Why Proxy-Based Firewalls Are Not Enough


Proxy-based firewalls or web proxies have been considered an essential security component for some time now, but the question remains: Can proxies really help keep users safe?

The first proxy-based firewalls achieved the basic task of controlling which websites users could access on the Internet. Since then, the technology has developed and evolved to provide additional features like malware detection and blocking, in-line data loss prevention (DLP), SSL/TLS inspection and bandwidth control.

However, web proxies have significant drawbacks that limit their value as security controls.

  1. Implementation

The way proxy-based firewalls are deployed makes it likely that some traffic never reaches them. The most common way to deploy a cloud proxy-based firewall is with a Proxy Auto Configuration (PAC) file or by explicitly specifying a proxy server address in the user's operating system and browser settings.

A PAC file is JavaScript that defines a single function, FindProxyForURL(url, host), which the browser calls for each request. Its return value names the proxy to use ("PROXY host:port") or sends the request straight to the Internet ("DIRECT"). Explicit proxy deployments send all browser traffic through the configured proxy server.

The primary issues with both deployments:

  • Not all applications are proxy-aware. Some applications ignore the operating system's proxy settings and always send their traffic directly out.
  • Savvy users can easily bypass proxy servers using a VPN, server-side browsing apps (such as Puffin Browser), anonymous and encrypted browsing apps (such as Tor Browser) or other methods.
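To make the gap concrete, here is an added example (not code from the original post) that loads a PAC file with the helper functions a browser would provide and reports which destinations never reach the proxy at all. The PAC text, the proxy hostname proxy.corp.example and the destination URLs are all constructed for the illustration; the helper functions are reimplemented here so the audit runs offline.

```javascript
// Added example, not code from the original post: audit a PAC file for
// destinations that bypass the proxy. A PAC file is JavaScript defining
// FindProxyForURL(url, host); it returns a proxy list such as
// "PROXY proxy.corp.example:8080", or the literal "DIRECT". Anything that
// resolves to DIRECT never reaches the proxy and is never inspected.
// The PAC text, proxy hostname and destinations below are constructed.

// Minimal versions of the helper functions a browser exposes to PAC code
// (only those the sample PAC uses). Network-dependent helpers such as
// isInNet() and dnsResolve() are deliberately left out so this runs offline.
const pacHelpers = {
  // True when the host has no dots, e.g. "intranet".
  isPlainHostName: (host) => !host.includes("."),
  // True when host equals domain or ends with it, e.g. ("hr.corp.example", ".corp.example").
  dnsDomainIs: (host, domain) => host === domain || host.endsWith(domain),
  // Shell-style glob: "*" matches any run of characters, "?" exactly one.
  shExpMatch: (str, shexp) => {
    const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  },
};

// Constructed PAC file with the kinds of exceptions that accumulate in practice.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  // Internal names go straight out, uninspected.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // A vendor exception added to fix a broken agent and never revisited.
  if (shExpMatch(host, "*.updates.vendor.example")) {
    return "DIRECT";
  }
  // Non-standard port the proxy could not handle.
  if (shExpMatch(url, "*:8443/*")) {
    return "DIRECT";
  }
  // Plain HTTP falls back to DIRECT when the proxy is unreachable (fail-open).
  if (shExpMatch(url, "http:*")) {
    return "PROXY proxy.corp.example:8080; DIRECT";
  }
  return "PROXY proxy.corp.example:8080";
}
`;

// Evaluate the PAC text with the helper functions in scope and return its
// FindProxyForURL. This executes whatever the PAC contains, which is the
// same trust a browser places in a PAC fetched over the network.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Classify one URL: "direct" (never proxied), "fail-open" (proxied, but
// silently goes direct if the proxy is down) or "proxied".
function classify(findProxyForURL, url) {
  const host = new URL(url).hostname;
  const result = findProxyForURL(url, host);
  const entries = result.split(";").map((s) => s.trim()).filter(Boolean);
  let bypass = "proxied";
  if (entries[0] === "DIRECT") bypass = "direct";
  else if (entries.includes("DIRECT")) bypass = "fail-open";
  return { url, result, bypass };
}

function auditPac(pacSource, urls) {
  const findProxyForURL = loadPac(pacSource);
  return urls.map((u) => classify(findProxyForURL, u));
}

// Count destinations per category so the gap is visible at a glance.
function summarize(results) {
  const counts = { direct: 0, "fail-open": 0, proxied: 0 };
  for (const r of results) counts[r.bypass] += 1;
  return counts;
}

// Constructed destinations a user might reach.
const SAMPLE_URLS = [
  "http://intranet/",
  "https://hr.corp.example/payroll",
  "https://cdn.updates.vendor.example/agent.exe",
  "https://files.example.net:8443/upload",
  "http://www.example.org/",
  "https://www.example.com/",
];

for (const r of auditPac(SAMPLE_PAC, SAMPLE_URLS)) {
  console.log(`${r.bypass.padEnd(9)} ${r.url} -> ${r.result}`);
}
console.log(summarize(auditPac(SAMPLE_PAC, SAMPLE_URLS)));
```

Run it with node and it prints one line per destination. Two things are worth checking in any real PAC file: rules that return DIRECT outright, since those destinations are never inspected, and proxy lists that end in "; DIRECT", which fail open to the Internet whenever the proxy is unreachable. Neither check says anything about applications that ignore the PAC file entirely; that traffic is invisible to the proxy no matter how the rules are written.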

  2. Effectiveness

Proxy-based firewalls were never designed to deal with modern security threats and only inspect a limited number of protocols such as HTTP, HTTPS, FTP and DNS. Relying on web proxies alone therefore leaves significant blind spots: traffic on non-standard ports or spread across multiple protocols cannot be identified as a particular application or threat. Additionally, some applications are not compatible with proxies at all and must be exempted from the proxy entirely, which removes them from inspection.

A New Approach: Secure Access Service Edge (SASE)

Secure access service edge (SASE) is emerging as a solution to the challenges of legacy web proxy solutions by providing complete Zero Trust access to the Internet, SaaS applications and privately hosted applications. A true SASE solution combines networking and security services delivered from the cloud. This includes a variety of technologies such as cloud access security broker (CASB), Zero Trust Network Access (ZTNA), firewall as a service (FWaaS), advanced threat prevention and others.

SASE products are cloud native, which gives them the scale to carry all user traffic and the visibility and control to enforce policy on it. Because of this, SASE can accept multiple connection types, such as IPsec or SSL VPN tunnels, from both endpoints and branch offices, so that security is enforced for all traffic all the time. Policy actions then become business decisions instead of forced compromises due to technical limitations.

Picking a cloud-based security partner is not a decision that should be taken lightly. Consider the methods, scale and effectiveness of any technology before purchasing. Palo Alto Networks is revolutionizing the way companies transform their networking and security infrastructure. Prisma Access is the industry’s most comprehensive SASE solution. It delivers the networking and security that organizations need in an architecture designed for all traffic, all applications and all users. 

Learn more about the key components of SASE in our 10 Tenets of a Comprehensive SASE Solution ebook.

This blog is part of a series explaining the modern realities of cloud security. Read the next entry, “Secure Connectivity Is the Only Connectivity.”