This article can also be found in the Premium Editorial Download "Network Evolution: Adopting an application-centric architecture."
Download it now to read this article plus other related content.
Firewalls have been the predominant form of security for Internet-connected networks for some 25 years now. While the technology remained largely unchanged for much of that time, more recently a new generation of "application-aware" firewalls has emerged to deal with today's application-centric threats.
During this last quarter century, attackers have moved from targeting operating systems to targeting the applications that run on them, moving up the protocol stack to use protocols such as HTTP and XML to launch sophisticated attacks. These attacks are designed to circumvent the traditional access control policies enforced by perimeter firewalls. In turn, firewalls have added more functionality to be able to operate on all layers of the protocol stack, from layer 2 to layer 7, inspecting traffic and analyzing protocols to thwart the latest attack techniques.
Firewalls have traditionally been based on a "block or allow" model: "Bad" packets are blocked by the firewall, and any packets that don't violate rules are deemed "good" and allowed to pass through. However, today, with the emergence of Web 2.0 technologies, organizations needs a firewall that is able to distinguish between different risks within a website's features and content, and apply policies accordingly.
Many organizations resort to restricting employees' use of certain Web applications altogether, losing out on the potential benefits of Software as a Service (SaaS) and other cloud and mobile apps. These decisions often arise because of installed firewall technologies not being able to effectively enforce security policies as they can't put content into context.
The new generation of firewalls, such as SonicWall Inc.'s E-Class and McAfee Inc.'s Firewall Enterprise, are far more context-aware, enabling network administrators to fine tune network traffic rules. The key features include:
Real-time visualization: Create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Monitor how rule changes affect productivity and security and really understand how your network is being used.
Greater levels of granular control: Apply rules to specific applications rather than trying to rely on generic port or protocols. Ensure critical applications such as Microsoft SharePoint and Salesforce.com get the bandwidth required and review the impact of rule changes via live graphs.
Easy implementation of complex rules: Avoid draconian "block all" rules and use more flexible ones, such as "Facebook but no Farmville," and "Facebook can only use less than 10% of connections and bandwidth during business hours." Also restrict access to certain applications to specific groups or users.
Automatic signature updates: Block dynamically changing applications such as P2P, designed to evade firewall rules, with automatic updates of application signatures regardless of the port or protocol being used.
- Control data transfers: Warn users with messages whenever they try to transfer specific files and documents that conflict with policy.
The introduction of real-time visualization makes implementing and regulating such specific rules much easier. Visualization of network traffic makes it easier to create effective rules that perform as intended based on real-time information and observations, such as bandwidth utilization or sites visited by a user. Rules can be applied to specific applications rather than trying to rely on generic port or protocols and the business impact of rule changes can be reported back via live graphs.
Application-aware firewalls: Can they do it all?
These next-generation capabilities of enterprise application-aware firewalls work alongside the standard gateway antivirus, antispyware and intrusion prevention features of standard firewalls or UTM appliances. It takes a lot of processing power to be able to deliver this level of insight and control, evaluating traffic payloads in real-time as they enter and exit the network. It takes a lot of processing power to be able to deliver this level of insight and control, evaluating traffic payloads in real-time as they enter and exit the network. Even though these firewalls run on multi-core processors, it's important to ensure they will be able to handle your current and future network traffic loads.
For high-volume networks, it still pays to install firewalls that specialize in different layers. Network firewalls can filter large amounts of traffic, catching the port-scanning, denial-of-service and other low-level network attacks, leaving the application-aware firewalls to control acceptable use of today's complex Web applications. This way, the right balance between performance and in-depth analysis can be achieved from an organization's firewall infrastructure.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
This was first published in January 2011