
The next-generation firewall made history.
Now it may be history.

Detecting and stopping today’s advanced threats requires more than traditional stateful or next-generation firewalls.

Threats are lurking in encrypted traffic

The dramatic explosion in encrypted traffic in the last few years has allowed hackers to leverage SSL to infect users, shroud data exfiltration, and hide C&C communications. Today, 54 percent of advanced threats hide behind SSL. It’s no longer optional – you must conduct SSL inspection to ensure security and protect your users.

Source: Google Transparency Report 2016

Traditional firewalls struggle to inspect encrypted traffic

Unfortunately, traditional firewalls were not designed to decrypt your traffic. SSL inspection is processor-intensive, and most firewall appliances simply can’t handle it: performance grinds to a halt when they try. As a result, inspecting SSL on an appliance often requires you to upgrade your hardware to support it.

To detect SSL-encrypted malware at scale, you need a proxy-based architecture in the cloud

Zscaler Cloud Firewall is built upon a highly scalable proxy architecture that handles SSL inspection at scale. Our footprint allows us to process increasing SSL bandwidth and sessions without costly upgrades or reduced inspection. As a result, you get limitless SSL decryption on all ports at a flat per-user cost.

Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.

Traditional firewalls have blind spots

Traditional firewalls leverage IPS and AV to protect against signature-based threats, which make up a small fraction of the total threat landscape. But almost ninety percent of signatures were written for HTTP and DNS [2]. To fully inspect HTTP and DNS traffic, you must have a proxy-based architecture; signature-based protection is no longer enough.

Source: [2] ThreatLabZ analysis of Snort free registered user ruleset, snapshot 2990: outbound, active, vulnerabilities

Protecting your most vulnerable protocols

Zscaler Cloud Firewall uses an advanced deep packet inspection engine and proxy-based architecture to proxy everything that appears to be HTTP/HTTPS, DNS, or FTP traffic, regardless of the port. So you can find more threats in your most vulnerable protocols, whether your users are at HQ, in a branch office, or working remotely.
