Firewalls go proactive in screening network traffic
- By Kevin Jonah
- Jul 17, 2003
A few years ago, the focus of network security and firewall technology was on the perimeter: keeping bad guys on the outside from getting to systems on the inside.
But then along came denial-of-service attacks and e-mail Trojan horses, which masquerade as legitimate application traffic to get past the firewall and wreak havoc.
And it was no longer enough to merely lock down a range of IP port numbers, if it ever had been.
'It started becoming a real problem with Nimda and Code Red,' said Bill Jensen, government marketing manager for Check Point Software Technologies Ltd. 'The attacks were using legitimate-looking traffic to attack networks. It was very hard for administrators to stop this.'
As a result, firewalls are now as common within enterprise networks themselves as they are at the perimeter, and a whole new class of application monitoring and filtering technology is being integrated into firewall software and firmware.
The complexity of dealing with today's harsh security environment has left many organizations flailing to catch up. Government agencies, especially, are having trouble keeping their perimeters secure. 'We all see the [data security] report cards for agencies; they're failing still,' Jensen said.
Adding to the complexity of securing a network infrastructure are the growing demands on virtual private network connections for branch offices and for remote employees connecting over the Internet.
The financial rewards of using the public Internet to replace private hard-wired networks make VPNs attractive for all but the most security-conscious applications, but they put pressure on a firewall. And with more firewalls in the enterprise, the need for easy-to-use management tools has grown as well.
The push to execute e-government strategies doesn't make the security problem any easier to deal with, either. Agencies have to find ways to open their networks to legitimate agency-to-agency, vendor-to-agency and citizen-to-agency traffic without leaving gaping holes for denial-of-service attacks that can take e-government applications offline. E-government apps require a defense in depth: agencies can no longer simply lock the front door.
Fortunately, over the last two years firewall technology has advanced significantly on those fronts. Firewalls are now more intelligent, easier to manage and better integrated with the rest of the enterprise network infrastructure and with other security measures such as intrusion detection systems.
In some cases, security features such as firewalls, intrusion detection and virus prevention software are being combined into single devices, as in Symantec's recently introduced Gateway Security appliance. Or designers are integrating them as modules within a larger piece of hardware, as with Cisco Systems Inc.'s PIX network security appliances.
For its part, Check Point is turning to partners to provide component technologies such as intrusion detection that integrate with its firewall through the company's Open Platform for Security program.
Firewalls themselves have changed, sometimes dramatically. Mike Jones, Cisco's product line manager for PIX firewall appliances, said that more than 30 major features have been added to Cisco's PIX family in the last two years.
Perhaps the most important area of improvement in firewall technology over the past few years has been in application intelligence: that is, being able to recognize whether incoming network packets are real user traffic, an attack from a hacker or a malicious piece of software.
Previously, the only way to control traffic based on the application it was destined for was port filtering on the firewall. Traffic directed to a well-known port on a network host for a specific server application, such as port 80 for Web server requests and port 25 for e-mail, would be allowed through. Unauthorized traffic would be stopped in its tracks. But denial-of-service attacks and worms such as Code Red use these known paths into the network for their attacks.
Look at data
Most firewalls now go further than screening packets for their destination port. Stateful inspection tracks each connection, so that a packet is admitted only if it belongs to a session the firewall saw opened legitimately; a stray packet that matches an allowed port but no session is dropped. Application-layer inspection goes a step further and examines the data in the packet to determine whether it is well-formed traffic for the application the port implies; if it is not, the packet is blocked.
Check Point's Jensen said his company's firewalls equipped with its Smart Defense software 'look at the information passing through and see if it's formatted correctly and up to snuff' before passing it along to its destination. The service also allows customers to use a VPN connection to Check Point to download new attack signatures so that the firewall can block new attacks as they emerge.
Cisco has embedded similar technology in its PIX firewalls, Jones said. 'What we've been doing is building application-specific inspection engines within PIX that check packets on a per-protocol or per-application basis.' Built into these inspection engines is a denial-of-service prevention feature that makes sure packets are 'properly formatted, not masquerading,' he said.
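To make the progression concrete, here is an added example in Python; it is not code from the article, Check Point or Cisco. It runs the same constructed packets through a port filter, a stateful session tracker and an HTTP inspection engine, and includes a request shaped like Code Red's (a long filler followed by %u-encoded bytes sent to an .ida ISAPI handler). The packet fields, the flow table, the HTTP limits and the sample requests are all assumptions made for the illustration.

```python
"""Added illustration (not code from the article, Check Point or Cisco):
the three screening generations the article describes, run over a few
constructed packets.  Packet fields, the flow table, the HTTP limits
and the sample requests are all assumptions made for this example."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # source address
    dst: str            # destination address (the protected host)
    dport: int          # destination TCP port
    flags: str = ""     # TCP flag letters, e.g. "S" (SYN), "A" (ACK), "PA"
    payload: bytes = b""


ALLOWED_PORTS = {25, 80}   # the "lock down a range of port numbers" policy


def port_filter(pkt):
    """Generation one: admit anything whose destination port is permitted."""
    return pkt.dport in ALLOWED_PORTS


class StatefulFirewall:
    """Generation two: admit only packets that belong to a session the
    firewall saw being opened (inbound direction only, to keep it short)."""

    def __init__(self):
        self.flows = set()   # (src, dst, dport) of sessions opened through us

    def admit(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if "S" in pkt.flags and "A" not in pkt.flags:      # new connection
            if pkt.dport not in ALLOWED_PORTS:
                return False
            self.flows.add(key)
            return True
        if key not in self.flows:
            return False        # e.g. a bare ACK from a scan: no session, drop
        if "F" in pkt.flags or "R" in pkt.flags:
            self.flows.discard(key)
        return True


# Generation three: an HTTP inspection engine.  The limits are illustrative.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]\r\n")
MAX_URI_LEN = 2048
REPEATED_RUN = re.compile(rb"(.)\1{63,}")   # 64+ copies of one byte: buffer filler


def inspect_http(payload):
    """Return (ok, reason) for a request that is formatted 'up to snuff'."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False, "not a well-formed HTTP request line"
    uri = m.group(2)
    if len(uri) > MAX_URI_LEN:
        return False, "request-URI longer than %d bytes" % MAX_URI_LEN
    if REPEATED_RUN.search(uri):
        return False, "long run of a repeated byte in the request-URI"
    if b"%u" in uri:
        return False, "non-standard %u escape in the request-URI"
    return True, "ok"


def screen(pkt, fw):
    """Apply the three screens in order; stop at the first one that drops."""
    if not port_filter(pkt):
        return "drop", "port filter: port %d not permitted" % pkt.dport
    if not fw.admit(pkt):
        return "drop", "stateful inspection: no established session"
    if pkt.dport == 80 and pkt.payload:
        ok, reason = inspect_http(pkt.payload)
        if not ok:
            return "drop", "application inspection: " + reason
    return "accept", "ok"


# Constructed traffic.  CODE_RED_LIKE only resembles the worm's request
# (a long filler followed by %u-encoded bytes to an .ida ISAPI handler).
LEGIT_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.gov\r\n\r\n"
CODE_RED_LIKE = (b"GET /default.ida?" + b"N" * 224
                 + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt in [Packet("10.0.0.5", "192.0.2.10", 23, "S"),        # telnet: port filter
                Packet("10.0.0.5", "192.0.2.10", 80, "A"),        # ACK scan: stateful
                Packet("10.0.0.5", "192.0.2.10", 80, "S"),        # handshake: accepted
                Packet("10.0.0.5", "192.0.2.10", 80, "PA", LEGIT_REQUEST),
                Packet("10.0.0.5", "192.0.2.10", 80, "PA", CODE_RED_LIKE)]:
        print(pkt.dport, pkt.flags, screen(pkt, fw))
```

The point of the run is the last packet: it arrives on an allowed port, inside a session the firewall watched open, so the first two screens pass it; only the engine that reads the payload notices that the request-URI is filler rather than a real resource path. The stateful tracker here is deliberately one-directional and the HTTP checks are heuristics; a production engine would also follow the server side of the handshake and parse headers, not just the request line.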
It's important to check incoming Internet traffic in this way. Because of the insidiousness of distributed denial-of-service attacks and other malicious software, such as Code Red, which attacked Microsoft Internet Information Server, merely checking packets at the perimeter is no longer enough. The same screening needs to be applied to traffic within the network and from trusted outside sources, such as networks attached by a VPN connection.
Support is critical
Support for VPNs is another important component of enterprise firewalls. As the number of remote users requiring secure access to applications increases, firewalls have to be able to handle an increasingly large amount of encrypted VPN traffic.
Although acceleration hardware and the adoption of new encryption standards such as the Advanced Encryption Standard have increased the amount of VPN data firewalls can handle, another challenge remains: getting the VPN set up in the first place.
'One knock against VPNs has been manageability,' Jensen said. 'It's been hard to set up connections between different agencies.'
Part of the problem is in distributing the required encryption keys to create the encoded connection that carries VPN traffic. Between two fixed points, a pre-shared key protecting a symmetric cipher such as AES or Triple DES will usually suffice for establishing a virtual network pipe. But dealing with multiple, changing sites, or mobile and remote users away from a branch office, means having to integrate some sort of authentication system and handling a much larger number of encryption keys.
To make VPNs work well, and quickly, for all users, firewalls need to connect to a variety of directory types to authenticate users. And these authentication methods need to be tied to a policy at the firewall that determines the type and destination of traffic that each user can send into the network.
Cisco's firewalls support its switched network infrastructure, so the same policy structure that controls VPNs can be used to control each user's access to virtual LANs within the switched network.
This sort of internal partitioning of networks is one of the reasons why firewalls are finding their way deeper and deeper into the network infrastructure of many organizations.
There are plenty of reasons to do so. New networking technologies such as WiFi wireless Ethernet make network access more convenient and make all sorts of new applications possible, but they also open new routes for attack on the network.
And even the changing infrastructure of the network itself is helping drive the expansion of the role of firewalls. As the available IP address space shrinks, and agencies start looking at implementing IP Version 6, there will be an increasing need to share IP addresses, translate private IP addresses onto public networks, and otherwise mask the complexity of the network from the devices that use it.
The Network Address Translation function of firewalls can add years to the lifetime of the current Internet address pool of government agencies and help ease them into whatever network address scheme follows.
That's a lot to put on a technology that was originally designed to lock out bad guys. But the versatility of firewalls is making them an important part of nearly every emerging network application, from voice over IP communications to Web services.
And even as the importance of firewall technology grows, the days of the standalone firewall seem numbered. With firewall technology being built into almost every point on the network, firewalls as we think of them could disappear completely, and yet manage to be everywhere at the same time.
Kevin Jonah, a Maryland network manager, writes about computer technology.