Application-layer firewalling: Raise your perimeter IQ Joel Snyder Opus One
Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard Support from Andy Briney, Neil Roiter at Information Security Acknowledgements http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time “[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990) First firewalls deployed in Internet-connected organizations CheckPoint revenues cross $100m “Firewalls and Internet Security” published WatchGuard introduces 1st FW appliance Cisco buys PIX (Network Translation) TIS toolkit commonly available 1989 1991 1993 1995 1997 1999 2001 2003 2005
Clear market trends Faster Cheaper Smaller New Guard: NetScreen (Juniper), Watchguard, SonicWALL Old Guard: Cisco, Check Point Clear product trends Add VPN features Site-to-site Remote Access (?) Add policy-based URL control Websense-type Add interfaces No longer just inside, outside, DMZ Surely firewall makers have been busy since 1999 ?
Clear market trends Faster Cheaper Smaller New Guard: NetScreen (Juniper), Watchguard, SonicWALL Old Guard: Cisco, Check Point Clear product trends Add VPN features Site-to-site Remote Access (?) Add policy-based URL control Websense-type Add interfaces No longer just inside, outside, DMZ Shirley firewall makers have been busy since 1999 ?
Incremental improvements are not very exciting • Smaller, cheaper, faster: that’s great • VPNs, more interfaces: that’s great • But what have you done for me lately? • To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Proxy More secure because you can look at application data stream More secure because you have independent TCP stacks Stateful PF Faster to write Faster to adapt Faster to run Faster also means cheaper Arguments between Proxy and Stateful PF continued
Proxy-based firewalls aren’t dead… just slow! Process Space Proxy RTL TCP/IP Outside net = 184.108.40.206 Inside network = 10.1.1.0/24 Src=220.127.116.11 Dst=18.104.22.168 Src=10.1.1.99Dst=22.214.171.124 Packet Filtering Kernel
IBM eNetwork Secure Computing Altavista Firewall TIS Gauntlet Raptor Eagle Elron Cyberguard Ukiah Software NetGuard WatchGuard SonicWALL Check Point Livermore Software Milkyway Borderware Global Internet Firewall Landscape: five years ago Where have they all gone?
Stateful Packet Filtering dominates the market Check PointCisco NetScreen SonicWALL Freeware-based products: Ipchains, IPF, Iptables, IPFW FW Newcomers:Fortinet, Toshiba, Ingate, Enterasys, many others IP Stateful Packet Filtering Kernel
But… the core argument was never disputed • Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information • The reality is that proxy-based firewalls rarely went very far down that path • Why? Market demand, obviously…
Additional granular controls on a wide variety of applications Intrusion detection and prevention functionality Vastly improved centralized management systems More flexible deployment options Firewall Evolution:What we hoped for…
Additional granular controls on somea wide variety of applications Limited intrusion detection and prevention functionality Vastly improved centralized management systems More flexible deployment options Firewall Evolution:What we found… Why? Market demand, obviously…
Advanced Controlsare diverse across products • Differentiating between “advanced” controls and “basic” controls was easy to do. • Proxy-based firewalls proved to be almost undistinguishable from their “insecure” stateful packet filtering brethren. • Vendors appear to be reactive, not proactive.
No! Some firewalls insisted on having virus and/or URL scanning happen “off box” No! Some firewalls can’t configure where you scan for viruses No! Some devices don’t have virus scanning No! Some firewalls don’t support a local list of blocked URLs Conclusion: it’s not simple Virus Scans and Policy Controls are simple, right?
Not in the firewall business, we haven’t Additional granularity means additional thinking about resources Products are … disappointing The firewall people have a lot to learn from the SSL VPN people We’ve learned how to write good GUIs, haven’t we?
Folks who had it are doing slightly better than they were Folks who didn’t have it now generally have something Centralized management has improved a bit We’re still missing a general policy management system for firewalls Many of the centralized management tools have very rough edges
Rate-based IPS technology In firewalls, means “SYN flood protection” May be smart (NS) May include shunning (SecComp, WG, CP) Content-based IPS technology Based on IDS-style thinking May have small signature base (NS, CP) May be an “IDS with the IPS bit on” (Symantec) “Intrusion” is the new buzzword in security
So what’s going on in the firewall business? • Products are diverging, not converging • Personalities of products are distinct • IPS is a step forward, but not challenging the world of standalone products • Rate of change of established products is slow compared to new entries
Products are diverging Personalities are distinct IPS weaker than standalone Change rate slow Matching firewall to policy is hard; change in application or policy may mean changing product! Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia What does this mean for me and my firewall?
Application-layer firewalling Joel Snyder Opus One Member, Information SecurityMagazine test alliance firstname.lastname@example.org
Questions Submit your questions to Joel by clicking on the Ask a Question link on the lower left corner of your screen.
Thank you Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit our Featured Topic. A copy of this presentation will be posted within the next 24 hours. http://searchsecurity.com/featuredtopic/firewalls