Application-layer firewalling: Raise your perimeter IQ
Joel Snyder, Opus One
Acknowledgements
• Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard
• Support from Andy Briney, Neil Roiter at Information Security
http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
Timeline, 1989 to 2005:
• First firewalls deployed in Internet-connected organizations
• “Firewalls and Internet Security” published
• TIS toolkit commonly available
• Cisco buys PIX (Network Translation)
• Check Point revenues cross $100m
• WatchGuard introduces 1st FW appliance
Surely firewall makers have been busy since 1999?
Clear market trends
• Faster
• Cheaper
• Smaller
New Guard: NetScreen (Juniper), Watchguard, SonicWALL
Old Guard: Cisco, Check Point
Clear product trends
• Add VPN features: site-to-site, remote access (?)
• Add policy-based URL control (Websense-type)
• Add interfaces: no longer just inside, outside, DMZ
Incremental improvements are not very exciting
• Smaller, cheaper, faster: that’s great
• VPNs, more interfaces: that’s great
• But what have you done for me lately?
• To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
Proxy
• More secure because you can look at the application data stream
• More secure because you have independent TCP stacks
Stateful PF
• Faster to write
• Faster to adapt
• Faster to run
• Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!
Diagram (proxy versus packet filtering): inside network 10.1.1.0/24, outside address 1.2.3.4. A connection from 10.1.1.99 to 5.6.7.8 is terminated by the proxy running in process space, above the kernel TCP/IP stack, and re-originated by the firewall as 1.2.3.4 to 5.6.7.8.
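The proxy-versus-packet-filter distinction above, as an added Python example that is not part of the presentation: a toy stateful packet filter that keys its decisions on the 5-tuple, next to a toy proxy that terminates the connection and reassembles the stream. The addresses follow the diagram (inside 10.1.1.0/24, outside 1.2.3.4, server 5.6.7.8); the traffic, the state-table policy and the split DELETE request are constructed for the example.

```python
# Added example (not from the slides): a toy stateful packet filter and a
# toy application proxy, to show what each one can see.
# Addresses, ports and payloads are constructed; 10.1.1.0/24 is the inside
# network and 5.6.7.8 the outside server, as in the slide's diagram.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "PA"
    payload: bytes = b""


class StatefulFilter:
    """Stateful packet filter: per-packet decisions keyed on the 5-tuple.

    Policy (assumed): inside hosts may open connections outward; replies are
    allowed because the flow is already in the state table; anything else is
    dropped. It never looks at application payload across packets.
    """
    INSIDE_PREFIX = "10.1.1."

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> state

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW"                       # belongs to a tracked flow
        if "S" in p.flags and "A" not in p.flags and p.src.startswith(self.INSIDE_PREFIX):
            self.table[fwd] = "SYN_SENT"         # inside host initiating
            return "ALLOW"
        return "DROP"                            # unsolicited inbound


def per_packet_match(packets, needle: bytes) -> bool:
    """The best a packet filter can do with content: look inside each packet."""
    return any(needle in p.payload for p in packets)


class ProxyStream:
    """Application proxy: terminates TCP with its own stack, reassembles the
    byte stream, and applies rules to the stream instead of to packets."""

    def __init__(self):
        self.buf = b""

    def feed(self, p: Packet) -> None:
        self.buf += p.payload                    # in-order reassembly (toy)

    def request_line(self) -> bytes:
        return self.buf.split(b"\r\n", 1)[0]

    def method(self) -> str:
        return self.request_line().split(b" ", 1)[0].decode("ascii", "replace")


def demo() -> dict:
    """Run both engines over constructed traffic and return what each decided."""
    fw = StatefulFilter()
    syn = Packet("10.1.1.99", 40000, "5.6.7.8", 80, "S")
    synack = Packet("5.6.7.8", 80, "10.1.1.99", 40000, "SA")
    unsolicited = Packet("5.6.7.8", 4444, "10.1.1.99", 22, "S")
    flow_verdicts = [fw.decide(syn), fw.decide(synack), fw.decide(unsolicited)]

    # An HTTP DELETE whose request line straddles two TCP segments.
    segments = [
        Packet("10.1.1.99", 40000, "5.6.7.8", 80, "PA", b"DEL"),
        Packet("10.1.1.99", 40000, "5.6.7.8", 80, "PA",
               b"ETE /index.html HTTP/1.1\r\nHost: 5.6.7.8\r\n\r\n"),
    ]
    proxy = ProxyStream()
    for seg in segments:
        proxy.feed(seg)
    return {
        "flow_verdicts": flow_verdicts,
        "packet_filter_saw_delete": per_packet_match(segments, b"DELETE "),
        "proxy_saw_method": proxy.method(),
    }


if __name__ == "__main__":
    print(demo())
```

The split request is the point: a packet filter can only match content that sits inside one packet, so a request line that crosses a segment boundary is invisible to it, while the proxy's own TCP stack hands the reassembled stream to the rule. That is the "looks at the application data stream" argument in concrete form.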
Firewall landscape: five years ago
• IBM eNetwork, Secure Computing, AltaVista Firewall, TIS Gauntlet, Raptor Eagle, Elron, Cyberguard, Ukiah Software
• NetGuard, WatchGuard, SonicWALL, Check Point, Livermore Software, Milkyway, Borderware, Global Internet
Stateful packet filtering dominates the market
Diagram: stateful packet filtering sits at the IP layer, inside the kernel.
• Check Point, Cisco, NetScreen, SonicWALL
• Freeware-based products: ipchains, IPF, iptables, IPFW
• FW newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others
But… the core argument was never disputed
• Proxy-based firewalls can give you more control, because they maintain application-layer state
• The reality is that proxy-based firewalls rarely went very far down that path. Why? Market demand, obviously…
Firewall evolution: what we hoped for…
• Additional granular controls on a wide variety of applications
• Intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Firewall evolution: what we found…
• Additional granular controls on some applications
• Limited intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Why? Market demand, obviously…
Additional granular controls focused on a few applications
• Everybody loves HTTP management: header filtering, file type & MIME type blocking, embedded data blocking (Javascript), virus scanning, URL filtering
• Other applications are piecemeal: FTP, SMTP, VoIP, file sharing
HTTP-oriented features served “pressure points”
Features surveyed: HTTP action controls; filename & MIME type blocking; header filtering; SOAP controls; URL translation; can block within HTTP; virus detection; URL filtering/blocking.

CyberGuard
  HTTP action controls: Post/Put/Delete
  Filename & MIME type blocking: filename; no MIME blocking
  Header filtering: Full
  SOAP controls: Basic
  URL translation: Yes
  Can block within HTTP: ActiveX, Java, Javascript, VBScript, XML
  Virus detection: Yes, external server
  URL filtering/blocking: WebSense

NetScreen
  HTTP action controls: None
  Filename & MIME type blocking: filename .EXE & .ZIP; no MIME blocking
  Header filtering: No
  SOAP controls: No
  URL translation: No
  Can block within HTTP: ActiveX, Java
  Virus detection: Yes, internal or external server
  URL filtering/blocking: WebSense plus local URL list

WatchGuard
  HTTP action controls: Post
  Filename & MIME type blocking: MIME blocking
  Header filtering: Limited set
  SOAP controls: No
  URL translation: No
  Can block within HTTP: ActiveX, Java, Cookies
  Virus detection: None
  URL filtering/blocking: WebBlocker

Secure Computing
  HTTP action controls: All
  Filename & MIME type blocking: filename & MIME type blocking
  Header filtering: Full
  SOAP controls: Block/Allow
  URL translation: No
  Can block within HTTP: ActiveX, Java, Javascript, VBScript
  Virus detection: Local scanning, 2 types (signature/heuristic)
  URL filtering/blocking: SmartFilter and local URL list

Symantec
  HTTP action controls: Can block ‘upload’ only
  Filename & MIME type blocking: filename blocking by extension
  Header filtering: No
  SOAP controls: No
  URL translation: No
  Can block within HTTP: WebDAV, DCOM
  Virus detection: Local scanning
  URL filtering/blocking: Rating system and local URL list

Check Point
  HTTP action controls: Get/Post/Put/Head
  Filename & MIME type blocking: filename by wildcard; no MIME blocking
  Header filtering: Full
  SOAP controls: Basic
  URL translation: Yes
  Can block within HTTP: ActiveX, Java, Javascript, VBScript
  Virus detection: Yes, external server
  URL filtering/blocking: OPSEC and local URL list
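The controls in that table, as an added Python example that is not taken from the presentation or from any of the vendors listed: a small policy engine that applies action (method) controls, filename and MIME-type blocking, header filtering and embedded-content blocking to one request and one response. The policy values, the filtered header name, the active-content markers and the sample messages are all constructed for the example.

```python
# Added example (not from the slides, not any vendor's code): a policy engine
# for the HTTP "pressure points" -- action controls, filename and MIME-type
# blocking, header filtering, embedded-content blocking.
# Policy values and sample messages are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpPolicy:
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    blocked_extensions: frozenset = frozenset({".exe", ".zip"})
    blocked_mime: frozenset = frozenset({"application/x-msdownload", "application/zip"})
    blocked_headers: frozenset = frozenset({"x-debug-token"})   # header filtering (assumed name)
    block_active_content: bool = True                          # ActiveX / Java / JavaScript


# Minimal, assumed set of markers for embedded active content in HTML bodies.
ACTIVE_CONTENT_RE = re.compile(rb"<script\b|<applet\b|<object\b|<embed\b|classid\s*=", re.I)


def parse_message(raw: bytes):
    """Split an HTTP/1.x message into start line, lower-cased header dict, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _blocked_extension(name: str, policy: HttpPolicy):
    """Return the blocked extension that `name` ends with, or None."""
    name = name.lower()
    return next((ext for ext in sorted(policy.blocked_extensions) if name.endswith(ext)), None)


def check_request(raw: bytes, policy: HttpPolicy = HttpPolicy()) -> list:
    """Return the policy violations for a client request (empty list = allow)."""
    start, headers, _ = parse_message(raw)
    parts = start.split(" ")
    method = parts[0].upper()
    target = parts[1] if len(parts) > 1 else ""
    violations = []
    if method not in policy.allowed_methods:                   # action control
        violations.append(f"method {method} not allowed")
    ext = _blocked_extension(target.split("?", 1)[0], policy)  # filename blocking
    if ext:
        violations.append(f"request for blocked file type {ext}")
    for name in headers:                                       # header filtering
        if name in policy.blocked_headers:
            violations.append(f"header {name} filtered")
    return violations


def check_response(raw: bytes, policy: HttpPolicy = HttpPolicy()) -> list:
    """Return the policy violations for a server response (empty list = allow)."""
    _, headers, body = parse_message(raw)
    violations = []
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in policy.blocked_mime:                           # MIME-type blocking
        violations.append(f"MIME type {ctype} blocked")
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""), re.I)
    ext = _blocked_extension(m.group(1), policy) if m else None
    if ext:                                                    # filename blocking on downloads
        violations.append(f"download of blocked file type {ext}")
    if policy.block_active_content and ctype == "text/html" and ACTIVE_CONTENT_RE.search(body):
        violations.append("embedded active content blocked")   # embedded data blocking
    return violations


# Constructed sample messages.
SAMPLE_REQUEST = (b"DELETE /tools/setup.exe?x=1 HTTP/1.1\r\n"
                  b"Host: 5.6.7.8\r\nX-Debug-Token: abc\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Disposition: attachment; filename=\"report.zip\"\r\n\r\n"
                   b"<html><body><script>alert(1)</script></body></html>")

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
    print(check_response(SAMPLE_RESPONSE))
```

Each column of the table maps to one check, which is also why the products differ so much: a vendor that only ships the filename check has no need for a response-side parser at all, while embedded-content blocking forces the box to read the body.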
Advanced controls are diverse across products
Protocols surveyed: FTP, H.323, HTTP, LDAP, NNTP, RealAudio, SIP, SMTP, POP, DNS, IMAP, Socks, SNMP, CIFS
Number of those protocols with advanced controls, per product (the per-protocol cells of the table did not survive the transcript):
• CyberGuard: 8
• NetScreen: 6
• WatchGuard: 3
• Secure Computing: 7
• Symantec: 7
• Check Point: 6
• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
Virus scans and policy controls are simple, right?
• No! Some firewalls insist on having virus and/or URL scanning happen “off box”
• No! Some firewalls don’t let you configure where virus scanning happens
• No! Some devices have no virus scanning at all
• No! Some firewalls don’t support a local list of blocked URLs
Conclusion: it’s not simple
We’ve learned how to write good GUIs, haven’t we?
• Not in the firewall business, we haven’t
• Additional granularity means additional thinking about resources
• Products are … disappointing
The firewall people have a lot to learn from the SSL VPN people
Centralized management has improved a bit
• Folks who had it are doing slightly better than they were
• Folks who didn’t have it now generally have something
We’re still missing a general policy management system for firewalls
Many of the centralized management tools have very rough edges
“Intrusion” is the new buzzword in security
Rate-based IPS technology
• In firewalls, means “SYN flood protection”
• May be smart (NetScreen)
• May include shunning (Secure Computing, WatchGuard, Check Point)
Content-based IPS technology
• Based on IDS-style thinking
• May have a small signature base (NetScreen, Check Point)
• May be an “IDS with the IPS bit on” (Symantec)
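Rate-based protection with shunning, as an added Python example that is not from the presentation or any product: a per-source sliding-window SYN counter that shuns a source for a fixed period once it exceeds the threshold. The threshold, window, shun duration, addresses and timestamps are assumed values chosen for the example.

```python
# Added example (not from the slides, not any vendor's implementation):
# rate-based "SYN flood protection" with shunning of the offending source.
# Thresholds, addresses and timestamps are constructed for the example.
from collections import defaultdict, deque


class SynRateGuard:
    """Count SYNs per source in a sliding window; shun a source that exceeds
    the threshold for shun_seconds (all of its packets are dropped meanwhile)."""

    def __init__(self, max_syns: int = 10, window_seconds: float = 1.0,
                 shun_seconds: float = 60.0):
        self.max_syns = max_syns
        self.window = window_seconds
        self.shun_for = shun_seconds
        self.arrivals = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shunned = {}                    # src -> time the shun expires

    def observe(self, src: str, ts: float, syn: bool) -> str:
        """Return ALLOW, DROP (source is shunned) or SHUN (threshold just crossed)."""
        expiry = self.shunned.get(src)
        if expiry is not None:
            if ts < expiry:
                return "DROP"                # everything from a shunned source
            del self.shunned[src]            # shun has expired; start clean
            self.arrivals[src].clear()
        if not syn:
            return "ALLOW"                   # the rate limit counts SYNs only
        q = self.arrivals[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                      # forget SYNs older than the window
        if len(q) > self.max_syns:
            self.shunned[src] = ts + self.shun_for
            q.clear()
            return "SHUN"
        return "ALLOW"


def replay(guard: SynRateGuard, events) -> list:
    """Feed (src, ts, syn) tuples through the guard and return the verdicts."""
    return [guard.observe(src, ts, syn) for src, ts, syn in events]


# Constructed traffic: 15 SYNs in 0.15 s from one source, one ordinary
# connection from another, then the flooder returning after the shun expires.
BURST = [("203.0.113.7", i * 0.01, True) for i in range(15)]
NORMAL = [("198.51.100.4", 0.05, True), ("198.51.100.4", 0.30, False)]
LATER = [("203.0.113.7", 61.0, True)]

if __name__ == "__main__":
    print(replay(SynRateGuard(), BURST + NORMAL + LATER))
```

Note what a rate-based control cannot do: it decides from counts and timing only, so the payload of the eleventh SYN is as irrelevant to it as that of the first ten. Content-based IPS, with its signature base, is the separate mechanism for that, which is why the two are listed apart above.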
So what’s going on in the firewall business?
• Products are diverging, not converging
• Personalities of products are distinct
• IPS is a step forward, but not challenging the world of standalone products
• Rate of change of established products is slow compared to new entries
What does this mean for me and my firewall?
• Products are diverging
• Personalities are distinct
• IPS weaker than standalone
• Change rate slow
• Matching firewall to policy is hard; change in application or policy may mean changing product!
• Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia
Application-layer firewalling
Joel Snyder, Opus One
Member, Information Security Magazine test alliance
Questions
Thank you
Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit our Featured Topic.
http://searchsecurity.com/featuredtopic/firewalls