Traditionally, every enterprise deployment has a firewall as the first line of defense, protecting assets from common Internet-sourced threats.
In most firewall deployment scenarios, firewalls act as gatekeepers, limiting access to only those services over the Internet that the enterprise feels are necessary. At a basic level, access is controlled by rules, which list the asset, and by the service that is permitted to be accessed from a specific location. These rules are determined based on the function of the asset.
Typically, enterprises have followed a split-architecture design with Internet-accessible servers separated from the corporate assets in a particular isolated network segment. This segment is traditionally known as a "demilitarzied zone" (DMZ). The isolation is achieved by dedicating a network interface of the firewall to these servers. Direct access to assets outside of those hosted in the DMZ is not permitted. These assets typically include corporate workstations, critical server components like domain controllers, email servers and enterprise applications. Assets hosted on the DMZ segment typically include Internet-accessible applications, such as Web interfaces, mail exchanges, mail relays and public drop boxes, among others. Access between assets on the DMZ and corporate segments is strictly controlled.
Compare this architecture to that of an enterprise's hosted environment and you will notice many similarities in the approach to access control. An example of a hosted environment could be an enterprise's e-commerce platform, hosted by a third party. Such deployments typically have a DMZ segment hosting the Web heads (Web servers in a three-tier architecture that includes Web, application and database servers). For high-traffic environments, a load balancer handles all connection hand-offs from the firewall's Internet interface, directing traffic to the Web server with the least load. The application and database servers are hosted on separate segments with access rules restricting access between the Web, application and database tiers.
In both these environments, the firewall serves as the primary defense mechanism, controlling which assets are accessible while providing rudimentary protection against attacks at the network layer. The firewall in this traditional form is not sufficient to offer protection against some of the more pervasive types of security threats, which typically involve weaknesses within applications (layer 7) rather than weaknesses in the realm of the network (layer 3) that traditional firewalls are designed to protect. To cope with these threats, traditional firewall products at corporations and hosted facilities have been augmented with products that specifically target application attacks and malware threats.
Below, let's explore a few contemporary types of firewall deployment scenarios that are designed to thwart application attacks and emerging malware.
Firewalls for outbound traffic monitoring
In corporate environments, though, where firewalls are designed to control access into and out of the environments, traditionally outbound Web access is permitted uncontested. This opens up the corporation to malware due to client-side threats targeting a user's browser. To counter this threat, most traditional firewall products have been augmented with Internet access management features (inline or proxy-based) that specifically monitor outbound access. This is because, though the firewall can control which ports users are allowed to access from within a corporation, they are insufficient at controlling the content that is accessed. With client-side exploits being a major threat in corporations, such updated protection is crucial.
Application-layer content inspection
Traditional firewall vendors are now offering appliances that provide application-layer content inspection combined with antivirus -- malware detection capabilities co-existing with a traditional firewall, all on the same chassis. These devices, in addition to monitoring traffic for malicious content, also block access to sites hosting questionable content. Of course, these products should not be considered a replacement for traditional host-based protection mechanisms like antivirus, antispam or any other endpoint security solution.
Web application firewalls
In the hosted environment specifically, Layer-7 monitoring could take the form of Web application firewalls, which specifically focus on application-layer attacks that target Web and application services. In addition to protecting against traditional Web attacks like cross-site scripting and SQL injection, these devices have the ability to understand traditional client behavior (i.e., users who interact with the site), and can track and prevent behavior that deviates from the norm. Web application firewalls are currently available as add-on modules to the traditional firewall chassis to offset any performance shortfalls of added Layer-7 traffic monitoring. This is not to say a Web application firewall can replace the traditional firewall in a hosted environment; traditional segmentation of the various tiers is still crucial.
Virtual firewall deployments
This approach can be extended to virtual hosted platforms as well. Without going into details (a topic in itself), segregating virtual platforms requires firewall separation to be enforced at the hypervisor, thereby controlling access to different virtual instances on the same physical platform. This VM-to-VM security enforcement can be further augmented with a combination of traditional and Web application firewalls. In such deployments, the traditional firewall will still have a part to play, though at a more macro level, enforcing separation/protection between farms of virtual servers. Layer-7 protection can then be enforced on those segments deemed sensitive or critical to the business.
In conclusion, given the threat landscape, designing a secure hosted or corporate environment should include augmenting firewalls' traditional network-specific defense with a combination of host and network-based protection focusing at the application layer: Having only a layer 3 device protecting critical portions of the network is no longer sufficient.
About the author:
Anand Sastry is a Senior Security Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems. He tweets at http://twitter.com/cptkaos.