How will Cloud, virtualisation and SDN complicate future firewall security?

Vendors crave the "thumbs-up" from the influential Gartner consultancy or vie to beat competitors in technical evaluation tests

The firewall in decades past was mainly the port-based guardian of the Internet. Now vendors are vying to build so-called "next-generation firewalls" that are "application-aware" because they can monitor and control access based on application use.

In addition, more and more features have been packed into many firewalls that include intrusion-prevention systems (IPS), web filtering, VPN, data-loss prevention, malware filtering, even a threat-detection sandbox to try and uncover zero-day attacks. When it comes to the standalone IPS, it might be called "next-generation IPS" as well due to its application controls, such as the IBM Network Security Protection XGS 5000, or the McAfee NS-Series.

[SECURITY:How you are being watched?]

[Check Point, Juniper, Stonesoft shine in low-end network firewall test]

It's all part of the race among the firewall/IPS vendors to try and stay ahead of the pack as they also push for ever-higher throughput to satisfy the need for speed as datadentres, which have undergone virtualisation, making higher bandwidth in the firewalls a necessity.

Vendors crave the "thumbs-up" from the influential Gartner consultancy or vie to beat competitors in technical evaluation tests, such as those done by NSS Labs or Neohapsis Labs. But in the end, it's all to win the approval of buyers such as Rusty Agee, who's information security engineer for the City of Charlotte, N.C., which makes use of a wide array of firewalls.

"Firewalls have evolved," says Agee, and when it comes to function and speed in firewalls and IPS, "I'm always looking for more."

Data-center virtualization, the increased use of mobile devices and the prospect of the city adopting a "Bring Your Own Device" (BYOD) policy are some of the reasons Agee stays open to new possibilities to protect data at the various government agencies. The city's fire and police departments have started using tablets and smartphones and a BYOD migration policy is now being considered, he points out.

City employees that use mobile devices are making use of the Cisco AnyConnect client to establish a VPN-type connection back to the city's Cisco ASA firewall, according to Agee. Along with other Cisco firewalls and standalone Cisco IPS, the city also makes use of Check Point firewalls and standalone IPS to cordon traffic to critical servers, data centers, Internet access and the city's wireless network.

But multi-vendor firewall/IPS in the city's network doesn't stop there. The city also has the Palo Alto Networks Next-Generation Firewall to monitor and control employee use of applications. Plus, the city uses the F5 Networks application firewall to look for attack traffic against Web servers. Agee says the city of Charlotte has centralized log management for these security devices with LogRhythm's security information and event management.

"Our firewalls dump hundreds of thousands of logs per day into LogRhythm," says Agee, who adds the city government also at times receives feeds related to security alerts from federal sources as well. Centralizing firewall and IPS log feeds, along with server logs, helps the city security staff determine from a single point what's a network-security issue that might involve an attack vs. an employee Web use issue that would be better handled by human resources or management.

Finding such a broad mix of vendor firewalls in one organization may be the exception, not the rule. Gartner analyst Greg Young, speaking at the Gartner Security and Risk Management Summit in June, said Gartner sees most organizations stay with a single vendor. And when it comes to next-generation firewalls (NGFW), for which Gartner has been a strong advocate, it's estimated that less than 8% of organizations use NGFW today, though that number is expected to climb well above 30% within five years.

Young also noted that it's apparent that SSL VPN is moving completely into the firewall and is fading out as separate standalone SSL VPN boxes.

Firewalls and IPS, in fact, seem to be able to live almost anywhere. One example is the Fortinet Secure Wireless LAN, which is basically a wireless-access point and switch integrated into a unified threat management device supporting firewall and IPS capability. According to Fortinet Vice President of Marketing John Maddison, it's popular in retailing in store chains where it's a cost-effective way to get wireless coverage and security combined.

Restaurant chain Jack-in-the-Box recently deployed 650 of the FortiWiFi-60CS devices that combine wireless access and firewall/IPS in hundreds of its restaurant chain locations. Jim Antoshak, director of IT there, says the older wireless points in the Jack-in-the-Box restaurants can now be retired, and the Fortinet gear will be a compact combination of wireless and security.

An argument?

One debate centers around two main questions: Is a multi-purpose firewall/IPS as effective as a standalone appliance? What about a security module in a switch or router?

HP, like Cisco and Juniper, offer security modules for firewalling and intrusion-prevention that can work in the vendor's switches and routers. But Rob Greer, vice president and general manager for enterprise security products at HP TippingPoint, says when it comes to intrusion-prevention, the main deployments HP sees are as dedicated, standalone appliances. And this is generally considered the best approach for the HP next-generation application-aware IPS in terms of performance and granular controls, he notes.

Mike Nielsen, senior director, network security and product marketing at Cisco, says the vast majority of what Cisco sells in firewalls and IPS are "dedicated security appliances." The ASA 5585-X Series in its Adaptive Security Appliance line is described as having 40Gbps firewall throughput which Nielsen says can be pushed to 80Gbps for IPS, which includes an application-controls feature. This is the main element that lets it be called a "next-generation firewall," according to the Gartner definition.

Jason Brvenik, vice president of security strategy in the technology research group, at Sourcefire, argues that "dedicated devices give you freedom as an organization to respond to the latest evolving threat."

Fred Kost, Check Point's head of product marketing, says customers that require high throughput and low latency typically decide on dedicated functionality. But he points out that the small-to-midsized business customers often find multi-purpose firewall gateways and the unified threat management devices adequate. Check Point, also jockeying for the "next-generation" title, recently added a "threat emulation blade" as a firewall module. It can safely "explode" files in a sandbox to try and uncover zero-day attacks. It tackles a similar problem that Palo Alto takes on with its Wildfire threat-detection in its next-generation firewall.

The sandbox idea is catching on. McAfee just acquired firewall/VPN/IPS vendor Stonesoft as well as ValidEdge for its sandboxing technology.

NSS Labs analyst Iben Rodriguez says tests of firewalls and IPS indicate there can clearly be performance and efficiency drawbacks to running multiple security services on a firewall. Neohapsis Labs head of research Scott Behrens sums up a common-sense approach to the question: "If I'm the buyer, I need to ask, "Does this bundle line up with what are my enterprise needs?"

In Utah's Weber County government, where Matt Mortensen is Ogden's information security officer, the firewall/IPS throughput needs are not more than about 10Gbps, and the multi-purpose Dell SonicWall Network Security Appliance E8500 models with IPS, URL filtering and anti-virus have been a good right fit in the mid-range to support the network used by the county's 1,200 employees, though there are plans to upgrade to the more powerful SonicWall 9400. The county also maintains a few Cisco ASAs, including the Cisco ASA 5505 firewall dedicated to connections with the wider world of law enforcement for things such as telecommunications wiretap data.

Some valuable uses for the SonicWall firewalls have been application controls to block Skype or sometimes Java in some cases for security reasons. Mortensen also uses SonicWall for bandwidth throttling.

"I also do geo IP filtering, not allowing users to go to certain places, such as Eastern Europe, South America or China," says Mortensen, pointing out the Utah county has no business need to, and blocks it for security reasons. The county also does inbound geo-IP filtering, too. Mortensen has also set up the firewall to do egress filtering to watch for signs of botnet activity.

The world of the Internet is now perceived as so dangerous, that even the most open-minded of universities feel they are forced to clamp down. That's what Massachusetts Institute of Technology decided last April as part of an overall revised security strategy in the wake of a fake bomb threat.

"Today, systems on the MIT network are subjected to thousands of unauthorized connections per day from nearly every country around the globe and, as a result, MIT sees more than 10 compromised user accounts each day," the MIT memo to its Academic Council said in April, explaining MIT was going to start block traffic originating from outside MIT's network based on firewalling infrastructure.

Will the firewall and IPS fall short in the future?

The firewall and IPS have proven versatile, available not only as hardware appliances but as software too, sometimes specifically designed to push security into virtualized desktop and server environments based on VMware, Microsoft HyperV, Red Hat's Kernel Virtual Machine (KVM) or the open-source Xen hypervisor (which Citrix recently donated to the Linux Foundation). VMware -- to the dismay of some firewall vendors -- has itself jumped in over the past few years with software-based virtualized firewalling controls of its own.

Check Point's Kost acknowledges, "Virtualization is creating a new challenge. What we're seeing is they need a lot more firewalls," noting the Check Point 21000 and 61000 represent Check Point's push to support VMware-based networks. VMware itself has "VCloud Networking and Security" that can be used to establish VM-based firewalls.

All of this raises the question who's in charge of firewalls and IPS these days anyway, points out Sourecfire's Jason Brvenik, vice president of security strategy in the technical research group at Sourcefire.

Virtual machine-based approaches to firewalling and IPS are growing

WatchGuard Technologies just last month introduced Hyper-V support to its XTMv unified threat management platform, for example. Karim Toubba, Juniper Networks vice president of products and strategy, is adamant in declaring "the firewall now has to be a virtual form factor, it can no longer be that box," noting Juniper's approach supports KVM and VMware. "The perimeter has become elastic, and in private cloud environments, we expect the firewall to be elastic."

Nielsen says Cisco has the ASA 1000-V Cloud Firewall.

Sourcefire, which shipped its first Next-Generation Firewall this spring called FirePower, has also developed a way to filter hypervisor traffic from Xen, KPM and VMware workload environments, says Brvenik. But he acknowledges there can be performance challenges in comparison with more traditional IPS.

Chris King, of Palo Alto Networks, says it's increasingly common to see customers simultaneously using both its physical and virtualized next-generation firewalls.

But NSS Labs analyst John Pirc cautions that hypervisor-based firewalls and IPS are considered to still be fairly new overall and one issue is that firewall/IPS vendors don't always support multiple virtualization platforms. NSS Labs will likely test virtual-machine-based security this year in its labs.

However, it appears that virtualized firewalls constitute less than 5% of the overall firewall market today, according to Gartner. Young says virtualized firewalls tend to complicate situations if only because of "boundary" quarrels over whether they will be managed by the network operations group or the server operations group. "There's complexity of who owns what in this virtualized version," he pointed out.

The rise of cloud-based computing as the enterprise sends data and the processing of it into the networks of cloud-service providers, whether they be platform-as-a-service, infrastructure-as-a-service and software-as-a-service, is also raising questions about the future of the firewall and IPS. Today, there's little cooperation with what you do in a service such as Amazon and what you do on premises, Young says. Today, the firewall and IPS largely remains on premise.

At the same time, the advent of Software Defined Networking and the use of CloudStack and OpenStack are being watched by the security industry as well.

"It's a disruptive shift," acknowledges Toubba, but says Juniper believes software-based firewalling, among other security services, can be adapted to SDN and cloud technologies.

Simon Crosby, founder and CTO at start-up Bromium -- who was also founder and CTO at XenSource before it was acquired by Citrix -- scoffs at the idea that traditional firewalling and IPS (or "next-generation" anything) is the answer. He says public cloud technologies and OpenStack are among the forces pushing things to the breaking point.

The security industry is largely "bankrupt" and vendors "lie," Crosby declares, warning "anything that asserts it can detect an attacker is fatally flawed." He claim a  better approach to virtual machine security is going to be done through CPU-based protection and "hardware isolation" that make use of built-in Intel and ARM chip security functions in a novel way. Bromium's vSentry virtualization security works like a VM within a VM to isolate and then "throw away" attack code targeting Windows.

Whether newer ideas such as these catch fire remains to be seen.

SDN, an upcoming technology, doesn't mean physical switches are going to go away, says Gartner's Young, noting this still immature form of networking will mean new ways to orchestrate applications and automate service chaining through controllers. The problem, however, is that it will certainly impact what is done with firewalls today and at this point there really doesn't appear to be a solid security model for SDN. "Current SDN security mechanisms are effectively non-existent," Young said.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Tags Data Centervirtualizationmcafeehardware systemsConfiguration / maintenanceWide Area NetworkFirewall & UTMStonesoft

Show Comments