Today we begin the our next blog series: Understanding and Selecting an Enterprise Firewall.
Yes, really. Shock was the first reaction from most folks. They figure firewalls have evolved about as much over the last 5 years as ant traps. They’re wrong, of course, but most people think of firewalls as old, static, and generally uninteresting. In fact, most security folks begin their indentured servitude looking after the firewalls, where they gain seasoning before anyone lets them touch important gear like the IPS.
As you’ll see over the next few weeks, there’s definitely activity on the firewall front which can and should impact your perimeter architecture and selection process. That doesn’t mean we will be advocating yet another rip and replace job on your perimeter (sorry vendors), but there are definitely new capabilities that warrant consideration, especially as the maintenance renewals come due.
To state the obvious, the firewall tends to be the anchor of the enterprise perimeter, protecting your network from most of the badness out there on the Intertubes. We do see some use of internal firewalling, driven mostly by network segmentation. Pesky regulations like PCI mandate that private data is at a minimum logically segmented from non-private data, so some organizations use firewalls to keep their in scope systems separate from the rest, although most organizations use network-level technologies to implement their segmentation.
In the security market, firewalls resides in the must have category along with anti-virus (AV). I’m sure there are organizations that don’t use firewalls to protect their Internet connections, but I have yet to come across one. I guess they are the same companies that give you that blank, vacant stare when you ask if it was a conscious choice not to use AV. The prevalence of the technology means we see a huge range of price points and capabilities among firewalls.
Consumer uses aside, firewalls range in price from about $750 to over $250,000. Yes, you can spend a quarter of a million dollars on a firewall. It’s not easy, but you can do it. Obviously there is a huge difference between the low end boxes protecting branch and remote offices and the gear protecting the innards of a service provider’s network, but ultimately the devices do the same thing. Protect one network from another based on a defined set of rules. For this series we are dealing with the enterprise firewall, which is designed for use in larger organizations (2,500+ employees). That doesn’t mean our research won’t be applicable to smaller companies, but enterprise is the focus.
From an innovation standpoint, not much happened on firewalls for a long time. But three major trends have hit and are forcing a general re-architecting of firewalls:
- Performance/Scale: Networks aren’t getting slower and that means the perimeter must keep pace. Where Internet connections used to be sold in multiples of T1 speed, now we see speeds in the hundreds of megabits/sec or gigabits/sec, and to support internal network segmentation and carrier uses these devices need to scale to and past 10gbps. This is driving new technical architectures to better utilizing advanced packet processing and silicon.
- Integration: Most network perimeters have evolved along with the threats. That means the firewall/VPN is there, along with an IPS, but also an anti-spam gateway, web filter, web application firewall, and probably 3-4 other types of devices. Yeah, this perimeter sprawl creates a management nightmare, so there has been a drive for integration of some of these capabilities into a single device. Most likely it’s firewall and IDS/IPS, but there is clearly increasing interest in broader integration (UTM: unified threat management) even at the high end of the market. This is also driving new technical architectures because moving beyond port/protocol filtering seriously taxes the devices.
- Application Awareness: It seems everything nowadays gets encapsulated into port 80. That means your firewall makes like three blind mice for a large portion of your traffic, which is clearly problematic. This has resulted in much of the perimeter sprawl described above. But through the magic of Moore’s law and some savvy integration of some IPS-like capabilities, the firewall can enforce rules on specific applications. This climbing of the stack by the firewall will have a dramatic impact on not just firewalls, but also IDS/IPS, web filters, WAFs, and network-layer DLP before it’s over. We will dig very deeply into this topic, so I’ll leave it at that for now.
So it’s time to revisit how we select an enterprise firewall. In the next few posts we’ll look at this need for application awareness by digging into use cases for application-centric rules before we jump into technical architectures.