Next-generation firewalls not ready to replace all legacy firewalls

Application-aware firewalls enhance network security by offering deeper visibility, but enterprises will hang on to old-style firewalls.

Next-generation firewalls, or application-aware firewalls, have enjoyed well-deserved hype from network engineers and analysts, but the technology is still evolving. Many enterprises are also holding onto their old port and protocol firewalls, at least for now.

Network systems engineer Mike Wade, an early adopter of next-generation firewalls from Palo Alto Networks, has deployed application-aware firewalls at the perimeter of his network at Summa Health System, a chain of hospitals and medical centers in Ohio. The Palo Alto boxes sit outside the DMZ of his network. Yet Summa still has traditional, stateful firewalls, Cisco ASA 5500s, on the inside of the DMZ. The two firewalls are deployed back to back at his primary data center and his secondary "hot site" data center.

 And each type of firewall serves different needs on both sides of the DMZ, Wade said. "The inside doesn't have the requirements that the outside has," he said. "The outside is under constant attack. The inside is limited to the traffic that is routed to it."

While the Palo Alto firewalls are scanning the applications that are hitting the data center, the Cisco ASAs are checking ports and protocols. The layered firewall approach is part of a security strategy that demarcates responsibilities, Wade said. He is in charge of the perimeter devices outside the DMZ, while a separate networking team manages the ASAs inside the DMZ.

"If someone is able to crack how I think and get my password or something else, they get through to the second firewall and have to deal with a completely separate type of personality [of the internal network manager] and a completely different device," Wade said. "The idea is to make it such a pain in the neck to get inside that [the attacker] will go away."

Although application-aware firewalls are getting all the hype these days, stateful port and protocol firewalls will continue to have a place in most networks, at least for the next several years.

Stateful firewalls caught at a crossroads of network evolution

For much of the last 15 years, stateful firewalls have been the first line of defense in network security. They are the traffic cops that sniff ports and protocols and take action to allow or disallow traffic based on the hundreds or thousands of rules that network engineers have programmed into them.

But the changing nature of the Internet has left this old firewall architecture behind. Websites have become platforms running countless individual applications on them -- chat, video, file transfer, and even enterprise applications like Salesforce.com. These applications are all going over the Web, so traditional firewalls perceive them as HTTP or HTTPS and Port 80 or Port 443. Hackers target their attacks at these ports because the traffic that crosses them is mostly invisible to the firewall and looks like legitimate Web traffic.

This weakness in the traditional firewall has led to a cluttered network perimeter with multiple network security appliances and software. Network engineers deploy a variety of products to fill in the gaps, from intrusion detection and prevention systems (IDS/IPS) and antivirus appliances to Web filtering and content filtering products.

Next-generation firewalls move up the stack

The new breed of next-generation firewalls, or application-aware firewalls, look at the application layer of the OSI model rather than ports and protocols to allow or disallow access based on policies for application usage. Nearly every firewall vendor on the market (with the exception of Cisco) has some kind of next-generation firewall. The depth of understanding that these next-generation firewalls have of applications varies from vendor to vendor. Some recognize traffic as coming from Facebook, while others see deeper and can distinguish between Facebook video, Facebook chat or simple Facebook status updates.

The differences lie in the stage of each vendor's evolution. Palo Alto Networks has been doing application-aware firewalls from its inception. Competitors, like Sonicwall and Fortinet, have incorporated their existing IPS/IDS technology into their firewall platforms to give them application awareness. Mike Rothman, analyst and president of security research firm Securosis, said the IPS/IDS approach is just the first stage of the evolution toward an application-aware firewall. Eventually, vendors that take this approach will have to do a "brain transplant" on their firewall, fundamentally rewriting how the products function. In part this is because IDS/IPS products are driven by signatures for malicious applications and websites while next-generation firewalls approach application awareness by picking out specifically those sites and applications that are allowed and disallowing everything else.

"Think of it as a positive versus negative security model," Rothman said. "If you look at it from the IPS/IDS bolt-on model, you have configured policies and rules to look for all these different kinds of malicious applications. That's a lot more complicated and a lot more processor-intensive on a device. Whereas in the positive security model, you can say, 'Here are the applications and functions I want to allow.'"

But the processor-intensive nature of application-aware firewalls will force many enterprises to stick with a multilayered approach to firewall deployments, according to Andreas Antonopoulos, senior vice president and founding partner at Nemertes Research.

"If your main goal is very, very fast 10 Gigabit-capable firewalls for segmenting internal VLANs, MPLS circuits and managing virtualized servers, that's not what [next-generation firewalls do]," Antonopoulos said. "I don't think that it's the best platform for connecting hundreds of different extranets and partner connections into a data center. It's probably no good for managing internally segmented, highly complex DMZs and server networks that are virtualized. But it is probably a good platform for dealing with the threats that come from Web and user traffic, something that traditional firewalls don't do very well."

Next-generation firewalls can eliminate sprawl at the perimeter

Prior to installing Palo Alto's application-aware firewalls at Summa Health System, Wade was protecting his perimeter with a Microsoft Internet Security and Acceleration (ISA) server array. The ISAs were doing their job until Summa upgraded its outward-facing Internet connection from 50 Mbps to 100 Mbps. The array was running a firewall, antivirus and content filtering.

"Suddenly, the ISAs became unstable," Wade said. "We had three outward facing servers [in the array] at the time. I expanded them to five, but they just wouldn't become stable. I had an open ticket with Microsoft. We modified the buffering on the firewall servers, which made it a little better. But it wasn't operating as effectively as it was before. Microsoft was telling us to expand the outward facing ISA array [further], which would have made the entire thing 11 servers. That just didn't seem practical."

When Wade started shopping for a new solution he wasn't necessarily looking for a next-generation firewall. In the past, he had worked with traditional firewalls from Juniper Networks, Check Point Software and Sonicwall. But while talking to the network security solutions provider FishNet Security, he was introduced to Palo Alto.

"We put [Palo Alto] in our environment and set it parallel to the ISA, doing port scanning so we could see all the traffic that was coming through the ISA," Wade said. "Our eyes were opened quite widely. Apparently, there was a fault in the content filter on the ISA. We were running a content filter that couldn't deal with IP addresses, so unless a host name is handed to the ISA and the ISA does the name resolution, it doesn't know what website you are going through. It just sees the IP traffic on port 80 and allows the traffic to flow," he continued. "People discovered that if they had a firewall client installed on their workstation and unchecked the auto-detect on the ISA, they could go out to YouTube, Facebook, porn. All kinds of stuff were basically skirting the content filter."

The Palo Alto products allowed Wade to set new application-based firewall policies. The firewall integrates with Microsoft Active Directory, which allows him to get granular with his policies.

"A number of the people in my organization need to do webinars. They need to take online classes and they do these things from various computers in the hospital," Wade said. "I can set a policy that allows certain users to use HTTP video and HTTP audio, but I can disallow the use of YouTube. I can't do that with an ISA or a Check Point. I can block the YouTube website, but users can still run YouTube video that's embedded here and there on other websites."

Enterprises should watch out for variation in next-generation firewall architecture

Because many vendors are selling application-aware firewalls that are essentially stateful firewalls with IDS/IPS functionality bolted on, network engineers should proceed carefully to make sure the firewall they choose will work in their environment, Rothman said.

"Over time, all vendors will evolve their architecture," he said. "The reality is that a lot of security products need a brain transplant. The question is: When will they do it? Companies are betting that [next-generation firewalls] are an early adopter capability and they can meet those needs with a bolt-on solution today and proceed with a brain transplant when it's ready. It's just the way technology rolls, but navigating that can be a challenge for an enterprise, especially if they don't have the right expectations."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor

Dig Deeper on Network security