Multiple firewalls defend against multiplying threats
Incoming traffic must be screened throughout network
- By Kevin Jonah
- Jul 18, 2003
A few years ago, the focus of network security and firewall technology was on the perimeter: keeping bad guys on the outside from getting to systems on the inside.
But then along came denial-of-service attacks and e-mail Trojan horses, which slip past firewalls by masquerading as legitimate application traffic.
And it was no longer enough to merely lock down a range of IP port numbers, if that ever had been.
"It started becoming a real problem with Nimda and Code Red," said Bill Jensen, government marketing manager for Check Point Software Technologies Ltd., Redwood City, Calif. "The [e-mail worm] attacks were using legitimate-looking traffic to attack networks. It was very hard for administrators to stop this."
As a result, firewalls are now more common within enterprise networks than at the perimeter, and a whole new class of application monitoring and filtering technology is being integrated into firewall software and firmware.
The complexity of dealing with today's harsh security environment has left many organizations scrambling to catch up. Government agencies especially are having trouble keeping their perimeters secure.
"We all see the [data security] report cards for agencies; they're failing still," Jensen said.
Adding to the complexity of securing a network infrastructure is the growing demands on virtual private network connections for branch offices and for remote employees connecting over the Internet.
The financial rewards of using the public Internet to replace private, hard-wired networks make VPNs attractive for all but the most security-conscious applications, but they put pressure on a firewall. With more firewalls in the enterprise, the demand for easy-to-use management tools also has grown.
The need to execute on e-government strategies doesn't make the security problem any easier, either. Agencies have to find ways to open their networks to legitimate agency-to-agency, vendor-to-agency and citizen-to-agency traffic without leaving gaping holes for denial-of-service attacks that can take e-government applications offline.
E-government applications require an in-depth defense; agencies can no longer simply lock the front door. Fortunately, over the past two years firewall technology has advanced significantly on those fronts. Routers are now more intelligent, easier to manage and better integrated with the rest of the infrastructure of enterprise networks and other security measures, such as intrusion detection systems.
In some cases, security features, such as firewalls, intrusion detection and virus prevention software, are being combined into single devices. For example, Symantec Corp., Cupertino, Calif., recently introduced its Gateway Security appliance. Or designers are integrating them as modules within a larger piece of hardware, as with Cisco Systems Inc.'s PIX network security appliances.
For its part, Check Point is turning to partners to provide component technologies such as intrusion detection that integrate with its firewall through the company's Open Platform for Security program.
Firewalls themselves have changed, sometimes dramatically. Mike Jones, Cisco's product line manager for PIX firewall appliances, said more than 30 major features have been added to Cisco's PIX family in the past two years.
Perhaps the most important area of improvement in firewall technology over the past few years has been in application intelligence, being able to recognize whether incoming network packets are real user traffic, an attack from a hacker or a malicious piece of software.
Previously, the only way to control traffic based on which application it was destined for was to use application filtering, also called port filtering, on the firewall. Traffic directed to a known logical address on a network host, or port, reserved for a specific server application, such as port 80 for Web server requests and port 25 for e-mail traffic, would be allowed through. Unauthorized traffic would be stopped in its tracks. But denial-of-service attacks and e-mail worms use these known paths into the network for their attacks.
Most firewalls now go further than just screening packets for their destination port; they look at the actual data in the packet through a process known as stateful inspection. As traffic passes through the firewall, the packet contents are analyzed to determine whether they are genuine application data. If not, the traffic is blocked.
Check Point's Jensen said his company's firewalls equipped with Check Point's Smart Defense software "look at the information passing through and see if it's formatted correctly and up to snuff" before passing it along to its destination. The service also allows customers to use a VPN connection to Check Point to download new attack signatures so that the firewall can block new attacks as they emerge.
San Jose, Calif.-based Cisco has embedded similar technology in its PIX firewalls, Jones said.
"What we've been doing is building application-specific inspection engines within PIX that check packets on a per-protocol or per-application basis," he said. Built into these inspection engines is a denial-of-service prevention feature that makes sure packets are "properly formatted, not masquerading," he said.
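The two-stage screening described above (a port filter that admits anything addressed to the Web or mail port, followed by an application-level check that the payload is "properly formatted"), shown as an added illustration rather than code from Check Point, Cisco or any other product; the allowed ports, the HTTP format rules, the length cap and the sample packets are all constructed assumptions for the example.

```python
"""Port filtering followed by application-level inspection of HTTP traffic.
Illustrative only: a real inspection engine handles many protocols and
tracks connection state; this shows the principle for one protocol."""
import re
from typing import Tuple

ALLOWED_PORTS = {80, 25}          # Web and mail, the two ports the article names
MAX_REQUEST_LINE = 2048           # assumed sanity cap on the HTTP request line
# A well-formed request line: known method, printable-ASCII URI, HTTP/1.0 or 1.1
REQUEST_LINE_RE = re.compile(rb"^(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]\r?$")
# A well-formed header line: token name, colon, printable-ASCII value
HEADER_RE = re.compile(rb"^[A-Za-z0-9-]+: [\x20-\x7e]*\r?$")

def port_filter(dst_port: int) -> bool:
    """Stage 1: classic port filtering, which decides on the destination port only."""
    return dst_port in ALLOWED_PORTS

def inspect_http(payload: bytes) -> Tuple[bool, str]:
    """Stage 2: application-level inspection of an HTTP request payload.
    Returns (verdict, reason); True means the data looks like real application
    traffic, False means the firewall should block it."""
    head, _, _ = payload.partition(b"\r\n\r\n")   # request line plus headers
    lines = head.split(b"\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line exceeds length cap"
    if not REQUEST_LINE_RE.match(request_line):
        return False, "malformed request line"
    for hdr in lines[1:]:
        if not HEADER_RE.match(hdr):
            return False, "malformed header: %r" % hdr[:40]
    return True, "well-formed HTTP request"

def screen(dst_port: int, payload: bytes) -> Tuple[bool, str]:
    """Apply both stages: port filter first, then payload inspection for port 80."""
    if not port_filter(dst_port):
        return False, "port %d not permitted" % dst_port
    if dst_port == 80:
        return inspect_http(payload)
    return True, "port permitted, no inspector for this protocol"

# Constructed sample packets (not captured traffic). The last two would sail
# through a port filter alone because they are addressed to port 80.
LEGIT = b"GET /index.html HTTP/1.1\r\nHost: www.example.gov\r\n\r\n"
OVERLONG = b"GET /" + b"N" * 4000 + b" HTTP/1.0\r\n\r\n"
BINARY = b"GET /cgi-bin/app?" + bytes(range(0x80, 0x90)) + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for port, pkt in [(80, LEGIT), (80, OVERLONG), (80, BINARY), (23, LEGIT)]:
        print(port, screen(port, pkt))
```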
It's important to check incoming Internet traffic in this way. Because of the insidiousness of distributed denial-of-service attacks and other malicious software, such as Code Red's attack on Microsoft SQL Server, merely checking packets at the perimeter is no longer enough. The same screening needs to be applied to traffic within the network and from trusted outside sources, such as networks attached by a VPN connection.
Support for VPNs is another important component of enterprise firewalls. As the number of remote users requiring secure access to applications increases, firewalls must be able to handle a large amount of encrypted VPN traffic. Although acceleration hardware and new encryption standards have increased the amount of VPN data that firewalls can handle, another challenge remains: getting the VPN set up in the first place.
"One knock against VPNs has been manageability," Jensen said. "It's been hard to set up connections between different agencies."
Part of the problem is in distributing the required encryption keys to create the encoded connection that carries VPN traffic. Between two fixed points, using a shared-secret encryption method such as Advanced Encryption Standard usually will suffice for establishing a virtual network pipe. But dealing with multiple, changing sites or remote users means having to integrate an authentication system and handling a much larger number of encryption keys.
To make VPNs work well and quickly for all users, firewalls need to connect to a variety of directory types to authenticate users. And these authentication methods need to be tied to a policy at the firewall that determines the type and destination of traffic that each user can send into the network.
Cisco's firewalls support its switched network infrastructure, so the same policy structure that controls VPNs can be used to control each user's access to virtual LANs within the switched network.
This sort of internal partitioning of networks is one of the reasons why firewalls are finding their way deeper and deeper into the network infrastructure of many organizations.
There are plenty of reasons to do so. New networking technologies, such as WiFi Ethernet, make network access more convenient and all sorts of new applications possible. But they also open new routes for attack on the network.
Even the changing infrastructure of the network itself is helping to expand the role of firewalls. As the available IP address space shrinks and agencies start looking at implementing IP Version 6, there will be an increasing need to share IP addresses, translate private IP addresses onto public networks and mask the complexity of the network from the devices that use it.
The Network Address Translation function of firewalls can add years to the lifetime of the current Internet address pool of government agencies and help ease them into whatever network address scheme follows.
That's a lot to put on a technology that was originally designed to lock out bad guys. But the versatility of firewalls is making them an important part of nearly every emerging network application, from voice over IP communications to Web services.
And even as the importance of firewall technology grows, the days of the standalone firewall seem numbered. With firewall technology being built into almost every point on the network, firewalls as we think of them could disappear completely. Yet, firewalls manage to be everywhere at the same time.
Kevin Jonah, a Maryland network manager, writes about computer technology.