Is it time to fire your firewall’s lazy, no good butt?

earthwave team is a guest blogger


Imagine if one of your employees who reports to you became lazy and no longer did their job very effectively. You’d more than likely fire him or her. Did you know that your firewall has ceased to do its job? Yet you probably haven’t fired it, have you?

Before you think I am crazy… let me explain.

We’re going to go on a journey back to about 1994 when firewall technology was relatively new. The firewall was designed to control access to applications. It was the all-important gatekeeper controlling what applications users could use. But, of course, things were simpler back then. Those were the days when users typically were identifiable by an IP address and applications were identifiable by a port number. Web applications for instance used port 80; email applications used port 25 and terminal type applications used port 23. A brilliant concept for its time and the firewall became an instant success. Today almost every organisation on the planet would have a firewall.

Over time, application vendors grew tired of the increasing number of support calls stating that their applications were not working. In fact it was not a case of the application failing to work; the firewall had been configured to block access to it. Application vendors became wise to this and started making applications that evaded firewalls. Today we have two types of firewall-evading applications:

  1. Those which use a port like 80 or 443 which is almost always allowed to pass through the firewall.
  2. Those which use port hopping to discover any open port and find a way to pass through the firewall.

Popular applications such as Mediafire, Facebook, Twitter, Salesforce, BitTorrent, Skype, AIM and KaZaA fit into one or both of these categories. Now here comes the dilemma. If you try to block Skype, for instance, with your firewall, you would end up blocking all of these applications as well as email and web browsing. It has very much become an all-or-nothing scenario when it comes to using the firewall to control access to applications. Organisations want flexibility. They want to select which applications are allowed and, furthermore, which features within those applications can be used. How many times has your organisation wanted to allow access to, say, Facebook, but not wanted employees posting corporate secrets on Facebook or playing games on Facebook during business hours? We no longer live in a black-or-white, deny-or-allow world these days, so the firewall with its basic, overly simple deny-or-allow policies, I am sorry to say, needs to be FIRED!

Some organisations have become more dependent on their intrusion prevention system for better detecting applications, but it pays to keep in mind that this is not its job. Its job is to detect and prevent threats from traversing the network. Don’t try to make a square peg fit a round hole!

Add to this the other issue of identifying users. Users tend to have changing IP addresses, so it is essential to identify a user by username and password. Only then can we effectively track users, and when we combine this with true application detection we once again have a gateway that controls user access to applications.

What is required to solve these problems of identifying applications and users today, and of applying policies that reflect whether specific features within an application can be used, is the replacement for your tired, old fashioned, lazy firewall – a next generation firewall.
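To make the contrast concrete, here is an added example (written for this post, not the authors’ or any vendor’s code) that evaluates the same set of flows under two policy models: a port-only rule table like the 1994-era firewall described above, and a policy keyed on an identified application, the user’s group and the feature in use. The application and feature labels on each flow are assumed to have been produced by some inspection engine upstream; the users, groups, rule table and sample flows are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One connection as the gateway sees it.

    `app` and `feature` are assumed to come from an upstream inspection
    engine; None means the engine could not identify them.
    """
    user: str
    dst_port: int
    app: Optional[str] = None
    feature: Optional[str] = None

# --- Model 1: classic port-based policy (port number -> action) ---
PORT_POLICY = {80: "allow", 443: "allow", 25: "allow", 23: "deny"}

def port_based_decision(flow: Flow) -> str:
    """Only the destination port is consulted; unknown ports are denied."""
    return PORT_POLICY.get(flow.dst_port, "deny")

# --- Model 2: application- and user-aware policy ---
# Constructed directory mapping a username to a group.
USER_GROUPS = {"alice": "marketing", "bob": "engineering"}

# Ordered rules: (group, app, feature, action). None acts as a wildcard.
# First match wins, so the specific "deny" rules sit above the broad "allow".
APP_POLICY: List[Tuple[Optional[str], str, Optional[str], str]] = [
    ("marketing", "facebook", "post", "deny"),   # no posting from marketing
    ("marketing", "facebook", "games", "deny"),  # no games either
    ("marketing", "facebook", None, "allow"),    # but browsing is fine
    (None, "skype", None, "deny"),               # blocked regardless of port
    (None, "bittorrent", None, "deny"),
    (None, "web-browsing", None, "allow"),
    (None, "smtp", None, "allow"),
]

def app_aware_decision(flow: Flow) -> str:
    """Match on who the user is and what the traffic actually is.

    Anything that cannot be attributed to a known user or identified as a
    known application falls through to deny, even on port 80 or 443.
    """
    group = USER_GROUPS.get(flow.user)
    if group is None or flow.app is None:
        return "deny"
    for rule_group, rule_app, rule_feature, action in APP_POLICY:
        if rule_group not in (None, group):
            continue
        if rule_app != flow.app:
            continue
        if rule_feature not in (None, flow.feature):
            continue
        return action
    return "deny"

# Constructed sample flows covering both evasion styles from the post:
# riding on 80/443, and port hopping onto some other open port.
SAMPLE_FLOWS = [
    Flow("alice", 443, "skype"),                 # Skype hiding on 443
    Flow("alice", 443, "facebook", "post"),      # posting to Facebook
    Flow("alice", 443, "facebook", "browse"),    # just reading Facebook
    Flow("bob", 80, "bittorrent"),               # BitTorrent on port 80
    Flow("bob", 80, "web-browsing"),             # ordinary web traffic
    Flow("carol", 443, "web-browsing"),          # user not in the directory
    Flow("alice", 443, None),                    # unidentified app on 443
]

def compare(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, port-based verdict, app-aware verdict) for each flow."""
    return [(f, port_based_decision(f), app_aware_decision(f)) for f in flows]

if __name__ == "__main__":
    for flow, by_port, by_app in compare(SAMPLE_FLOWS):
        print(f"{flow.user:6} port={flow.dst_port:<4} app={str(flow.app):13} "
              f"feature={str(flow.feature):7} port-rule={by_port:5} app-rule={by_app}")
```

Running it shows the all-or-nothing problem directly: every flow on 443 gets the same "allow" from the port table, whether it is Skype, a Facebook post or an unidentified payload, while the application-aware table can let Alice read Facebook but not post to it and refuses traffic it cannot attribute to a known user or application.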

Tags: social media, next-generation firewall
