March/April issue
Firewalls ring changes
Once they were border controls, then customs and excise,
now they are the police, the fire brigade and the health service.
Can the firewall become the sole security device in the enterprise?
Zaphod Beeblebrox, the two-headed anti-hero of Douglas Adams’
Hitchhiker’s guide to the galaxy, wears the future of firewalls
on his head. His Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses
turn black at the first hint of danger. This saves him from witnessing
frightening events, so he remains cool and un-panicked in a dangerous
universe.
To understand how such advanced content filtering might come from
the evolution of the firewall, it is useful to recap how we got
to where we are today.
Dr Anton Grashion, security strategist at Juniper Networks, recalls
the original packet filters that ran on general purpose computing
platforms along with the routers, and how application layer protocols
like FTP were always drivers for change. The trouble was, with firewalls
and routers integrated on one machine, there was too little horsepower
for the dynamic inspection required. So the network firewall was
born, situated on the enterprise perimeter, in its single purpose
server.
Niall Moynihan, technical director of firewall vendor Check Point,
takes up the story. “(Market analyst firm) Gartner shook the
tree a little bit. About 2002 they said, ‘You’ve had
a nice time, you’ve been sailing and catching the wind but
really you need to get your act together, you’re not providing
a full security solution anymore’. I think most security vendors
woke up to the fact that their devices were not good enough and
were not covering enough in the network,” he says.
To provide better threat protection, intrusion detection was added
to the firewall. “We moved everything up and everybody started
thinking about the application layer,” says Grashion. “We’d
been great down at the network layer, and firewalls had done a good
job of passport control, but the major infection vector was SMTP
[email].”
So the firewall has always been hostage to processor power, and
it is a hungry beast, always willing to take over the tasks of the
next layer of security software up the protocol stack. Andrew Kellet,
a senior analyst with Butler Group, talks of the present market
place: “In most cases vendors are putting together blended
solutions that have features that can be turned on or off as required.
They are also building ranges of solutions that mean that firewalls
can be utilised on a number of different levels and applications.”
All aboard the UTM
But the inclusion of multiple features in the same device causes
immense confusion. Gartner moves items in and out of its network
firewall category and creates markets with each new analysis. Web
application firewalls are now considered a distinct market, and
IPS (Intrusion Protection System) is not included in the Magic Quadrant
report on network firewalls. Nevertheless, by Gartner’s own
admission, “Many IPS products now include stateful firewalls,
substantiating the all-in-one security-platform market dynamic.”
Arguably IPS and application firewalls are features of the same
product, but the market has been defined by subjective partitions.
The customer is left asking: when is an IDS an IPS? What is a pure
intrusion protection product? The segmentation of the market is
increasingly meaningless when considered as a security solution.
But analyst firm IDC recently coined the phrase ‘Unified
Threat Management’, or UTM. As if by magic, the market was
simplified to the extent that firewalls, IPS/IDS and gateway anti-virus
(AV) software could be bundled in a computer appliance and stamped
‘UTM’.
Grashion explains how the concept has simplified certain aspects
of the firewall market. “You don’t want a proliferation
of different management consoles. So if you have AV and you have
a firewall, you really want to go to one management console.”
Before the UTM there was the multi-factorial firewall, the next
generation firewall, the integrated application firewall, the blended
solution, the integrated product, but none has been adequately defined.
Now the UTM looks likely to become the baseline, and, according
to IDC, the worldwide UTM market will be worth $2 billion by 2008.
But that is not the end of the story. Alastair Williams, EMEA regional
product manager for Symantec, lists the features of the Gateway
5400 series. These include full inspection firewall, virtual private
networking, intrusion detection, intrusion prevention, anti-virus
protection, content filtering and anti-spam.
By IDC’s definition, this is clearly a UTM with additional
features, and Williams is concerned with tackling advanced attacks.
“This integration is necessary. It is the only effective way
to stop ‘blended’ or complex threats,” he says.
Blended threats are exploits that use more than one mechanism
to spread and/or execute. For example, a malicious email might download
a key logger, ‘blending’ the classic Trojan attack with
spyware. A single vendor wanting to protect its customers from these
attacks must offer products that defend in depth at the packet and
application layers; moreover, customers are asking vendors to provide
this cross-layer protection.
“I do believe vendors will go after more and more of other
vendors’ markets because we are being asked to,” says
Moynihan. “Let’s say we have a customer and he has 800
gateways, and a management station, and he needs to secure the corporate
desktops. That’s 10,000 clients. Does he want to have two
security managers with 800 gateways? No, he doesn’t.”
While Moynihan thinks we are heading towards a fully integrated
security solution he says it may take some time. “No one company
can put its hand up and give you everything because there is history
involved. If you are a sheep farmer, you can’t just start
doing dairy cattle. It doesn’t work that way.”
But the market is moving steadily toward integration by merging
complementary technologies into security appliances. Gartner says:
“Network intrusion prevention systems comprise an immature
and crowded market as new IPS products, next-generation firewalls
and converted intrusion detection systems (IDS) compete for market
share and mind share. In 2005, consolidation will occur as leaders
emerge and smaller vendors are acquired.”
Inside and outside the perimeter
The cleverness of malware writers is not disputed, but the growing
opportunities afforded by wireless and portable devices have also
changed the threat landscape. To maintain their position as top
guard dogs, firewalls must also keep one eye glued on the enterprise.
Moynihan says the internet connection is the least of a company’s
worries. “Having a firewall at the perimeter of your network
now is like a chocolate kettle because there is so much activity
inside. You can’t say, ‘I don’t need that perimeter
device anymore,’ but the problems inside are not actually
connected to the perimeter device.”
Jonathan Mepstead, EMEA regional director for Fortinet, agrees
on the threat. “The continued extension of network connectivity
with the advent of wireless networks and broadband makes it possible
for a company’s VPN (virtual private network) to appear in
the back garden of a competitor or amateur hacker.”
Identifying where the next threat will come from, inside or outside
the corporate perimeter, and defending against it, has led to the
concept of zoning. Grashion suggests splitting the corporate network
into areas, or zones, each with its own security policy and trusted
operation. “Security zones allow you to terminate all sorts
of things: physical, virtual, VPN, wireless traffic, into specific
zones and you can put a policy between them,” he says.
Defending each zone is a firewall and/or other security device
to enforce the zone’s policy and report to a management system.
There may be hundreds of virtual firewalls, each configured according
to its zone of operation and the company’s security policy
for that zone.
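The zoning model Grashion describes (interfaces terminated into named zones, with a policy enforced between each pair of zones and every decision reported to a management station) is easy to see in miniature. The following is an added example, not code from the article or from any vendor mentioned in it; the interface names, zone names and the policy table are constructed for illustration, and the "log line" it returns per flow stands in for the event a real zone firewall would send to its manager.

```python
from collections import namedtuple

# Constructed mapping of interfaces to security zones (hypothetical names).
INTERFACE_ZONES = {
    "eth0": "untrust",    # internet link
    "eth1": "dmz",        # public web tier
    "eth2": "trust",      # corporate LAN
    "wlan0": "wireless",  # staff Wi-Fi, terminated into its own zone
    "tun0": "vpn",        # remote-access VPN tunnel
}

Flow = namedtuple("Flow", "in_if out_if proto dport")

# Inter-zone policy: (from_zone, to_zone) -> set of allowed (proto, dport).
# Any zone pair or service not listed is denied; traffic that stays
# inside a single zone is permitted.
POLICY = {
    ("untrust", "dmz"): {("tcp", 80), ("tcp", 443)},
    ("dmz", "trust"): {("tcp", 5432)},  # web tier -> database only
    ("trust", "untrust"): {("tcp", 80), ("tcp", 443), ("udp", 53)},
    ("trust", "dmz"): {("tcp", 22), ("tcp", 443)},
    ("vpn", "trust"): {("tcp", 443), ("tcp", 3389)},
    ("wireless", "untrust"): {("tcp", 80), ("tcp", 443)},
}


def zone_of(interface):
    """Resolve an interface to its zone; an unassigned interface is a configuration error."""
    try:
        return INTERFACE_ZONES[interface]
    except KeyError:
        raise ValueError(f"interface {interface!r} is not assigned to a zone")


def evaluate(flow, policy=POLICY):
    """Return (verdict, reason) for a flow crossing from its ingress zone to its egress zone."""
    src, dst = zone_of(flow.in_if), zone_of(flow.out_if)
    if src == dst:
        return "permit", f"intrazone {src}"
    allowed = policy.get((src, dst), set())
    if (flow.proto, flow.dport) in allowed:
        return "permit", f"{src}->{dst} {flow.proto}/{flow.dport}"
    return "deny", f"{src}->{dst} {flow.proto}/{flow.dport} not in policy"


def audit(flows, policy=POLICY):
    """One log line per flow: the record a central management station would collect."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f, policy)
        lines.append(f"{verdict.upper():6} in={f.in_if} out={f.out_if} {reason}")
    return lines


# Constructed sample flows exercising each kind of decision.
SAMPLE_FLOWS = [
    Flow("eth0", "eth1", "tcp", 443),   # internet -> DMZ web: permit
    Flow("eth0", "eth2", "tcp", 445),   # internet -> LAN file sharing: deny
    Flow("wlan0", "eth2", "tcp", 445),  # Wi-Fi -> LAN: no wireless->trust policy, deny
    Flow("eth1", "eth2", "tcp", 5432),  # DMZ -> database: permit
    Flow("eth1", "eth2", "tcp", 22),    # DMZ -> LAN SSH: deny (only trust->dmz is allowed)
    Flow("tun0", "eth2", "tcp", 3389),  # VPN -> LAN remote desktop: permit
    Flow("eth2", "eth2", "tcp", 139),   # LAN -> LAN: intrazone permit
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

The point of the design is that direction matters: the DMZ may reach the database but not SSH into the LAN, and wireless users are deliberately given no path into the trusted zone at all, so a rogue access point in the competitor's back garden buys only what the untrusted internet already has.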
“You can have one physical device but carve it into many
virtual devices and use it in many different positions in the network,”
says Ian Kennedy, an expert systems engineer with Cisco Systems.
“We need security at every tier of an n-tier application environment.”
Kennedy’s enthusiasm for dividing the corporate network
using virtual firewalls leads to his next problem: “How on
earth do we configure hundreds of firewalls effectively and monitor
them to make sure they are doing the job properly?”
And, of course, you can’t. Unless, that is, all the firewalls
and their included features or associated security devices are reporting
events in the same way, and can be configured using a common mechanism
interpreted by an automatic security manager.
There are two ways of achieving this. First a vendor can decide,
like Symantec, to build or obtain all the elements to a complete
security solution and package them as a single vendor solution.
Or the industry can work together in partnerships to create a common
security-event format and method of controlling their devices.
A bit of both happens, but the timing depends on the maturity of
the market. First movers often, but not always, dominate the market.
They are therefore best placed to drive others to adopt their proprietary
technology as the basis for an industry standard.
For example, in October 2003 IBM and Cisco announced the Common
Base Event (CBE) format to help identify problem events in complex
IT systems. The CBE format is now expected to be sanctioned by OASIS,
the web standards agency. Some vendors are already using it to provide
interoperable data to third party controllers. For instance, Kavado’s
web application firewall, InterDo, allows the IBM Tivoli Intelligent
Orchestrator to control service availability remotely and automatically.
Mepstead warns that common formats and interoperability may not
be the Holy Grail. “Event correlation between multi-vendor
solutions will drive a requirement for standard analysis tools,
but the danger is that too much information will be logged. Just
because you can log, doesn’t mean it makes sense to do so,
or that meaningful information can be extracted.”
Moynihan sees the problem escalating. “When IPv6 comes in,
there will be an abundance of IP addresses,” he says. “Everything
will get an IP address. In a corporate environment, where everything
is talking, where do you start (to manage)? The hard part is to
be able to sit somewhere in the back with a management station and
understand what you are doing.”
But customers demand features that promise total security. They
wish to control, and understand, their networks for improved policy
enforcement and dynamic threat response. Carl Windsor, chief technical
consultant at managed service provider TeleCity, points to both
trends when he discusses the next phase for his security devices.
“A service reporting solution is required for enhanced visibility.
We are also looking to increment our security suite with an anti-spam
solution.”
But all this bundling and feature-inclusion takes its toll on performance.
The advent of total security solutions, reporting millions of events
a second, and the insatiable hunger for bandwidth and media-rich
applications will only make matters worse.
“It also pre-supposes that you’ve got a lot of headroom
in the firewall,” says Grashion. “If you are going to
look at the context of an application rather than a single packet,
you have to have a high performance firewall.”
Grashion, enthused by the content available, admits visiting the
Hitchhikers’ Guide to the Galaxy website with his children.
“What a great use of resource [it is], but it’s just
a fact of life, we are getting more demanding.”
And that demand is fuelling advances in firewalls that are leading
to an integration of the security market into total security solutions
that combine firewalls, anti-virus, anti-spam and intrusion prevention
into one appliance. Content is already filtered by web application
firewalls, so Zaphod’s Peril Sensitive sunglasses do not seem
quite so far-fetched.
But will the device still be a firewall or will it become something
else? “I think that whatever added value services are included,
the term firewall will continue to exist,” says Kellet. “The
technology is far from discredited and nobody gets fired for buying
a good quality firewall.”
William Knight is a technology writer with 18 years’ experience
in software development and IT consulting. He writes for titles
that include Computing, JavaPro and Gantthead.com.
Filtering the lumps
The early firewalls were broad-mesh sieves that filtered
packets according to their destination ports. But their technology
has improved and the threat landscape has changed. So the
mesh gauge has narrowed and led to adaptive mesh, and mesh
that remembers previous traffic. But fundamentally, the firewall
remains a filter of information.
Stateless: The original firewall blocked packets depending on the destination port.
Stateful: Maintains a list of open connections so that ports can be opened or closed by the protocol in use.
Deep inspection: The next generation firewall that acts as customs inspector to a stateful firewall’s passport control. Packets are examined and rejected for malicious content.
Application: Using knowledge of an application’s communication protocol, this firewall can filter out malicious or disallowed content such as defined forbidden websites.
Web application: A division of an application firewall whose concern is internet-based communications like websites, instant messaging or email.
XML: An application firewall to filter XML traffic.
Personal/client: Any other flavours of firewall but on a desktop or client device.
Network: A server/appliance at the network perimeter that acts as a gateway.
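The first three entries of the sidebar (stateless, stateful and deep inspection) build on one another, and the difference is clearest when the same traffic is pushed through each. The block below is an added example written for this page, not the article's or any vendor's code. The packet model, the addresses, the "exposed services" set and the content signature are all constructed; the signature is a placeholder string standing in for a real deep-inspection signature set.

```python
from collections import namedtuple

# Minimal packet model, constructed for this example.
# direction: "in" = arriving from the internet, "out" = leaving the LAN.
# flags: "S" marks a connection-opening SYN, "A" a segment of an open connection.
Packet = namedtuple("Packet", "direction src dst sport dport flags payload")

SERVER_PORTS = {80, 443}  # services the site deliberately exposes


def stateless_allow(pkt):
    """Port filter with no memory. Because it cannot tell a reply from an
    unsolicited packet, letting replies back in means leaving every high
    port open: the coarse mesh the sidebar describes."""
    if pkt.direction == "out":
        return True
    return pkt.dport in SERVER_PORTS or pkt.dport >= 1024


class StatefulFilter:
    """Remembers connections opened from inside and admits inbound traffic
    only as the return half of one of them (or to an exposed service)."""

    def __init__(self):
        self.table = set()  # (src, sport, dst, dport) of inside-initiated connections

    def allow(self, pkt):
        if pkt.direction == "out":
            if "S" in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in SERVER_PORTS:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


class DeepInspectionFilter(StatefulFilter):
    """Stateful passport control plus a customs inspection of the payload."""

    # Placeholder signature standing in for a real content-signature set.
    SIGNATURES = (b"CONSTRUCTED-MALICIOUS-MARKER",)

    def allow(self, pkt):
        if not super().allow(pkt):
            return False
        return not any(sig in pkt.payload for sig in self.SIGNATURES)


# Constructed traffic: a web fetch from inside, its reply, an unsolicited
# inbound connection attempt, and a reply carrying flagged content.
TRAFFIC = [
    Packet("out", "10.0.0.5", "203.0.113.9", 40000, 80, "S", b""),
    Packet("in", "203.0.113.9", "10.0.0.5", 80, 40000, "A", b"HTTP/1.1 200 OK"),
    Packet("in", "198.51.100.7", "10.0.0.5", 5555, 40001, "S", b""),
    Packet("in", "203.0.113.9", "10.0.0.5", 80, 40000, "A", b"CONSTRUCTED-MALICIOUS-MARKER"),
]


def run(allow_fn, traffic):
    """Apply one filter to the traffic in order and return its verdicts."""
    return [allow_fn(p) for p in traffic]


def compare(traffic=TRAFFIC):
    """Verdicts of each firewall generation on the same packet sequence."""
    return {
        "stateless": run(stateless_allow, traffic),
        "stateful": run(StatefulFilter().allow, traffic),
        "deep": run(DeepInspectionFilter().allow, traffic),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:10}", ["pass" if v else "drop" for v in verdicts])
```

The stateless filter passes all four packets, including the unsolicited connection to port 40001, because it has no way to know that nothing inside asked for it. The stateful filter drops that one but still passes the fourth packet: it is a legitimate reply, and a filter that only checks headers has no opinion about what the reply contains. Only the deep-inspection filter drops it, which is exactly why Grashion says it needs headroom: every admitted packet now costs a payload scan, not just a table lookup.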