Building a better firewall
Tomorrow's firewalls will not only fend off attacks but also prevent intrusionsFollow @pvenezia
The firewall as a layer 4 packet-inspection device has reached maturity. Although not every network requires high-end LAN switching gear, every Internet-connected network needs a firewall, if only to provide NAT services and simple packet filtering. What’s growing out of this mature market is the next wave of firewalls.
The term firewall may live on in the next generation of security appliances, but it will encompass much more than the relatively simple devices that abound today. Stateful packet inspection, VPN tunnel termination, and IP translation services are at the core of today’s firewalls. Just around the corner, firewalls will also deliver true protocol analysis, IDP (intrusion detection and prevention), and content-based application-layer filtering within the same unit. These capabilities will be the foundation of a truly secure edge.
The push for the integration of these newer technologies in the trustworthy firewall comes from many angles. The specter of stringent Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley regulations have network administrators searching for a way to monitor and prevent information leakage at the edge; the double-edged sword of instant messaging and the growing adoption of IDP solutions underscores the need to know what information -- not just what protocols -- is passing from the private network to the public Internet.
Today these capabilities exist, but they are packaged as separate solutions, usually independent of one another, and using different management interfaces. An IDP solution may be deployed directly behind the firewall, but the two devices have no knowledge of one another, nor can they cooperate to fend off attacks. Some vendors are offering limited layer 5 to layer 7 filtering in their firewall products, which is somewhat effective in thwarting a limited set of well-known attacks. But the true promise of application-level filtering and IDP in a firewall has yet to be realized.
In the next few years we can expect to see firewalls that perform deep packet filtering, such as the ability to peer into TCP packets flowing to and from port 80 (HTTP), as well as the ability to filter out traffic that is not actually HTTP traffic, but another application using port 80 to slip through the access lists. Further, firewalls will be able to filter traffic based on keywords found in a protocol stream, and even filter encrypted traffic with known public keys. For instance, it will be possible to filter out every packet or protocol stream that contains the code name of an unannounced product -- regardless of the application used -- at wire-rate.
An old argument is also being resurrected regarding higher-level firewalling: Should a firewall be appliance- or server-based? Both have advantages. A server-based firewall is generally easier to update and has more headroom to accommodate higher-level functions. The downside of the server approach is the underlying OS, which typically isn't designed for the purpose at hand and requires a spinning disk.
Click for larger view.
Appliances with no moving parts -- other than fans -- are generally faster, due to heavy code optimization and reliance on ASICs to offload repetitive tasks from the CPU. But appliances are also limited by the solid-state storage they require to store system code and configurations. With the addition of higher-level functionality comes the addition of much more code. Just as standard firewalls moved to appliances from server-based platforms, it will take time for the next generation of firewalls to make this migration. But the speed and reliability of appliances will likely win. A whole new way of policing the edge is on the way.