There has not been much innovation in the firewall market for some time. Sure, they are stateful and perform deep inspection, but because most of them still rely on TCP and IP protocol headers to identify traffic and applications, they have too many flaws to be considered a security device. I consider firewalls to be more of a networking device than a security device, since their main purpose is to connect untrusted and trusted networks, not to secure the connections.
There are two basic flaws in common firewalls that make them unsuitable to be called a security device. IP- and port-number-centric firewalls are flawed since:
- IP addresses don't properly identify a single user or even a single machine. The current trend towards virtualisation makes this even more true. Having IPs as source and destination variables isn't granular enough.
- Port numbers don't properly identify a protocol. There was a time when port 80 was used by HTTP, but today many applications use port 80 for their traffic. One example is Skype. Having port numbers as protocol and application identifiers isn't granular enough either.
Future firewalls that live up to the requirement of properly identifying users and applications are, however, to some degree already here. One innovative company is Palo Alto Networks, whose "Next generation firewall" uses a technology they refer to as App-ID:
App-ID is a revolutionary traffic classification technology that enables administrators to see exactly which applications are running on their network, irrespective of port, protocol, SSL encryption or other evasive tactics. Architected to address security evasion tactics such as the use of non-standard ports, dynamically changing ports and protocols, emulating other applications, and tunneling to bypass existing firewalls, App-ID gives administrators newfound powers of control over their application traffic.
I like this because it allows firewall policies to be described in terms of applications, such as Skype, Bittorrent, HTTP or SMTP, instead of service objects that rely on port numbers and header information. There are open source projects that develop technology similar to App-ID, such as L7-filter:
L7-filter is a classifier for Linux’s Netfilter that identifies packets based on application layer data. It can classify packets as Kazaa, HTTP, Jabber, Citrix, Bittorrent, FTP, Gnucleus, eDonkey2000, etc., regardless of port.
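To make the port-versus-payload point concrete, here is an added example (my own code, not part of L7-filter or any Palo Alto product) that classifies the first bytes a client sends with a few simplified application-layer signatures in the spirit of L7-filter's regex approach, and compares the result with what the destination port would suggest. The signatures, port table and sample flows are constructed for this example; real classifiers use far larger pattern sets and look deeper into the connection.

```python
import re

# Illustrative signatures matched against the first bytes of a flow.
# These are simplified patterns written for this example, not the
# pattern files that ship with L7-filter.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-[12]\.[0-9]")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]

# What a port-centric firewall assumes a destination port carries (constructed).
PORT_TABLE = {80: "http", 22: "ssh", 25: "smtp", 6881: "bittorrent"}


def classify_by_port(dst_port: int) -> str:
    """Port-centric guess: the flaw the post describes."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes, max_bytes: int = 512) -> str:
    """Application-layer guess: match signatures on the leading bytes only."""
    head = payload[:max_bytes]
    for name, pattern in SIGNATURES:
        if pattern.search(head):
            return name
    return "unknown"


def audit(flows):
    """Return (dst_port, port_guess, payload_guess, mismatch) per flow."""
    results = []
    for dst_port, payload in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(payload)
        results.append((dst_port, by_port, by_payload, by_port != by_payload))
    return results


# Constructed sample flows: three on port 80, only one of which is HTTP.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"P" * 20),
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (8080, b"POST /api HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for port, by_port, by_payload, mismatch in audit(SAMPLE_FLOWS):
        flag = "MISMATCH" if mismatch else "ok"
        print(f"dst port {port:5d}: port says {by_port:10s} payload says {by_payload:10s} {flag}")
```

A port-centric policy would allow all three port-80 flows as "HTTP"; the payload classifier flags two of them as something else.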
Besides being application-aware, Palo Alto's firewalls integrate with Active Directory to tie users to IP addresses. Juniper Networks also does that, and much more, in their Unified Access Control concept (pdf). In that concept the firewall policies use the user identity instead of IP addresses, among other things.
Update:
A good interview with the founder of Palo Alto Networks, Nir Zuk:
"I think that a more important trend in network security today is the move from port-centric to application-centric classification technologies. This will make most of the existing products obsolete, similar to the way stateful inspection has made its predecessors disappear from the world…"