18 Nov 2004
Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Paul Henry, senior vice president at CyberGuard Corp, argues that today's most widely deployed firewalls (stateful packet filters) simply cannot protect the enterprise from current threats.
Attackers have largely exhausted the network- and transport-layer attacks that firewalls were traditionally designed to block, and have moved their focus to the application layer.
With up to 70 new vulnerabilities reported each week in applications and operating systems, and little protection against them from the firewalls already installed, application-layer attacks are now the entry point of choice for external attackers breaking into an internet-connected network.
The debate over firewall architectures is over
The internet community has been the host for a long-running debate between stateful firewall supporters and application proxy firewall supporters.
Stateful firewall supporters claimed that the additional inspection afforded by application firewalls was too complex to configure and caused too high a performance penalty.
Application proxy vendors maintained that you had to inspect at the application layer to afford 'real' security, and that anything less was simply unacceptable.
The change in the threat vector by the hacking community has allowed the application proxy firewall vendors to quietly win this debate. In fact, today many stateful packet filter firewall vendors are adopting some form of application layer filtering, and attempting to reinvent themselves as a next-generation product in an effort to try to meet today's threats.
One plus one does not necessarily equal two
As organisations upgrade their firewall technology to address the issues of application layer attacks, I have seen a trend toward the use of two firewalls connected in series: keeping the existing stateful packet filter firewall in place as the first layer of protection and then installing a new application proxy firewall in series behind it as a 'supposed' second layer of defence.
At first glance, one would think that two firewalls in series afford more security than one. However, careful consideration reveals two critical issues:
1. The stateful packet filter firewall provides no protection whatsoever from an application layer attack. It decides on source and destination addresses, ports and connection state, and never examines the payload, so an exploit carried in an HTTP request to an allowed port 80 passes through exactly as a legitimate request does. You are relying completely on only one of the two firewalls to protect your network. Against today's threats, this topology gives no increase in security over the application proxy firewall alone.
2. With two firewalls connected in series you actually reduce your network reliability, since each firewall is a single point of failure. If either firewall fails, you lose internet connectivity, so the availability of the path is the product of the two firewalls' individual availabilities and is lower than either one alone.
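The first issue is easiest to see with the two decision procedures side by side. The following is an added illustration, not code from the original column or from any CyberGuard product: a toy stateful packet filter that decides on the 5-tuple and flow state, and a toy HTTP proxy filter that parses the request before forwarding it. The packets, addresses, port policy and size limits are all constructed for the example.

```python
"""Added illustration (not part of the original column): a stateful packet
filter decides on addresses, ports and connection state and never reads the
payload, so an exploit carried inside an HTTP request to an allowed port
passes exactly as a legitimate request does.  Both 'firewalls' and all
packets below are toy models constructed for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


class StatefulPacketFilter:
    """Layer 3/4 decision only: 5-tuple plus a table of established flows."""

    def __init__(self, allowed_tcp_ports):
        self.allowed_tcp_ports = set(allowed_tcp_ports)
        self.flows = set()

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
        if key in self.flows:
            return "allow"              # established flow: passed without looking
        if pkt.proto == "tcp" and pkt.dport in self.allowed_tcp_ports:
            self.flows.add(key)         # new flow to a permitted service
            return "allow"
        return "deny"


class HttpProxyFilter:
    """Application-layer decision: parse the request before forwarding it."""

    ALLOWED_METHODS = {"GET", "HEAD", "POST"}
    ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
    MAX_TARGET_LEN = 2048               # illustrative limits chosen for this example
    MAX_HEADER_LEN = 4096

    def decide(self, pkt):
        if pkt.proto != "tcp" or pkt.dport != 80:
            return "deny"               # this proxy only brokers HTTP
        try:
            text = pkt.payload.decode("ascii")
        except UnicodeDecodeError:
            return "deny"               # binary junk on port 80 is not HTTP
        head = text.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            return "deny"
        method, target, version = parts
        if method not in self.ALLOWED_METHODS or version not in self.ALLOWED_VERSIONS:
            return "deny"
        if not target.startswith("/") or len(target) > self.MAX_TARGET_LEN:
            return "deny"               # e.g. an overlong URI aimed at a buffer overflow
        if "/../" in target + "/" or "%2e%2e" in target.lower():
            return "deny"               # directory traversal
        for header in lines[1:]:
            if ":" not in header or len(header) > self.MAX_HEADER_LEN:
                return "deny"
        return "allow"


def http_request(request_line, host="www.example.com"):
    """Build a minimal constructed HTTP request payload."""
    return (request_line + "\r\nHost: " + host + "\r\n\r\n").encode("ascii")


# Constructed sample traffic from one external client to one web server.
SAMPLE_PACKETS = {
    "benign GET": Packet("198.51.100.7", "192.0.2.10", 80,
                         payload=http_request("GET /index.html HTTP/1.1")),
    "overlong URI": Packet("198.51.100.7", "192.0.2.10", 80,
                           payload=http_request("GET /" + "A" * 3000 + " HTTP/1.1")),
    "directory traversal": Packet("198.51.100.7", "192.0.2.10", 80,
                                  payload=http_request("GET /../../etc/passwd HTTP/1.1")),
    "binary on port 80": Packet("198.51.100.7", "192.0.2.10", 80,
                                payload=b"\x90" * 16 + b"\xcc\xcc\xcc\xcc"),
    "SSH probe": Packet("198.51.100.7", "192.0.2.10", 22,
                        payload=b"SSH-2.0-probe\r\n"),
}


def evaluate(packets=SAMPLE_PACKETS):
    """Return {name: (stateful filter verdict, application proxy verdict)}."""
    spf = StatefulPacketFilter(allowed_tcp_ports={80})
    proxy = HttpProxyFilter()
    return {name: (spf.decide(p), proxy.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (spf_verdict, proxy_verdict) in evaluate().items():
        print(f"{name:20s} stateful filter: {spf_verdict:5s}  application proxy: {proxy_verdict}")
```

The stateful filter allows every packet to port 80, including the overlong URI, the traversal attempt and the raw binary, because all it sees is an established flow to a permitted port; only the SSH probe, a transport-layer matter, is stopped. The proxy rejects the three malicious payloads because it actually parses the request. That is the sense in which the first firewall adds nothing against application-layer attacks.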
Getting the most out of dual firewalls
Increased security is attainable using two firewalls in series, but to achieve this additional security you must follow three simple rules:
1. Both firewalls must inspect at the application layer to address today's application layer threat.
2. The inspection methodologies of each firewall should be different, for example an application proxy firewall used together with an application layer filtering firewall.
3. The firewalls must operate on top of disparate operating systems to eliminate a single operating system vulnerability from becoming your network's Achilles heel.
You can also attain the higher security of the above topology without the associated decrease in reliability by using redundant high availability firewall pairs in series.
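To put numbers on the reliability point, here is an added worked example (not from the original column) comparing the availability of a single firewall, two firewalls in series, and two high-availability pairs in series. It assumes independent failures, perfect and instantaneous failover within a pair, and a per-unit availability of 99.9%; these figures are constructed for the example, not measured.

```python
"""Added illustration (not part of the original column): availability of
firewalls placed in series, with and without high-availability pairs.
Assumes independent failures, perfect and instantaneous failover inside a
pair, and a per-unit availability of 99.9%; all figures are constructed."""

MINUTES_PER_YEAR = 365 * 24 * 60


def stage_availability(unit_availability, units):
    """A stage of `units` redundant firewalls is down only when all of them are down."""
    return 1.0 - (1.0 - unit_availability) ** units


def path_availability(stages):
    """Stages in series: traffic flows only if every stage is up.

    `stages` is a list of (unit_availability, redundant_units) tuples,
    one per firewall position along the path.
    """
    result = 1.0
    for unit_availability, units in stages:
        result *= stage_availability(unit_availability, units)
    return result


def annual_downtime_minutes(availability):
    """Expected minutes per year during which the path is unavailable."""
    return (1.0 - availability) * MINUTES_PER_YEAR


# The three topologies discussed in the column, with a constructed 99.9% per unit.
TOPOLOGIES = {
    "single firewall": [(0.999, 1)],
    "two firewalls in series": [(0.999, 1), (0.999, 1)],
    "two HA pairs in series": [(0.999, 2), (0.999, 2)],
}


def compare(topologies=TOPOLOGIES):
    """Return {topology name: path availability}."""
    return {name: path_availability(stages) for name, stages in topologies.items()}


if __name__ == "__main__":
    for name, a in compare().items():
        print(f"{name:26s} availability {a:.6%}  "
              f"expected downtime {annual_downtime_minutes(a):8.2f} min/year")
```

With these inputs a single firewall is down about 526 minutes a year, two in series about 1051 minutes, and two HA pairs in series about one minute: placing a second single unit in series roughly doubles the outage time, while pairing each stage removes the penalty and then some. Real failover is never perfect, so treat the HA figure as an upper bound.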
Other considerations
The ability to easily manage your dual firewall topology is critical to its long term success. You need to be able to manage both firewalls together as if they were one in order to minimise configuration issues and errors.
Using a centralised management scheme the administrator only has to deal with learning a single GUI and managing a single security policy. If a change is made on the central manager to the 'single policy', it is automatically published to both firewalls in their respective proper data formats.
Dual firewalls connected in series can afford a beneficial increase in security but only if each firewall addresses the current threat vector at the application layer. By following the guidelines presented in this article you can obtain higher security without suffering any decrease in reliability.