25 Jul 2000
While firewalls have become a must-have security mechanism for most businesses, some people in the industry believe they are still not quite up to the job. This has led to the development of a new breed of products in the shape of distributed firewalls.
Firewalls protect computer networks from unwanted outside intrusion by acting as gatekeepers to the internet, but they have been criticised for hitting network performance and for a lack of scalability. Users can either buy firewall software that they run on enterprise or departmental servers or they can purchase dedicated firewall appliances that they simply add to their network.
Distributed firewall software, on the other hand, can reside on web servers, PCs, modems or silicon chips, and is quickly gaining the attention of the industry. Although the market is still in its infancy, meaning that current offerings are difficult to configure and manage, they are reputed to reduce the increasing threat of internal attacks.
Steven Bellovin, a researcher at AT&T Labs, and author of a paper entitled Distributed Firewalls - Firewalls and Internet Security, describes traditional firewalls as 'choke points' that do little to prevent internal security problems.
"Distributed firewalls can reduce the threat of actual attacks by insiders simply by making it easier to set up smaller groups of users. One can restrict access to a file server to only those who need it, rather than letting anyone inside the company pound on it," he said.
"From both a performance and an availability standpoint, there is no longer a single point of failure that can isolate an entire network," he added.
King of the castle
Steve Hunt, an analyst at Giga Information Group, explained that companies used to divide their network off from the internet by creating a hard and clear boundary in the shape of a corporate firewall. A good analogy would be the way in which kings of old built moats around their castles.
This was the primary, and in some cases the sole, authorisation mechanism for users to access the corporate network. "It made the decision who was in and who was out; who was trusted and who was untrusted; who was us and who was them," he explained.
But over time, customers started changing the parameters by laying drawbridges across the moats and allowing some external business partners to connect to their internal applications.
"We did this by devising a way around the corporate firewall architecture called a demilitarised zone [DMZ]. This is a semi-trusted, untrusted network where we would put resources and applications and make them available to our external users without putting the entire network at risk," he said.
A DMZ enables resources such as web servers to be accessed by the general public. But users still need to filter traffic to determine which packets should be sent to the DMZ and which need to pass through the firewall.
Hunt said that, as a result, the DMZ is already showing signs of wear and will require a new architecture to meet the demands of ebusiness.
"There are ramifications for the security architecture because we are giving more and more access to external users to connect to more and more internal resources. The way we did security in the past does not address this new need or address the demands of extranets and ecommerce," he said.
But distributed authorisation is being seen as a potential solution to this problem and distributed firewalls enable this to take place. The good news is that introducing such technology should require an evolutionary rather than revolutionary approach, said Hunt.
"It's a migration, or adapting your current infrastructure to meet the new demands. The solution involves using all authorisation devices to co-ordinate hardware, software, routers, firewalls and VPNs [virtual private networks]. To do that, you will need administration processes, but once you have co-ordinated [these], you can have distributed authorisation," he explained.
Distributed firewalls include a policy language that enables users to authorise which connections are permitted or prohibited. They also enable administrators to give users differing levels of internet access - something that would be difficult to do with conventional firewalls, especially if internal IP addresses change.
The technology is also intelligent enough to reject random probes because the host can listen out for particular data connections. It also supports system management applications such as Microsoft's SMS and IPSec, the network-level encryption mechanism for TCP/IP-based networks.
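The two points made above, and Bellovin's earlier one about restricting a file server to the group that needs it, can be seen in a small host-resident policy check. The following is an added illustration, not code from the article or from any of the products it names: it assumes a host that already knows the authenticated identity of each peer (for instance from an IPsec exchange, as the article mentions), that rules are written in terms of users and groups rather than IP addresses, and that the host only answers for the services its policy advertises. The directory data, the policy and the sample connections are all constructed for the example.

```python
"""Host-resident connection policy, written as an illustration of the
distributed-firewall idea described in the article. Not a vendor product.

Assumptions (constructed for this example):
- The host has an authenticated principal name for each peer, or None.
- Rules name groups, not addresses, so a peer's IP change does not alter
  the decision.
- Services not present in the policy are not exposed at all, so a probe
  of one is dropped rather than evaluated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    peer_identity: Optional[str]  # authenticated principal, None if unauthenticated
    peer_ip: str                  # recorded for auditing only; never used to decide
    service: str                  # logical service name, e.g. "smb"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    service: str
    allow_groups: frozenset       # any one matching group is enough


# Constructed stand-in for an enterprise directory: principal -> groups.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"finance", "staff"},
}

# Constructed policy for a file server: only "finance" may use the file
# share, while anyone on staff may read the intranet page it also hosts.
FILE_SERVER_POLICY: List[Rule] = [
    Rule("smb", frozenset({"finance"})),
    Rule("http", frozenset({"staff"})),
]


def exposed_services(policy: List[Rule]) -> Set[str]:
    """Services this host is willing to answer for at all."""
    return {rule.service for rule in policy}


def evaluate(policy: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Return (decision, reason) for one inbound connection.

    decision is "allow", "deny" (known peer, not authorised) or "drop"
    (the host does not expose that service, so treat it as a probe).
    """
    if conn.service not in exposed_services(policy):
        return "drop", "probe of a service this host does not expose"
    if conn.peer_identity is None:
        return "deny", "peer did not authenticate"
    groups = GROUPS.get(conn.peer_identity, set())
    for rule in policy:
        matched = groups & rule.allow_groups
        if rule.service == conn.service and matched:
            return "allow", f"{conn.peer_identity} is in {sorted(matched)}"
    return "deny", f"{conn.peer_identity} is not authorised for {conn.service}"


def audit_line(conn: Connection, decision: str, reason: str) -> str:
    """One log line per decision; the IP is kept for forensics, not policy."""
    who = conn.peer_identity or "-"
    return (f"host=fileserver decision={decision} peer={who} ip={conn.peer_ip} "
            f"service={conn.service}/{conn.dst_port} reason={reason!r}")


# Constructed sample traffic. The last entry is alice again from a new
# address, showing that the decision follows the identity, not the IP.
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("alice", "10.0.1.5", "smb", 445),
    Connection("bob", "10.0.1.6", "smb", 445),
    Connection("bob", "10.0.1.6", "http", 80),
    Connection(None, "198.51.100.7", "telnet", 23),
    Connection("alice", "10.0.7.9", "smb", 445),
]


def run_samples(policy: List[Rule] = FILE_SERVER_POLICY) -> List[str]:
    """Decisions for the sample traffic, in order."""
    return [evaluate(policy, conn)[0] for conn in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        decision, reason = evaluate(FILE_SERVER_POLICY, conn)
        print(audit_line(conn, decision, reason))
```

Running the script prints one audit line per sample connection: alice is allowed onto the share from either address, bob is denied the share but allowed the intranet page, and the unauthenticated telnet attempt is dropped without reaching the rule set because the host never advertised that service. The same rules could be pushed unchanged to every host that exposes these services, which is the management model the article is describing.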
Room for improvement
But products on the market today still fall short of such high expectations.
Network-1's CyberWallPlus desktop and server firewall products lack a reporting capability, for example, while Check Point's personal desktop firewall cannot be reconfigured.
Mark McArdle, a vice president at Network Associates' managed security services division, said another problem is that staff who tended to manage traditional firewalls are different from those that usually manage server-based applications, and therefore distributed firewalls.
"Application servers tend to be changed with a little more of a cavalier attitude, which could affect the firewall on it," he said, adding that running a firewall on the server rather than deploying a separate device might make it harder to filter attacks.
So while it appears that firewalls in whatever shape or form are here to stay, it looks like the market is changing as users attempt to handle the increasingly demanding requirements of the New Economy.