New Firewall Capabilities Necessary as Apps, Use Evolve

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

One of the work horses of efforts to protect corporate networks is the firewall. Increasingly, however, experts say that these border patrollers of the modern age -- at least in their current form -- are no longer up to the task.


The emergence of Web 2.0 applications is one reason that firewalls need to be upgraded and fine tuned. Thiago at Enterprise 3 Portals/Collaboration/Web points out that people behind firewalls have the ability to bypass them and access file-sharing applications -- the writer mentions eMule and BitTorrent -- that spell danger. The answer, Thiago says, is a new type of firewall that spots specific behavior the enterprise wants to avoid. The result can be the best of both worlds: The ability to squelch dangerous traffic while allowing the collaborative and interactive Web 2.0 applications that help business.


Reavis Consulting Group, which keeps the Risk Bloggers blog, is running focus groups on what it calls firewall 2.0. This posting offers five early and apparently unscientific conclusions to the research. Significantly, focus group participants agreed that current firewalls provide "minimal value." There is no view on what is leaving the organization through port 80 tunnels, and suggests that this makes the enterprise vulnerable to "outside-in" attacks. The research also suggested that the next iteration of firewalls must find a way to truly identify users -- not just IP addresses and ports -- and that virtualization will further upset the firewall apple cart.


To understand the changes that firewalls must undergo in order to remain relevant as the Internet changes, it is important to understand how current versions work. Doktertomi.com does a good job of explaining firewalls and how they fit within the large framework of a security infrastructure. Most firewalls use packet filtering in which screening or filtering routers examine packets traveling between the intranet (the internal network) and the Internet. As their name implies, proxy servers execute requests on the part of internal users. This unburdens internal users from the dangerous job of connecting directly to the Internet. Bastion hosts are the focal point of all requests coming from the Internet.


This piece at Inftek begins by reiterating the common wisdom that older firewalls can't handle new pressures. The piece then defines what a firewall is and says there are four types: packet layer, circuit layer; application layer and proxy layer. The next step is to list five firewall tasks: Provide gateway defense; execute security policies; segregate traffic between the trusted network, the Internet and the DMS; hide the network addresses; and report threats and activity.


Just as importantly, the piece points to things that firewalls can't be relied upon to do. Firewalls can't stop malware, spam, distributed denial of service (DDoS) attacks and data leakage. The conclusion is that firewalls are no longer sufficient to protect the network alone.


The application-specific element called for by participants in the Reavis Group focus group and elsewhere is provided by Web application firewalls (WAFs). Ivan Ristic suggests that this type of security element hasn't exactly taken the world by storm during the past few years. The reasons, he thinks, are that it is new and requires users to understand both the technology and the rapidly evolving threats that make it necessary. He adds that many companies are not assigning enough people to the issue and that it is unclear who in an organization should oversee WAFs. The time is coming for WAFs, the writer says, as attacks on Web applications are becoming more numerous and dangerous.


Network firewalls and WAFs are different devices that do different things. Considering them at the same time, however, shows how quickly things are changing. The bottom line is simple: The highly interactive collaborative world requires a new approach to firewalls.