Firewalls Ready for Evolutionary Shift

Next-generation firewalls will come with true IPS integration and app-awareness, but experts say ability to distinguish data is key

First it was ports, then protocols, and now, applications: A new generation of firewalls is slowly emerging with more sophisticated inspection and blocking features at higher speeds. These new devices will not only do intrusion prevention, but also filter by application type.

The protocol inspection method used by traditional firewalls is no longer enough, as more and more applications use Port 80, or HTTP.

"It's increasingly clear that 10 years from now, virtually everything will run on port 80, alongside Web browsers, which means that 90 percent of the rules in today's firewalls will be irrelevant," says Thomas Ptacek, principal with Matasano Security.

Palo Alto Networks says its so-called App-ID technology in its PA-4000 firewall addresses the Port 80 problem by using signatures and other known characteristics of specific applications to identify them on the network. "We classify the traffic, then you can secure it with antivirus, anti-spyware," etc., says Nir Zuk, founder and CTO of Palo Alto Networks. "First we decrypt SSL traffic and figure out what it [the application] is" using the App-ID technology and its repository of application characteristics, he says. (See Startup Puts New Spin on Firewalls and Palo Alto Networks Unveils its Next-Gen Firewall).

Most major firewall vendors are planning an "all-ports/all-protocols" approach similar to Palo Alto Networks' for their products, Matasano's Ptacek says. But merely adding application protocol awareness is not the solution to the Port 80 problem, he contends: "The Port 80 problem is that both PeopleSoft and Digg use the same protocol, HTTP," for instance, he says. "How do you differentiate?"

Firewalls must go deeper than this approach -- there are just too many apps to account for, he says. "When both Digg and PeopleSoft use the same protocol, it's clearly not enough to know what the protocol is," he says. "The problem is that there are thousands and thousands of applications."

Gartner, meanwhile, predicts that the next-generation firewall will have protocol awareness and some URL filtering, and will likely be an appliance with integrated IPS that goes beyond the basic "console" integration most have today. But it will stop short of processing-intensive tasks such as email AV or message content-filtering. Gartner also expects these newer firewalls will be able to block new threats at network speeds.

"The next-generation firewall will have greater blocking and visibility into types of protocols," says Greg Young, research vice president for Gartner.

"It does not require a complete rebuild at one time -- it can be done in stages -- but a full next-generation firewall will certainly look much different than what we see in products today," Young says.

CheckPoint, Cisco, and Juniper, for instance, already have some initial basic IPS capabilities in their firewalls today, Young says. "It's less about firewalls and more about how networks and users have changed," he says. "As they change, the firewall is forced to change."

The pressure is definitely on for today's firewalls to grow up, as application-layer threats increase. "Perimeter firewalls are nothing but giant colanders" letting Port 80 and Port 443 traffic through, says Christofer Hoff, chief architect for security innovation at Unisys. "And they are fine for that. But [firewall] rules are getting very complex, and interdependencies are getting very complex. And it's difficult at line speed to make decisions on content and context without latency" problems, he says.

Don't expect enterprises to yank out their older firewalls for a new generation any time soon, however. Most of Palo Alto Networks' early customers today, for instance, are running the PA-4000 behind their existing perimeter firewalls, as an extra layer rather than a replacement firewall.

Application awareness is becoming a key ingredient because firewalls can't catch a clueless corporate user downloading an MP3 movie clip at work, notes Palo Alto Networks' Zuk, one of the developers of stateful inspection technology for firewalls. "They would install the peer-to-peer application eMule, for example, and nothing could stop them. The firewall is not going to stop them -- eMule doesn't have a port number," Zuk says.

Then the user mistakenly checks a box that allows eMule to share its hard drive. "That's very easy to do. Some eMule clients have that as a default," he says. "Now your user's entire computer has opened up your network to share with the Internet. Anyone can execute a search and find files on your network."
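As an added illustration of the Port 80 problem raised by Ptacek (PeopleSoft and Digg both speak HTTP) and of Zuk's point that eMule has no fixed port, here is example code written for this page, not code from Palo Alto Networks or any product: a port-only rule set is placed beside a payload-based classifier and both are run over constructed sample flows. The host-name signatures, the zone of PeopleSoft hostnames and the P2P handshake string are assumptions standing in for the application fingerprints a real App-ID style engine would carry.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client

# Port-only rule set in the spirit of the "giant colander": web ports pass, all else drops.
ALLOWED_PORTS = {80, 443}

# Application signatures. The HTTP Host suffixes stand in for the per-application
# characteristics an App-ID style engine matches; the P2P handshake string is a
# constructed placeholder, NOT the real eMule/eDonkey protocol fingerprint.
HOST_SIGNATURES = {"peoplesoft.corp.example": "peoplesoft", "digg.com": "digg"}
P2P_HANDSHAKE = b"EMULE-HELLO"
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.M | re.I)

# Application-level policy: applies no matter which port carried the traffic.
APP_POLICY = {"peoplesoft": "allow", "web-browsing": "allow", "digg": "deny",
              "emule": "deny", "unknown": "deny"}

def port_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in ALLOWED_PORTS else "deny"

def identify_app(flow: Flow) -> str:
    """Classify a flow from its payload alone; the port is never consulted."""
    if flow.payload.startswith(P2P_HANDSHAKE):
        return "emule"
    if HTTP_REQUEST.match(flow.payload):
        m = HOST_HEADER.search(flow.payload)
        host = m.group(1).strip().lower().decode("ascii", "replace") if m else ""
        for suffix, app in HOST_SIGNATURES.items():
            if host == suffix or host.endswith("." + suffix):
                return app
        return "web-browsing"   # HTTP, but no application-specific signature matched
    return "unknown"

def app_decision(flow: Flow) -> str:
    return APP_POLICY[identify_app(flow)]

# Constructed sample flows: three on "web" ports, one on a non-standard port.
SAMPLE_FLOWS = [
    Flow(80, b"GET /psp/hr HTTP/1.1\r\nHost: hr.peoplesoft.corp.example\r\n\r\n"),
    Flow(80, b"GET /news HTTP/1.1\r\nHost: digg.com\r\n\r\n"),
    Flow(443, P2P_HANDSHAKE + b"\x00\x01"),  # P2P client riding a web port
    Flow(8080, b"GET /psp/hr HTTP/1.1\r\nHost: hr.peoplesoft.corp.example\r\n\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"port {f.dst_port:>5}: port rule={port_decision(f):5} "
              f"app rule={app_decision(f):5} ({identify_app(f)})")
```

The port rule waves through Digg and the P2P handshake because they arrive on 80/443 while rejecting legitimate PeopleSoft on 8080; the payload classifier reaches the opposite, policy-relevant verdict in all three cases.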

Even so, giving the firewall an application protocol view still isn't enough, security experts say. "The problem is that applications are merely conduits. Data is the real problem," Hoff says.

Hoff says the "next-next" generation of firewalls, which can drill down to details such as "Social Security numbers shouldn't be moving from one portion of the network to another," for instance, will be more of a breakthrough. "Making decisions on content and context is the 'next-next generation,'" Hoff says. "That will be when the technology catches up to deliver technology at that line rate where there's no impact on performance. Then it can start making decisions on the data itself in the payload."

That, of course, will somehow intersect with data leakage prevention and network access control technologies, he says. Palo Alto, for instance, has stated that its product architecture is capable of supporting DLP features.

"The future of firewalls is a move from perimeter security into internal networks, with firewalls protecting business units instead of entire networks -- making sure that an outsourcing company doesn't let Coke get the secret formula for Pepsi, when both are customers," says Matasano's Ptacek.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...