Sometimes in IT, the best defense is a good defense moved further up the network stack. At least that is what some vendors and analysts are predicting about the next generation of network firewalls.
“The firewall is the piece of network security infrastructure with all the traffic … every frame going in and out of the network. It is absolutely the perfect place to provide visibility and control into these [Web] applications,” said Dave Stevens, CEO of Palo Alto Networks, based in Alviso, Calif.
Vendors are increasingly looking to integrate IPS (intrusion prevention systems) with firewalls, but truly integrated, full-featured products are in short supply, said Gartner analyst Greg Young. He cited research by his firm stating that threats have become more complex and moved higher in the network stack, forcing firewalls to move beyond just providing stateful protocol analysis to having increasingly rich management and configuration tools.
Robert Whiteley, an analyst with Forrester Research, agreed that firewalls will be more tightly integrated with all network security functions in the future.
“We already see products under the unified threat management category that combine firewall, VPN, IPS, anti-malware, and content filtering – I think Ciscos ASA and Junipers SSG are good enterprise examples,” he said. “However, these are not truly integrated.”
The ability to scan Web applications as they hit the firewall will be critical, Whiteley continued.
“An organization will have a gaping hole in its security architecture if it thinks traditional network firewalls are protecting the perimeter. We see trends like Web 2.0, Web services and SOA [service-oriented architecture], and software-as-a-service dramatically changing companies application architectures,” he said. “It also means that far more mission-critical traffic is now flowing over the standard Web ports.”
XML, Java, Flash and many other new Web protocols will allow for new, innovative application types – but they also carry with them an unknown number of vulnerabilities, Whiteley added.
“Companies will have to migrate to application-level protection in order to stop evolving exploits,” he said, adding that exploits are increasingly sophisticated and targeted. “It will be critical for the next generation of firewalls to provide better visibility to better tackle todays threatscape – never mind tomorrows.”
But bringing all these technologies together in the firewall will only succeed in the marketplace if it can be done without sacrificing latency and the throughput of basic firewall functions, analysts said. To this end, Check Point Software Technologies is putting its focus on performance.
“Were leveraging our open performance architecture so that performance is not just about how fast the firewall can go, but how fast it can go while it is actually protecting your network with intrusion prevention and other security measures activated,” said Bill Jensen, product marketing manager for Check Point, headquartered in Tel Aviv, Israel, and Redwood City, Calif.
Todays corporate users are installing applications—for both personal and business use—that have been designed to dodge detection by legacy network firewalls, Palo Alto Networks officials said. A new approach that leverages features such as application control, IP reputation technology and gateway anti-virus filtering in network firewalls is required to meet the needs of the modern enterprise, company officials said.
“Modern applications,” Stevens said, “are starting to adopt a communications model which is pretty effective at bypassing the existing security infrastructure … by hopping from port to port, or tunneling through encrypted links or just masquerading as port 80.”
As a result enterprises have effectively lost control over those connections and created compliance and information leak issues at some businesses, he said. To help companies address the situation, Palo Alto Networks has added application classification technology into its recently released PA-4000 Series, a family of firewall devices that can identify application traffic across ports.
“We can open the SSL [Secure Sockets Layer] links if necessary to identify the application,” Stevens said.
In addition, the PA-4000 devices perform deep packet inspection, apply filters and enforce policies based on the application. For example, an organization might choose to allow Web-based mail, but scan files being transferred for viruses, Stevens said.
With Ciscos marriage with IronPort now complete, Cisco officials have said they will look to weave IronPorts IP reputation technology into the firewall.
Armed with reputation data from IronPorts SenderBase Web site, Ciscos firewall will be aware of the reputation of the servers it is connecting to, said Tom Gillis, vice president of marketing in Ciscos IronPort Business Unit, in San Jose, Calif.
“In the first release of that, which will be in the first half of 2008, [it] will allow you to provide visibility into these connections so you can see how many clients are in your network that are connecting to servers that are known to be botnet control nodes,” Gillis said, adding that users would be able to block, throttle or deny connections considered suspect.
Connection blocking is the most obvious use of reputation technology, Gillis said. But he also said he foresees it being used to route traffic that hits the firewall. For example, if content is coming in from a server that is considered to be “rogue,” the traffic can be blocked; if the server is considered beyond reproach, the traffic can be routed around the spam scanning engine. Traffic from servers not known to be good or bad can be sent past a number of different signature-based scanning engines, he said.
“Future firewalls are going to have the ability to route traffic through the appropriate scanning measure based on the reputation of the connecting server,” Gillis said. “The firewall is effectively the traffic cop.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
