Firewalls Ready for Evolutionary Shift

First it was ports, then protocols, and now, applications: A new generation of firewalls is slowly emerging with more sophisticated inspection and blocking features at higher speeds. These new devices will not only do intrusion prevention, but also filter by application type.

The protocol inspection method used by traditional firewalls is no longer enough, as more and more applications use Port 80, or HTTP.

"It's increasingly clear that 10 years from now, virtually everything will run on port 80, alongside Web browsers, which means that 90 percent of the rules in today's firewalls will be irrelevant," says Thomas Ptacek, principal with Matasano Security.

Palo Alto Networks says its so-called App-ID technology in its PA-4000 firewall addresses the Port 80 problem by using signatures and other known characteristics of specific applications to identify them on the network. "We classify the traffic, then you can secure it with antivirus, anti-spyware," etc., says Nir Zuk, founder and CTO of Palo Alto Networks. "First we decrypt SSL traffic and figure out what it [the application] is" using the App-ID technology and its repository of application characteristics, he says. (See Startup Puts New Spin on Firewalls and Palo Alto Networks Unveils its Next-Gen Firewall).

Most major firewall vendors are planning an "all-ports/all-protocols" approach similar to Palo Alto Networks' for their products, Matasano's Ptacek says. But merely adding application protocol awareness is not the solution to the Port 80 problem, he contends: "The Port 80 problem is that both PeopleSoft and Digg use the same protocol, HTTP," for instance, he says. "How do you differentiate?"

Firewalls must go deeper than this approach -- there are just too many apps to account for, he says. "When both Digg and PeopleSoft use the same protocol, it's clearly not enough to know what the protocol is," he says. "The problem is that there are thousands and thousands of applications."

Gartner, meanwhile, predicts that the next-generation firewall will have protocol awareness, some URL filtering, and is likely to be an appliance with integrated IPS beyond the basic "console" integration most have today. But it will stop short of processing-intensive tasks such as email AV or message content-filtering. Gartner also expects these newer firewalls will be able to block new threats at network speeds.

"The next-generation firewall will have greater blocking and visibility into types of protocols," says Greg Young, research vice president for Gartner.

"It does not require a complete rebuild at one time -- it can be done in stages -- but a full next-generation firewall will certainly look much different than what we see in products today," Young says.

CheckPoint, Cisco, and Juniper, for instance, already have some initial basic IPS capabilities in their firewalls today, Young says. "It's less about firewalls and more about how networks and users have changed," he says. "As they change, the firewall is forced to change."

The pressure is definitely on for today's firewalls to grow up, as application-layer threats increase. "Perimeter firewalls are nothing but giant colanders" letting Port 80 and Port 443 traffic through, says Christofer Hoff, chief architect for security innovation at Unisys. "And they are fine for that. But [firewall] rules are getting very complex, and interdependencies are getting very complex. And it's difficult at line speed to make decisions on content and context without latency" problems, he says.

Don't expect enterprises to yank out their older firewalls for a new generation any time soon, however. Most of Palo Alto Networks' early customers today, for instance, are running the PA-4000 behind their existing perimeter firewalls, as an extra layer rather than a replacement firewall.

Application awareness is becoming a key ingredient because firewalls can't catch a clueless corporate user downloading an MP3 movie clip at work, notes Palo Alto's Zuk, one of the developers of stateful inspection technology for firewalls. "They would install the peer-to-peer application eMule, for example, and nothing could stop them. The firewall is not going to stop them -- eMule doesn't have a port number," Palo Alto Networks' Zuk says.

Then the user mistakenly checks a box that allows eMule to share its hard drive. "That's very easy to do. Some eMule clients have that as a default," he says. "Now your user's entire computer has opened up your network to share with the Internet. Anyone can execute a search and find files on your network."

Even so, giving the firewall an application protocol view still isn't enough, security experts say. "The problem is that applications are merely conduits. Data is the real problem," Hoff says.

Hoff says the "next-next" generation of firewalls, which can drill down to details such as "Social Security numbers shouldn't be moving from one portion of the network to another," for instance, will be more of a breakthrough. "Making decisions on content and context is the 'next-next generation,' " Hoff says. "That will be when the technology catches up to deliver technology at that line rate where there's no impact on performance. Then it can start making decisions on the data itself in the payload."

That, of course, will somehow intersect with data leakage prevention and network access control technologies, he says. Palo Alto, for instance, has stated that its product architecture is capable of supporting DLP features.

"The future of firewalls is a move from perimeter security into internal networks, with firewalls protecting business units instead of entire networks -- making sure that an outsourcing company doesn't let Coke get the secret formula for Pepsi, when both are customers," says Matasano's Ptacek.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.