The firewall has been around since the dawn of the commercial internet, and it has been and remains a vital layer in network security defense.
There has been recent discussion about its place in the network today, but as with any technology that stays viable in new times, the firewall has evolved. Let’s take a quick trip back in time to understand how far the firewall has come and then fast-forward to what we can expect in the future.
• Flashback to early 1990: The first generation firewall inspected “packets” transferred between computers on the Internet. Inspections were performed on each packet, looking at the source, destination, port, etc. and primarily only covered the first 3 layers of the OSI model.
• Going one layer up the OSI Model: The firewall’s next step was moving up to layer 4 in the OSI model and performing stateful inspection. Whereas packet filtering looked only at an individual packet at a time, with stateful packet inspection, firewalls could retain packets until there was enough information to make a sound yes/no decision. Stateful firewalls are still widely used today though that is shifting.
• We are currently in the age of firewall acronyms. Firewalls have picked up more capabilities, and more marketing buzzwords!
o UTM – Unified Threat Protection. It’s a bird, it’s a plane… no… it’s a firewall… and a whole lot more. UTM devices provide firewalls, Anti-virus, IPS, etc. – all bundled in one appliance.
o NGFWs – Next-generation firewalls. With Next-Gen firewalls, we get layer 7 control, as these devices are designed to filter traffic based on application and user as well as by traditional means. NGFWs can additionally integrate IPS into the firewall’s decision to block malicious traffic. Feeding IPS verdicts into the firewall’s decision-making process is just another step in its evolution. There is some debate whether it’s best to have IPS standalone or integrated with your firewall, but integration is where we’re heading.
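To make the first two steps above concrete, here is an added simulation (not code from the original post) contrasting a first-generation stateless packet filter with stateful inspection. The packet layout, the inside network 10.0.0.0/8, and the sample traffic are all constructed for illustration; the stateless rule mimics the classic “established” match on the TCP ACK bit, while the stateful filter keeps a connection table of outbound SYNs.

```python
from dataclasses import dataclass
import ipaddress

# Constructed example: hosts in this range are "inside" the firewall.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """First-generation approach: decide from this packet's header alone.
    Outbound traffic is allowed; inbound traffic is allowed only when it
    looks like part of an existing session (ACK bit set). The filter has
    no memory, so it cannot tell a genuine reply from an unsolicited
    packet that merely carries the ACK bit."""
    if is_inside(pkt.src) or pkt.ack:
        return "allow"
    return "drop"


class StatefulFilter:
    """Stateful inspection: record connections that inside hosts open and
    admit inbound packets only when they match a tracked connection."""

    def __init__(self):
        self.table = set()  # (inside_ip, inside_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:  # new outbound connection attempt
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: look up the reversed 4-tuple in the connection table.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.table else "drop"


def demo() -> dict:
    """Run the same constructed traffic through both filters."""
    sf = StatefulFilter()
    out_syn = Packet("10.1.1.5", "203.0.113.10", 40000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.1.1.5", 443, 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", "10.1.1.5", 443, 40001, ack=True)
    sf.filter(out_syn)  # inside host opens a connection; table entry recorded
    return {
        "stateless_reply": stateless_filter(reply),
        "stateless_unsolicited": stateless_filter(unsolicited),
        "stateful_reply": sf.filter(reply),
        "stateful_unsolicited": sf.filter(unsolicited),
    }
```

Both filters admit the legitimate reply, but only the stateful one drops the unsolicited packet, which is exactly the gap that moved firewalls up to layer 4.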
Sidenote: I recently participated on a panel discussing the current state of the firewall, which was moderated by Mike Rothman of Securosis and included Pankil Vyas of GM, Patrick Bedwell of Fortinet and Ryan Liles of NSS Labs.
One of the questions from the audience was “what’s the difference between a UTM and a NGFW?” To summarize the thoughts from my peers on the panel, it was basically agreed that it’s more semantics than anything else, with small potential differences around performance (UTMs being thought of as more mid-market and NGFWs more for the enterprise).
• Where we go next from Next-Generation firewalls and UTMs is up for debate, but here are some ideas to consider:
o Further integration of security capabilities. We’ve already seen a lot of integration with UTMs and NGFWs and we’re getting beyond just throwing more tools on a box and actually integrating the data and capabilities to get faster and better decisions made. One possible evolution would be to have a SIEM correlate data from the gateway and dynamically adapt the firewall rules to mitigate specific threats – this is a ways off still I think, but this type of integration will certainly continue as more intelligence and automation are built into and cross-pollinated across these solutions.
o Hypervisor level firewalls which inspect and enforce a policy on VM-to-VM traffic. We’re just at the beginning stages of adoption and hypervisor level firewalls will not replace dedicated firewalls operating at or near wire speeds, but as organizations begin to mix workloads with different security requirements on the same physical box, there will be more demand for these firewalls.
o Cloud-based firewalls. Spinning up servers on Amazon or Rackspace? What about managing the security policy of those servers? We are starting to see emerging technology that offers security in the cloud that matches the elastic and dynamic nature of cloud environments.
o I think the way firewalls and their policies are managed will also change. It’s already underway. It’s one thing to manage all of the rules that allow traffic to be filtered at different points in the network and based on different criteria, but at the end of the day a firewall is there to allow or block traffic.
With networks becoming increasingly complex, and with these allow/block decisions impacting many stakeholders, instead of looking at these devices from strictly a firewall/security perspective, I believe that at least in large organizations we’ll start to see more decisions made from the perspective of a business application. By business application I mean, for example, a credit card processing service that is vital for an ecommerce company to run and make money. If a firewall rule is preventing the application from working or slowing down its performance, the company suffers. It’s a new way of looking at how firewalls are managed and it’s evolving… stay tuned!
I hope you enjoyed this journey down firewall memory lane and a look into the crystal ball at what is possible down the road. I want to make sure it’s clear that firewalls are here to stay; it’s just that the firewall as we’ve known it is changing. What was considered a firewall is now much more, and while names may get fuzzy with deeper levels of integration, the firewall’s place in the network is cemented.