21st Century Firewalls

Application-layer firewalling: Raise your perimeter IQ
Joel Snyder
Opus One
Acknowledgements
• Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard
• Support from Andy Briney, Neil Roiter at Information Security
http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.” (Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
(Timeline slide; milestones marked along the axis:)
• First firewalls deployed in Internet-connected organizations
• TIS toolkit commonly available
• “Firewalls and Internet Security” published
• Cisco buys PIX (Network Translation)
• CheckPoint revenues cross $100m
• WatchGuard introduces 1st FW appliance
Axis: 1989 1991 1993 1995 1997 1999 2001 2003 2005
Surely firewall makers have been busy since 1999?
Clear market trends
• Faster
• Cheaper
• Smaller
  - New Guard: NetScreen (Juniper), Watchguard, SonicWALL
  - Old Guard: Cisco, Check Point
Clear product trends
• Add VPN features
  - Site-to-site
  - Remote Access (?)
• Add policy-based URL control
  - Websense-type
• Add interfaces
  - No longer just inside, outside, DMZ
Incremental improvements are not very exciting
• Smaller, cheaper, faster: that’s great
• VPNs, more interfaces: that’s great
• But what have you done for me lately?
• To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
Proxy
• More secure because you can look at application data stream
• More secure because you have independent TCP stacks
Stateful PF
• Faster to write
• Faster to adapt
• Faster to run
• Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!
(Diagram) Proxy: runs in process space (RTL), on top of the TCP/IP stack. Packet Filtering: runs in the kernel.
Inside network = 10.1.1.0/24; outside net = 1.2.3.4.
The inside packet Src=10.1.1.99 Dst=5.6.7.8 appears on the outside as Src=1.2.3.4 Dst=5.6.7.8.
Firewall Landscape: five years ago
• IBM eNetwork
• Secure Computing
• Altavista Firewall
• TIS Gauntlet
• Raptor Eagle
• Elron
• Cyberguard
• Ukiah Software
• NetGuard
• WatchGuard
• SonicWALL
• Check Point
• Livermore Software
• Milkyway
• Borderware
• Global Internet
Stateful Packet Filtering dominates the market
• Check Point
• Cisco
• NetScreen
• SonicWALL
• Freeware-based products: Ipchains, IPF, Iptables, IPFW
• FW Newcomers: Fortinet, Toshiba, Ingate, Enterasys, many others
(Diagram) IP / Stateful Packet Filtering, in the kernel.
But… the core argument was never disputed
• Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information
• The reality is that proxy-based firewalls rarely went very far down that path
  - Why? Market demand, obviously…
Firewall Evolution: What we hoped for…
• Additional granular controls on a wide variety of applications
• Vastly improved centralized management systems
• Intrusion detection and prevention functionality
• More flexible deployment options
Firewall Evolution: What we found…
• Additional granular controls on some applications (not a wide variety)
• Limited intrusion detection and prevention functionality
• Vastly improved centralized management systems
• More flexible deployment options
Why? Market demand, obviously…
Additional Granular Controls focused on a few applications
• Everybody loves HTTP management
  - Header filtering
  - File type & MIME type blocking
  - Embedded Data blocking (Javascript)
  - Virus scanning, URL Filtering
• Other applications are piecemeal
  - FTP
  - SMTP
  - VoIP
  - File Sharing
HTTP-oriented features served “pressure points”
(Comparison table. The row-to-product mapping did not survive extraction, so the cell values are grouped by column; cells are separated by semicolons.)
Products compared: Netscreen, WatchGuard, CyberGuard, Symantec, Check Point, SecureComputing
• HTTP Action Controls: Post/Put/Delete; None; Post; Can block 'upload' only; Get/Post/Put/Head; All
• Filename & MIME type blocking: Filename, no MIME blocking; Filename .EXE & .ZIP, no MIME blocking; MIME blocking; Filename & MIME type blocking; Filename blocking by extension; Filename by wildcard, no MIME blocking
• Header Filtering / SOAP controls / URL Translation (values as extracted): Full; Basic; Yes; No; No; No; Limited Set; No; No; Full; Block/Allow; No; No; No; No; Yes; Full; Basic
• Can Block within HTTP…: ActiveX, Java; ActiveX, Java, Cookies; ActiveX, Java, Javascript, VBScript, XML; ActiveX, Java, Javascript, VBScript; WebDAV, DCOM; ActiveX, Java, Javascript, Vbscript
• Virus detection: Yes, external server; Yes, internal or external server; None; Local scanning, 2 types (signature/heuristic); Local scanning; Yes, external server
• URL filtering/blocking: WebSense; WebSense plus local URL list; WebBlocker; Smartfilter and local URL list; Rating system and local URL list; OPSEC and local URL list
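The HTTP controls listed two slides back (header filtering, file type and MIME type blocking, embedded data blocking, a local URL list) and tabulated here are all checks on the application data stream. As an added example, not code from the presentation or from any of the vendors in the table, the following toy policy check implements each of those control categories over a raw HTTP request and response. The policy values, header names and sample messages are constructed for the example.

```python
# Added example (not from the presentation or any vendor): toy HTTP
# application-layer policy checks covering the control categories in the
# table: action (method) controls, filename/MIME blocking, header filtering,
# embedded-content blocking and a local URL block list. The policy values
# and the sample messages are constructed.
import re
from urllib.parse import urlsplit

POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},                        # action controls
    "blocked_extensions": {".exe", ".zip"},                            # filename blocking
    "blocked_mime": {"application/x-msdownload", "application/zip"},   # MIME blocking
    "strip_request_headers": {"x-internal-user", "proxy-connection"},  # header filtering
    "blocked_tags": {"script", "applet", "object", "embed"},           # embedded data
    "url_blocklist": {"bad.example"},                                  # local URL list
}


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start-line parts, headers, body).
    Header names are lower-cased so policy lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def _extension(path: str) -> str:
    """'.exe' for '/dl/setup.exe', '' when the last path segment has no dot."""
    base = path.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def check_request(raw: bytes, policy=POLICY):
    """Returns (violations, headers_to_strip) for an inbound client request."""
    (method, target, _version), headers, _ = parse_http(raw)
    violations = []
    if method.upper() not in policy["allowed_methods"]:
        violations.append(f"method {method} not allowed")
    # Accept both absolute-form (proxy style) and origin-form request targets.
    if "://" in target:
        url = urlsplit(target)
    else:
        url = urlsplit("http://" + headers.get("host", "") + target)
    if url.hostname in policy["url_blocklist"]:
        violations.append(f"host {url.hostname} on local URL block list")
    ext = _extension(url.path)
    if ext in policy["blocked_extensions"]:
        violations.append(f"filename extension {ext} blocked")
    strip = sorted(h for h in headers if h in policy["strip_request_headers"])
    return violations, strip


def check_response(raw: bytes, policy=POLICY):
    """Returns violations for a server response: MIME type, attachment
    filename, and embedded active content inside HTML bodies."""
    _status, headers, body = parse_http(raw)
    violations = []
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime in policy["blocked_mime"]:
        violations.append(f"MIME type {mime} blocked")
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    if m and _extension(m.group(1)) in policy["blocked_extensions"]:
        violations.append(f"attachment extension {_extension(m.group(1))} blocked")
    if mime.startswith("text/html"):
        for tag in sorted(policy["blocked_tags"]):
            if re.search(rb"<\s*" + tag.encode() + rb"\b", body, re.IGNORECASE):
                violations.append(f"embedded <{tag}> blocked")
    return violations


if __name__ == "__main__":
    req = b"GET /dl/setup.exe HTTP/1.1\r\nHost: bad.example\r\nX-Internal-User: alice\r\n\r\n"
    print(check_request(req))
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><SCRIPT>x()</SCRIPT></html>"
    print(check_response(resp))
```

Note what the response side needs that the request side does not: a proxy must buffer and parse the server's headers and body before it can apply MIME or embedded-content policy, which is exactly the work that makes the proxy approach slower than a stateful filter. The tag regex is deliberately simple; a production control has to cope with encodings, chunked transfer and obfuscated markup.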
Advanced Controls are diverse across products
(Matrix of products against protocols; the per-product marks did not survive extraction.)
Products: CyberGuard, Netscreen, WatchGuard, Secure Computing, Symantec, Check Point
Protocols: FTP, H.323, HTTP, LDAP, NNTP, RealAudio, SIP, SMTP, POP, DNS, IMAP, Socks, SNMP, CIFS
• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
Virus Scans and Policy Controls are simple, right?
• No! Some firewalls insisted on having virus and/or URL scanning happen “off box”
• No! Some firewalls can’t configure where you scan for viruses
• No! Some devices don’t have virus scanning
• No! Some firewalls don’t support a local list of blocked URLs
Conclusion: it’s not simple
We’ve learned how to write good GUIs, haven’t we?
• Not in the firewall business, we haven’t
• Additional granularity means additional thinking about resources
• Products are … disappointing
The firewall people have a lot to learn from the SSL VPN people
Centralized management has improved a bit
• Folks who had it are doing slightly better than they were
• Folks who didn’t have it now generally have something
We’re still missing a general policy management system for firewalls
Many of the centralized management tools have very rough edges
“Intrusion” is the new buzzword in security
Rate-based IPS technology
• In firewalls, means “SYN flood protection”
• May be smart (NS)
• May include shunning (SecComp, WG, CP)
Content-based IPS technology
• Based on IDS-style thinking
• May have small signature base (NS, CP)
• May be an “IDS with the IPS bit on” (Symantec)
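The two IPS styles on this slide differ in what they count: a rate-based engine counts events per time window and may shun the offender, while a content-based engine matches a signature base against payload. The following is an added example (not from the presentation or any of the named vendors) of both in toy form; the threshold, window, shun time, the one signature and the replayed packet events are constructed.

```python
# Added example (not from the presentation or any vendor): toy versions of
# the two IPS styles on the slide. The threshold, window, shun time, the
# single signature and the sample packet events are all constructed.
import re
from collections import defaultdict, deque


class RateBasedIPS:
    """Rate-based protection in the 'SYN flood protection' sense: count bare
    SYNs (SYN without ACK) per destination in a sliding time window; beyond
    the threshold, drop the SYN and shun its source for a while."""

    def __init__(self, threshold=100, window=1.0, shun_seconds=60.0):
        self.threshold = threshold
        self.window = window
        self.shun_seconds = shun_seconds
        self.syns = defaultdict(deque)   # dst -> timestamps of recent bare SYNs
        self.shunned = {}                # src -> time the shun expires

    def inspect(self, ts, src, dst, flags):
        """Return 'pass', 'drop:shunned' or 'drop:syn-flood' for one packet."""
        expiry = self.shunned.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop:shunned"
            del self.shunned[src]                # shun expired, forget it
        if "S" in flags and "A" not in flags:
            recent = self.syns[dst]
            recent.append(ts)
            while recent and recent[0] < ts - self.window:
                recent.popleft()                 # slide the window forward
            if len(recent) > self.threshold:
                # Shunning only helps against a real source; a flood of spoofed
                # sources needs SYN cookies or SYN proxying instead.
                self.shunned[src] = ts + self.shun_seconds
                return "drop:syn-flood"
        return "pass"


# Content-based: a (small) signature base applied to the payload, IDS-style.
SIGNATURES = {
    # constructed signature: a directory-traversal sequence in a request line
    "http-dotdot-traversal": re.compile(rb"\.\./\.\./"),
}


def content_match(payload: bytes):
    """Names of the signatures that fire on this payload (empty list if none)."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


def demo():
    """Replay constructed events through both engines; returns the verdicts."""
    ips = RateBasedIPS(threshold=3, window=1.0, shun_seconds=10.0)
    rate = [ips.inspect(0.1 * i, "203.0.113.7", "1.2.3.4", "S") for i in range(5)]
    content = content_match(b"GET /../../secret HTTP/1.0\r\n\r\n")
    return {"rate": rate, "content": content}


if __name__ == "__main__":
    print(demo())
```

The fourth bare SYN inside the window trips the threshold and is dropped, the fifth is dropped because its source is now shunned, and a SYN/ACK from another host passes because the counter only sees bare SYNs. The content engine needs reassembled payload to work on, which is why the slide frames it as IDS-style thinking bolted onto a firewall rather than something the packet filter gets for free.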
So what’s going on in the firewall business?
• Products are diverging, not converging
• Personalities of products are distinct
• IPS is a step forward, but not challenging the world of standalone products
• Rate of change of established products is slow compared to new entries
What does this mean for me and my firewall?
• Products are diverging; personalities are distinct → Matching firewall to policy is hard; change in application or policy may mean changing product!
• IPS weaker than standalone; change rate slow → Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia
Application-layer firewalling
Joel Snyder
Opus One
Member, Information Security
Magazine test alliance
jms@opus1.com
Questions
Submit your questions to Joel by clicking on the Ask a Question link on the lower left corner of your screen.
Thank you
Thank you for participating in this SearchSecurity webcast. For more information on firewalls and an article by Joel, visit our Featured Topic. A copy of this presentation will be posted within the next 24 hours.
http://searchsecurity.com/featuredtopic/firewalls