By Scarlet Pruitt on June 11th, 2007
If there were such a thing as a Firewall Outlet Mall, you would see shelves filled with scores of products, from simple routers to security appliances of all shapes, sizes and capabilities. Perhaps there would be a sprawling enterprise software demo, with hundreds of clients connected to a server running the latest version of Microsoft Corp.’s ISA Server. Third-party service providers would set up stands to advertise their wares, and price tags would hang in the air, ranging from next to nothing to hundreds of thousands of dollars.
The current firewall market has evolved in response to new threats, growing network complexity, and a desire to consolidate security functions. The next wave of products looks likely to be driven by deeper integration, specialization and virtualization.
The firewall market has already started to embrace all-in-one security solutions that adopt or adapt features from the variety of existing products. IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) technologies are a good example. Neither lived up to expectations as a standalone appliance, yet current firewall products benefit from the techniques they introduced.
Before this integration, some firewalls already offered intrusion prevention features that monitored traffic for known attack and vulnerability signatures and blocked matching packets. The trouble with signature-based detection was that every new threat first had to be identified and a signature written for it, leaving systems exposed in the meantime. Furthermore, most intrusion prevention systems did not begin recording until after an alarm had been triggered, so the traffic that caused the alarm, and what led up to it, was often not captured.
Firewalls in general were designed to inspect traffic crossing the perimeter and, even with intrusion prevention, did not detect threats already inside the internal network. Limitations such as these left organizations looking for supplementary security solutions.
When IDS and IPS products started to take off in the late 1990s, they appeared to be the right tools to cover firewall blind spots. The reason for the optimism was that IDS and IPS go further than firewalls in detecting malicious traffic and computer usage: they watch for attacks originating inside the network, raise alarms, and help evaluate intrusions after they have happened.
IDS products are passive (they warn of potential security breaches but take no action against them), whereas IPS products are reactive and can respond to a potential threat by resetting the connection or pushing a rule to the firewall to block the traffic. Both essentially act like burglar alarms, using sensors to generate security events.
IPS and IDS offered a lot of promise to organizations looking to improve their warning systems, but when it came to comprehensive protection against threats, many IT professionals were disappointed. Some complained that the systems buried them in alerts while giving little or no information for locating the attack.
In 2003, IT research group Gartner Inc. even went so far as to declare IDS/IPS a market failure. This was despite the fact that the Computer Security Institute/FBI Annual Computer Crime and Security Survey reported that by 2002, 72% of organizations had purchased an IDS or IPS.
Although they racked up a lot of sales as standalone appliances, the real success of IDS and IPS systems came with their integration into comprehensive firewall-based security solutions.
Modern firewalls employ deep packet inspection to detect potential threats, and the IDS/IPS components raise alarms and record suspicious activity.
IT experts now believe the integration can be taken further by using IDS sensors to monitor appliances that the existing management framework does not cover. The same monitors can be used for threat “forensics,” giving network administrators a better understanding of what happened after an event.
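To make the three points above concrete (signature matching over packet payloads, the difference between an IDS that only alerts and an IPS that also blocks, and the value of recording what preceded an alarm), here is a small added example written for this page; it is not code from any product mentioned in the article. The sample flows, the signature set and the names (`Engine`, `inspect_all`, `UPDATED_SIGNATURES`) are assumptions for illustration. The fourth flow is a URL-encoded variant of the third that the initial signature misses, which is the signature-lag problem in miniature; the updated signature set shows what closes the gap.

```python
import re
from collections import deque

# Constructed sample flows (not real captures): (src, dst, dport, payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    ("10.0.0.5", "192.168.1.10", 80, b"GET /login HTTP/1.1\r\nHost: shop\r\n\r\n"),
    ("10.0.0.9", "192.168.1.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    # Same attack, URL-encoded: a variant the hypothetical signature set has not caught up with.
    ("10.0.0.7", "192.168.1.10", 80, b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.5", "192.168.1.10", 443, b"\x16\x03\x01\x00\x2f\x01"),
]

# Hypothetical signature set: name -> byte regex matched against the payload.
SIGNATURES = {
    "traversal-plain": re.compile(rb"\.\./\.\./etc/passwd"),
}

# Hypothetical signature update that covers the encoded variant as well.
UPDATED_SIGNATURES = {
    **SIGNATURES,
    "traversal-encoded": re.compile(rb"\.\.%2f\.\.%2fetc/passwd", re.IGNORECASE),
}


class Alert:
    def __init__(self, signature, src, dst, context):
        self.signature = signature
        self.src = src
        self.dst = dst
        self.context = context  # flows seen just before the trigger


class Engine:
    """Signature engine that runs as an IDS (alert only) or an IPS (alert and block)."""

    def __init__(self, mode, signatures=SIGNATURES, history=3):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.signatures = signatures
        self.blocked = set()                 # sources the IPS has shut out
        self.recent = deque(maxlen=history)  # pre-trigger ring buffer

    def inspect(self, src, dst, dport, payload):
        """Return (verdict, alert); verdict is 'pass', 'alert' or 'block'."""
        if src in self.blocked:
            return "block", None
        hit = next((n for n, rx in self.signatures.items() if rx.search(payload)), None)
        if hit is None:
            self.recent.append((src, dst, dport, payload))
            return "pass", None
        # Keep what preceded the trigger so the analyst can see the lead-up.
        alert = Alert(hit, src, dst, list(self.recent))
        self.recent.append((src, dst, dport, payload))
        if self.mode == "ips":
            self.blocked.add(src)  # the equivalent of pushing a block rule to the firewall
            return "block", alert
        return "alert", alert


def inspect_all(flows, mode, signatures=SIGNATURES):
    """Run every flow through a fresh engine; return the verdict list and the engine."""
    eng = Engine(mode, signatures)
    return [eng.inspect(*f) for f in flows], eng


if __name__ == "__main__":
    results, eng = inspect_all(SAMPLE_FLOWS, "ips")
    for (src, _, _, payload), (verdict, alert) in zip(SAMPLE_FLOWS, results):
        tag = f"  <- {alert.signature}" if alert else ""
        print(f"{verdict:5} {src:10} {payload[:40]!r}{tag}")
    print("blocked:", eng.blocked)
```

Run in IDS mode, the third flow produces an alert carrying the two flows that preceded it, and the encoded fourth flow passes untouched; in IPS mode the offending source is added to the block set and every later packet from it is dropped without further inspection. Only the updated signature set catches the fourth flow, which is why standalone signature engines were only as good as the speed of their updates.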
IDS/IPS is just one area of technology integration that will benefit next-generation firewalls. Device support and VoIP (Voice over Internet Protocol) security are other in-demand functions that are being bundled into all-in-one solutions.
Comprehensive solutions not only offer multiple layers of security, they also offer convenience. All-in-one products eliminate duplicate security functions and cut down on unnecessary administrative tasks so network professionals can concentrate on serious threats.
While holistic solutions look promising, the firewall market is also moving in the opposite direction: specialization.
Present day firewalls can perform a dizzying array of functions, but when it comes to filtering a specific technology or protecting a particular application they can fall short. This is where the specialized firewall comes in.
One example of a technology-specific firewall is the XML (Extensible Markup Language) firewall, often used by large e-commerce companies. XML is a way to define common information formats and share them on the Web. The whole job of an XML firewall is to exchange XML messages safely with other systems, checking each message before it reaches the application behind it. These firewalls often come in aptly named “XML appliances” that sit in front of an organization’s main systems.
There are also application-specific firewalls, such as those for Web applications. A Web application firewall complements the existing network security system by inspecting the HTTP traffic of a particular Web application for attacks aimed at the application itself. The appliances that host them often also take on delivery functions for the Web server pool, such as load balancing, SSL (Secure Sockets Layer) acceleration, and request routing.
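What “safely exchange XML messages” amounts to in practice is a set of checks applied to each inbound message before the application ever parses it. The following is an added example written for this page, not code from any XML appliance: it enforces a size ceiling before parsing, refuses any message that declares a DTD (the only way entity definitions and external references can enter a message, and something a business document never needs), parses incrementally so that excessive nesting is rejected as soon as it is seen, and then checks that the root element is one of the message types the back end expects. The limits, the allowed root names and the sample messages are assumptions chosen for illustration.

```python
import io
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # size ceiling, checked before any parsing happens
MAX_DEPTH = 8           # nesting ceiling, enforced while parsing
ALLOWED_ROOTS = {"Order", "OrderStatusRequest"}  # hypothetical message types


def parse_bounded(raw):
    """Parse XML incrementally, aborting as soon as nesting exceeds MAX_DEPTH."""
    depth, root = 0, None
    for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > MAX_DEPTH:
                raise ValueError("too-deep")
            if root is None:
                root = elem
        else:
            depth -= 1
    return root


def check_xml_message(raw):
    """Return (accepted, reason) for one inbound message."""
    if len(raw) > MAX_BYTES:
        return False, "oversized"
    # No DTD means no entity definitions and no external references.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "dtd-not-allowed"
    try:
        root = parse_bounded(raw)
    except ET.ParseError:
        return False, "malformed"
    except ValueError as err:
        return False, str(err)
    if root is None or root.tag not in ALLOWED_ROOTS:
        return False, "unexpected-root"
    return True, "ok"


# Constructed sample messages (not taken from any real system).
SAMPLES = {
    "order":      b"<Order id='42'><Item sku='A1' qty='2'/></Order>",
    "status":     b"<OrderStatusRequest id='42'/>",
    "with_dtd":   b"<!DOCTYPE x [<!ENTITY e 'aaaa'>]><Order>&e;</Order>",
    "wrong_root": b"<AdminCommand>shutdown</AdminCommand>",
    "too_deep":   b"<Order>" + b"<a>" * 20 + b"</a>" * 20 + b"</Order>",
    "malformed":  b"<Order><Item></Order>",
    "oversized":  b"<Order>" + b"x" * MAX_BYTES + b"</Order>",
}


def check_samples():
    """Run every constructed sample through the check; returns name -> (accepted, reason)."""
    return {name: check_xml_message(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:11} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

The order of the checks matters: the size test runs on the raw bytes, the DTD test runs before the parser sees the document, and the depth limit is enforced inside the parse loop rather than by walking a fully built tree, so a hostile message is rejected with bounded work.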
Specialized firewalls are particularly useful in protecting mission-critical applications, and as these applications evolve, specialized firewalls are likely to follow.
The third and perhaps most exciting firewall trend is virtualization. Virtualization refers to software that presents an emulated hardware environment, allowing an application or operating system to behave as if it were running on a separate computer.
Each such guest runs as a virtual machine on a “host” hardware system. Companies that run a variety of software already use this technology to consolidate applications on fewer servers.
With virtualization, organizations can now run and manage multiple firewalls on one physical machine. If they choose, they can also do away with their security appliances. Instead of finding space and power outlets for security appliances, companies can run firewall software as a virtual appliance on a shared server.
Virtualization is also a boon for third-party firewall providers who can use the technology to support and segregate multiple customers on one machine.
Hardware consolidation is one aspect of virtualization, but running a virtual firewall has other benefits. A virtual appliance can be packaged in ways a hardware box cannot, such as being generated by management software running on a separate system. A firewall product with a management GUI (Graphical User Interface) can, for instance, generate a read-only virtual appliance that runs only the firewall software: the appliance itself is smaller and cannot be altered in place, yet configuration changes can still be made through the GUI.
With virtualization still evolving, experts see numerous opportunities to integrate new firewall functions while effectively utilizing system resources.
Even as we’re looking at the future of firewalls, some are claiming that firewalls have no future – at least with respect to Web 2.0. They argue that corporate workers are being blocked from exciting new business applications offered by companies such as Google Inc. and Skype Ltd. because these applications aren’t being allowed through the company firewall.
Even Web services recognized for their security and productivity are getting only a slow nod from network administrators. The risk is that consumer technology will race past enterprise technology, leaving companies to play catch-up. Our hyper-focus on network security, some argue, is in effect locking down corporate desktops and cutting users off from the real potential of Web-based technologies.
Tough security policies can also slow the rate of adoption of new technologies, leaving us with less innovation in the workplace.
For IT professionals who work night and day trying to protect networks from a seemingly endless onslaught of threats, these arguments may be hard to swallow. Although a few companies have loosened the reins on Web access, most are standing behind their security policies and investments.
This situation has left it to the Web companies to find a workaround using newer techniques such as AJAX (Asynchronous JavaScript and XML), a way of building interactive Web applications that run in the browser. Google, for example, has used AJAX to deliver productivity tools inside the browser so employees do not have to install any software on their computers.
The tension between Web-based innovation and strict network security is sure to continue. As Web 2.0 services become more compelling, it will be interesting to see if corporate policies change and how these changes flow into our firewalls.
Although some may see firewalls as obstacles, it’s unlikely that we’ll be unplugging them anytime soon. A more likely scenario is that they will continue to evolve, and if we’re lucky the trends toward integration, specialization and virtualization will make it a little easier to shop at the Firewall Outlet Mall.