Application-layer firewalling: Raise your perimeter IQ

Joel Snyder, Opus One


Acknowledgements

  • Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard

  • Support from Andy Briney, Neil Roiter at Information Security

http://infosecuritymag.techtarget.com/


Firewalls have been around for a very long time

“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, The Design of a Secure Internet Gateway, April 1990)

Timeline, 1989 to 2005:

  • First firewalls deployed in Internet-connected organizations

  • TIS toolkit commonly available

  • “Firewalls and Internet Security” published

  • Cisco buys PIX (Network Translation)

  • WatchGuard introduces 1st FW appliance

  • CheckPoint revenues cross $100m


Surely firewall makers have been busy since 1999?

Clear market trends:

  • Faster, cheaper, smaller

  • New Guard: NetScreen (Juniper), Watchguard, SonicWALL

  • Old Guard: Cisco, Check Point

Clear product trends:

  • Add VPN features: site-to-site, remote access (?)

  • Add policy-based URL control (Websense-type)

  • Add interfaces: no longer just inside, outside, DMZ



Incremental improvements are not very exciting

  • Smaller, cheaper, faster: that’s great

  • VPNs, more interfaces: that’s great

  • But what have you done for me lately?

  • To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!


Arguments between Proxy and Stateful PF continued

Proxy:

  • More secure because you can look at the application data stream

  • More secure because you have independent TCP stacks

Stateful PF:

  • Faster to write

  • Faster to adapt

  • Faster to run

  • Faster also means cheaper
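The stateful packet filter side of that argument, as an added example (this is not code from the deck or from any product named in it): a minimal connection-tracking filter in Python. A rule base decides only the opening SYN; every later packet is accepted or dropped by the state table alone, and the payload is never examined, which is exactly what the proxy camp objects to. The rule set, the addresses (10.1.1.99 and 5.6.7.8 are borrowed from the diagram on the next slide) and the packet sequence are constructed for this example.

```python
"""Minimal stateful packet filter: a rule decides only the opening SYN; a state
table decides everything after that, and the payload is never examined."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Constructed packet record for this example; a real filter would parse IP/TCP headers.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags as letters: S (SYN), A (ACK), F (FIN), R (RST), P (PSH)
    direction: str     # "out" = leaving the inside network, "in" = arriving from outside


# Hypothetical rule base: which side may OPEN a connection, and to which port.
# Reply packets need no rule; they are matched against the state table instead.
OPEN_RULES: Set[Tuple[str, int]] = {("out", 80), ("out", 443), ("in", 25)}

Key = Tuple[str, int, str, int]   # the initiator's (src, sport, dst, dport)


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # connection key -> state
        self.log: List[str] = []

    def _lookup(self, p: Packet) -> Tuple[Optional[Key], bool]:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, True        # packet flows initiator -> responder
        if rev in self.table:
            return rev, False       # packet flows responder -> initiator
        return None, False

    def process(self, p: Packet) -> str:
        key, from_initiator = self._lookup(p)
        verdict = self._decide(p, key, from_initiator)
        self.log.append(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
                        f"[{''.join(sorted(p.flags))}] {verdict}")
        return verdict

    def _decide(self, p: Packet, key: Optional[Key], from_initiator: bool) -> str:
        if key is None:
            # No state yet: only a bare SYN that a rule permits may create an entry.
            # A stray ACK, a reply to a connection never seen, or a SYN to a port
            # with no rule is dropped here.
            if p.flags == frozenset("S") and (p.direction, p.dport) in OPEN_RULES:
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        state = self.table[key]
        if "R" in p.flags:                       # a reset from either side ends tracking
            del self.table[key]
            return "ACCEPT"
        if state == "SYN_SENT":
            if not from_initiator and p.flags == frozenset("SA"):
                self.table[key] = "ESTABLISHED"  # responder answered the handshake
                return "ACCEPT"
            if from_initiator and p.flags == frozenset("S"):
                return "ACCEPT"                  # retransmitted SYN
            return "DROP"                        # anything else is out of sequence
        if state == "ESTABLISHED":
            if "F" in p.flags:
                self.table[key] = "CLOSING"
            return "ACCEPT"                      # payload is forwarded unseen
        # CLOSING: let the remaining teardown through, drop state on the second FIN
        if "F" in p.flags:
            del self.table[key]
        return "ACCEPT"


def demo() -> Dict[str, str]:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter()
    S, SA, A, PA = (frozenset(x) for x in ("S", "SA", "A", "PA"))
    out: Dict[str, str] = {}
    # Inside client 10.1.1.99 opens HTTP to 5.6.7.8
    out["syn"] = fw.process(Packet("10.1.1.99", 40000, "5.6.7.8", 80, S, "out"))
    out["synack"] = fw.process(Packet("5.6.7.8", 80, "10.1.1.99", 40000, SA, "in"))
    out["ack"] = fw.process(Packet("10.1.1.99", 40000, "5.6.7.8", 80, A, "out"))
    out["data"] = fw.process(Packet("5.6.7.8", 80, "10.1.1.99", 40000, PA, "in"))
    # Unsolicited inbound ACK with no matching state (an ACK scan looks like this)
    out["stray_ack"] = fw.process(Packet("5.6.7.8", 80, "10.1.1.99", 40001, A, "in"))
    # Outside host tries to open a connection to an inside port no rule permits
    out["inbound_syn"] = fw.process(Packet("5.6.7.8", 5555, "10.1.1.99", 22, S, "in"))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The "data" packet is accepted purely because a matching ESTABLISHED entry exists; nothing in this design can tell an HTML page from a downloaded executable on the same connection. That is the gap the proxy argument is about.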


Proxy-based firewalls aren’t dead… just slow!

[Diagram: the proxy runs in user process space (Proxy, RTL, TCP/IP stack), while packet filtering runs in the kernel. Inside network = 10.1.1.0/24, outside address = 1.2.3.4. The inside client sends Src=10.1.1.99 Dst=5.6.7.8; the proxy terminates that connection and opens its own, Src=1.2.3.4 Dst=5.6.7.8.]


Firewall Landscape: five years ago

IBM eNetwork, Secure Computing, Altavista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software, NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet

Where have they all gone?


Stateful Packet Filtering dominates the market

  • Check Point, Cisco, NetScreen, SonicWALL

  • Freeware-based products: ipchains, IPF, iptables, IPFW

  • FW newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others

[Diagram: stateful packet filtering sits at the IP layer, inside the kernel.]


But… the core argument was never disputed

  • Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information

  • The reality is that proxy-based firewalls rarely went very far down that path

    • Why? Market demand, obviously…


Firewall Evolution: What we hoped for…

  • Additional granular controls on a wide variety of applications

  • Intrusion detection and prevention functionality

  • Vastly improved centralized management systems

  • More flexible deployment options


Firewall Evolution: What we found…

  • Additional granular controls on some applications (not the wide variety we hoped for)

  • Limited intrusion detection and prevention functionality

  • Vastly improved centralized management systems

  • More flexible deployment options

Why? Market demand, obviously…


Additional Granular Controls focused on a few applications

Everybody loves HTTP:

  • Header filtering

  • File type & MIME type blocking

  • Embedded data blocking (JavaScript)

  • Virus scanning, URL filtering

Other applications are piecemeal:

  • FTP

  • SMTP

  • VoIP

  • File sharing
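What "looking at the application data stream" actually buys you, as an added example (not code from the deck or from any product it names): a proxy-style HTTP policy that parses the request and the response and applies the HTTP controls listed above: method and host checks against a local blocked list, file-type blocking on the URL, MIME-type blocking on the response, stripping of request headers that reveal the inside network, and blocking of embedded script. The policy values, the MZ magic-byte check and the sample messages are all constructed for this example, and body framing (Content-Length, chunked encoding) is left out to keep it short.

```python
"""Application-layer (proxy-style) HTTP policy: checks that need the message,
not just the packet header."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values: the slide names the control categories, not these settings.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}            # file-type blocking, on the request URL
BLOCKED_MIME_TYPES = {"application/x-msdownload",
                      "application/octet-stream"}         # MIME-type blocking, on the response
STRIPPED_REQUEST_HEADERS = {"x-forwarded-for", "via"}     # header filtering (hide inside topology)
BLOCKED_HOSTS = {"evil.example"}                          # local blocked-URL list (host match)
BLOCK_EMBEDDED_SCRIPT = True                              # embedded-data blocking (JavaScript)
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


@dataclass
class HttpMessage:
    start_line: str
    headers: List[Tuple[str, str]]   # original order and case kept for rebuilding
    body: bytes

    def get(self, name: str) -> str:
        return next((v for k, v in self.headers if k.lower() == name.lower()), "")


def parse_http(raw: bytes) -> HttpMessage:
    """Parse the head of an HTTP/1.x message; ValueError on anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def inspect_request(raw: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("ALLOW", request as it will be sent upstream) or ("BLOCK", None)."""
    try:
        msg = parse_http(raw)
        method, target, _version = msg.start_line.split(" ")
    except ValueError:
        return "BLOCK", None            # a proxy forwards only what it can parse
    if method not in ALLOWED_METHODS:
        return "BLOCK", None
    host = msg.get("Host").split(":")[0].lower()
    if host in BLOCKED_HOSTS:
        return "BLOCK", None
    path = target.split("?", 1)[0].lower()
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "BLOCK", None
    # Header filtering: rebuild the message without headers that leak the inside network.
    kept = [(k, v) for k, v in msg.headers if k.lower() not in STRIPPED_REQUEST_HEADERS]
    rebuilt = msg.start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in kept) + "\r\n"
    return "ALLOW", rebuilt.encode("iso-8859-1") + msg.body


def inspect_response(raw: bytes) -> str:
    """Decide whether a server response may be relayed back to the inside client."""
    try:
        msg = parse_http(raw)
    except ValueError:
        return "BLOCK"
    ctype = msg.get("Content-Type").split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME_TYPES:
        return "BLOCK"
    if msg.body.startswith(b"MZ"):      # the declared type can lie: a PE executable is blocked regardless
        return "BLOCK"
    if BLOCK_EMBEDDED_SCRIPT and ctype == "text/html" and SCRIPT_RE.search(msg.body):
        return "BLOCK"
    return "ALLOW"


def demo() -> Dict[str, str]:
    """Constructed sample traffic for this example."""
    good_req = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"X-Forwarded-For: 10.1.1.99\r\nUser-Agent: test\r\n\r\n")
    exe_req = b"GET /setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    method_req = b"DELETE /item HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    html_resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><p>hello</p></html>"
    js_resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><script>x()</script></html>"
    lying_resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nMZ\x90\x00\x03"
    return {
        "good_req": inspect_request(good_req)[0],
        "exe_req": inspect_request(exe_req)[0],
        "method_req": inspect_request(method_req)[0],
        "html_resp": inspect_response(html_resp),
        "js_resp": inspect_response(js_resp),
        "lying_resp": inspect_response(lying_resp),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Every one of these decisions depends on reassembling the TCP stream and parsing it; a filter that sees one packet at a time cannot make them, which is why the deck expects this kind of control from proxies and why its absence in most products is the disappointment.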


HTTP-oriented features served “pressure points”


Advanced Controls are diverse across products

  • Differentiating between “advanced” controls and “basic” controls was easy to do.

  • Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.

  • Vendors appear to be reactive, not proactive.


Virus Scans and Policy Controls are simple, right?

  • No! Some firewalls insisted on having virus and/or URL scanning happen “off box”

  • No! Some firewalls can’t configure where you scan for viruses

  • No! Some devices don’t have virus scanning

  • No! Some firewalls don’t support a local list of blocked URLs

Conclusion: it’s not simple


We’ve learned how to write good GUIs, haven’t we?

  • Not in the firewall business, we haven’t

  • Additional granularity means additional thinking about resources

  • Products are … disappointing

  • The firewall people have a lot to learn from the SSL VPN people


Centralized management has improved a bit

  • Folks who had it are doing slightly better than they were

  • Folks who didn’t have it now generally have something

  • We’re still missing a general policy management system for firewalls

  • Many of the centralized management tools have very rough edges


“Intrusion” is the new buzzword in security

Rate-based IPS technology:

  • In firewalls, means “SYN flood protection”

  • May be smart (NetScreen)

  • May include shunning (Secure Computing, WatchGuard, Check Point)

Content-based IPS technology:

  • Based on IDS-style thinking

  • May have a small signature base (NetScreen, Check Point)

  • May be an “IDS with the IPS bit on” (Symantec)
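Rate-based protection with shunning, as described above, as an added example (not code from any product the deck names): a guard that counts SYNs per source in a sliding window, separately counts handshakes a source started but never completed (the half-open connections a SYN flood leaves behind), and shuns the source for a fixed period once either count exceeds a threshold. The thresholds, addresses and traffic are constructed for this example, and time is passed in explicitly so the run is deterministic.

```python
"""Rate-based SYN-flood protection with shunning: count SYNs and unfinished
handshakes per source, and block the source for a while once it exceeds a threshold."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

HalfOpenKey = Tuple[int, str, int]   # (sport, dst, dport) of an unfinished handshake


@dataclass
class SynFloodGuard:
    # Hypothetical thresholds; shipping products expose equivalents as tunables.
    max_half_open: int = 5           # unfinished handshakes allowed per source
    half_open_timeout: float = 30.0  # seconds before a stale half-open entry is forgotten
    max_syn_per_window: int = 20     # crude rate limit: SYNs per source per window
    syn_window: float = 1.0
    shun_seconds: float = 60.0       # how long an offender is blocked outright
    half_open: Dict[str, Dict[HalfOpenKey, float]] = field(default_factory=lambda: defaultdict(dict))
    syn_times: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    shunned_until: Dict[str, float] = field(default_factory=dict)

    def is_shunned(self, src: str, now: float) -> bool:
        until = self.shunned_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.shunned_until[src]      # shun expired
            return False
        return True

    def _shun(self, src: str, now: float) -> None:
        self.shunned_until[src] = now + self.shun_seconds
        self.half_open.pop(src, None)
        self.syn_times.pop(src, None)

    def on_syn(self, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """Called for every SYN seen; returns ACCEPT or DROP."""
        if self.is_shunned(src, now):
            return "DROP"
        # Plain rate check: SYNs from this source inside the sliding window.
        times = self.syn_times[src]
        times.append(now)
        while times and now - times[0] > self.syn_window:
            times.popleft()
        if len(times) > self.max_syn_per_window:
            self._shun(src, now)
            return "DROP"
        # Smarter check: handshakes this source started but never completed.
        pending = self.half_open[src]
        for stale in [k for k, t in pending.items() if now - t > self.half_open_timeout]:
            del pending[stale]               # forget old entries so a lossy link is not punished forever
        pending[(sport, dst, dport)] = now
        if len(pending) > self.max_half_open:
            self._shun(src, now)
            return "DROP"
        return "ACCEPT"

    def on_handshake_complete(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Called when the initiator's final ACK is seen; the connection is no longer half-open."""
        self.half_open[src].pop((sport, dst, dport), None)


def demo() -> Dict[str, str]:
    """Constructed traffic: one well-behaved client, one source that never finishes a handshake."""
    g = SynFloodGuard(max_half_open=3)
    out: Dict[str, str] = {}
    for i in range(3):                        # legitimate client completes every handshake
        g.on_syn("10.1.1.5", 40000 + i, "5.6.7.8", 80, now=float(i))
        g.on_handshake_complete("10.1.1.5", 40000 + i, "5.6.7.8", 80)
    out["legit_4th_syn"] = g.on_syn("10.1.1.5", 40010, "5.6.7.8", 80, now=3.0)
    verdicts = [g.on_syn("9.9.9.9", 50000 + i, "5.6.7.8", 80, now=10.0 + i * 0.01)
                for i in range(4)]            # attacker: four SYNs, no ACKs
    out["attacker_3rd_syn"] = verdicts[2]
    out["attacker_4th_syn"] = verdicts[3]
    out["attacker_while_shunned"] = g.on_syn("9.9.9.9", 51000, "5.6.7.8", 80, now=11.0)
    out["attacker_after_shun"] = g.on_syn("9.9.9.9", 52000, "5.6.7.8", 80, now=75.0)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Per-source counting only works when the source address is real. A flood sent from spoofed addresses never accumulates against any one source, which is why SYN cookies and SYN proxying on the firewall exist; a product that only counts per source is the "not smart" end of the range the slide describes.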


So what’s going on in the firewall business?

  • Products are diverging, not converging

  • Personalities of products are distinct

  • IPS is a step forward, but not challenging the world of standalone products

  • Rate of change of established products is slow compared to new entries


What does this mean for me and my firewall?

  • Products are diverging; personalities are distinct; IPS weaker than standalone; change rate slow

  • Matching firewall to policy is hard; change in application or policy may mean changing product!

  • Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia


Application-layer firewalling

Joel Snyder

Opus One

Member, Information Security Magazine test alliance

[email protected]


Questions

Submit your questions to Joel by clicking on the Ask a Question link on the lower left corner of your screen.


Thank you

Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit our Featured Topic. A copy of this presentation will be posted within the next 24 hours.

http://searchsecurity.com/featuredtopic/firewalls

