The firewall industry split into two camps in the early '90s. On one side was the traditional proxy-based firewall
gang; on the other were some upstarts, led by Check Point Software Technologies, looking for faster technology and greater flexibility with packet-filtering. The debates were furious, the mud-slinging intense, but the market eventually sided with Check Point. Today, stateful packet-filtering firewalls account for more than 90% of the market. The technology is so commonplace that packet filtering is built into $99 SOHO devices.
However, the proxy firewall folks haven't rolled up their tents yet. They continue to sell product because their basic argument holds true: Proxy firewalls, with two independent TCP connections for each application, can be more secure than packet filters. With no IP-layer packets passing directly between the inside and the outside, proxies are inherently immune to most kinds of reconnaissance and spoofing attacks. Proxy-based firewalls can easily do all kinds of application-layer validity checking, antivirus scanning and content filtering, as well as granular access control, because they are truly aware of the application data flow. This is particularly important given the rise in application attacks over port 80.
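To make the two-connection model concrete, here is an added example (not code from the article or from any vendor's product): a minimal application-aware HTTP proxy in Python that terminates the outside connection, inspects the full request, and only then opens an independent second TCP connection toward the inside. The policy values (permitted methods and hosts) and the `connect_upstream` callable are assumptions constructed for the example.

```python
import re
import socket

# Constructed policy (assumption): what an application-aware proxy might enforce on port 80.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}
MAX_REQUEST_LINE = 2048
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[^ \x00-\x1f]*) HTTP/1\.[01]$")

def inspect_http_request(raw: bytes):
    """Return (allowed, reason). Unlike a packet filter, the proxy holds the whole
    request and can judge it before a single byte reaches the inside."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete headers"
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target = m.group(1).decode(), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if b".." in target:
        return False, "dot-dot sequence in path"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").split(b":")[0].decode(errors="replace")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not permitted"
    return True, f"{method} {target.decode()} to {host}"

def proxy_handle(client: socket.socket, connect_upstream):
    """Relay one request. The outside TCP connection (client) is fully read and checked;
    only an allowed request causes connect_upstream() to open the second, independent
    TCP connection toward the inside. No IP packet crosses between the two sides."""
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) < 64 * 1024:
        chunk = client.recv(4096)
        if not chunk:
            break
        raw += chunk
    allowed, reason = inspect_http_request(raw)
    if not allowed:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        return False, reason
    upstream = connect_upstream()          # second connection, opened by the proxy itself
    upstream.sendall(raw)
    client.sendall(upstream.recv(65536))   # relay the inside's reply back out
    upstream.close()
    return True, reason
```

The same function can be driven from a real listening socket; the test below uses `socket.socketpair()` so it runs offline.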
"For granular control, HTTP is the most important [protocol] to us due to application-level attacks," says Rob Leggett, senior security analyst for Chicago-based Clearing Corporation, which deploys CyberGuard firewalls to secure futures trading transactions by verifying matches between buyers and sellers. "Obviously, this becomes more and more important as our business grows, as the number of Web-based applications increase and as other attacks rise."
Packet filters excel at speed and scalability. It takes very little CPU power and not much memory for a packet-filtering firewall to run rings around a high-end, high-priced proxy firewall. While proxy-based firewalls were struggling to meet the needs of companies with their newfound Internet T1 lines, packet filters stepped up to the challenge and quickly dominated the market.
The trade-off between security and performance has been acceptable to many network managers. Nevertheless, proxy firewalls continue to have a following, especially in the most conservative and security-aware organizations: government, military, financial services and health care. Proxy firewall vendors, sensitive to their performance constraints, have added packet filtering where appropriate.
The sharp rise in application-layer security attacks has revived the debates. After years of considering simple access control "good enough," many security managers are demanding the granular, powerful application-layer controls found in proxy firewalls to compensate for poorly written applications.
So, it's no surprise that packet-filter firewall vendors are building application-layer controls into their products, as we found in our testing. Although the products will never look like each other on the inside, they are moving to meet a common standard of security.