“Next-Generation” firewalls provide functionality well beyond traditional filtering capabilities. They offer deep protocol inspection, application identification, user-based filtering, VPN functionality and more.
While this significantly increases the attack surface of these devices, little public research is available. In this talk I will present an in-depth analysis of one of the leading NGFW solutions: PAN-OS. Besides describing the overall system architecture, I will discuss and demonstrate several critical vulnerabilities in the different components that can result in a full remote compromise of the appliance. To go beyond 2015 & the pure bashing of security appliances, I’ll also present some positive insights.