Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Firewalls Gain Strength as Main Line of Network Defense



 By: Brian Prince
2007-06-24
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The next generation of firewalls will include tight integration with intrusion prevention systems.

Sometimes in IT, the best defense is a good defense moved further up the network stack. At least that is what some vendors and analysts are predicting about the next generation of network firewalls.

"The firewall is the piece of network security infrastructure with all the traffic … every frame going in and out of the network. It is absolutely the perfect place to provide visibility and control into these [Web] applications," said Dave Stevens, CEO of Palo Alto Networks, based in Alviso, Calif.

Vendors are increasingly looking to integrate IPS (intrusion prevention systems) with firewalls, but truly integrated, full-featured products are in short supply, said Gartner analyst Greg Young. He cited research by his firm stating that threats have become more complex and moved higher in the network stack, forcing firewalls to move beyond just providing stateful protocol analysis to having increasingly rich management and configuration tools.

Robert Whiteley, an analyst with Forrester Research, agreed that firewalls will be more tightly integrated with all network security functions in the future.

"We already see products under the unified threat management category that combine firewall, VPN, IPS, anti-malware, and content filtering – I think Ciscos ASA and Junipers SSG are good enterprise examples," he said. "However, these are not truly integrated."

The ability to scan Web applications as they hit the firewall will be critical, Whiteley continued.

Resource Library:
"An organization will have a gaping hole in its security architecture if it thinks traditional network firewalls are protecting the perimeter. We see trends like Web 2.0, Web services and SOA [service-oriented architecture], and software-as-a-service dramatically changing companies application architectures," he said. "It also means that far more mission-critical traffic is now flowing over the standard Web ports."

XML, Java, Flash and many other new Web protocols will allow for new, innovative application types – but they also carry with them an unknown number of vulnerabilities, Whiteley added.

"Companies will have to migrate to application-level protection in order to stop evolving exploits," he said, adding that exploits are increasingly sophisticated and targeted. "It will be critical for the next generation of firewalls to provide better visibility to better tackle todays threatscape – never mind tomorrows."

But bringing all these technologies together in the firewall will only succeed in the marketplace if it can be done without sacrificing latency and the throughput of basic firewall functions, analysts said. To this end, Check Point Software Technologies is putting its focus on performance.

Click here to read about how a simple Unicode flaw could undercut firewalls and intrusion protection systems.

"Were leveraging our open performance architecture so that performance is not just about how fast the firewall can go, but how fast it can go while it is actually protecting your network with intrusion prevention and other security measures activated," said Bill Jensen, product marketing manager for Check Point, headquartered in Tel Aviv, Israel, and Redwood City, Calif.

Todays corporate users are installing applications—for both personal and business use—that have been designed to dodge detection by legacy network firewalls, Palo Alto Networks officials said. A new approach that leverages features such as application control, IP reputation technology and gateway anti-virus filtering in network firewalls is required to meet the needs of the modern enterprise, company officials said.

"Modern applications," Stevens said, "are starting to adopt a communications model which is pretty effective at bypassing the existing security infrastructure … by hopping from port to port, or tunneling through encrypted links or just masquerading as port 80."

As a result enterprises have effectively lost control over those connections and created compliance and information leak issues at some businesses, he said. To help companies address the situation, Palo Alto Networks has added application classification technology into its recently released PA-4000 Series, a family of firewall devices that can identify application traffic across ports.

"We can open the SSL [Secure Sockets Layer] links if necessary to identify the application," Stevens said.

In addition, the PA-4000 devices perform deep packet inspection, apply filters and enforce policies based on the application. For example, an organization might choose to allow Web-based mail, but scan files being transferred for viruses, Stevens said.

With Ciscos marriage with IronPort now complete, Cisco officials have said they will look to weave IronPorts IP reputation technology into the firewall.

Armed with reputation data from IronPorts SenderBase Web site, Ciscos firewall will be aware of the reputation of the servers it is connecting to, said Tom Gillis, vice president of marketing in Ciscos IronPort Business Unit, in San Jose, Calif.

To read about how a modern Windows firewall can fit on a USB key, click here.

"In the first release of that, which will be in the first half of 2008, [it] will allow you to provide visibility into these connections so you can see how many clients are in your network that are connecting to servers that are known to be botnet control nodes," Gillis said, adding that users would be able to block, throttle or deny connections considered suspect.

Connection blocking is the most obvious use of reputation technology, Gillis said. But he also said he foresees it being used to route traffic that hits the firewall. For example, if content is coming in from a server that is considered to be "rogue," the traffic can be blocked; if the server is considered beyond reproach, the traffic can be routed around the spam scanning engine. Traffic from servers not known to be good or bad can be sent past a number of different signature-based scanning engines, he said.

"Future firewalls are going to have the ability to route traffic through the appropriate scanning measure based on the reputation of the connecting server," Gillis said. "The firewall is effectively the traffic cop."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Firewalls Gain Strength as Main Line of Network Defense
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r㶲s\@♵MQGJɖlkmyYԩRQ$$1H.GO]'7nBIL&{Ɩnt7F;?{{~$rhiɕc,J1>D{{}.ІPhS sѩe軫F]̱]kkH|Nx  tjOt0.Ps< j99ԗoˏ~e0-ڶAQ6)֐N0-Z P8"h] X(~&c1 ߷(|}؁䛿Q=|e376m( C Jd/B(?F#c5~{N0/Pcw0}Gdh9=r4x;2oVClvy!rs#g+ͻH͠匝8Gd`jI:@"4ԘC2R!1k;T*R*65-晚u@|͖|#XulAzf@dnQ/*! lpq+J9yp O,Ӈ;) ۱ȭB ¿{kײ߂CM{6̳L]b6jmO |l ͟P~$ꎧchGGH5#o83t6 dݺ?VrP jrX(?*G6G2g2{޾{KPQTP8]w.nr$({p mI5M-0Wn{'ݏwq@.{A~$Vj}&DeR)I&0h'6tt<_B^,9BFI?j|%rX:,X-]jz[zOa`%pfQ!2I}ou}{sI}zqri!|c9̠T PAfPKe+ԩZuܝ9:׭]uoIs!+|rf!5 0\6:jo~9c_CS:NR'm)5ٴ>l;4}t>჆$>hhƋMri\OLrӇtu4AGͣn]=&tfo7,Abχa`Ns!FAтMx>tTێ]6}l29<:=L&&zrWt#` VPCh' 6)@}9\P)QmA3-mhZ`1 5f:%Km@i0xz[ dQJ$@!-i]R@Az68 -8,rr2 /~#azGBJe6Os@PGҥ3vJ\B;7 ˥=*%nqR%a 934YIjL=?꺾j1!G,D`v9J,L.Y ϴjԭeRp|:IoB{42u0sҺ!&B~`Z&4$ 7q9準I<9`*,q{rdžfXi8Õ=3q TfЬ||=厬m\.MmUPS7˕L4+׬UPM g2)*[hslrp VM7)\P{`ELE2a5?%ǁf

Y[*^|W(+ȁUruXkj2익])/_(g6y+CoLu Dm G#|Ӛ#WHZ`"!f6 EEi?O~5<2.eX"PY΁=mQr)'j9Y$ Fi.z22Y4p<}"}Nt8#Hu~HLb 46\,0|*W*U `n*Vѹ(٩% 7]@.&Dtl?`"'>Ѕڣnssa*/W3g Z IZ+k՘frE)WKJZ9 >㎾2:EwH_ଯ8݉]??Qo>A};݁r͙|pqZLcv"O`V$OM_wz͡<]I0K1SlcSxt( b=7\+b_aso'bh!.~4 X=0`6Yന ^SӲjSJ jf h> '3DžR2ϡn׃Z`zž+a7֬ӪP^مHB&dHt=k;J8K-f1[5{AqM|ٌm!yUq@WIe& 24Zڃ/Zd7W6>37}&mnf]{my7upj93#OP͕G%X Ul+Ji ׸v Aū;m#2镍0: M}GQWT@`LfQJg1 eg z[ ٔY]}6r 5z߼AFp%2A g "[;A?Us3ѱtNs|oRY,gJA֮vY(7ϰU2)y-0U-vfCXi̋z l䔇%b "8&K8.h#2"/60&-BPr\9HÞ1|M}Yy>u'Si lm[Q <h3JLfЦ厰Hz98$*۳ WLdSdX*Xe0LvJ_kA~fZX)c=+\,JRG~=͠1pS Fnu1H>JS-b tri#ZwMFbZ*BBлgQ!VQ%'.6A)™M`khs-sp:'S6PFͧz*E!I#̸yF0×!wgO@l;Zik.ŒtH]61cfa2N4D*풮IGb όT! 4&ZQRjϢCs@l_z̢ tDe2qy4(۾b0D_L7 xED <w,f 0Nrl(UJZVJ=Pȕi#kF)Uj=Kr]N6[_T ad9#R@BRNbNxlēoa mPҟۆ+~W?l)ɡ$ |¯ʍ D@7wb^\1м͇}gV{$}QLMXޟ9 #{?J:)l/{ݗΚWOGxŀK5ϥt{~{}DDyEs~яκﵲy%<4sj눔 Nޟv?\U߅ø@oٷP K1cF16dd+](aooV\uY?R`f{ѰI^ 8Wεi{ˏu[J:ވ;jtKKAVC%';yRb QWZ4ҫ:BrcQlj9l0)$a#rWJ*m6GHԝi(6{GT@(NV1k=-,:]W__lȜGoIM21J}ɘ A/gh9[Qf'x."64N%ywy#kUr"|%3aWZ7vY?yxXT3mD1CZ]re}KןIW{$U zeNx>HА=c-p9#M P_:za'3 ]sOA}i^wl'UzyJ}~Vj/t:D(y[e{wC_ $]Bn/:K9z `M#}۾Jfz7ki^x̠t4u遧{ }!.u06/^ǚ5ϯ3i8e~W i}E)]K5"vW TE:'%:mחB}{+!bi4V3[TzQc%F}?^ϗ t8a8?6#,iԕbPɇ&L?u p~ru_,6;]E=<^Qe1˕iH=7~lL8vf>(tN<=oh|X}&;Srxy{;vP8bA-AE!gGuOũTϤ TqKxc<2s|q+3>7`f( g>9\x"\Dzo<#ttB,Aoʛs^תIPl8 D-l `2֗ᵓR7^o;3 1 R.rBL&`Nv P6L12aּNɂβ @pBld5nh 2Pq <:n)>8Vc"OlY jG1^{2K~lԳ,*3P2V1dJbTwDKeb3(YlvR{?Ar ,qsmӧ\+*8EIiƈ΄_:"K 噌y"T&&˟ 3G#ϥGRL>Y &0q޵qVbye2L"Z-DCxF@4,7o$ dL-FLۀ}%$6:~« zzV-;Bm77o9_)K#”h9G{iw,ޫeM#zRY3,|yԂ$qNZ H`Jb"I*YY~> > vl!m!=L-dCNϤMyo_%x-)T&Of0tFMǴ}hn`M"!;gGa%KVWD| \b3 O0vx6Up.t!\8v4ڏ)MJ|  -:gUf~׼/[3|Oc'>hOMz\P/@ƋڒOK/ŧK:s4}y u>RKA+9,B ˡ!\s$HÔB~|Ϩ%ϕ_|2|tώ/{ T@]郻fJ4{\`5k60klzc˱|1W&RF_R I-|:Rs) ~fa3l$ aA:Jף9^P 㩴iJxǶ'_?q#> (mFu%)]g6ۤe:[YHi`U~#꒸W`wA7 ٌ^c;xۚW?:iRol' *sWW dڢ/Z66"}1 b{',kBawQ p.WZ&ߍnT˟2#*ß +ly֫_«k],Ok")ڄN_|#ķvf7Y* >M%Bt/6k1{R_tLHJ~Pc+@m4U|[`8N?ŋ4`򣧹. {E]_[ͮ=:uR"Y,+{Cͬf#1}Ge>lrC؂_ ZRce։5yV$H_FXL4s+x(Yn0J=|Ub98Z"O<@1;>&a3h΃co P>b5?}r闺Up~QmuT`2le-NړEiİOi+UX ђ,ÑBu}ųKTa~o Dxr~v͸7{6;KG:&A'я"xp xfY+ Z B l?. dP /_Z6`;TP/m.͂͢E tMc%5UՒ|Rӊ,w9]dDo-81j֘1h*B ǯ9-Qj54]RUBI?Z|^c`ٍi3t3#66z^C Kk&p{y 6/LxZ8Ow| 􄼥 -J4sW'J"on04~ =T$h 7pKycdcqS|jm ZƒM)RӰp-3|ri?NRUzB94IfۨZZcX(+J PcnؑZfG@f{,w mӂS U%ff2|z`u.B .kXGl7K1eTUR5Ϛs8,֐K&t%baGN$(cX az C8pr|w\9QXl S\b 㽻n%5D3S:s:0ڱ]st3>н^3Bsl^?Rm{ι0eaeY &xfVؖmmq.]CJN`srٚmj6AD4#V¯R9*1f㭸= GrK5Gvt1І]3#ZIHh5J;a*T&9ǘxa1aV eզٝ$7zgVٿ[!gV{F dM,K|U:g|%wEܶh:&yM .oJ@QoIg4oF_ 6f^zGZQ1IG)e}o< #b2zވ9# XZ `Oh$~b Cy"uFf."Q\B p7w{f\z~}C{ =3C}.: x5g{(ehs>(4u? A(!'vѻ 2u Y»vI@ sb0阿aں5c3bwt]?[Y_i C> &(?,p E {GLƙ;fQ IFK7E T&}fAm??&~eKL)awSos# h_fJ Lma`t.t>M8]:сAf) p͒w\j:rtT b8+M 5?3,ȏ]cKlݜ(8ÓZi$P!%h$bcx=9aqadnz~X׻Se/( @Ka1c~PBMФPs]+J9q <>˩AguUq VH+^@03@SISk9:h\~"g[$g6}8vn59i_vDoWj(;utڽtֹnvb1(kyl2/*vg(P]7NQʩb q&c"Gd̀W.}QX\m_<JWjo7C.1Sln۽M-W'>;tɩcdhw>>r:X)` \& CL8SD^}'vԼVxy xQgdB&(By794h3Ot},>/:Eg}yktZпNF?ӹ(w2keO/e|Ws_e}2{ʠU^^e'ucF_dQ~W0{ s!?0~ׅw3?]/ rq7P&-m^=A֗_cV91@r߻ 2ڿ\'I73y S.rq/ 苬UrXB]eBy><_`fk7tsf_2̭L_:7Vr]!,.%PW^;qմ 6 x[Йq%#ޢD)+Fyk@Lg<?jnAmz'4`oy=gz}yPW4MdBgpXc$+"7<R9g)螡Z(_ MW+ 7\1"q`j@L ;J*V*r;~O;E"D(&0#*+P#}a`J\L3B /(@#غM{%}C3<8fȳRL u+J!'\Cxߏ ѱ7F]$xW2fdy3 @%aw8c+x;R(q X~Y8P*`!K؞9F̆$r$gLߟa޴c 6V{[2gډ:ܓq8SsӄwY"Dxx4@4Xʹ)9f NjW+-u23Mť{:\x| "e*sMJl!f=Nؒ1bQURۨ*ur$w|H-}I_\#u{^:x/ C4|']Ãq`a\m8u̮g焏v'4.FČk,'5`ca5}" >&|6bZb֠}QQ I4;|XNƀ_@s/7%O7"f̯!۝S%eOpKh.mc6H_,mgrlC*nܙ%O_x*8" "kH "s{B|%i;goP%n3!-p|;6M(ïU+2‡4u;7eԢı"tnHϱf=8~ C >1qkN@A0P$=Cf Kǣ,hM)u](OkdY9Hr&zU h$7=j"6: gK“J'Ңr\鱻$0\d~\g;Tlv[i>Oe;BI<ŗ5_x|X%cϷϒeTO"Ntx9m$Kd7-YmˊL3t#[G3R+i/ K7 oX)un'|oS{)0XPy4w8̝ -ӟ~H׶I _[0~O;_ڕ+zYL1e~}=3ӲG(q",@zP݌Z`Kei$VinnpSGghwq#b uu+e!.0:xa˟]lׁR#nȕxaWnvщ߉n^ ®"vyXA\gXIڙB ya1 g{y6W=?5zl5F9aim,eH&}+qd. " $8jo.-ua4,Lb9"[^QI(`vX33}"@a)5BLN So 3pRaL  b[и<>q,SsϢq9u93E~rxX0Up, j׺WȀ7H>YD,5Rb:({-zk|FXKc&&ı`=br8Lte4QS|J)Km)g3 Gτ T4}vcv4<1TF_E@G7dyUG/kI˖#795I(>eS1C'@n0\|H d9[\O^م53\j/YH~> \99.@OI"c؛b_yfȅ^a\YG+n:' ^e{b~g!gtּ\~:!# *`.gq^v>!2D!6xv{ٽ{^z<}~pݒ-9EKBӽm D>M\'_z`o3 g|oUAF]Q+j5Nbi|ۊX#iQgrYO ZqKmN~늘p6JL?-۔9MR"GZi/%!zh6