The next-generation firewall made history.
Now, it may be history.
Detecting and stopping today’s advanced threats requires more than traditional stateful or next-generation firewalls.
Threats are lurking in encrypted traffic
The dramatic explosion in encrypted traffic in the last few years has allowed hackers to leverage SSL to infect users, shroud data exfiltration, and hide C&C communications. Today, 54% of advanced threats hide behind SSL. It’s no longer optional – you must conduct SSL inspection to ensure security and protect your users.
Source: Google Transparency Report 2016
Traditional firewalls struggle to inspect encrypted traffic
Unfortunately, traditional firewalls were not designed to decrypt your traffic. SSL inspection is processor intensive, and most firewall appliances simply can’t handle it: performance grinds to a halt when they try. As a result, inspecting SSL on an appliance often requires you to upgrade your hardware to support it.
To detect SSL-encrypted malware at scale, you need a proxy-based architecture in the cloud
Zscaler Cloud Firewall is built upon a highly scalable proxy architecture that handles SSL inspection at scale. Our footprint allows us to process increasing SSL bandwidth and sessions without costly upgrades or reduced inspection. As a result, you get limitless SSL decryption on all ports at a flat per-user cost.
Traditional firewalls have blind spots
Traditional firewalls leverage IPS and AV to protect against signature-based threats, which make up a small fraction of the total threat landscape. But almost ninety percent of signatures were written for HTTP and DNS [2]. To fully inspect HTTP and DNS traffic, you must have a proxy-based architecture—signature-based protection is no longer enough.
Source: [2] ThreatLabz analysis of Snort free registered user ruleset, snapshot 2990: outbound, active, vulnerabilities
Protecting your most vulnerable protocols
Zscaler Cloud Firewall uses an advanced deep packet inspection engine and proxy-based architecture to proxy everything that appears to be HTTP/HTTPS, DNS, or FTP traffic, regardless of the port. So you get the ability to find more threats for your most vulnerable protocols – whether your users are at HQ, at a branch office, or remote.