Shoring up firewalls for the 21st century

As organisations turn their firewalls into Swiss cheese by drilling endless numbers of pipes through them, the role of the firewall in the 21st century is being called into question - despite the fact that attacks on networks by malicious outsiders are increasing as never before.

Chris Potter, a partner in PricewaterhouseCoopers' Global Risk Management Solutions Business, pointed out that the latest statistics show that a new site on the internet will be visited on average within the first 28 seconds of its life and will come under some form of attack within five hours.

In these circumstances, nobody can afford to leave any network that is linked to the internet unprotected. For many people in the industry, firewalls remain the best and only general purpose 'gate-keepers'.

Bernie Dodwell, product manager for Alasso, said that there is, in principle, no upper limit to the number of holes an organisation can drill through its firewall, provided every fresh hole is policed and protected by sufficiently powerful authentication technology.

However, Dodwell recognised that there must come a point in this process of ventilating the firewall, when one starts to wonder whether there is anything much left of the 'wall' at all.

Dodwell's colleague, Alasso technical manager Phil Goff, said that the real danger with proliferating numbers of special access points are the additional layers of complexity they generate in terms of an organisation's overall security policy.

"Every time someone adds to the firewall's rules table in order to allow a new type of traffic through, they need to understand the implications of that decision. Many firewall weaknesses are caused by poor configuration and poor management," he warned.

Richard Murphy, UK and Benelux channel sales manager for Axent, which provides the Raptor firewall, argued that even in the new era of the permeable company, the firewall has a major role to play. "Organisations want to enable trusted partners, other vendors and clients to enter into relationships with them on some kind of systems-to-systems basis, but they want to do this without exposing the vulnerable underbelly of the entire corporate network," he said.

Knocking a hole in the firewall and having an outside party's SAP system talk directly to the host SAP system is not the most obvious approach, he said. A better method is to join two key systems at the hip by allowing the external system to look at information on an internal web server situated in a demilitarised zone (DMZ).

By forcing all users coming in from the external system to go through strong authentication, via a range of challenge response mechanisms, the system is protected from unauthorised access. At the same time, the DMZ prevents a properly authorised user from straying outside the web server and onto the host network.

Application-level security
However, Michael Jannery, vice president of marketing at Gradient Technologies, reckoned that the logic of modern systems development, with ecommerce and virtual supply chains, tends to put the focus on application-level security management rather than way off at the system's perimeter, with a firewall.

"There is a tenet in security that says: put your security system as close to your resource as possible. If you are exposing your back-office systems to the internet in order for customers to be able to see inventory levels in real time, you need the security as close to these applications as possible," he said.

If the organisation is interested only in broad-brush permissions, such as deciding whether external users have the ability to read, write or execute certain files and actions, these can be handled at the operating system level. Setting application policy rules is about getting much more granularity at a very application-specific level, relating just to the domain of a particular application. If the entire organisation is run on the basis of application-level security, there is not much left for a firewall to do, Jannery said.

He points out that the usual metaphor for the firewall - as a locked door with access controls acting as keys - sits uncomfortably with ecommerce, where the web-facing side of the company is open to the world. "The way I put it is that I don't want security at my door. I want everyone to be able to come into the foyer of my company," he said. Progress beyond the foyer, to continue with the metaphor, depends upon each individual having specific permissions for every door.

"There is a huge positive side to having a system in place that can map specific resources to specific, strongly authenticated people. It means that when I know who these people are, I can bring my CRM systems into action. I can personalise the site for every visitor, and this is a key trend in today's approach to ecommerce," he said.

Jannery added that this movement towards application-level screening means that the firewall is being reduced, once again, to the status of a front-end filter. "They will become far less of a security mechanism and much more of a traffic splitter and filter. Real security and personalisation will be done right up at the application layer," he said.

The point here is that future applications developers have to be weaned off the current practice of hard coding security into their applications. "The thing we say to applications developers is this: of all the software that you are going to write yourself, are you certain that you really want to write the security element?" Jannery said.

He argued that there are too many technical issues that have to be dealt with in this area, including arcane specialist areas like the encryption of processor-to-processor messaging, the management of trusted relationships, and delegation from server to server. Applications developers will do far better handing these tasks over to specialist third-party security software vendors. "This is really hard stuff - not to be done at home without adult supervision - and that makes it ideal for a third-party add-on layer approach," he said.

Directory-enabled security policies
The appearance of Windows 2000 with Active Directory has given fresh impetus to the argument for directory-enabled security policies, and there is an argument that much of the responsibility for permission management and handling could be moved to the Directory Services (DS) level. The idea is that the firewall would contain a set of rules that sends it off looking at user permissions at the central directory level. However, Jannery argued against this approach.

"Directories are excellent places to store information about users and user attributes. What they cannot or should not do is store the application-specific things like the permissions allocated to each user for each application," he said.

His reasoning is simple, and has to do with the need to avoid overloading whoever winds up in charge of administering the centralised DS store. "Imagine a global organisation running 15 major applications. When is the right time to answer the question of who user X is and what permissions he or she has? Surely it is when they want to use the resource," he said.

According to Jannery, the problem with trying to store permissions at the DS level becomes clear as soon as one thinks of a real-world example. "Imagine an application developer in Singapore with 75 different levels of permissions they want to put together for a particular application. Now picture telling a network administrator in New York to go ahead and implement those centrally on the DS," he said.

The network administrator is going to have a torrid time figuring out what the distinctions mean on an unfamiliar Chinese application - and if they just copy them across into a central file, it creates a huge potential for errors.

Avoiding bottlenecks
Jannery's solution to this is to have a central security server that authenticates the user and permission stores with each application. This way, even if someone gets through the authentication process, they can't get access to core systems unless they have been granted specific application permissions.

However, Chris Royle, a director at the business consultancy and firewall outsourcing services company Objectronix, disagreed. "Firewalls do create a challenge in administering one peripheral enforcement point, but it is a manageable challenge," he said. "It is significantly less of a headache than trying to manage an enforcement point on every single application server in your organisation."

Trying to do without a firewall because every box is locked down is a bit like saying you don't need to lock the front door of your house because all the cupboards are locked. That approach ignores the fact that vandalism can go on once someone walks through the open door - with DoS attacks being a case in point.

Royle reckons that far from making firewalls redundant, the necessities of ecommerce are forcing organisations to channel more and more throughput through firewalls. This, in itself, is a huge challenge to firewall vendors.

"Vendor speed tests on firewalls are done in optimum conditions. I saw some figures showing 155Mbps for Checkpoint's Firewall-1. With real-world, messy applications you wouldn't get near that. Yet we have clients now who are asking us for half a gigabyte of throughput as a guaranteed service from firewall installations," he said.

In case anyone is wondering where the bandwidth demands for half a gigabyte may come from, he points out that 250 users on 2Mb ADSL lines can be expected to create that kind of demand level within the next six months or less.

"Application service providers have to outsource firewall management services. If they have a client company with 300 to 500 home workers on fast internet connections, the firewall becomes the bottleneck," he said.

Managing multiple firewalls
Load balancing is one way around this. Royle is impressed by the load balancing systems from Alteon and from Stonesoft, which offers a product called Stonebeat Cluster. But he points out that load balancing can only tackle part of the bandwidth issue. "Stateful inspection firewalls like Firewall-1 are almost as fast as packet filters. But they require packet streams to start and end on the same firewall.

"Splitting the load becomes a tricky issue when you have to have continuity like that, so these load balancers are very clever pieces of technology. However, you reach a point where the overheads kill any gain you are getting by adding extra firewalls to a load balancing cluster - and there is the small matter of having to pay additional fees on an ongoing basis for every additional firewall," he said.

Niall Moynihan, Checkpoint Software Technologies' northern European technical director, reckons that the real advances in firewall technology over the next year will all be focused on the need for simplified management of multiple firewalls - and outsourced firewall management will become a very important feature.

Checkpoint already has a management product - Provider 1 - that can bundle the management of up to 100 firewalls on a single server. It has also released multiple firewall modules on the same box, allowing an ASP, for example, to install eight firewall modules on a single server.

Another major development through 2000, he said, will be the move to include PKI technologies at the firewall level. There is a real issue today with incompatibilities between different PKI vendors' encryption technologies, which creates huge problems for network administrators trying to link multiple partners and different PKI systems into a 'virtual' network protected by firewalls.

Checkpoint's answer has been to work with leading vendors and to introduce a hybrid mode into its firewall so that the firewall itself decides what PKI vendor's keys are being used. It then does the cross-certification at the firewall level to enable traffic to flow intelligibly. This feature was first scheduled to be included in the vendor's Firewall-1 V4.1, service pack 1.

Another advance in the technology is the move to turn the firewall into an all-singing, all-dancing intrusion detection and suspicious activity monitoring product. "The firewalls of tomorrow will be along the lines of our Cyber Attack Defence System, which is all about detection and defence," Moynihan said.

The bottom line is that firewall vendors are proving equal to the task of layering service after service on top of firewalls. At the same time, it seems likely that organisations will start making increasing use of internal firewalls to secure particularly sensitive applications from general Lan traffic. With all this activity going on, it seems odds-on that firewall vendors are going to have plenty of business well into the dim and distant future.