Tuesday, March 23, 2010

Revisiting the Firewall

I saw an interesting conversation start on Twitter today... it started with a simple question: "How relevant is the firewall in today's IT infrastructure?" The answer is ... well ... it depends!

Some of us still think about the firewall as that CheckPoint v3.0 on the Nokia IP440 running IPSO you installed way, way back in 1999.  You know who you are.

There are many arguments, facts, and fallacies on firewalls - and I think it's time we took another look.

The firewall has evolved over time, from purpose-built hardware, to software on generic hardware, to firewalls built into the operating system itself, as on modern Windows, Solaris, and Linux platforms.  We recognize the names: CheckPoint, Cisco, Astaro, NetScreen, and many others.  We've also used "firewall agents" like the old-school NetworkICE "BlackICE" product (before ISS bought it and ruined it) and many similar copy-cat products.  Today, firewalls are a fact of IT life.  Odds are that if you've installed an [inappropriately named] "Anti-Virus" package lately you have a personal firewall installed ...or you're using the one built into Windows, or Linux, or whatever.  If you're building a network segment you'll be separating it from the big, ugly Internet with a firewall, of that there is no doubt.  There is a problem, however, as questions arise about the real value of the firewall in today's IT climate.

Questions arise as today's firewalls get deployed.  Some of the main questions I've heard lately are...
  • Aren't these [firewalls] obsolete now that nearly every OS has its own firewall built in?
  • Why do we need firewalls with all these all-in-one devices (UTM devices)?
  • I need a WAF? But I already have a {insert vendor here} firewall!
  • So what about this "vanishing perimeter" I keep hearing security people talking about?
  • ...and there are more
- the point is that there are many types of firewalls out there today, and many devices that mislabel, misrepresent, and confuse the buyer.  In the spirit of simplicity I'd like to take all these different "types" of firewalls and consolidate them into something simpler to understand.  Let's see if I can get any agreement here.

Firewall Types (as I see it)

  • Basic - You know these best as packet filters.  These are typically the older-school devices that look at header fields such as state, sequence number, port, protocol, and direction, and either allow a packet or don't.  They don't look inside the packets ("deep packet inspection") or reassemble payloads, and they generally don't track the full conversation stream.  These are extremely mature products, and have started to go the way of the honest politician (extinct).  The good news is that if you need to segment one network from another in a very basic way, this is the most efficient way to do it.  Basic firewalls are blazingly fast due to their relatively low complexity, which means that for extremely high-speed environments this may be the way to go.
  • Stack-Aware - The next option, which seems to have evolved over the last several years (probably most pronounced from 2001 onward), is the stack-aware "firewall".  These are most commonly installed on the host itself and are "shimmed" into the TCP stack.  These types of firewalls understand the content of packets (not merely their parameters/flags) and can even do some basic re-assembly of packet streams to figure out whether you're receiving a malicious payload.  This means that out-of-sequence or overlapping packets can be re-assembled and analyzed by the device itself.  Of course, there are limitations in speed, buffer size (memory), and throughput, but generally these things are pretty good at protecting at the operating system and stack levels.  I wouldn't go out on a limb and give them credit for anything above that in the OSI model, but they're pretty useful.  You'll find these embedded as value-add on your local CheckPoint box (I forget what the sandbox technology is called now...) and inside your local (again, mis-labeled) anti-virus client + firewall.  It's not super-sexy, or ultra-protective, but the basic principles of firewall + stack awareness exist, so this is a "level up" in protection.
  • Layer 7 Aware - This is the pinnacle of firewall evolution.  I would argue that firewalls that do this type of filtering shouldn't be your primary firewall or sit on heavily utilized links, since there isn't enough hardware on the planet to understand several applications on a highly saturated link.  Trust me, I've tried ...and failed big.  The major contender here is the WAF (web application firewall), the biggest source of confusion to hit IT Security in many, many years.  First off, the WAF isn't really a firewall, if you go by current definitions.  It is a layer-7 monster, though, so this is why I'm adding this new category to the evolutionary ladder.  Layer 7 awareness means that the device looks at packets differently than the other two categories do.  The layer-7-aware device looks at packet content and understands the parameters of the conversation and the endpoint for which the packet is bound.  If you're filtering a web application, the "firewall/WAF" understands the application-layer communication protocols (HTTP, HTTPS) but also understands the layer above: the actual application.  It knows parameters, application logic (at some basic level), and the bounds of inputs/outputs.  This should (but hasn't, to my knowledge) be extended to things like DNS (which, let's face it, needs serious help) and other protocols too!
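
The three categories above, run side by side over one constructed request, as an added example (this is not code from the original post, and the policy, the /login parameter profile, the addresses and the request are all this example's own assumptions).  A packet filter sees only headers and allows anything bound for 80/tcp; a per-segment signature match is defeated by splitting the payload across two TCP segments, which a stack-aware device fixes by reassembling the stream first; and only the layer-7 check, which knows which parameters /login accepts and what shape they take, rejects the request on its meaning rather than on a signature:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Segment:
    """One TCP segment: the header fields a packet filter sees, plus payload."""
    src: str
    dst: str
    dport: int
    seq: int = 0            # relative sequence number of the first payload byte
    payload: bytes = b""
    proto: str = "tcp"


# --- 1. Basic (packet filter): decides on header fields only ---------------
# Constructed policy: web server 10.0.0.5 accepts 80/tcp and 443/tcp; implicit deny.
RULES = [("allow", "tcp", "10.0.0.5", 80), ("allow", "tcp", "10.0.0.5", 443)]


def packet_filter(seg):
    for action, proto, dst, dport in RULES:
        if (seg.proto, seg.dst, seg.dport) == (proto, dst, dport):
            return action == "allow"
    return False


# --- 2. Stack-aware: reassemble the stream before matching on payload --------
def per_segment_scan(segments, pattern):
    """Match each segment on its own: a signature split across two segments is missed."""
    return any(re.search(pattern, s.payload) for s in segments)


def reassemble(segments):
    """Place each segment at its sequence offset; on overlap, later-arriving data wins.
    (Real stacks differ in overlap policy, which is itself a classic evasion vector.)"""
    buf = bytearray()
    for s in segments:                      # arrival order
        end = s.seq + len(s.payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[s.seq:end] = s.payload
    return bytes(buf)


def stream_scan(segments, pattern):
    return re.search(pattern, reassemble(segments)) is not None


# --- 3. Layer-7 aware: parse HTTP and enforce the application's parameter model
# Constructed profile for a hypothetical /login endpoint: known parameters and their shape.
PROFILE = {
    "/login": {
        "user": re.compile(r"^[A-Za-z0-9_]{1,32}$"),
        "pw": re.compile(r"^[\x20-\x7e]{1,64}$"),
    }
}


def layer7_check(stream):
    """Return (allowed, reason) for a reassembled HTTP request."""
    text = stream.decode("latin-1")
    try:
        method, target, _version = text.split("\r\n", 1)[0].split(" ")
    except ValueError:
        return False, "malformed request line"
    if method not in ("GET", "POST"):
        return False, f"method {method} not allowed"
    url = urlsplit(target)
    profile = PROFILE.get(url.path)
    if profile is None:
        return False, f"unknown path {url.path}"
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name not in profile:
            return False, f"unexpected parameter {name}"
        if not all(profile[name].match(v) for v in values):
            return False, f"parameter {name} violates profile"
    return True, "ok"


def demo():
    """Constructed attack: ' OR 1=1 injected into user, URL-encoded, and split across
    two TCP segments so that neither segment carries the whole signature."""
    req = (b"GET /login?user=admin%27%20OR%201%3D1--&pw=x HTTP/1.1\r\n"
           b"Host: www.example.test\r\n\r\n")
    cut = req.index(b"%20OR") + 2            # cut inside the encoded " OR"
    segs = [Segment("198.51.100.7", "10.0.0.5", 80, 0, req[:cut]),
            Segment("198.51.100.7", "10.0.0.5", 80, cut, req[cut:])]
    signature = rb"%20OR%201%3D1"
    return {
        "packet_filter_allows": all(packet_filter(s) for s in segs),
        "per_segment_signature_hit": per_segment_scan(segs, signature),
        "reassembled_signature_hit": stream_scan(segs, signature),
        "layer7": layer7_check(reassemble(segs)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cost gradient in the post shows up in the code: the packet filter compares a tuple, the stack-aware check has to buffer and order segments per flow, and the layer-7 check has to parse the protocol and carry a per-application model, which is why the last one does not scale to a saturated link.
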
So, why have I decided to redo the firewall evolutionary scale and add my own "Layer 7 Aware" category as the third option?  Because I think it makes sense.  There are too many devices today that call themselves firewalls, and too many software programs that claim "firewall" functionality but only perform basic capabilities.

So ... just how relevant is the firewall in today's IT infrastructure?  I think the answer is: now, more than ever, extremely relevant.  Without firewalls, at any of the three levels of maturity I mentioned above, we have open chaos ...like many of the academic networks I've seen.  Firewalls don't have a prayer of enforcing "security" completely, as we all thought they did back in '99, but without them we're very, very screwed.  For those of you reading this on your Linux machine thinking how crazy I am ... I'm willing to bet you have some client-side firewall running.  I dare say most modern OSes have a built-in firewall ... is it effective?  Maybe.  Does it do a job and serve some purpose? ... Absolutely.

Before you disparage the firewall as a concept, make sure you've come to grips with the firewall's evolution, its long history, and the purpose it serves.


dre said...

The purpose of a firewall (especially IPS/WAF) is a doorstop.

All firewalls/IPSes/WAFs can and should be replaced by null routes and simple (usually non-reflected and stateless) router-based TCP/IP access-control lists.

Utilize null routes and TCP/IP access-lists as boundary filters (for segmentation purposes). Keep outbound [client] DNS traffic from going external by implementing reverse zone records for all IP prefixes in use by the organization.

NEVER EVER EVER purchase or waste your money on a firewall/IPS/WAF of any kind. They are pointless. Nobody is going to setup an ACK-based stateless TCP backdoor inside your network or scan you with Christmas packets. Even if they did, would you really care?

An adversary who can specialize in the delivery of custom nmap packets can probably also run the new version of Burp Suite Pro's Intruder and send a bespoke SQL, XPath, or JS/AS3/CSS/HTML injection that goes right on through any firewall, IPS, or WAF -- even with Marcus Ranum, Pedram Amini, and Ryan Barnett on staff to configure those annoying, big, clunky, kludgy, performance-killing, time-wasting, complex boxes.

How else better can I say it?

Unknown said...

You seem to be omitting that with some of the later available firewalls you can integrate things like layer 7 logs from servers and XSS filters and the like directly into the firewall/IPS/IDS etc. as well, so that when an application notices a faulty request it can nuke that IP before it gets a chance to try and try again; think fail2ban/CSF etc. here. Granted, they are software, but nothing is stopping them being integrated into a global blocklist at a hardware level for the specific services they have been attacking.

Also, I put forth the question of what firewalls, if any at all, support handling of DNSSEC packets that are valid or not... The more we go the way of security, the less they can read and understand; we are going to hit a wall here soon where we have to have it integrated so tightly into the actual applications because of the security wrappers we encase all our protocols in as we try to increase our security day by day.

Really, things are going downhill for a lot of hardware-based solutions because of the need to integrate at a lower level, and I've seen far too few products that even try to integrate down at lower levels of the stack around the software area rather than just being hardware monsters.

Personally I prefer software firewalls for the most part, but at the same time I see the need for hardware firewalls. Why software? Integration... it's simple: integrate directly into your app, see a problem query, log it, block the IP, keep an eye out for a similar query and connect the dots on how many proxies this attacker is trying, along with alerting the administrator about what's going on...

If there ARE hardware products that fall into this category, by all means give me a list; I'm interested in them, majorly, but nothing I've seen matches the software firewall's ability to react in real time to suspicious activities, which is seriously wrong.
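
The fail2ban-style loop described in the comment above (application sees a bad request, logs it, counts, blocks the IP, and connects the dots across source addresses), as an added example that is not part of the original post or of fail2ban/CSF: it reads constructed Common Log Format lines, bans an address after three suspicious requests inside a sliding 60-second window, drops it for the ban period, lets it back in afterwards, and groups identical payloads arriving from different addresses.  The log lines, thresholds, patterns and class name are this example's own assumptions; in production the "dropped" verdict would be pushed to the firewall or router ACL rather than decided in the application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format (not real traffic).
# 203.0.113.10 probes three times inside a minute, gets banned, is dropped while banned,
# and is let back in after the ban expires; two other addresses replay the same payload.
LOG = """\
203.0.113.10 - - [23/Mar/2010:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200
203.0.113.10 - - [23/Mar/2010:10:00:05 +0000] "GET /search?q=' UNION SELECT 1,2,3-- HTTP/1.1" 500
203.0.113.10 - - [23/Mar/2010:10:00:07 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200
203.0.113.10 - - [23/Mar/2010:10:00:09 +0000] "GET /../../etc/passwd HTTP/1.1" 404
198.51.100.4 - - [23/Mar/2010:10:00:20 +0000] "GET /search?q=' UNION SELECT 1,2,3-- HTTP/1.1" 500
198.51.100.9 - - [23/Mar/2010:10:00:25 +0000] "GET /search?q=' UNION SELECT 1,2,3-- HTTP/1.1" 500
203.0.113.10 - - [23/Mar/2010:10:05:00 +0000] "GET / HTTP/1.1" 200
203.0.113.10 - - [23/Mar/2010:10:20:00 +0000] "GET / HTTP/1.1" 200
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Deliberately small signature set; the point is the reaction loop, not the detector.
SUSPICIOUS = re.compile(r"(?i)union\s+select|<script|\.\./|\bor\s+1=1")


class ReactiveBlocker:
    """fail2ban-style: `threshold` suspicious requests from one IP inside `window` -> ban for `bantime`."""

    def __init__(self, threshold=3, window=timedelta(seconds=60), bantime=timedelta(minutes=10)):
        self.threshold, self.window, self.bantime = threshold, window, bantime
        self.hits = defaultdict(deque)      # ip -> timestamps of recent suspicious requests
        self.bans = {}                      # ip -> ban expiry
        self.campaigns = defaultdict(set)   # normalized request -> IPs that sent it

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]               # ban expired, let the address back in
            return False
        return True

    def observe(self, line):
        m = LINE.match(line)
        if not m:
            return "unparsed"
        ip, req = m["ip"], m["req"]
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if self.is_banned(ip, now):
            return "dropped"                # in production: enforced at the firewall/ACL, not here
        if not SUSPICIOUS.search(req):
            return "ok"
        # Correlate the same payload across source addresses (the "how many proxies" question).
        self.campaigns[re.sub(r"\d+", "N", req).lower()].add(ip)
        recent = self.hits[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # slide the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.bans[ip] = now + self.bantime
            recent.clear()
            return "banned"
        return "suspicious"


def run(log=LOG):
    """Feed the log through the blocker; return per-line verdicts and payloads seen from 2+ IPs."""
    blocker = ReactiveBlocker()
    verdicts = [blocker.observe(line) for line in log.splitlines() if line.strip()]
    campaigns = {k: sorted(v) for k, v in blocker.campaigns.items() if len(v) >= 2}
    return verdicts, campaigns


if __name__ == "__main__":
    verdicts, campaigns = run()
    print(verdicts)
    for payload, ips in campaigns.items():
        print(f"{len(ips)} addresses sent {payload!r}")
```

Two things worth noting when wiring this to a real firewall: bans must expire (otherwise an attacker who can spoof or borrow addresses turns the blocker into a denial-of-service tool against your own users), and the per-IP counter alone never trips for the two replay addresses, which is exactly why the cross-address correlation is needed.
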

Jack Daniel said...

Good post Raf. The evolution of the firewall is significant, but the evolution of attitudes towards the firewall often lags behind the technology.

Features such as protocol enforcement via proxies and packet analysis, WAF functions, bandwidth management and many other components available on various platforms make modern firewalls much more than a "security" appliance. Properly deployed, they can be significant network health and management devices as well.

(Disclaimer: I work for Astaro, a UTM/XTM vendor)

Beto_atx said...

I would rename the WAF a WAIPS, because a firewall blocks a port here, an IP there.

An IPS inspects and blocks types of traffic, same as a WAF, only the WAF focuses on 80, 443, etc.

good topic! :)

domglavach said...

Deciding whether or not firewalls are still needed is fruitless. Nearly all environments -need- some form of ingress/egress protection or policy enforcement. Most agree that protection (protection, not trust) should begin at the endpoint (host, service, web-app, etc.); when the endpoint security is breached, other methods, i.e. firewalls, are needed (arguing which protection mechanism is better is a whole different post).

Firewalls are designed to protect a tangible perimeter in a somewhat predictable environment. Firewall evolution must account for what Rafal mentions as the "vanishing perimeter". Devices, data, and availability are rarely at rest and are usually present in uncertain environments. Transparent www/https proxies (read: layer-7 firewalls) performing application inspection to thwart malware installations/C&C or enforce policy are very effective when the proxy is in reach and not so good when the proxy is unreachable. Maybe the cloud firewall will evolve (FaaS).

Rafal Los said...

@Dre- I'm not sure I would agree, or even put it so strongly... but I do appreciate that strong opinion.

@Cameron- You make excellent points. As protocols "tighten" you'll definitely see firewalls shrinking (integrating?) into the devices and code themselves ...great point as usual.

@Beta/Jack - Yes!

@Dom- Oh no you didn't ... "cloud firewall"?! I think I need an aspirin...or a box of them. :)

Scott said...

Disclaimer: I work for the company that sells "The Self-Defending Network". My comments are my own.

Consider the non-IT definition of a Firewall - "physical barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse". In other words, contain and compartmentalize your damage. This is loosely analogous to the IT function of a firewall, which segregates and restricts network traffic so that compromise of one system does not lead to open access to another. To your questions:

Aren't these [firewalls] obsolete now that nearly every OS has its own firewall built in?
Not by a long shot. Companies have a hard enough time managing policy on centralized firewalls, distributed "firewalls" (running at layer 4) would add a tremendous layer of complexity that end users, developers, and non network/security IT staff would be unable to account for in their design or development.

On the other hand, I believe that the use of layer 3 network security policy in a distributed mechanism can have great benefit, particularly where policy can be applied to functionally similar systems.

Why do we need firewalls with all these all-in-one devices (UTM devices)?
Well, if your UTM device does firewalling, is it not a firewall? I think someone needs to read their UTM manual's feature list again.

I suspect you're saying that content filtering obviates the need to do network-level control. Hah. Get back to me when you've cleaned up your Conficker infections.

I need a WAF? But I already have a {insert vendor here} firewall!
Ahh yes, the elusive "layer seven" security solution. From the old days of the Raptor proxy/firewall to today's web app form-profiling proxies, there's always a gap to be filled when layers 3 and 4 can't block your attackers. Truth is, you may not need a WAF. However, it's extremely unlikely that you're doing enough log analysis (particularly against POSTed content) that you'd even know when you're under attack, without a WAF. Maybe your IDS will detect it, but definitely not if it can't inspect SSL content. And if the attacks make it to the app, is your app secure enough to deflect it? The statistics say "no" if your app does any significant database or user-generated content activity.

So what about this "vanishing perimeter" I keep hearing security people talking about?
The "borderless network" was upon us ten years ago, and no one acknowledged it. It's grown, twisted, and mutated itself into Extranets, Partner/Vendor Access, Outsourced Development, and now The Cloud(TM). No matter how you look at it, your "inside the Great Corporate Firewall" systems that everyone considers secure are actually the same systems that business managers want to expose to the outside world (in a limited fashion, of course!) Now that your perimeter is letting in people from the outside, how can you 1) detect, and 2) prevent intrusions? The first answer network security types will say is to take the systems you want to expose to the outside, and put them in a firewalled segment. That takes planning and work - your best bet is to account for the need for collaboration and external access when you implement these systems and place them in a protected segment in the first place.

In the case of The Cloud(TM), traditional firewalls don't provide any type of control. Everything is about Content - hopefully you're aware of technology that replaces Sensitive Content with metadata as it leaves your perimeter, and restores it when it comes back in. Wouldn't want the ASP that your Cloud Provider subcontracts with to lose your sensitive data, would you? Good luck suing Amazon or Google for that!

Rafal Los said...

@Scott - AWESOME reply. Thanks for the mind-share ... great to see people thinking!