
NETWORK SECURITY TACTICS

Q&A: Developments in firewalls


Crystal I. Ferraro, Editor
03.15.2004




In a recent SearchSecurity webcast, speaker Joel Snyder, Senior Partner for Opus One, addressed technological developments in application-layer firewalls based on his research for sister publication Information Security magazine. Here he answers a few of the user-submitted questions he didn't have time to answer during the broadcast. If you missed our webcast, Application-layer firewalling: Raise your perimeter IQ, or would like to review it, you may listen to the webcast on-demand or download Joel's presentation without audio.


Why aren't firewalls blocking spyware?

Well, depending on your definition of spyware, they are. Firewalls give you the granular control you need to block incoming and outgoing traffic. The products we reviewed go deeper into the protocol and can block things that look like HTTP but aren't. Look at the table with the Information Security magazine article for features such as "HTTP Header Filtering," for example.


I thought that proxy makers didn't just claim more control but more security (even in the absence of more control), because of RFC enforcement and other things that they can never seem to explain. Please comment.

They do continue to make this claim. What has not happened is a consensus on whether the additional security is useful or not. Taking an example from the physical world, if I put a safe inside of another safe, it's more secure, isn't it? But is that second, inner safe needed? Is the cost/benefit ratio there? I think that this debate has continued and will go on forever. For some enterprises, the cost/benefit ratio is there; for others, it's not. In general, the marketplace has voted with its dollars in favor of products based on stateful-packet filtering over proxies. But the proxies still have a significant market. Folks like Secure Computing and WatchGuard and CyberGuard are all still in business.
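The two answers above turn on the same idea: an application-layer firewall or proxy does not just match ports, it checks that what arrives on port 80 actually conforms to the HTTP grammar ("RFC enforcement") and can then apply header-level policy. The following is an added illustration written for this page; it is not code from the webcast, from Joel Snyder or from any of the products reviewed. It validates the request line and header block of a raw request the way such a device might, drops payloads that merely ride on port 80 without being HTTP, and applies a small, constructed header deny-list. The sample requests, the allowed-method set and the `DENIED_HEADERS` policy are all assumptions made for the example.

```python
"""Added example: minimal HTTP request-conformance check of the kind an
application-layer firewall applies before forwarding port-80 traffic."""
import re
from typing import Dict, Tuple

# RFC 2616 "token" characters: printable ASCII minus the separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rf"^({_TOKEN}) (\S+) HTTP/(\d)\.(\d)$")
_HEADER_LINE = re.compile(rf"^({_TOKEN}):[ \t]*(.*?)[ \t]*$")

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
DENIED_HEADERS = {"proxy-connection", "x-debug"}   # constructed site policy
MAX_HEADER_BYTES = 8192                            # constructed limit


def validate_http_request(raw: bytes) -> Tuple[str, str]:
    """Return ('pass', summary) or ('drop', reason) for one raw request."""
    # An HTTP header block must end with a blank line within the size limit.
    if b"\r\n\r\n" not in raw[: MAX_HEADER_BYTES + 4]:
        return "drop", "no header terminator within limit"
    head, _body = raw.split(b"\r\n\r\n", 1)
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        # Binary protocols tunnelled over port 80 usually fail right here.
        return "drop", "non-ASCII bytes in header block"
    lines = text.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return "drop", "malformed request line"
    method, target, major, minor = m.groups()
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = _HEADER_LINE.match(line)
        if not h:
            return "drop", f"malformed header line: {line!r}"
        name = h.group(1).lower()
        if name in DENIED_HEADERS:
            return "drop", f"header {name} denied by policy"
        # Conflicting framing headers are a classic protocol anomaly.
        if name == "content-length" and name in headers:
            return "drop", "duplicate Content-Length"
        headers[name] = h.group(2)
    if (major, minor) == ("1", "1") and "host" not in headers:
        return "drop", "HTTP/1.1 request without Host header"
    return "pass", f"{method} {target} HTTP/{major}.{minor}"


# Constructed sample payloads, as a firewall might see them on port 80.
SAMPLES: Dict[str, bytes] = {
    "valid_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: test\r\n\r\n",
    "http10_no_host": b"GET / HTTP/1.0\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: test\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_3.8\r\n\r\n",
    "binary_on_80": b"\x16\x03\x01\x00\x05\x80\x81\r\n\r\n",
    "denied_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"X-Debug: 1\r\n\r\n",
    "dup_content_length": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                          b"Content-Length: 5\r\nContent-Length: 10\r\n\r\nhello",
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: validate_http_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in run_samples().items():
        print(f"{name:20s} {verdict:5s} {detail}")
```

The point of the example is the cost/benefit question in the answer: the checks are cheap and catch the "looks like HTTP but isn't" case, but every one of them is a policy choice (which methods, which headers, what limit) that a stateful packet filter never has to make.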





What capabilities exist in the latest firewall products to break and re-establish SSL encryption so application scanning of encrypted HTTP is possible?

None in the products I tested, but I don't know about all firewalls out there. The companies I spoke with were more than circumspect about that -- they think that even if they have the capability to decrypt encrypted SSL that this may not be a good idea. It may be a more dangerous tool than should be given to most companies.

Your question is actually a bit different. You're asking about possibly setting up two SSL sessions. That's very common -- all the SSL VPN vendors are doing that already. But I'm guessing you're more interested in maintaining end-to-end integrity and decrypting the data on the fly.

Do you think that this is an important feature? Are you concerned that your SSL-based Web server is vulnerable to attack? Or are you worried about end users going out on the Internet using encrypted traffic that you can't evaluate for proper policy compliance?


Have any firewalls added intelligence to evaluate or alert on poor firewall rule sets?

Not the ones I looked at. I would be a bit surprised if the firewall itself had done that. But I've been surprised before.
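Rule-set evaluation of the kind the question asks about is straightforward to do outside the firewall. What follows is an added example for this page, not code from any product reviewed or from the webcast: it takes an ordered list of rules and reports three common defects, a later rule fully covered by an earlier one with the opposite action (shadowed), a later rule covered by an earlier one with the same action (redundant), and a blanket allow, plus a missing final deny-all. The `Rule` fields, the sample rule set and the finding strings are constructed for the example; it assumes IPv4 CIDRs and matches on protocol, source, destination and destination port only.

```python
"""Added example: static audit of an ordered firewall rule set for
shadowed, redundant and over-permissive rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # IPv4 CIDR or "any"
    dst: str               # IPv4 CIDR or "any"
    dport: Optional[int]   # None means any destination port


def _net(cidr: str):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _net_covers(outer, inner) -> bool:
    """True if every address in `inner` is also in `outer` (None = any)."""
    if outer is None:
        return True
    if inner is None:
        return False
    return inner.subnet_of(outer)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching rule b would already match rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    port_ok = a.dport is None or a.dport == b.dport
    return (proto_ok and port_ok
            and _net_covers(_net(a.src), _net(b.src))
            and _net_covers(_net(a.dst), _net(b.dst)))


def _is_blanket(r: Rule) -> bool:
    return r.proto == "any" and r.src == "any" and r.dst == "any" and r.dport is None


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings, in rule order."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action == "allow" and _is_blanket(r):
            findings.append(f"{r.name}: permissive allow any/any")
        # First-match semantics: an earlier covering rule decides the packet.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append(f"{r.name}: {kind} by {earlier.name}")
                break
    if not rules or rules[-1].action != "deny" or not _is_blanket(rules[-1]):
        findings.append("rule set: no explicit final deny-all")
    return findings


# Constructed sample rule set with one defect of each kind.
SAMPLE_RULES: List[Rule] = [
    Rule("R1", "allow", "tcp", "any", "10.0.0.0/24", 443),
    Rule("R2", "allow", "tcp", "any", "10.0.0.0/8", None),
    Rule("R3", "deny", "tcp", "192.168.1.0/24", "10.0.0.5/32", 22),  # shadowed by R2
    Rule("R4", "allow", "tcp", "any", "10.0.1.0/24", 80),            # redundant with R2
    Rule("R5", "allow", "any", "any", "any", None),                  # blanket allow
    Rule("R6", "deny", "any", "any", "any", None),                   # never reached
]


def audit_sample() -> List[str]:
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

The interesting result on the sample is the last one: the final deny-all is present, so a naive "ends with deny" check passes, yet the rule is shadowed by the blanket allow just above it and never fires.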


What do you think of the DoD common criteria process?

At the high end, having certification is generally a waste of time and money. It becomes largely a paper chase of getting certification for operating at some level below where you already are. Thus, high-end products go far beyond the basic common criteria. However, at the low end, there are products that cannot meet the basic levels required not just in DoD, but in all sorts of other certification programs. So it is a reasonable barrier.

My impression is that every high-end product vendor gets these certifications because they are required as part of the purchasing process by some large customers, but that most consider it a waste of time. On the other hand, it does keep the riff-raff out. So it's both good and bad, in my opinion.







