As recently as a few years ago, IT personnel were trained to harden their network perimeter, barring outsiders entirely. In contrast, today’s security environment is far less clear-cut — and the role of firewalls is expanding.
Corporate IT managers face two contradictory demands when purchasing firewalls for the enterprise. On one hand, today’s firewalls must serve as a tougher line of defense than their predecessors, more closely scrutinizing incoming traffic to filter out an increasing array of viruses and other security risks. On the other hand, these same firewalls must be porous, allowing a free flow of network traffic to and from employees who work outside the enterprise’s physical perimeter, as well as from an increasingly Internet-enabled customer base.
Such an environment can be a breeding ground for confusion when it comes to making a firewall purchase decision. But armed with an understanding of firewall trends and key features, CIOs can determine which product is the right one for their specific enterprise.
New Hazards, New Trends
One growing trend is that more employees are working remotely, rather than at corporate headquarters. Therefore, today’s firewalls, though built to guard against remote access, must also be sophisticated enough to allow the right kinds of remote access, Yankee Group network security analyst Eric Ogren told the E-Commerce Times.
Specifically, in order to be protective yet porous, firewalls must incorporate encryption technology, enabling remote employees to use virtual private networks (VPNs) to connect to corporate servers from afar. A VPN allows data to be transmitted securely over public networks, such as the Internet, by encrypting the data at the sending end and then decrypting it at the receiving end. Data that is not encrypted in the specified manner cannot pass through the firewall, creating a “tunnel” that keeps out intruders.
Stephen Philip, director of product marketing at firewall vendor NetScreen, confirmed this trend, telling the E-Commerce Times that the need for firewall and VPN integration is increasing. “[For example], you might deploy one of our devices as a corporate firewall and then decide you want to connect to 1,000 branch offices using VPN technology,” he said. “The ability to turn that on … is a key benefit.”
Need To Compartmentalize
Another major trend is the disappearance of trusted networks, Philip added. “There’s no real trusted component [in] a network anymore. It used to be that you connected an untrusted [setup] to the Internet, and everything behind the firewall was trusted.”
Clearly, that has changed. For example, if an enterprise installs a wireless LAN behind a firewall and does not secure it correctly, intruders can access the corporate network and then attack it from within. Likewise, extranets that bring business partners into corporate networks, as well as the presence of consultants on-site, have caused corporations to question the concept of trusted networks. The solution, according to Philip, is to compartmentalize enterprise networks.
Firewalls have evolved to respond to these new needs. “A lot of new developments are going on at once,” Richard Stiennon, Internet security research director at Gartner, told the E-Commerce Times. “There’s a trend towards higher speed, higher throughput, and central firewalls that can handle many connections, so [administrators] can segment a network into many zones and apply security policy [variably across] the zones. The most important trend is the need to do better defense of application servers behind the firewall.”
As part of this shift, stand-alone firewalls are becoming relics of the past, Ogren said. Instead, firewalls are increasingly being integrated into an overall security infrastructure, whose various components are fully interoperable and allow for clear, simple management. One example of this trend occurred in September 2002, when Nortel Networks, Cisco Systems and Check Point Software announced an initiative to integrate their network security products into a single offering.
In a similar vein, Stiennon said IT managers should focus first on manageability when evaluating firewall offerings. “Most firewalls today provide adequate security if configured properly, so the critical factor is making sure [that is easy to do],” he noted. In addition to user interface, large enterprises should look for the ability to manage multiple firewalls from a single console.
Overall, he said, a large enterprise’s best bet is to go with one of the three market leaders — Cisco, Check Point or NetScreen.
Port 80 Lockdown
In addition to ease of installation and management, the best firewalls also include at least two additional features.
One key concept is known as Web application security. Stiennon noted that many firewalls in use today allow port 80 (Web-based) requests to pass through a network’s perimeter (in order to reach a Web server) with just rudimentary protocol checks. This is a vulnerable setup that can allow malicious code to slip through the barrier. “As we move forward, especially with .NET services and XML, there will be more and more need to be able to [review] those transactions as they go through the firewall and make a decision on whether to allow or deny them.”
According to Stiennon, today’s top firewall vendors will have to scramble to offer this capability. In the meantime, several smaller vendors, such as Tipping Point, NetContinuum and IntruVert, already are developing and offering technology to ensure port 80 security. He said these firms’ products use hardware acceleration, enabling them to handle larger volumes of data — on the order of multi-gigabit traffic. Unlike traditional firewalls, they also can examine entire data packets, rather than just the headers, to determine if a packet contains malicious code.
Total Intrusion Detection
The other key feature that advanced firewalls include is sometimes referredto as the security service switch. When a firewall intercepts the individualpackets that comprise a message sent over a network, it reassembles them tocheck for protocol validity. If that firewall includes a network security switch, it not only reassembles the packets, but also scans each message forviruses, providing a total intrusion detection package.
“You will start seeing more firewall applications that operate this way,” the Yankee Group’s Ogren said.
According to NetScreen’s Philip, CIOs mulling over a firewall purchase should ask themselves several questions:
The Pricing Factor
Although IT buyers need to consider ease of use and other features when choosing a firewall, price is also a factor. “Standard pricing is about $20,000 for an enterprise-level firewall, including hardware and software,” Stiennon said. However, he noted, a firewall that enables high throughput and can serve a large network could cost $50,000 or more.
Philip said NetScreen’s offerings range from approximately $500 for a small office platform to more than $200,000 for the highest-end solution. In between are several price points. The NetScreen-204, a 400-meg firewall with four ports, starts about $10,000.
A higher-end offering, the NetScreen-500, provides modular interfaces and enables more segmentation, as well as “multiple separate firewalls running on the same hardware platform. The price point for that starts at around $25,000,” Philip said. “And then we have the 5000 series platform, which is a multi-gigabit platform … that can range from approximately $8,000 to over $200,000, depending on how [it is] configured and deployed.”
When all is said and done, if the cost of firewalls seems steep, an IT manager might do well to consider the potential impact of catastrophic data loss.