Hardware Today: Next-Gen Firewalls Reach High
Firewalls have come a long way since 1985, when U.S. Department of Defense experiments spawned basic packet filtering technologies.
Firewalls have come a long way since their humble beginnings nearly 20 years ago. We look at the latest trends and examine Fortinet and SonicWALL, two lesser-known players with unique products.
At their most simple, firewalls
The rash of virus and worm infestations that began in the second half of 2003 altered the nature of organizations' firewall needs. This week, we look at how the latest crop of firewalls is fortifying enterprises by adding anti-spam, anti-virus, and anti-worm deep packet inspection capabilities. We will also spotlight two companies building firewalls with unique capabilities.
Firewalls protect networks from other untrusted networks by filtering packets based on origin, destination, application type, and packet type.
Previous generations of firewalls were known as intrusion detection systems (IDSes). The main function of an IDS was to sound an alarm on detection of an intrusion. This was akin to "having a fire alarm but no fire department," Gartner Research Director for Security and Privacy Greg Young told ServerWatch.
But change is afoot. Today, firewall improvements are replacing IDSes with a new baseline: intrusion prevention systems (IPSes), Young said. Some vendors have already built IPS functionality directly into firewalls. These products can detect a worm, for example, while letting other, non-worm packets through at functional speeds. Young describes this as a hand-in-glove fit because "firewalls typically block everything except things that are specifically allowed," whereas "IPSes allow everything except for the very specific [incoming data]."
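As an added illustration (not from the article or from Gartner), the two policy styles Young contrasts, modelled in Python over constructed packets: a default-deny header filter in front of a default-allow payload inspector, then both combined in one appliance. All addresses, ports and signatures below are constructed sample values.

```python
# Added example: toy model of a default-deny firewall and a default-allow IPS,
# and of the combined "all-in-one" appliance. Constructed data, not real traffic.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes

# Firewall allow-list of (proto, dport) the enterprise exposes. Everything else
# is blocked: "block everything except things that are specifically allowed".
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443), ("tcp", 25)}

# IPS signatures: byte patterns of known bad payloads. Everything else passes:
# "allow everything except for the very specific". Placeholders, not real worms.
IPS_SIGNATURES = {
    "sample-worm-a": b"SAMPLE-WORM-SIGNATURE-A",   # constructed placeholder
    "sample-worm-b": b"SAMPLE-WORM-SIGNATURE-B",   # constructed placeholder
}

def firewall_verdict(pkt: Packet) -> str:
    """Header-only filtering: the payload is never examined at this stage."""
    return "pass" if (pkt.proto, pkt.dport) in FIREWALL_ALLOW else "block"

def ips_verdict(pkt: Packet) -> str:
    """Deep packet inspection: scan the payload for a known signature."""
    for name, sig in IPS_SIGNATURES.items():
        if sig in pkt.payload:
            return f"drop:{name}"
    return "pass"

def appliance(pkt: Packet) -> tuple[str, str]:
    """Combined firewall + IPS box. Returns (verdict, deciding stage), so a
    blocked port never costs an IPS scan and allowed ports still get inspected."""
    if firewall_verdict(pkt) != "pass":
        return ("block", "firewall")
    ips = ips_verdict(pkt)
    if ips != "pass":
        return (ips, "ips")
    return ("pass", "both")

if __name__ == "__main__":
    # Constructed sample traffic: a clean web request, a worm on an allowed port,
    # and a worm on a port the firewall already closes.
    for p in [Packet("203.0.113.9", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.0\r\n"),
              Packet("203.0.113.9", "192.0.2.10", "tcp", 80, b"GET /x SAMPLE-WORM-SIGNATURE-A"),
              Packet("203.0.113.9", "192.0.2.10", "tcp", 3389, b"SAMPLE-WORM-SIGNATURE-A")]:
        print(p.proto, p.dport, appliance(p))
```

The third packet shows why the two layers complement each other: the firewall drops it on the port alone, so the costlier payload scan only runs on traffic the policy actually exposes.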
The key question enterprises now face is whether to use an all-in-one firewall with IPS built in or pair an IPS device with a firewall at the network front-end. Young cited bandwidth, architecture, and technology refresh cycle concerns as paramount in this determination. He argues that an enterprise generally chooses a solution based on the environment's individual quirks and concerns.
"There are always real concerns about performance when you start turning on deep packet inspection on a firewall," he said. Evaluate carefully, as "latency can really vary considerably between vendors."
Sometimes, keeping the IPS and firewall functionality separate makes sense, as "it reduces some risk," according to Young. For example, with a stand-alone IPS, "if you're going with a vendor and latency becomes an issue, you can swap it [the firewall] out," whereas if you're using a combined IPS/firewall, "you have all your eggs in one basket."
On the other hand, "from a management perspective, it's great to have it all in one; you have one vendor to deal with," Young said.
It may be more a matter of semantics, however, as even when the devices are kept separate, "quite often the differentiation is just there's a cable between them, so it's effectively one security appliance," he adds.
Gartner predicts firewall, anti-spam, anti-virus, and other traffic management technologies will converge in the next 12 to 24 months to be present in a single security appliance. The IPS deep packet inspection on the firewall is just one component, and by 2007, Young believes such devices will have matured enough to be customized based on the market segment they target.
Management Takes Priority
Manageability drives the decision more often than price, according to Young. "People are looking at this total cost of ownership and realizing that the command line interface isn't cutting it for multiple devices." Thus, larger enterprises tend to standardize on homogeneous firewalls from the same vendor. Training requirements also encourage homogeneity. A management standard for firewalls isn't in the cards at this time, as some firewalls still aren't using IPS technology and there is little incentive for vendors to standardize.
Enterprises looking to secure the perimeter more efficiently should look to IPS, as it covers patch management gaps. Young cites a 30-day to six-month window of heavy patch deployment after a vulnerability is announced. During this time, exploits that take advantage of the vulnerability may erupt more quickly than patches are actually deployed. Firewalls coupled with IPS function as a "Band-Aid on the way to the hospital, a really good strategy," Young said.