional firewalls were blind.

Many organizations started to deploy proxy-based devices to gain a degree of visibility and control over web traffic because their stateful inspection firewalls lacked this critical capability.

Those who added dedicated proxies in conjunction with their existing legacy firewalls now had access to security functions such as URL filtering and web access control.

Over time, proxy-based devices evolved to become part of a growing collection of security point solutions, like dedicated antivirus (AV) or Intrusion Prevention Systems (IPS). Each point solution came with a limited view of network traffic, mainly focused on HTTP (port 80) and HTTPS (port 443) traffic. Each solution also added to the complexity of the security infrastructure, while still not improving visibility into non-web traffic.

Web proxies are inherently slow. The effort needed to inspect HTTP and HTTPS traffic inline results in growing network latency, especially in today’s accelerating business environment with ever-increasing web traffic. Web content has become so dynamic that the latencies associated with proxy web traffic inspection have become a major burden to IT departments. Companies started to deploy multiple proxy appliances just to keep up with network requirements, adding to an already complex network environment.

The explosive growth of web- and network-based applications, combined with the changing threat landscape, and the fast adoption of mobile access technology in the work place brought with it the need for less complex, more comprehensive, and higher performing solutions that address the needs of today’s business environment. Let’s take a closer look at why more and more businesses are choosing to move away from proxies.


The Increasing Irrelevance of Proxies

Limited visibility into ports and protocols

The list of applications and protocols supported by most proxies is limited to a handful of applications (e.g. web-based clients and media streaming) and specific protocols, such as HTTP (port 80), HTTPS (port 443), and FTP (port 21). While many applications are web-based by design, and are using ports 80 or 443, some very common applications, like Skype, BitTorrent, or Lync are capable of dynamically seeking out and utilizing any available port on the network.

These port-hopping capabilities allow these applications to scale, be responsive, service the needs of the user… and bypass the limited visibility and security technologies of proxy-based devices.

Similarly, proxies are limited in their ability to protect against evasive techniques used by tools such as open proxy servers (e.g. PHProxy or CGIproxy), or anonymizers (e.g. Tor or Hamachi).

Scanning determined by URL category, not content

With their origin in URL categorization, the security functionality of proxies is built around that capability. Security decisions are made based on URL categorization, with the majority of identified web requests bypassing additional security engines. Only a small amount of all web traffic is sent for content inspection, since the URL category determines what is analyzed for content. This prioritization of URL categories over actual content is accompanied by a higher exposure to threats and decreased security.
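To make the two failure modes described above concrete (port-based visibility that misses port-hopping traffic, and content inspection gated on URL category), here is an added toy model in Python; it is not code from the whitepaper or from any vendor product. The protocol prefixes it matches are real, while the hosts, categories and sample flows are constructed for the illustration.

```python
"""Toy model of the two classification approaches the paper contrasts.
Constructed example, not code from the whitepaper or any product: the
protocol prefixes are real, the hosts and flows are made up."""
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    host: str        # name the client asked for; "" when there is none
    payload: bytes   # first bytes the client sent

# Proxy model: the port says what the protocol is ...
PORT_MAP = {80: "http", 443: "https", 21: "ftp"}
# ... and the URL category decides whether content is inspected at all.
URL_CATEGORY = {"intranet.example": "business", "files.example": "file-sharing"}
SCAN_CATEGORIES = {"file-sharing", "unknown"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}

def identify_app(payload: bytes) -> str:
    """Port-agnostic identification from the first client bytes."""
    if payload.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer handshake
        return "bittorrent"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                                       # TLS handshake record
    line = payload.split(b"\r\n", 1)[0]
    if line.split(b" ")[0] in HTTP_METHODS and b" HTTP/" in line:
        return "http"
    return "unknown"

def proxy_view(flow: Flow) -> tuple[str, str]:
    """(protocol as the proxy sees it, what happens to the content)."""
    proto = PORT_MAP.get(flow.dst_port, "unknown")
    if proto not in ("http", "https"):
        return proto, "unseen"            # never steered to the proxy
    category = URL_CATEGORY.get(flow.host, "unknown")
    return proto, ("scanned" if category in SCAN_CATEGORIES else "bypassed")

def platform_view(flow: Flow) -> tuple[str, str]:
    """Content-first model: identify on any port, inspect everything allowed."""
    return identify_app(flow.payload), "scanned"

# Constructed sample flows (no real hosts or peers).
SAMPLE_FLOWS = [
    Flow(80, "intranet.example", b"GET /report HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow(443, "", b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
    Flow(8080, "files.example", b"GET /tool.exe HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    Flow(443, "files.example", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

def compare(flows=SAMPLE_FLOWS):
    """Side by side: what the proxy concludes versus what the content shows."""
    return [(proxy_view(f), platform_view(f)) for f in flows]

if __name__ == "__main__":
    for flow, (proxy, platform) in zip(SAMPLE_FLOWS, compare()):
        print(f"port {flow.dst_port:>5}: proxy={proxy}  content-first={platform}")
```

The intranet request on port 80 is never content-scanned by the proxy model because its category is trusted, the BitTorrent handshake on 443 is labelled "https" by port alone, and the HTTP download on 8080 never reaches the proxy at all.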

Decreased network performance

Proxy-based devices require significantly more computing resources due to the additional proxy connections being established between the source client, the proxy device, and the destination server. These workload demands, along with the latency introduced with proxied connections, have relegated proxy-based devices to be deployed where rapid throughput and high scalability are not key requirements. Confining the placement of proxies to a small portion of traffic on the network can help; otherwise the entire organization’s network performance may suffer.

Growing application bypass lists

To address the performance issues of proxies, web security vendors are constantly increasing the list of applications that bypass the security engines. This application bypass list is often determined by the security vendor and cannot be modified by the customer. In addition, vendors provide their customers with the option to create their own application bypass lists. These lists impose arbitrary limitations on the capabilities of the purchased security solution, and reduce its effectiveness.

Slow adoption of new security functionality

Proxy-based products struggle to keep pace with the rapid development of new applications and updates of existing applications or protocols. Proxies simply can’t scale appropriately to keep pace with the highly dynamic content of the Internet and Web 2.0 applications that continually undergo updates and improvements.

Interruptive Technology

With proxy deployments, all users across the organization must have their traffic requests steered to the proxy-based device. There are two primary proxy deployment methods, explicit and transparent; both involve complex implementations and include unique challenges. In both scenarios, traffic egress points need to be cut and proxies need to be physically inserted, resulting in major traffic interruptions and frequent traffic-flow complications.

An Administrative and Financial Nightmare

Deployments of proxy-based solutions are becoming increasingly complex in order to keep up with today’s web security requirements. Antivirus appliances, external database servers, management


deploy a proxy solution. This bolt-on approach is becoming increasingly pricey and difficult to manage. As can be seen in figure 1 below, a typical deployment of a proxy solution is crying out for simplification.

Figure 1: A typical Proxy deployment is too complex for today’s business environment

The Beauty of Integrating Web Security into a Next-Generation Security Platform

Unlike proxy solutions, next-generation security platforms have complete visibility into network ports and applications. The Palo Alto Networks® next generation security platform tackles the fundamental problems associated with proxy-based security solutions, including standalone URL filtering. It combines the benefits of Threat Prevention, Sandboxing, and URL filtering with the comprehensive application control of the Palo Alto Networks next-generation firewall and eliminates compromise by natively classifying all traffic, identifying the application regardless of port, determining the content, malicious or otherwise, and mapping the traffic to the user, regardless of location or device type.

This allows companies to achieve their security objectives without the latency or complexity of proxy deployments:

• Gain unprecedented visibility into the applications, the related content and users with actionable intelligence for policy setting, forensics and reporting

• Safely enable applications, allowing only those you need to run the business and implicitly denying all others

• Prevent known threats by eliminating unwanted applications to reduce your threat footprint and applying port-agnostic threat prevention to allowed traffic

“I No Longer Needed Their Proxies”

A top technology provider for a global consulting firm currently protects approximately 8,000 users via a High Availability (HA) pair of Palo Alto Networks PA-5020 security platforms at their network perimeter. These appliances integrated smoothly with the customer’s existing high-speed switching gear, and were placed in front of their standalone, proxy-based URL filtering devices.

Seven months after having deployed the Palo Alto Networks security platform, the network design consultant realized that their proxy appliances hadn’t been logging any security alerts. Upon investigation, they learned the Palo Alto Networks equipment was catching all of the malware and continued to protect their network against threats.

The customer decided to disconnect and decommission their proxy-based appliances, simplifying network architecture and saving operational and capital expenses.

[Figure 1 components: SQL Server, LB, Log Server, Firewall, Policy Server, Web Proxy, Management Server, Transparent Identification Agent, SIEM, HA]


• Block unknown threats that could potentially come through newly developed cloud applications with real-time sandbox-based behavioral analysis and automated signature delivery

A Unified, Comprehensive Security Platform for Known and Unknown Threats

The Palo Alto Networks next generation security platform—a combination of next-generation firewall and advanced threat prevention technologies—delivers visibility into, and control over, applications, users, and content for enterprise data networks to protect against known and unknown threats alike. Tightly integrated technologies identify the applications in use across all ports, search for threats within the content, and identify the user associated with the event. Advanced threat technologies continually look for and block known and unknown threats inside the application traffic.

The first task executed by the Palo Alto Networks next generation security platform is to determine the precise identity of the application regardless of port, protocol, or evasive technique employed; the identity then becomes the basis of the firewall security policy. The Palo Alto Networks next generation security platform is continually updated with information on the latest applications and threats, along with malware details collected by the WildFire cloud-based virtual environment.

Easy-to-Deploy, Integrated Technology

Deploying network security technology from Palo Alto Networks is easy and doesn’t require multiple, independently managed endpoint solutions, or hardware components. With a single policy, all Palo Alto Networks security technologies can be brought to bear against that policy’s traffic. An administrator simply specifies one or more security profiles within the management console, creating effective security policies. Palo Alto Networks security platforms offer flexible deployment modes along with a rich set of networking features, allowing network engineers to easily insert the network security platform into any existing network architectural design.

Complete Visibility without the Latency of a Proxy

The Palo Alto Networks platform sees all network traffic across all ports. Predictable, high-speed performance is achieved through a single-pass software engine combining application, content and user ID, along with a purpose-built hardware platform that uses function-specific processing for networking, security, threat prevention, and management functions.

Dynamic, Contextual Policies – More than URL Filtering and Web Security

Complete visibility and control over applications, users and content arm security

“A True Solution Shouldn’t Take Forever”

A Canadian organization in the energy industry with one thousand employees struggled with implementing proxy devices into their network environment.

They spent an entire year toiling with their proxies, but couldn’t get them to work to their satisfaction—resulting in six to seven use cases they never fully solved.

Palo Alto Networks offered a solution evaluation. Installing the equipment using a Layer 1 (Virtual Wire) deployment mode, the engineer was able to solve all of the company’s proxy problems in just half a day.

This compelling demonstration convinced the customer to purchase several Palo Alto Networks solutions and manage them with a Palo Alto Networks Panorama central management console.

Palo Alto Networks offers a next generation security platform that safely enables all applications through granular use of controls and prevention of known and unknown cyber threats for all users on any device across any network.


to use in creating dynamic, contextual policies. In contrast, traditional standalone URL filtering and web security devices, such as proxies, only see a small portion of network traffic and focus solely on classifying websites into defined URL categories. They lack the shared intelligence that the Palo Alto Networks next generation security platform offers.

The Palo Alto Networks URL filtering security profile works alongside all other integrated technologies and available security profiles, thereby creating a complete threat protection framework, using context gained from the network traffic. For example, Palo Alto Networks App-ID technology perfectly complements the URL filtering security profile to enforce control of network activity, while preventing the use of URL filtering avoidance tools. Identifying the application, who the user is and where they’re coming from is a powerful capability in policy enforcement, especially when combined with URL filtering and threat prevention security profiles. Ultimately, this liberates security administrators to create policies that safely enable traffic, versus simply blocking or allowing traffic for a specific URL category.

Protection across the entire network for all devices

The next generation security platform can be seamlessly extended from on-premises protection to remote and mobile users with GlobalProtect mobile user protection and Traps endpoint protection.

Both technologies extend policies seamlessly to remote, mobile, and endpoint users. This eliminates the need for additional point solutions, which would increase the complexity of a proxy deployment even more.

Figure 2: Palo Alto Networks Next Generation Security Platform

[Figure 2 labels: Natively Integrated, Extensible, Automated; Next-Generation Firewall, Advanced Endpoint Protection, Threat Intelligence Cloud]


4401 Great America Parkway Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,

Moving Beyond Proxies with Palo Alto Networks Next Generation Security Platform

As applications and threats continue to evolve, it becomes increasingly difficult for some organizations to secure their networks without getting in the way of their employees conducting business. Challenges unfold as diverse users roam the network with an assortment of company-owned and personal devices, accessing new types of applications that communicate across many different network ports and protocols. Although proxy-based devices support the original capabilities of traditional firewalls with an added degree of visibility and control over web traffic, that visibility is restricted to a limited number of protocols such as HTTP (port 80) and HTTPS (port 443).

Palo Alto Networks delivers a next generation security platform to secure corporate networks, utilizing dynamic policies that take advantage of the context shared between applications, users, and content gleaned from the platform’s central location within the network. The platform provides complete network visibility to apply granular security over an organization’s users and safe enablement of their applications—regardless of ports, protocols, or evasive techniques.

Implementing next-generation security and threat prevention technologies from Palo Alto Networks provides IT organizations the confidence to reevaluate their original requirements for utilizing proxy-based devices, like standalone URL filtering solutions.

Contact your Palo Alto Networks authorized reseller to learn more and arrange an online or in-person demonstration.
