Cisco firewall upgrade boosts visibility into encrypted traffic

The software that runs Cisco’s new Firewall 4200 Series now includes the ability to see into encrypted traffic without decrypting it, which the vendor says will allow enterprise customers to better protect hybrid and multicloud applications.

The enhanced Cisco Encrypted Visibility Engine (EVE) is part of the 7.4 version of the Secure Firewall operating system. Version 7.4 also includes zero-trust capabilities and improved application access control. The 4200 Series’ operating system also helps improve overall firewall performance – it’s twice as fast as previous high-end Cisco firewalls, the company says.

EVE, which has been available since version 7.2 of the software, takes things further than traditional firewalls because it now lets customers detect the client application within an encrypted tunnel, according to Rick Miles, vice president of product management, cloud and network security in Cisco’s security business group.

“With [EVE], we can tell what kind of client application is running inside, keeping your network from going dark. The firewall administrator can block traffic based on the application the client is using, such as a malicious app or a shadow IT app,” Miles said.

According to the Google Transparency Report from June 2023, almost 95% of Internet traffic is encrypted. When traffic is encrypted, organizations lose visibility, Miles said. “Typically, organizations would decrypt traffic at the firewall, analyze it, then re-encrypt it before allowing it into the network. However, modern encryption protocols such as TLS 1.3 and QUIC [part of the 7.4 release] make it even more difficult to gain visibility,” Miles said.

“What our competitors are saying is ‘just decrypt everything.’ But we know in the real world, customers refrain from doing that due to data privacy concerns and to meet legal/compliance requirements. Furthermore, decrypting and re-encrypting data requires technical prowess not everyone has, increases the attack surface, and also causes severe performance challenges,” Miles said.

EVE works by extracting two primary types of data features from the initial packet of a network connection, according to a blog written by Blake Anderson, a software engineer in Cisco’s advanced security research group. First, information about the client is represented by the Network Protocol Fingerprint (NPF), which extracts sequences of bytes from the initial packet and is indicative of the process, library, and/or operating system that initiated the connection. Second, it extracts information about the server such as its IP address, port, and domain name (for example a TLS server_name or HTTP Host).

“EVE then identifies the client process by using machine learning built on top of an extensive collection of labeled data that is updated daily, allowing EVE to identify malicious, encrypted traffic even when it is destined for a trustworthy service,” Anderson wrote.

EVE gathers up-to-date network and security trend data and signature information from a variety of sources, including Cisco Talos security research, to conduct traffic threat scoring and block traffic based on those results, Miles said.

“[In addition] we have recently added support for HTTP. While HTTP is not an encrypted protocol, the EVE concepts of simultaneously analyzing the NPF/server information and continuous data collection have proven valuable. This is especially true given the trend of benign processes and operating systems moving away from unencrypted HTTP,” Anderson wrote.

The overarching idea with EVE is to help security operations teams more quickly spot applications that are not authorized to use the network and discover malware that is using encryption to avoid detection, Miles said.

“Our application security strategy, part of a more holistic approach, is based on the premise that our hybrid and multicloud world is increasingly becoming more complex and harder to protect,” Miles said.

Cisco’s Secure Firewall 4200 Series will be generally available in September with version 7.4 OS support. The 7.4 OS will be available for the rest of the Secure Firewall appliance family in December of this year. Organizations can enable EVE by clicking a button in the Secure Firewall Management Center. No complex configuration or advanced knowledge of encryption is required, Miles said.

Cisco’s latest security moves

Cisco has made a number of cloud-related application security enhancements recently, including a new service called Multicloud Defense that will help customer security operations teams manage workload security across AWS, Google Cloud, Azure, and Oracle Cloud Infrastructure services.

“Cisco Multicloud Defense brings together distributed Layer-7 protection, web application firewall (WAF), and data loss prevention (DLP) capabilities managed through a single, dynamic policy,” Miles wrote in a recent blog.

“It acts as the interpreter across clouds and uses gateways, which are distributed across customer VPCs, as enforcement points for security policies. This enables Multicloud Defense to stop threats that target applications, block command & control, prevent data exfiltration, and mitigate lateral movement,” Miles stated. 

Cisco also enhanced its Panoptica cloud-native application security software. Panoptica lets developers and engineers provide cloud-native security from application development to runtime. It offers a single interface for container, serverless, API, service mesh, and Kubernetes security, it scales across multiple clusters with an agentless architecture, and it integrates with CI/CD tools and language frameworks across multiple clouds.

The idea is to allow developers to embed security-centric or security-conscious decisions earlier in the software development lifecycle, Cisco stated.

The importance of application security protection is growing, with IDC predicting that the application protection and availability market will increase from $2.5 billion in 2021 to $5.7 billion by 2026.

“Applications provide a unique vantage point in the security architecture. Applications enable functionality, and the manner in which users interact with this functionality is a good indicator of abuse and misuse, and ultimately malicious intent. This insight is unique and difficult to glean from other sources of security telemetry such as network firewalls,” IDC wrote in its latest application protection and availability forecast.