I saw an interesting conversation start on Twitter today... it started by a simple question - "How relevant is the firewall in today's IT infrastructure?" ...the answer is ...well ... it depends!
Some of us still think about the firewall as that CheckPoint v3.0 on the Nokia IP440 running IPSO you installed way, way back in 1999. You know who you are.
There are many arguments, facts, and fallacies on firewalls - and I think it's time we took another look.
Background
The firewall has evolved over time, from a piece of purpose-built hardware, to software-on-generic-hardware, to system-infused firewalls like you have on the modern Windows, Solaris, and Linux operating platforms. We recognize the names: CheckPoint, Cisco, Astaro, NetScreen, and many others. We've also used "firewall agents" like the old-school NetworkICE "BlackICE" product (before ISS bought and f'd that up) and many other similar copy-cat products. Today, firewalls are a matter of IT life. Odds are if you've installed an [inappropriately named] "Anti-Virus" package lately you have a personal firewall installed ...or you're using the one built into Windows, or Linux, or whatever. If you're building a network segment you'll be separating it from the big, ugly Internet via a firewall, of that there is no doubt. There is a problem, however, as questions arise about the real value of the firewall in today's IT climate.
Questions
Questions arise as today's firewalls get deployed. Some of the main questions I've heard lately are...
- Aren't these [firewalls] obsolete now that nearly every OS has its own firewall built in?
- Why do we need firewalls with all these all-in-one devices (UTM devices)?
- I need a WAF? But I already have a {insert vendor here} firewall!
- So what about this "vanishing perimeter" I keep hearing security people talking about?
- ...and there are more.
The point is that there are many types of firewalls out there today, and many devices that mislabel, misrepresent and confuse the buyer. In the spirit of simplicity I think I'd like to take all these different "types" of firewalls and consolidate them into something simpler to understand. Let's see if I can get any agreement here.
Firewall Types (as I see it)
- Basic - You know these best as packet filters. These firewalls are typically the older-school devices which look at things like state, sequence, port, protocol, directionality and either allow a packet or don't. They don't look inside the packets ("deep packet inspection"), don't re-assemble payloads, and generally don't track the full conversation stream. These are extremely mature products, and have started to go the way of the honest politician (extinct). The good news is that if you need to segment one network from another in a very basic way - this is the most efficient way to do it. Basic firewalls are blazingly fast due to their relatively low complexity, which means for extremely high-speed environments this may be the way to go.
- Stack-Aware - The next option that seems to have evolved over the last several years (probably most pronounced from 2001 onward) is the stack-aware "firewall". These are most commonly installed on the host itself and they're "shimmed" into the TCP stack. These types of firewalls understand the content of packets (not merely their 'parameters/flags') and can even do some basic re-assembly of packet streams to figure out if you're getting a malicious payload. This means that out-of-sequence packets, or "overlapping" packets can be re-assembled and analyzed by the device itself. Of course, there are limitations in speed, buffer size (memory), and throughput but generally these things are pretty good at protecting at the operating system and stack levels. I wouldn't go out on a limb and give them credit for anything above that in the OSI network model but they're pretty useful. You'll find these embedded as value-add on your local CheckPoint box (I forget what the sandbox technology is called now...) and inside your local (again, mis-labeled) anti-virus client + firewall. It's not super-sexy, or ultra-protective but the basic principles of firewall + stack awareness exist so this is a "level up" in protection.
- Layer 7 Aware - This is the pinnacle of firewall evolution. I would argue that firewalls that do this type of filtering shouldn't be your primary firewall or on heavily utilized links since there isn't enough hardware on the planet to understand several applications on a high saturation link. Trust me, I've tried ...and failed big. The major contender here is the "WAF - web application firewall", the biggest confusion to hit IT Security in many, many years. First off the WAF isn't really a firewall - if you go by current definitions. It is a layer-7 monster though ... so this is why I'm adding this new category on the evolutionary ladder. Layer 7 awareness means that the firewall device looks at the packets differently than the other 2 categories. The layer 7 aware device looks at packet content and understands the parameters of the conversation - and the endpoint for which the packet is bound. If you're filtering a web application - the "firewall/WAF" understands the application-layer communications protocols (http, https) but also understands the layer above - the actual application. It knows parameters, application logic (at some basic level) and bounds of inputs/outputs. This should (but hasn't to my knowledge) be extended to things like DNS (which, let's face it, needs serious help) and other protocols too!
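To make the three tiers concrete, here is an added toy model (not code from the original post, and not any vendor's product) in which one constructed HTTP request is split across two out-of-order TCP segments; the marker string `BADSTRING`, the port list and the 8-character parameter limit are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed test marker standing in for a real signature (assumption).
SIGNATURE = b"BADSTRING"

@dataclass
class Segment:
    """A TCP segment reduced to the fields the three tiers look at."""
    dst_port: int
    seq: int
    data: bytes

# Constructed sample: one HTTP request split across two segments that
# arrive out of order, so the marker never sits inside a single segment.
SAMPLE: list[Segment] = [
    Segment(80, 11, b"STRING HTTP/1.0\r\n\r\n"),
    Segment(80, 0, b"GET /?q=BAD"),
]

def basic_allows(seg: Segment, open_ports=(80, 443)) -> bool:
    """Basic tier: a packet filter decides on header fields alone."""
    return seg.dst_port in open_ports

def per_packet_allows(seg: Segment) -> bool:
    """Content check on one segment at a time, with no reassembly."""
    return SIGNATURE not in seg.data

def reassemble(segments: list[Segment]) -> bytes:
    """Stack-aware tier: rebuild the stream from seq numbers. Overlaps
    resolve first-arrival-wins here; real stacks differ on this."""
    stream: dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            stream.setdefault(seg.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))

def stack_aware_allows(segments: list[Segment]) -> bool:
    return SIGNATURE not in reassemble(segments)

def layer7_allows(stream: bytes, max_param_len: int = 8) -> bool:
    """Layer 7 tier: parse the request line and bound every query
    parameter (max_param_len is an assumed application rule)."""
    request_line = stream.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False
    params = parse_qs(urlsplit(parts[1]).query)
    return all(len(v) <= max_param_len for vs in params.values() for v in vs)
```

The packet filter and the per-packet content check both pass every segment, the reassembled stream is what the stack-aware tier matches on, and the layer-7 tier rejects the request on its parameter bound without needing any signature at all.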
So, why have I decided to re-do the firewall evolutionary scale and add my own "Layer 7 Aware" category as the 3rd option? Because I think it makes sense. There are too many devices today that call themselves firewalls, too many software programs that claim "firewall" functionality but only perform basic capabilities.
So ... just how relevant is the firewall in today's IT infrastructure? I think the answer is now, more than ever, extremely relevant. Without firewalls, at any of those 3 levels of maturity I mentioned above, we have open chaos ...like many of the academic networks I've seen. Firewalls don't have a prayer of enforcing "security" completely like we all thought they did back in '99 - but without them we're very, very screwed. For those of you reading this on your Linux machine thinking how crazy I am ... I'm willing to bet you have some client-side firewall running. I dare say most modern OSes have a built-in firewall ... is it effective? Maybe. Does it do a job and serve some purpose? ... absolutely.
Before you disparage the firewall as a concept, make sure you've come to grips with the firewall's evolution, its long history, and the purpose it serves.