Proxy-based firewalls or web proxies have been considered an essential security component for some time now, but the question remains: Can proxies really help keep users safe?
The first proxy-based firewalls achieved the basic task of controlling which websites users could access on the Internet. Since then, the technology has developed and evolved to provide additional features like malware detection and blocking, in-line data loss prevention (DLP), SSL/TLS inspection and bandwidth control.
However, web proxies have significant drawbacks that prevent them from being effective security tools.
The technical details of how proxy-based firewalls are implemented make it likely that they won’t protect all traffic. The most common way to deploy a cloud proxy-based firewall is by using a Proxy Auto Configuration (PAC) file or explicitly specifying a proxy server address in a user’s operating system and browser settings.
The primary issues with both of these deployments:
- Not all applications are proxy-aware. Some applications ignore system configurations for proxy servers and will always send their traffic directly out.
- Savvy users can easily bypass proxy servers using VPN, server-side browsing apps (such as Puffin Browser), anonymous and encrypted browsing apps (such as Tor Browser) or other methods.
Proxy-based firewalls were never designed to deal with modern security threats and only inspect a limited number of protocols such as HTTP, HTTPS, FTP and DNS. This means that using only web proxies leads to significant blind spots in traffic and an inability to identify applications and threats on non-standard ports or across multiple protocols. Additionally, some applications aren’t compatible with proxies at all and must be bypassed.
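As an added illustration of the PAC-file deployment and its blind spots described above (not code from the original post), here is a minimal PAC file with the kinds of exceptions the post mentions, plus a small check of which destinations it sends past the proxy. The host names, the proxy address and the helper implementations are assumptions; in a browser, dnsDomainIs, isPlainHostName and shExpMatch are supplied by the PAC engine.

```javascript
// Stand-ins for the helpers a browser's PAC engine normally provides
// (assumed minimal implementations, not the browser's own).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// The PAC entry point; the browser calls this for every request.
function FindProxyForURL(url, host) {
  // Plain intranet names and the corporate domain (placeholder) go DIRECT:
  // the proxy never sees this traffic.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Exception for an application that is not proxy-compatible (placeholder).
  if (shExpMatch(host, "*.legacy-app.example")) return "DIRECT";
  // Everything else goes via the cloud proxy (placeholder address). The trailing
  // "DIRECT" fallback fails open if the proxy is unreachable, another blind spot.
  return "PROXY proxy.example.net:8080; DIRECT";
}

// Constructed sample destinations for the check below.
const SAMPLE = [
  { url: "https://www.example.com/", host: "www.example.com" },
  { url: "http://wiki/", host: "wiki" },
  { url: "https://files.corp.example/", host: "files.corp.example" },
  { url: "https://api.legacy-app.example/", host: "api.legacy-app.example" },
];

// Split destinations into those the proxy will inspect and those it never sees.
function classify(destinations) {
  const result = { proxied: [], direct: [] };
  for (const { url, host } of destinations) {
    const decision = FindProxyForURL(url, host);
    (decision.startsWith("PROXY") ? result.proxied : result.direct).push(host);
  }
  return result;
}

console.log(classify(SAMPLE));
// → { proxied: [ 'www.example.com' ], direct: [ 'wiki', 'files.corp.example', 'api.legacy-app.example' ] }
```

Only one of the four sample destinations is ever inspected by the proxy; everything listed under `direct` is traffic the proxy-based firewall cannot see, before any non-proxy-aware application or user bypass is even considered.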
A New Approach: Secure Access Service Edge (SASE)
Secure access service edge (SASE) is emerging as a solution to the challenges of legacy web proxy solutions by providing complete Zero Trust access to the Internet, SaaS applications and privately hosted applications. A true SASE solution combines networking and security services delivered from the cloud. This includes a variety of technologies such as cloud access security broker (CASB), Zero Trust Network Access (ZTNA), firewall as a service (FWaaS), advanced threat prevention and others. SASE products are cloud native, which allows dynamic scaling and gives more control and visibility over user traffic. Because of this, SASE allows the use of multiple technologies, like IPSec or SSL VPN, on both endpoints and in branch offices, enabling security enforcement for all traffic all the time. Policy actions then become business decisions, instead of forced compromises due to technical limitations.