Advanced evasion firewalls are here to stay
Firewalls of yesterday were largely static devices: routing rules, security zones, and databases of known-bad signatures. That model worked when threats were noisy, predictable, and exploit-driven—teardrop attacks, ping-of-death, and similar patterns that could be matched and dropped.
Modern attacks no longer cooperate with that model.
Modern threats, however, have long since surpassed the ability of these on-premises firewalls to block them, hiding their tracks through JavaScript obfuscation, protocol tunneling, Living Off the Land (LOtL) tactics, and other Advanced Evasive Techniques (AETs). AETs do not necessarily rely on zero-day exploits; they rely on manipulating the delivery mechanism so that inspection never sees the payload as a whole. The impact, however, is the same.
Some of the advanced techniques that traditional firewalls might miss include:
IP Fragmentation Attacks
A malicious payload is split across multiple packets. If a firewall only inspects initial fragments or fails to reassemble traffic correctly, the signature never materializes.
TCP Segmentation Attacks
The attacker sends overlapping TCP segments with identical sequence numbers but different payloads. The firewall accepts the benign segment; the endpoint OS later reconstructs and executes the malicious one.
Session Splicing (Low-and-Slow Attacks)
Payloads are delivered byte-by-byte over long intervals. This defeats time-bound inspection engines and overwhelms state tracking.
These are only a few examples; new ones appear all the time.
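As an added example (not code from the original article), the following shows the reassembly ambiguity behind the TCP segmentation case above from a detection standpoint: a per-flow tracker records the first-seen and last-seen byte at each stream offset, flags any overlap whose bytes disagree with data already accepted, and reconstructs the stream under both policies so the difference a firewall and an endpoint could see is visible. The segments and HTTP request are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # relative sequence number of the first payload byte
    data: bytes


@dataclass
class FlowTracker:
    """Tracks one direction of a TCP flow by stream offset."""
    first: dict = field(default_factory=dict)      # offset -> byte first seen
    last: dict = field(default_factory=dict)       # offset -> byte most recently seen
    conflicts: list = field(default_factory=list)  # (offset, old_byte, new_byte)

    def add(self, seg: Segment) -> bool:
        """Record a segment; return True if it overlaps earlier data inconsistently.
        A plain retransmission (same bytes, same offsets) is not a conflict."""
        conflict = False
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in self.first and self.first[off] != b:
                conflict = True
                self.conflicts.append((off, self.first[off], b))
            self.first.setdefault(off, b)
            self.last[off] = b
        return conflict

    def reassemble(self, policy: str = "first") -> bytes:
        """Rebuild the stream under a first-wins or last-wins overlap policy."""
        table = self.first if policy == "first" else self.last
        return bytes(table[k] for k in sorted(table))


# Constructed sample: a benign request, then a segment that overlaps
# offsets 4..13 with different bytes (the condition described above).
SAMPLE_SEGMENTS = [
    Segment(0, b"GET /index.html HTTP/1.1\r\n"),
    Segment(4, b"/admin.php"),
]


def analyze(segments: list) -> dict:
    """Return whether the flow is ambiguous and what each policy would yield."""
    tracker = FlowTracker()
    flags = [tracker.add(s) for s in segments]   # list, not any(): inspect every segment
    return {
        "ambiguous": any(flags),
        "conflicts": len(tracker.conflicts),
        "first_wins": tracker.reassemble("first"),
        "last_wins": tracker.reassemble("last"),
    }
```

Any flow reported as ambiguous should be dropped or alerted on rather than matched against signatures under a single policy, because the inspection engine cannot know which version the receiving OS will use.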
Adapting to the cloud
The failure of signature-based inspection becomes even more pronounced in cloud environments.
It is not just a matter of "lift and shift" workloads moving directly to the cloud; the picture is more complex. While some Advanced Cloud Firewall (ACFW) vendors have stepped up their game and optimized their codebase specifically to leverage (and accommodate) cloud-specific architecture, others have not. For example, hardware firewalls rely on dedicated acceleration such as FPGAs and custom ASICs to handle high traffic loads. Typical cloud instance types, like c5.xlarge, are optimized for general compute rather than network performance, so they can choke under heavy load.
Cloud firewalls also need to guard not only north-south traffic but east-west traffic between "trusted" zones running behind the firewall. East-west traffic often carries higher implicit trust, and typically receives less inspection, making it a prime target for lateral movement if perimeter controls fail.
Then there is the attack volume: cloud attack floods come fast and from all directions, as the recent spike in cloud-centric breaches shows. The sheer velocity of attacks against publicly facing cloud perimeters is staggering, high enough to cripple throughput and shut an organization down, so the ability to blunt attacks while still passing legitimate traffic is paramount.
A firewall that can't see through evasion at scale isn't a firewall; it's a bottleneck with a false sense of security. Want to know which ACFWs do better or worse in real-world testing? Drop us a line.
