Getting Firewalls to Play Nice With One Another
Home computer users and small-business entrepreneurs usually know enough about broadband Internet security to protect their data with a firewall. In most of these cases, a single firewall at a point of entry to the computers or network is sufficient.
Sometimes, though, using multiple firewalls is the smarter option. The bigger the business, the more likely its computers are exposed to the Internet on more than one front. The more points of exposure, the more firewalls should be there for protection.
While multiple firewalls makes good security sense, keeping an arsenal of firewalls properly updated and configured can add to the burdens already causing pain to an IT staff. Thus, a marketplace is growing around products that help IT managers automate the process of making firewalls play nicely together.
"Over the last 18 months, firewall management in general has become a priority for IT managers. The most important thing is to maintain availability. The challenge people are facing with firewalls is they [firewalls] are getting out of hand. Managing the firewalls is happening without much oversight, and personnel changes cause a rat's nest in the firewall," Tom Rabaut, director of product management for RedSeal Systems, told TechNewsWorld.
The strategy of deploying multiple firewalls within an enterprise network is well established. The problem stems from getting the firewalls properly integrated. That used to mean manually setting the filters and the permissions.
Think of a multiple firewall situation as analogous to a large prison. Prison guards (firewalls) are strategically dispersed not only around the outer walls but also at key points through the prison's passageways. It is easy to see the security fallacy inherent in having guards only at the perimeter.
In order to control who is allowed to move about various locations inside, locked doors or gates open and close in series to permit safe authorized access within the facility. If a master key were issued to every employee of the prison to roam about at will, the safety of everybody would be a sham.
Internet security through multiple firewalls is much like that. The access firewalls provide must be coordinated across the entire network.
"It's no longer a simple process. One of the most glaring reasons is that people no longer access networks through one or two points. Now we have multiple DMZs (demilitarized zones), remote users, partners, access from around the world, etc. Everything is interconnected," explained Rabaut.
Is More Better?
Why use more than one firewall? Companies deploy multiple firewalls for at least three reasons, according to Ken Pappas, security strategist with Top Layer Security. Perhaps the most inclusive reason is that no single firewall does everything exceptionally well.
Another reason is that multiple firewalls determine which model should be on top doing the heavy lifting. Also, users do not necessarily want to put all their trust into a single firewall technology, he explained.
"Let's face it, no two firewalls on the market today are alike. Some are very good at DDoS (dedicated denial of service) protection, while others can handle rate-shaping or packet inspection better than the other," Pappas told TechNewsWorld.
So depending on the application customers use and their traffic needs, a different firewall brand might be in order. Pappas cautioned users of the dual or quad firewall topology, because the more firewalls put into a network, the more difficult it becomes to troubleshoot.
The Demands of Change
The workplace is a dynamic environment. That impacts network security. Over time, new systems get added. Corporate acquisitions and mergers force networks to be integrated to some degree. Added to all of this are new business partners.
Any one of these changes can require numerous adjustments to the access permissions within the corporate network. Whether these changes are maintained by one person or departmentally, keeping all of the firewalls tweaked becomes a monumental task.
"Some organizations conduct hundreds and thousands of changes per year. We figured out that 20 to 30 percent of these changes are not needed. The people make the changes because they are not aware that traffic they want to regulate is already allowed. Instead, they make constant changes to the firewall policies. This makes the firewall operation slower and more costly," Yuval Baron, CEO of AlgoSec, told TechNewsWorld.
These changes can be costly and time consuming. They take time to plan and to coordinate with other aspects of the network. A second aspect of the problem is how to make the networks secure with the added level of complexity multiple firewalls bring, according to Baron.
"There are many interfaces and security zones, several DMZs and overlapping architectures. Deciding what type of traffic is risky and what is not is very complex, especially in a multi-layered environment," he explained.
More Means Menagerie
While more firewalls may create better security, it also poses inherent risks if not configured properly. Keeping a managerial eye on access control is important.
"Multiple points of entry through the corporate perimeter for multiple business reasons translates to multiple perimeter firewall configurations. With this, it is important to maintain a single point of view for the entire perimeter to ensure that the collection of settings is maintained across the board," Sean Martin, Certified Information Systems Security Professional (CISSP) and vice president of marketing for SkyRecon Systems, told TechNewsWorld.
Doing this will enable secure business transactions regardless of who is connecting, when and from which location. It will also coordinate which systems are connecting and which network type/method is being used to connect, such as wireless, SSL/VPN (secure sockets layer/virtual private network), etc., he explained.
Large corporations often have very complicated network configurations, with multiple points of entry to the corporate network. All this can lead to a management nightmare, warned Dave Roberts, vice president of strategy for Vyatta.
"The problem isn't so much conflicting firewall settings as it is consistent firewall settings. The set of filtering that should be performed by any given firewall depends highly on where it is located within the network as well as the policies that the firm is trying to enforce," Roberts told TechNewsWorld.
For instance, large networks are often very dynamic with regard to configuration. As directly connected partner networks come and go, he explained, firewall rules have to be updated to enforce the correct behavior. Lack of legitimate connectivity is typically detected quite quickly.
"A bigger problem is convincing yourself that the current rule set doesn't leave an opening in the defenses. This is more difficult to deal with because you can't prove a negative," Roberts said.
As an alternative to manually manipulating a series of firewalls within a network, some companies have developed products to automate the management process. But do not view all of these software solutions as equal.
"Firewalls have existed for many years. While they have become increasingly sophisticated, the products that manage them have not," noted AlgoSEc's Baron.
His company offers AlgoSec's Firewall Analyzer (AFA) product suite to help customers understand what traffic is risky and what is not. AlgoSEc focuses on these two areas: efficiency and security.
"A lot of people need to go back to understanding access across an entire network," said RedSeal's Rabaut. "Sometimes people lose sight with what they are trying to accomplish and focus too much on the process or concentrate on only a single firewall."
RedSeal offers two ways to solve the multiple firewall management problem. Security Risk Manager (SRM) comes as a security-hardened appliance or as a software package that runs on the customer's hardware.
"We don't monitor networks or look at traffic. We're concerned about the access. You have to look at how the devices are configured. It's what you don't know about your network that a hacker will use to take it down. What's needed is a solution that analyzes the configurations," he explained.
Choices to Make
Relying on multiple firewalls can in some instances be too much like putting all of one's eggs in the same basket. Solutions exist outside the firewall.
"Yes, companies do need to maintain multiple firewalls within their networks for protection. Most companies need a combination of network firewalls, IDS (intrusion detection system) solutions, XML gateways and Web application firewalls in order to secure their networks and applications from attacks -- bad people doing bad things," Phil Dinesmore, general manager of Web Application Security for Protegrity, told TechNewsWorld.
However, he does not think there are severe conflict issues with the use of these different solutions.
"While there may be some overlap in functionality, each solution has a purpose and position within the flow of network traffic through the organization," he said.
Firewalls are considered older security technology, and newer technology like an intrusion prevention solution (IPS) is the logical replacement for it, according to Top Layer Security's Pappas. There are, however, firewall functions that an IPS still needs to deliver in order to become a full-fledged firewall replacement.
One mandatory feature is Network Address Translation (NAT), he said. Most firewalls today provide the NAT function an IPS does not, he explained.
For example, a drawback to firewalls today is port 80. With so many newer applications now running through port 80, it becomes impossible for a firewall to inspect it, assuming it is legitimate Web traffic. Instead, IPS systems inspect everything, according to Pappas.
"Because there is no device that can do everything equally, customers are settling for a layered defense. The need for multiple security technologies, and in some cases dueling firewalls, will continue while customers keep looking for that silver bullet -- one device that does it all perfectly," concluded Pappas.