Application-layer firewalling: Raise your perimeter IQ - PowerPoint PPT Presentation

About This Presentation
Title:

Application-layer firewalling: Raise your perimeter IQ

Description:

Application-layer firewalling: Raise your perimeter IQ Joel Snyder Opus One Acknowledgements Products from Check Point, Cyberguard, NetScreen, Nortel Networks ... – PowerPoint PPT presentation

Number of Views:14
Avg rating:3.0/5.0
Slides: 26
Provided by: JoelS51
Category:

less

Transcript and Presenter's Notes

Title: Application-layer firewalling: Raise your perimeter IQ


1
Application-layer firewalling Raise your
perimeter IQ
  • Joel Snyder
  • Opus One

2
Acknowledgements
  • Products from Check Point, Cyberguard, NetScreen,
    Nortel Networks, Symantec, Secure Computing,
    Watchguard
  • Support from Andy Briney, Neil Roiter at
    Information Security

http//infosecuritymag.techtarget.com/
3
Firewalls have been around for a very long time
  • ATTs gateway creates a sort of crunchy shell
    around a soft, chewy center. (Bill Cheswick,
    Design of a Secure Internet Gateway, April, 1990)

First firewalls deployed in Internet-connected
organizations
CheckPoint revenues cross 100m
Firewalls and Internet Security published
WatchGuard introduces 1st FW appliance
Cisco buys PIX (Network Translation)
TIS toolkit commonly available
1989 1991 1993 1995 1997 1999 2001
2003 2005
4
Surely firewall makers have been busy since 1999 ?
  • Clear market trends
  • Faster
  • Cheaper
  • Smaller
  • New Guard NetScreen (Juniper), Watchguard,
    SonicWALL
  • Old Guard Cisco, Check Point
  • Clear product trends
  • Add VPN features
  • Site-to-site
  • Remote Access (?)
  • Add policy-based URL control
  • Websense-type
  • Add interfaces
  • No longer just inside, outside, DMZ

5
Shirley firewall makers have been busy since 1999
?
  • Clear market trends
  • Faster
  • Cheaper
  • Smaller
  • New Guard NetScreen (Juniper), Watchguard,
    SonicWALL
  • Old Guard Cisco, Check Point
  • Clear product trends
  • Add VPN features
  • Site-to-site
  • Remote Access (?)
  • Add policy-based URL control
  • Websense-type
  • Add interfaces
  • No longer just inside, outside, DMZ

6
Incremental improvements are not very exciting
  • Smaller, cheaper, faster thats great
  • VPNs, more interfaces thats great
  • But what have you done for me lately?
  • To answer that, we need to digress to the oldest
    battle in all of firewall-dom proxy versus
    packet filter!

7
Arguments between Proxy and Stateful PF continued
  • Proxy
  • More secure because you can look at application
    data stream
  • More secure because you have independent TCP
    stacks
  • Stateful PF
  • Faster to write
  • Faster to adapt
  • Faster to run
  • Faster also means cheaper

8
Proxy-based firewalls arent dead just slow!
Process Space
Proxy
RTL
TCP/IP
Outside net 1.2.3.4
Inside network 10.1.1.0/24
Src1.2.3.4 Dst5.6.7.8
Src10.1.1.99Dst5.6.7.8
Packet Filtering
Kernel
9
Firewall Landscape five years ago
  • IBM eNetwork
  • Secure Computing
  • Altavista Firewall
  • TIS Gauntlet
  • Raptor Eagle
  • Elron
  • Cyberguard
  • Ukiah Software
  • NetGuard
  • WatchGuard
  • SonicWALL
  • Check Point
  • Livermore Software
  • Milkyway
  • Borderware
  • Global Internet

Where have they all gone?
10
Stateful Packet Filtering dominates the market
Check PointCisco NetScreen SonicWALL
Freeware-based products Ipchains, IPF, Iptables,
IPFW
FW NewcomersFortinet, Toshiba, Ingate,
Enterasys, many others
IP
Stateful Packet Filtering
Kernel
11
But the core argument was never disputed
  • Proxy-based firewalls do have the possibility to
    give you more control because they maintain
    application-layer state information
  • The reality is that proxy-based firewalls rarely
    went very far down that path
  • Why? Market demand, obviously

12
Firewall EvolutionWhat we hoped for
  • Additional granular controls on a wide variety of
    applications
  • Intrusion detection and prevention functionality
  • Vastly improved centralized management systems
  • More flexible deployment options

13
Firewall EvolutionWhat we found
  • Additional granular controls on somea wide
    variety of applications
  • Limited intrusion detection and prevention
    functionality
  • Vastly improved centralized management systems
  • More flexible deployment options

Why? Market demand, obviously
14
Additional Granular Controls focused on a few
applications
  • Everybody loves HTTP management
  • Header filtering
  • File type MIME type blocking
  • Embedded Data blocking (Javascript)
  • Virus scanning, URL Filtering
  • Other applications are piecemeal
  • FTP
  • SMTP
  • VoIP
  • File Sharing

15
HTTP-oriented featuresserved pressure points
16
Advanced Controlsare diverse across products
  • Differentiating between advanced controls and
    basic controls was easy to do.
  • Proxy-based firewalls proved to be almost
    undistinguishable from their insecure stateful
    packet filtering brethren.
  • Vendors appear to be reactive, not proactive.

17
Virus Scans and Policy Controls are simple, right?
  • No! Some firewalls insisted on having virus
    and/or URL scanning happen off box
  • No! Some firewalls cant configure where you scan
    for viruses
  • No! Some devices dont have virus scanning
  • No! Some firewalls dont support a local list of
    blocked URLs
  • Conclusion its not simple

18
Weve learned how to write good GUIs, havent we?
  • Products are disappointing
  • The firewall people have a lot to learn from the
    SSL VPN people
  • Not in the firewall business, we havent
  • Additional granularity means additional thinking
    about resources

19
Centralized management has improved a bit
  • Folks who had it are doing slightly better than
    they were
  • Folks who didnt have it now generally have
    something

Were still missing a general policy management
system for firewalls Many of the centralized
management tools have very rough edges
20
Intrusion is the new buzzword in security
  • Rate-based IPS technology
  • In firewalls, means SYN flood protection
  • May be smart (NS)
  • May include shunning (SecComp, WG, CP)
  • Content-based IPS technology
  • Based on IDS-style thinking
  • May have small signature base (NS, CP)
  • May be an IDS with the IPS bit on (Symantec)

21
So whats going on in the firewall business?
  • Products are diverging, not converging
  • Personalities of products are distinct
  • IPS is a step forward, but not challenging the
    world of standalone products
  • Rate of change of established products is slow
    compared to new entries

22
What does this mean for me and my firewall?
  • Products are diverging
  • Personalities are distinct
  • IPS weaker than standalone
  • Change rate slow
  • Matching firewall to policy is hard change in
    application or policy may mean changing product!
  • Aggressive adoption of new features unlikely in
    popular products need new blood to overcome
    product inertia

23
Application-layer firewalling Joel Snyder Opus
One Member, Information SecurityMagazine test
alliance jms_at_opus1.com
24
Questions
  • Submit your questions to Joel by clicking on the
    Ask a Question link on the lower left corner of
    your screen.

25
Thank you
  • Thank you for participating in this
    SearchSecurity webcast. For more information on
    firewalls and an article by Joel, visit our
    Featured Topic. A copy of this presentation will
    be posted within the next 24 hours.
  • http//searchsecurity.com/featuredtopic/firewalls
Write a Comment
User Comments (0)
About PowerShow.com