
The firewall is dead, long live the firewall

Security at a crossroads.

Some ten years after the launch of the first firewall, security is at a crossroads. With the network layer now largely secure, the threats have moved into new areas, such as applications and Web services. This is a big problem for vendors and users alike, says Paul DiBernardi, product marketing director at Secure Computing. Existing vendors face competition from start-up technology developers, while users may find themselves having to assemble and manage security tools from multiple sources, some of them subscription-based. "There is an inflection point in the firewall market, because most firewalls were never intended to block applications. We're now having to relearn the security business," DiBernardi says.

Stateful inspection
Part of the problem is that the stateful inspection technology used in today's firewalls has reached commodity status without ever maturing. "I've been in the business from the beginning," he says. "In the early days, people hardly knew what a firewall was and it was the security experts who evaluated and bought them.

"The general market evolved so IT staff were buying them, and that changed the landscape because a firewall became a checkmark. Now the major analysts all refer to the firewall market becoming commoditised.

"That's good because prices come down, but when things become commodities you assume all firewalls are the same. So stateful inspection is seen as equivalent to a firewall.

"But the evolution of high-level attacks has exposed the limitations of firewalls. The purpose of stateful inspection is to decide whether to open a connection and pass packets through. Once the connection is open, they don't watch it anymore."

Firewall-evading tunnels
"Web services are a problem - they are evolving into firewall-evading tunnels. Technologies such as XML and SOAP all go through port 80, so everyone is moving to use that hole, including the hackers."

Another fast-growing technology that creates tunnels through the firewall is the SSL VPN. "It's designed to encrypt the session but unlike IPSec it doesn't authenticate and check every packet," he adds. "So you'd better have filtering right next to the SSL gateway."

Among the technologies aimed at application-level attacks are Intrusion Prevention Systems (IPS). These in-line devices look for the signatures of known attacks, such as Nimda or Slammer, and block them. Once your systems are correctly patched, those signatures can be turned off to reduce the processing load on the device. DiBernardi points out that an IPS, just like anti-virus software, must be kept up to date: "Anti-virus has established acceptance of a daily update service; IPS will evolve similarly."

He adds that signatures alone will not be enough. "Application filtering needs to deal with unknown attacks too, so you need general security strategies. We can knock down whole classes of attack because we know how hackers think." One possible route is a proxy, which terminates the client's connection, parses the traffic and re-creates it in strictly RFC-compliant form, thereby breaking attacks based on malformed packets. Similarly, VPNs must be terminated at the firewall and the decrypted traffic scanned, which of course makes it even more important that the firewall itself cannot be compromised.

"The next big challenge will be Distributed Denial of Service (DDoS)," DiBernardi says. "That will be really tough to solve, though, and will probably take network commitments to solve."

The problem is that all these new attacks mean the security market is becoming more and more segmented, with a proliferation of niche products. Often these come from start-up companies with hot new technology, but they all need to be managed, which means added complexity.
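The two mechanisms contrasted above, a stateful filter that makes its decision at connection open and a proxy that re-creates traffic in RFC-compliant form, as an added example in Python. This is not code from the article or from Secure Computing. The StatefulFirewall and HttpProxyFilter classes, the site policy (outbound connections to port 80 only), and every address, port and payload are constructed assumptions for the demonstration; the proxy implements only a small subset of HTTP/1.x request syntax, not a full RFC 7230 parser.

```python
"""Stateful connection tracking next to an application-layer proxy filter.

Added example, not code from the Techworld article or from Secure Computing.
All traffic below is constructed: the addresses, ports and payloads are toy
inputs chosen to show what each layer does and does not look at.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # first packet of a TCP connection
    payload: bytes = b""


class StatefulFirewall:
    """Opens a connection only when its first packet is outbound to a permitted
    port, then passes every later packet of that connection in either direction
    without reading the payload. That blindness after the open is the limit the
    article describes."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = set()  # established connections, keyed by address/port tuple

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True                    # established: payload is never inspected
        if pkt.syn and pkt.dport in self.allowed_ports:
            self.table.add(fwd)            # decide once, at connection open
            return True
        return False                       # no state and not a permitted open


# A small subset of the HTTP/1.x request grammar (RFC 7230), enough to decide
# whether bytes arriving on port 80 are really an HTTP request.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^\s]*|\*) (HTTP/1\.[01])$")
HEADER = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # assumed site policy


class HttpProxyFilter:
    """Terminates the client side, parses the request and re-emits a clean copy
    with canonical CRLF line endings and header names. Anything that does not
    parse as HTTP is dropped, so a non-HTTP tunnel riding on port 80 never
    reaches the server even though the stateful layer let its packets through."""

    def normalize(self, raw: bytes):
        lines = raw.replace(b"\r\n", b"\n").split(b"\n")   # tolerate bare LF on input
        m = REQUEST_LINE.match(lines[0])
        if not m or m.group(1) not in ALLOWED_METHODS:
            return None                    # not an HTTP request we are willing to relay
        method, target, version = m.groups()
        headers = []
        for line in lines[1:]:
            if line == b"":
                break                      # end of the header block
            h = HEADER.match(line)
            if not h or any((c < 0x20 and c != 0x09) or c == 0x7F for c in h.group(2)):
                return None                # malformed header or control bytes: drop
            name = b"-".join(p.capitalize() for p in h.group(1).split(b"-"))
            headers.append((name, h.group(2)))
        if version == b"HTTP/1.1" and not any(n == b"Host" for n, _ in headers):
            return None                    # HTTP/1.1 requires a Host header
        out = b" ".join((method, target, version)) + b"\r\n"
        out += b"".join(n + b": " + v + b"\r\n" for n, v in headers)
        return out + b"\r\n"               # always re-emitted with CRLF


def run_demo():
    """Constructed traffic: one client opens a connection to port 80 and sends
    two payloads, a non-HTTP tunnel and a sloppily formatted HTTP request."""
    fw = StatefulFirewall(allowed_ports={80})
    proxy = HttpProxyFilter()
    client, server = ("10.0.0.5", 40000), ("203.0.113.7", 80)
    tunnel = b"TUNNEL v1\n\x00\x01\x02"
    sloppy = b"GET /index.html HTTP/1.1\nhost:  example.com  \nx-custom-header:value\n\n"
    return {
        "open_allowed": fw.filter(Packet(*client, *server, syn=True)),
        "tunnel_passes_stateful": fw.filter(Packet(*client, *server, payload=tunnel)),
        "tunnel_passes_proxy": proxy.normalize(tunnel) is not None,
        "reply_passes_stateful": fw.filter(Packet(*server, *client, payload=b"ack")),
        "unsolicited_inbound": fw.filter(Packet("198.51.100.9", 5555, "10.0.0.5", 22, syn=True)),
        "normalized": proxy.normalize(sloppy),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the split the article describes: the stateful layer admits the tunnel payload because the connection was legitimately opened to port 80, while the proxy refuses it because it is not HTTP; the sloppy request, by contrast, comes out of the proxy with CRLF line endings, trimmed values and canonical header names, which is what denies an attacker the leverage of malformed input.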
Not too surprisingly, DiBernardi's preferred solution is to find a single vendor who can do as much as possible in one box. "You can get suites," he adds, "but there's no industry standard to tie them all together, yet." He doesn't see security standards emerging either, because security moves too fast: "A long time ago we learnt that if we followed standards religiously we missed every market window. Encryption is the one area - IPSec - where standards might evolve, because people need to interoperate."

