The firewall as a layer 4 packet-inspection device has reached maturity. Although not every network requires high-end LAN
switching gear, every Internet-connected network needs a firewall, if only to provide NAT services and simple packet filtering.
What’s growing out of this mature market is the next wave of firewalls.
 |
DOWNLOAD REPORT
|
|
|
 |
|
|
|
|
|
The term firewall may live on in the next generation of security appliances, but it will encompass much more than the relatively
simple devices that abound today. Stateful packet inspection, VPN tunnel termination, and IP translation services are at the
core of today’s firewalls. Just around the corner, firewalls will also deliver true protocol analysis, IDP (intrusion detection
and prevention), and content-based application-layer filtering within the same unit. These capabilities will be the foundation
of a truly secure edge.
The push for the integration of these newer technologies in the trustworthy firewall comes from many angles. The specter of
stringent Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley regulations have network administrators
searching for a way to monitor and prevent information leakage at the edge; the double-edged sword of instant messaging and
the growing adoption of IDP solutions underscores the need to know what information -- not just what protocols -- is passing
from the private network to the public Internet.
Today these capabilities exist, but they are packaged as separate solutions, usually independent of one another, and using
different management interfaces. An IDP solution may be deployed directly behind the firewall, but the two devices have no
knowledge of one another, nor can they cooperate to fend off attacks. Some vendors are offering limited layer 5 to layer 7
filtering in their firewall products, which is somewhat effective in thwarting a limited set of well-known attacks. But the
true promise of application-level filtering and IDP in a firewall has yet to be realized.
In the next few years we can expect to see firewalls that perform deep packet filtering, such as the ability to peer into
TCP packets flowing to and from port 80 (HTTP), as well as the ability to filter out traffic that is not actually HTTP traffic,
but another application using port 80 to slip through the access lists. Further, firewalls will be able to filter traffic
based on keywords found in a protocol stream, and even filter encrypted traffic with known public keys. For instance, it will
be possible to filter out every packet or protocol stream that contains the code name of an unannounced product -- regardless
of the application used -- at wire-rate.
An old argument is also being resurrected regarding higher-level firewalling: Should a firewall be appliance- or server-based?
Both have advantages. A server-based firewall is generally easier to update and has more headroom to accommodate higher-level
functions. The downside of the server approach is the underlying OS, which typically isn't designed for the purpose at hand
and requires a spinning disk.
Appliances with no moving parts -- other than fans -- are generally faster, due to heavy code optimization and reliance on
ASICs to offload repetitive tasks from the CPU. But appliances are also limited by the solid-state storage they require to
store system code and configurations. With the addition of higher-level functionality comes the addition of much more code.
Just as standard firewalls moved to appliances from server-based platforms, it will take time for the next generation of firewalls
to make this migration. But the speed and reliability of appliances will likely win. A whole new way of policing the edge
is on the way.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
