Firewalls should still be an integral part of any enterprise's cyber security strategy, and vendors of the hardware variety are redoubling their R&D to win more market share.
Firewall hardware is now evolving in line with two trends: one towards greater distribution of security across the enterprise with incorporation of intrusion protection, and the other tied to the growth of server virtualisation. This is blurring the traditional line between firewall hardware and software, yet at the same time preserving some distinct niches for each.
Firewalls are the network security systems that control incoming and outgoing data traffic by analysing the packets and determining whether they should be let 'through' or blocked, based on rules set by IT security policies, for instance. The growing sophistication of their functions, whether in hardware or software, also means that the firewall itself is overlapping more with intrusion detection systems (IDS) and even higher-level attack analysis. Firewalls are no longer just the first line of defence around the network perimeter deferring to IDS inside, but are also being deployed within the enterprise, although with the emphasis on protecting boundaries of some form.
Therefore we find firewalls now deployed between departments, segregating users according to internal policies, and also at points where the wired infrastructure meets wireless LANs (local area networks), which are more vulnerable to eavesdropping. And they are being used to protect branch offices, between application and database server farms in the data centre, and separating LAN switch ports from the Web.
In order to fulfil these functions, firewalls have incorporated application-level filtering and DPI (deep packet inspection) to make decisions over which data, services or applications should be allowed 'through', and which blocked. They need to be able to implement policies that can be updated, for example, to limit the number of requests that can be made in a given time to servers as protection against growing DDoS (distributed denial of service) attacks, and to identify when an application protocol, especially HTTP (hypertext transfer protocol) over the Internet, looks suspicious.
HTTP now accounts for about 75 per cent of Web traffic and has to be allowed through, usually via port 80, so firewalls must be able to inspect it closely and identify features such as overlength HTTP headers that might indicate an attack is taking place, and then correlate that in real time with other information.
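A defender-side illustration of the two policy checks just described, overlength HTTP headers and per-client request rate limiting in a time window, as an added example that is not from the original article or any vendor product; the byte limits, window size and sample requests are assumed values constructed for the demonstration:

```python
from collections import defaultdict, deque

MAX_HEADER_LINE = 1024   # assumed policy: bytes allowed in a single header line
MAX_HEADER_BLOCK = 8192  # assumed policy: bytes allowed in the whole header block
RATE_LIMIT, WINDOW = 5, 10.0  # assumed: max requests per client per WINDOW seconds

def inspect_headers(raw: bytes):
    """Return findings for one HTTP request; an empty list means nothing suspicious."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]        # header block ends at the blank line
    if len(head) > MAX_HEADER_BLOCK:
        findings.append(f"header block of {len(head)} bytes exceeds {MAX_HEADER_BLOCK}")
    for line in head.split(b"\r\n")[1:]:       # skip the request line itself
        if len(line) > MAX_HEADER_LINE:
            name = line.split(b":", 1)[0].decode("latin-1", "replace")
            findings.append(f"overlength header {name!r} ({len(line)} bytes)")
    return findings

class RateLimiter:  # sliding window: at most `limit` requests per client in `window` seconds
    def __init__(self, limit=RATE_LIMIT, window=WINDOW):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def filter_requests(requests):
    """requests: iterable of (timestamp, client_ip, raw_bytes) -> [(client, verdict, reasons)]."""
    limiter, verdicts = RateLimiter(), []
    for ts, client, raw in requests:
        reasons = inspect_headers(raw)
        if not limiter.allow(client, ts):
            reasons.append("rate limit exceeded")
        verdicts.append((client, "block" if reasons else "allow", reasons))
    return verdicts

def _req(headers):  # build a minimal request; constructed sample traffic, not a capture
    return b"GET / HTTP/1.1\r\n" + b"".join(h + b"\r\n" for h in headers) + b"\r\n"

NORMAL = _req([b"Host: example.test", b"User-Agent: curl/8.0"])
OVERLONG = _req([b"Host: example.test", b"Cookie: " + b"A" * 2000])
SAMPLE = [(0.0, "203.0.113.5", NORMAL), (0.5, "203.0.113.5", OVERLONG)] + [
    (1.0 + 0.1 * i, "198.51.100.9", NORMAL) for i in range(6)]
```

Running `filter_requests(SAMPLE)` blocks the request carrying the 2000-byte Cookie header and the sixth request from the second client, which exceeds the five-per-window limit.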
These trends in turn dictate the course of firewall evolution and the ever-shifting balance between software running on general purpose CPUs and the hardware approach based on dedicated ASICs (application-specific integrated circuits) (see boxout, p70). Almost all vendors and firewall consultants, except those with axes to grind one way or the other, will tell you that each has pros and cons, and also that most enterprises are best served by a combination of both, along with some virtual firewalls in many cases which are something of a hybrid between the two. As ever, ASICs score in terms of performance but at the expense of being locked into a given function, with limited scope for upgradeability.
FPGAs (field programmable gate arrays) are an alternative to ASICs for firewall hardware, with greater scope for upgrading, but are less well-suited to most security functions. FPGAs tend to work best on problems involving high degrees of parallelism that can be split into many small components and be executed simultaneously, such as image processing and many scientific tasks, while ASICs and also general purpose multicore processors are better suited to most security-related functions.
Another debate concerning the hardware is whether it is desirable, and if so how, to integrate firewall functionality with the routers and switches responsible for data transport both within enterprise networks and across boundaries. The big networking vendors include firewall blades (modules) as options, such as Cisco's IOS firewall running on its integrated service routers, and the firewall services blade for its Catalyst 6500 Series network switches for campuses and large branch offices. By the same token some vendors that specialise in firewall hardware, such as Fortinet, incorporate router functionality in their systems.
It might sound like splitting hairs, but Fortinet's VP for strategic solutions Darren Turnbull argues that it is better this way round, because then the routing functionality is tied to the security policies of the firewall, avoiding conflicts between the two. "When adding dedicated hardware into a router you can find yourself in a world attempting to cross organisational boundaries as well as the technical challenges to provide a seamless integration," Turnbull says. Fortinet solutions include the firewall and router functionality within the same hardware, within the same operating system, and – critically – using the same management interface. Cisco's view, meanwhile, is that the firewall design should take account of the size and architecture of the given enterprise site, recognising four broad categories with more subtle variations within each.
The four segments are large enterprise main sites, large enterprise branch offices, small enterprises with in-house IT, and small enterprises that have largely delegated to the Cloud and have branches connected to it. A distinction is also made between the data centre and Internet edge for the large enterprises.
Protecting the Internet
For large enterprises, Cisco's ASA firewall family provides the platform for most types of deployment, with the high-end 5500 CX model coupled with appliances for intrusion protection, email security and secure routers for customers that want to build their own gateway to protect the Internet edge. Slightly different firewall models that support intelligent clustering are suited for deployment within the data centre.
There are some similarities between configurations for small enterprises and branch offices of larger ones, in both cases supporting DSL broadband connectivity and in-built intrusion protection, moving towards unified threat management (UTM) in a single box. There is also, however, the option of Cloud-based firewall protection in these two cases, which is particularly recommended for offices where many employees use their own laptops or tablets.
Meraki MX is Cisco's latest firewall including IPS and Web security features. "For enterprises that have a lot of small offices connected to the Internet, but do not have a huge IT operation, a Cloud-based solution may be more appropriate," says Luc Billot, Cisco's security product line manager. "These businesses can look to use the Meraki MX devices that deploy behind their DSL modem-box-router, but will manage it directly from a Cloud management application."
One over-arching trend for the larger enterprise sector is the rise of firewall virtualisation, but this is not suitable for all situations. "There are three use cases that we see as well suited for the virtual firewall," reckons Brendan Petterson, senior product manager at firewall vendor WatchGuard Technologies. "The first is for protecting the internal edges between applications and between user communities by virtualising the traditional gateway firewall for unprecedented flexibility. This could, for example, protect the data in the corporate database from the messaging infrastructure, or confidential financial data."
The second category follows from the traditional virtualisation benefit, consolidating multiple firewalls onto single servers or clusters to save hardware costs and for operational efficiency. This model can also be deployed by cloud service providers spanning multiple enterprise clients. "These virtual firewalls are isolated from each other, so service level agreements (SLAs) can be guaranteed to each tenant, and a configuration change to one doesn't affect the others," Petterson says.
The third category, according to Petterson, is related to the second and is driven by consolidation of branch servers, running file and print operations for example. "As larger branches and divisions consolidate local servers onto one box, a virtual firewall can be deployed on the physical server, insulating all traffic from the public Internet," Petterson explains. "A single VPN tunnel can provide a secure path back to corporate data centres or virtual private clouds, yielding cost savings at every location without compromising security."
Hardware versus software
In the context of virtualisation and the general trend towards unified threat management, the debate between hardware and software has largely been overtaken by events, according to Wieland Alge, VP and general manager EMEA at network and security appliance vendor Barracuda Networks. "Most of the discussion is, in my opinion, irrelevant," Alge says. "Firewalls obviously always consist of hardware and software. There is some truth, however, in the discussion that firewalls with a loose coupling to hardware often suffer from lack of stability over performance and delay time, whereas firewalls with too tight a coupling to the hardware, such as ASIC-based ones, find it hard to expand their detection capabilities beyond what the hardware was designed for."
A similar line is taken by Palo Alto Networks: its systems engineering manager James Sherlow cites his company's branded Single Pass Parallel Processing architecture as an example of how to combine software and hardware for a high-performance UTM system incorporating traditional firewall functions. "Here traffic is analysed, inspected and firewall policy executed all in a single pass, as opposed to multiple passes required by other UTM firewalls," Sherlow explains. "The software is powered by dedicated processing for networking, security, content inspection, and management." The idea here is to use software for functions that may change and require flexibility, while using dedicated hardware for clearly defined repetitive tasks.
It is becoming clear that firewall development is now inextricably entwined not just with IT security under the banner of UTM, but also with larger architectural trends, notably the rise of virtualisation. The era of standalone firewalls is almost over as a result, with the functions increasingly residing in virtual machines where they will be served largely by a combination of generic processors and commoditised network silicon. As a result, there will likely be a diminishing role for ASICs or FPGAs dedicated to firewall tasks.