Archive    22 April 2008     #67

Firewalls:  The Next Generation

By William Flanagan and Vladimir Kaminsky

Network security is an important component of high availability (HA). Firewalls are the basic building block of an organization's network security architecture and, as such, should be deployed at every possible intrusion point throughout the enterprise network.  Many organizations partition their internal networks with additional firewalls. 

Unfortunately, HA works against you if it means your network is always open to hackers. This is especially true in the new network environment when more and more websites and servers are attacked by hackers armed with techniques aimed making money, not just scoring points with other hackers.

What We Have

Traditional firewalls are unable to keep up with phishing, pharming, and exploits based on social engineering. These firewalls generally have low performance and single-function security.

--Low performance because all security functions are performed in a single CPU. While today most backbone and enterprise network’s are running Gigabit or higher speed, traditional firewalls are capable of transacting at 100 megabit speeds.

--Single-function; other network security devices are needed to achieve acceptable network security. These include VPN devices for data encrypt-decryption or SSL acceleration, IPS products for network invasion, virus scanning, etc.

The protocol inspection method based on UDP or TCP port numbers, used by traditional firewalls, is no longer enough. More and more applications use Port 80, originally intended for only HTTP, which almost all firewall configurations allow to pass.

Users have found that traditional firewall technology does not meet the new threats as hackers and malicious internal users move from network abuse to attacks on the enterprise's applications, business logic, and critical data. Even systems categorized as “deep inspection” or “intrusion prevention” may focus on preventing worm storms on internal user segments. Most of the current firewalls are generally limited to an understanding of the underlying protocols and lack insight into the actual business logic, associated data, or their interactions. Thus, they are clearly not comprehensive in terms of meeting the security needs of business applications and databases.

What's Coming

Next-generation firewalls (NGFWs, or appliances for Unified Threat Management, UTM) will consolidate firewall, intrusion prevention system (IPS) filtering, and possibly other security functions such as virus blocking.  In part, capital savings and operational simplicity drive consolidation.  Integration can also enhance security by correlating security-data events, and can provide superior performance.

An example of simplification is load balancing. Scaling up a firewall to large capacity may involve multiple devices, with a load balancer appliance (or two for redundancy) to distribute traffic evenly over all of them.  The NGFW may have sufficient capacity to allow a "virtual router" technique between an active and a standby device, eliminating the load balancer in an HA deployment.

NGFWs can leverage their existing deep packet inspection engine by sharing this functionality with an intrusion protection engine.  As part of this process, streams--which have been allowed by the firewall--are subsequently submitted for analysis to the IPS engine.  The reuse of the deep packet inspection engine brings about a significant increase in performance and helps administrators get a consolidated security view of their network.  Applying an external IPS function before the firewall (also in the NGFW) lets the operator track probes and threats the firewall blocks from the internal IPS.

With time, these firewalls should include other content processing technologies like anti-virus, which can leverage the deep packet inspection technologies to provide comprehensive protection. NGFWs blend sophisticated application-aware firewalls with IPS that integrates vulnerability assessment and network behavior anomaly detection at a higher protocol layer, such as the application layer.  The latest approach is to learn the vulnerabilities of key applications, then watch for behavior that could exploit those vulnerabilities.   But it likely will stop short of processing-intensive tasks such as email AV or message content-filtering.

In the NGFW, the actual firewall technology is the foundational element. It is also the one suffering most from scalability problems, especially in the data center. This is not because appliances are slow. It is because an appliance-based architecture itself is flawed:  it does not allow for the easy addition of new functions and is slow to accommodate enterprise growth.  In addition, severe connectivity constraints force multiplication of new boxes, even when capacity is adequate. Thus, the firewall refresh cycle becomes an opportunity to review the architectural implications of traditional deployment strategies.

These newer firewalls will be able to block new threats at network speeds through integration of specialized hardware (FPGAs, ASICs) and Network Processors.  In an increasingly complex network environment, it is without doubt that an integrated UTM device provides streamlined management efforts and ease-of-installation while allowing you to enjoy multiple layers of network protection.

Malware (worms, Trojan horses, spyware, etc.) can overwhelm server and network resources and cause denial of service (DoS) to internal employees, external Web users, or both.  By filtering for known file and activity signatures, IPSs block malware from the network by dropping the packets that carry it.  The latest approach is to learn the vulnerabilities of key applications, rather than just the signatures of exploits, then watch for behavior that could exploit those vulnerabilities.  This method provides protection for new exploits as soon as they appear, before they are characterized with a signature.

NGFWs may integrate firewalls and IPSs such that traffic is inspected just once for both functions.  Traditionally, having to inspect traffic in the same processor once for connection-layer access information and again for malware significantly slows system throughput.  Network processors speed up the throughput, but another approach is to build the NGFW on a multi-slot chassis into which you add processing blades as needed to meet capacity requirements.  Blades themselves can contain multiple processors each and may be dedicated to a specific function (f/w, IPS, A/V, etc.).

Several advances collectively distinguish the next generation in UTM systems.  The first is performance. Certain security provisions require deep packet inspection (DPI) through Layer 7--the Application Layer--to detect spam, viruses, worms and other sophisticated forms of attack, as well as potentially offensive or unauthorized content. And because some threats span multiple packets, multi-packet payload reassembly is required.  Because many enterprise networks now support delay-sensitive applications like voice over IP (VoIP), DPI and reassembled content inspection must occur with a very low latency that is transparent to delay-sensitive applications.  As an in-line appliance, UTM systems must support line-rate throughput while detecting, logging, and eliminating the multiple security threats.  To achieve high throughput with a low latency, hardware-based acceleration technology is required.  Some such advanced UTM systems today are capable of delivering 70 Gbit/s or more of performance.  For the moment, scale seem achievable.

Because bandwidth must be managed to deliver peak performance, some next-generation systems also include traffic shaping capabilities that can be applied to virtual domains.  We'll take that up another time.

For Further Reading

http://crossbeamsys.com/solutions/nextgen_firewall.php

Chassis-based NGFW with internal redundancy and load balancing for multiple functions (F/W, IPS, etc.). 

http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/isg_series_slash_gprs/

Large capacity firewalls with IDP (IDS and IPS) offering active-active and active-passive redundancy modes.

New Books

FC Associate Ray Horak recently authored two books on networking.  William Flanagan was the technical editor for both books.  They offer extensive coverage of many technologies, and are as accurate as two old pros can make them.

The new titles are:

Telecommunications and Data Communications Handbook, 791 pages.

Webster's New World Telecom Dictionary, 568 pages.

Wiley is the publisher.  Available in bookstores and on the web from multiple merchants--do a web search for "Ray Horak" or start with Ray's profile page at http://www.amazon.com/gp/pdp/profile/AL7TPWAFURLDA.