Transcript: 21st Century Firewalls
Application-layer firewalling: Raise your perimeter IQ
Joel Snyder, Opus One
Acknowledgements
Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard. Support from Andy Briney and Neil Roiter at Information Security (http://infosecuritymag.techtarget.com/).
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.”
(Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Timeline, 1989 to 2005: first firewalls deployed in Internet-connected organizations; TIS toolkit commonly available; “Firewalls and Internet Security” published; Cisco buys PIX (Network Translation); Check Point revenues cross $100m; WatchGuard introduces the first firewall appliance.
Surely firewall makers have been busy since 1999?
• Clear market trends
  Faster, cheaper, smaller
  New Guard: NetScreen (Juniper), Watchguard, SonicWALL
  Old Guard: Cisco, Check Point
• Clear product trends
  Add VPN features: site-to-site, remote access (?)
  Add policy-based URL control (Websense-type)
  Add interfaces: no longer just inside, outside, DMZ
Shirley firewall makers have been busy since 1999 ?
Incremental improvements are not very exciting
• Smaller, cheaper, faster: that’s great
• VPNs, more interfaces: that’s great
• But what have you done for me lately?
To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
• Proxy
  More secure because you can look at the application data stream
  More secure because you have independent TCP stacks
• Stateful PF
  Faster to write
  Faster to adapt
  Faster to run
  Faster also means cheaper
Proxy based firewalls aren’t dead… just slow!
Figure: proxy firewall data path. Inside network = 10.1.1.0/24; outside net = 1.2.3.4. A packet from the inside (Src=10.1.1.99, Dst=5.6.7.8) is terminated in the proxy process space; the proxy re-originates it through the TCP/IP packet filtering kernel as a second connection (Src=1.2.3.4, Dst=5.6.7.8).
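The diagram above contrasts two architectures: a stateful packet filter that keeps a connection table in the kernel and never reads payload, and a proxy that terminates the inside TCP connection and re-originates it from the firewall's own outside address, which is what lets it vet the application data stream. The following toy model is an added example, not code from the presentation; the addresses come from the slide, and the packet sequence, the class names and the HTTP request-line check are constructed for the demonstration.

```python
# Added example (not from the presentation): a toy model of the two firewall
# architectures the slide contrasts. Addresses come from the slide; the
# packet sequence, class names and the HTTP check are constructed.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.1.0/24")   # inside network, from the slide
OUTSIDE_ADDR = "1.2.3.4"                 # firewall's outside address, from the slide
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST
    payload: bytes = b""

class StatefulPacketFilter:
    """Rule base for the first packet, state table for everything after it.
    Policy: inside hosts may open TCP connections outward; nothing else."""
    def __init__(self):
        self.state = set()   # (src, sport, dst, dport) of inside-initiated flows

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            if "R" in p.flags:                  # RST tears the flow down
                self.state.discard(fwd)
                self.state.discard(rev)
            return "ALLOW-STATE"                # payload is never inspected
        if p.flags == "S" and ip_address(p.src) in INSIDE_NET:
            self.state.add(fwd)                 # new outbound connection
            return "ALLOW-NEW"
        return "DROP"                           # unsolicited inbound, or not a SYN

class ProxyFirewall:
    """The inside connection ends here; the proxy opens its own connection to
    the server from OUTSIDE_ADDR (one ephemeral port per inside connection)
    and can vet the data before relaying it."""
    def __init__(self):
        self.next_port = 40000      # ephemeral port on the proxy's own TCP stack

    def relay(self, inside: Packet):
        """Return the packet the server sees, or None if the proxy refuses."""
        if ip_address(inside.src) not in INSIDE_NET:
            return None
        if inside.payload and not HTTP_REQUEST_LINE.match(inside.payload):
            return None                          # not HTTP on an HTTP proxy
        out = Packet(OUTSIDE_ADDR, self.next_port, inside.dst, inside.dport,
                     inside.flags, inside.payload)
        self.next_port += 1
        return out

def run_scenario():
    """Constructed sequence: an inside client opens a connection, the server
    answers, data flows, then an outside host tries an unsolicited SYN."""
    fw = StatefulPacketFilter()
    pkts = [
        Packet("10.1.1.99", 33000, "5.6.7.8", 80, "S"),
        Packet("5.6.7.8", 80, "10.1.1.99", 33000, "SA"),
        Packet("10.1.1.99", 33000, "5.6.7.8", 80, "A", b"GET / HTTP/1.0\r\n\r\n"),
        Packet("9.9.9.9", 4444, "10.1.1.99", 22, "S"),
    ]
    return [fw.process(p) for p in pkts]

if __name__ == "__main__":
    print(run_scenario())
    proxy = ProxyFirewall()
    print(proxy.relay(Packet("10.1.1.99", 33000, "5.6.7.8", 80, "A",
                             b"GET / HTTP/1.0\r\n\r\n")))
```

The packet filter's decisions depend only on addresses, ports and flags: the same inside host could push anything through port 80 and the filter would report ALLOW-STATE. The proxy returns None for a payload that is not an HTTP request line, and the server only ever sees a connection from 1.2.3.4, which is the "independent TCP stacks" argument from the slide.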
Firewall Landscape: five years ago
• IBM eNetwork, Secure Computing, Altavista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software
• NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet
Stateful Packet Filtering dominates the market
• Check Point, Cisco, NetScreen, SonicWALL
• Freeware-based products: Ipchains, IPF, Iptables, IPFW
• FW Newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others
Figure: IP stateful packet filtering kernel.
But… the core argument was never disputed
• Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information
• The reality is that proxy-based firewalls rarely went very far down that path
Why? Market demand, obviously…
Firewall Evolution: What we hoped for…
• Additional granular controls on a wide variety of applications
• Vastly improved centralized management systems
• Intrusion detection and prevention functionality
• More flexible deployment options
Firewall Evolution: What we found…
• Additional granular controls on some, not a wide variety of, applications
• Limited intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Why? Market demand, obviously…
Additional Granular Controls focused on a few applications
• Everybody loves HTTP management
  Header filtering
  File type & MIME type blocking
  Embedded data blocking (Javascript)
  Virus scanning, URL filtering
• Other applications are piecemeal: FTP, SMTP, VoIP, file sharing
HTTP-oriented features served “pressure points”
Products compared: CyberGuard, Netscreen, WatchGuard, Secure Computing, Symantec, Check Point.
HTTP action controls: CyberGuard Post/Put/Delete; Netscreen none; WatchGuard Post; Secure Computing all; Symantec can block 'upload' only; Check Point Get/Post/Put/Head.
Filename & MIME type blocking and header filtering (per-product values as listed): Filename, no MIME blocking; Full; Filename .EXE & .ZIP, no MIME blocking; No MIME blocking; Limited set; Filename & MIME type blocking; Filename blocking by extension; Full; No; Filename by wildcard, no MIME blocking; Full.
SOAP controls: CyberGuard basic; Netscreen no; WatchGuard no; Secure Computing block/allow; Symantec no; Check Point basic.
URL translation: CyberGuard yes; Netscreen no; WatchGuard no; Secure Computing no; Symantec no; Check Point yes.
Can block within HTTP, and virus detection (per-product values as listed): ActiveX, Java, Javascript, VBScript, XML; Yes, external server; ActiveX, Java; ActiveX, Java, Cookies; ActiveX, Java, Javascript, VBScript; Yes, internal or external server; None; Local scanning, 2 types (signature/heuristic); WebDAV, DCOM; Local scanning; ActiveX, Java, Javascript, VBScript; Yes, external server.
URL filtering/blocking: CyberGuard WebSense; Netscreen WebSense plus local URL list; WatchGuard WebBlocker; Secure Computing SmartFilter and local URL list; Symantec rating system and local URL list; Check Point OPSEC and local URL list.
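The control categories in that table (HTTP action/method control, filename and MIME type blocking, header filtering, blocking of embedded ActiveX/Java/Javascript content, and a local URL block list) are small enough to show as one policy engine. The following is an added example, not the presentation's or any vendor's code; every policy value in it (allowed methods, blocked extensions and MIME types, dropped headers, the block-listed hostname) is a constructed default chosen for the demonstration, and the sample requests are constructed too.

```python
# Added example (not from the presentation or any vendor): a toy HTTP
# application-layer policy covering the control categories in the table
# above. All policy values and sample traffic are constructed.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "POST", "HEAD"})       # PUT/DELETE blocked
    blocked_extensions: frozenset = frozenset({".exe", ".zip"})
    blocked_mime: frozenset = frozenset({"application/x-msdownload", "application/zip"})
    dropped_headers: frozenset = frozenset({"referer", "from"})          # header filtering
    blocked_urls: tuple = ("badsite.example",)                           # local URL list
    block_active_content: bool = True

# Tags that carry the embedded content the products in the table can block.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|object|applet|embed)\b", re.IGNORECASE)

def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser; raises ValueError on a bad request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if not 3 parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def check_request(raw: bytes, policy: HttpPolicy):
    """Return (verdict, reason, headers_to_forward) for a client request."""
    try:
        req = parse_request(raw)
    except ValueError:
        return "BLOCK", "malformed request line", {}
    if req["method"] not in policy.allowed_methods:
        return "BLOCK", f"method {req['method']} not allowed", {}
    host = req["headers"].get("host", "")
    if not host:
        return "BLOCK", "missing Host header", {}
    parts = urlsplit(req["target"])                   # absolute URL or bare path
    hostname = (parts.hostname or host.split(":")[0]).lower()
    path = parts.path or "/"
    if any(hostname == b or hostname.endswith("." + b) for b in policy.blocked_urls):
        return "BLOCK", f"host {hostname} on local URL block list", {}
    ext = re.search(r"(\.[A-Za-z0-9]+)$", path)
    if ext and ext.group(1).lower() in policy.blocked_extensions:
        return "BLOCK", f"file type {ext.group(1)} blocked", {}
    forward = {k: v for k, v in req["headers"].items() if k not in policy.dropped_headers}
    return "ALLOW", "ok", forward

def check_response(headers: dict, body: bytes, policy: HttpPolicy):
    """Return (verdict, reason) for a server response heading back inside."""
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime in policy.blocked_mime:
        return "BLOCK", f"MIME type {mime} blocked"
    if policy.block_active_content and mime == "text/html":
        m = ACTIVE_CONTENT.search(body)
        if m:
            return "BLOCK", f"embedded <{m.group(1).decode().lower()}> content blocked"
    return "ALLOW", "ok"

if __name__ == "__main__":
    pol = HttpPolicy()
    # Constructed sample traffic.
    print(check_request(b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                        b"Referer: http://x/\r\n\r\n", pol))
    print(check_request(b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n", pol))
    print(check_request(b"GET /tools/setup.EXE HTTP/1.1\r\nHost: www.example.com\r\n\r\n", pol))
    print(check_response({"content-type": "text/html"},
                         b"<html><script>x()</script></html>", pol))
```

Note what the table rows mean in practice: "filename blocking, no MIME blocking" is the request-side check only (the `.exe` test on the path), while MIME type blocking needs the response side as well, because a server can serve an executable under any path. The embedded-content check here only inspects bodies labelled text/html, which is the same gap a product has when it keys its checks off the declared type.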
Advanced Controls are diverse across products
Products compared: CyberGuard, Netscreen, WatchGuard, Secure Computing, Symantec, Check Point. Protocols covered: FTP, H.323, HTTP, LDAP, NNTP, RealAudio, SIP, SMTP, POP, DNS, IMAP, Socks, SNMP, CIFS (the slide shows which product has advanced controls for which protocol as a dot matrix).
• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
Virus Scans and Policy Controls are simple, right?
• No! Some firewalls insisted on having virus and/or URL scanning happen “off box”
• No! Some devices don’t have virus scanning
• No! Some firewalls can’t configure where you scan for viruses
• No! Some firewalls don’t support a local list of blocked URLs
Conclusion: simple it’s not
We’ve learned how to write good GUIs, haven’t we?
• Not in the firewall business, we haven’t
• Products are … disappointing
• Additional granularity means additional thinking about resources
The firewall people have a lot to learn from the SSL VPN people
Centralized management has improved a bit
• Folks who had it are doing slightly better than they were
• Folks who didn’t have it now generally have something
• We’re still missing a general policy management system for firewalls
• Many of the centralized management tools have very rough edges
“Intrusion” is the new buzzword in security
• Rate-based IPS technology
  In firewalls, means “SYN flood protection”
  May be smart (NS)
  May include shunning (SecComp, WG, CP)
• Content-based IPS technology
  Based on IDS-style thinking
  May have small signature base (NS, CP)
  May be an “IDS with the IPS bit on” (Symantec)
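"SYN flood protection" with optional shunning, as the slide describes rate-based IPS in firewalls, amounts to counting connection attempts in a sliding window and reacting when a threshold is crossed. The following is an added example, not the presentation's code or any vendor's implementation; the thresholds, window, shun duration and sample traffic are all constructed for the demonstration.

```python
# Added example (not from the presentation): a toy rate-based check of the
# kind the slide calls "SYN flood protection", with optional shunning.
# Thresholds, window, shun duration and the traffic are constructed.
from collections import defaultdict, deque

class SynFloodGuard:
    """Sliding-window SYN counters, kept per destination (to notice a flood
    toward one server even when sources are spoofed) and per source (to shun
    a single noisy host for shun_for seconds)."""
    def __init__(self, dst_threshold=10, src_threshold=5, window=1.0, shun_for=60.0):
        self.dst_threshold = dst_threshold
        self.src_threshold = src_threshold
        self.window = window
        self.shun_for = shun_for
        self.by_dst = defaultdict(deque)   # dst -> timestamps of recent SYNs
        self.by_src = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shunned = {}                  # src -> time the shun expires

    def _count(self, table, key, ts):
        """Record a SYN for key at time ts and return the count in the window."""
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

    def observe(self, src, dst, flags, ts) -> str:
        """Verdict for one packet: PASS, ALERT-FLOOD, SHUN or DROP-SHUNNED."""
        expires = self.shunned.get(src)
        if expires is not None:
            if ts < expires:
                return "DROP-SHUNNED"
            del self.shunned[src]            # shun has expired
        if flags != "S":
            return "PASS"                    # only connection attempts are rated
        if self._count(self.by_src, src, ts) > self.src_threshold:
            self.shunned[src] = ts + self.shun_for
            self.by_src[src].clear()
            return "SHUN"
        if self._count(self.by_dst, dst, ts) > self.dst_threshold:
            return "ALERT-FLOOD"
        return "PASS"

def spoofed_flood():
    """Constructed: 15 SYNs to one server from 15 different sources in 15 ms.
    No single source trips the shun, but the destination counter does."""
    g = SynFloodGuard()
    return [g.observe(f"203.0.113.{i}", "5.6.7.8", "S", i * 0.001) for i in range(15)]

def single_source_flood():
    """Constructed: one host sends 8 SYNs in 8 ms, then tries again a minute later."""
    g = SynFloodGuard()
    verdicts = [g.observe("9.9.9.9", "5.6.7.8", "S", i * 0.001) for i in range(8)]
    verdicts.append(g.observe("9.9.9.9", "5.6.7.8", "S", 61.0))
    return verdicts

if __name__ == "__main__":
    print(spoofed_flood())
    print(single_source_flood())
```

The two scenarios show why per-source shunning alone is not flood protection: spoofed sources never cross the per-source threshold, so the per-destination counter is what raises the alert. A production implementation goes further than a counter (SYN cookies or answering the handshake on the server's behalf), which is the "may be smart" distinction on the slide.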
So what’s going on in the firewall business?
• Products are diverging, not converging
• Personalities of products are distinct
• IPS is a step forward, but not challenging the world of standalone products
• Rate of change of established products is slow compared to new entries
What does this mean for me and my firewall?
• Products are diverging and personalities are distinct, so matching firewall to policy is hard; a change in application or policy may mean changing product!
• IPS is weaker than standalone products and the change rate is slow, so aggressive adoption of new features is unlikely in popular products; new blood is needed to overcome product inertia
Application-layer firewalling. Joel Snyder, Opus One. Member, Information Security Magazine test alliance. [email protected]
Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit http://searchsecurity.com/featuredtopic/firewalls