While at least one epic winning streak ended over the weekend as Kentucky lost its bid to conquer the NCAA Men’s Basketball Tournament, FireMon’s Ignite Partner Program and Vice President of Channels Todd DeBell continue to rack up the titles.
Earlier today, IT channel experts once again recognized DeBell for his industry-leading accomplishments in advancing FireMon’s […]
As my view of network security is grounded in my experience as a real-world practitioner, I’ve always sought to back opinions with qualitative research, even when the evidence seems perfectly clear.
That said, when we hatched the idea of launching a new survey aimed at discerning the views of today’s enterprise security professionals regarding the “State […]
Wikipedia: “A firewall is a network security system that controls the incoming and outgoing network traffic based on applied rule sets.”
This generic firewall definition is independent of the technology used to control network traffic between trust levels. Firewalls deploy a variety of techniques and technologies to meet the goal of controlling network […]
As any network operator can attest, the words “firewall” and “security appliance” carry multiple connotations; some of which are flattering and others that are… not.
That being said, developing scalable and feature-driven security devices is a difficult task, especially while trying to provide the best performance at the most competitive price.
Over the past few […]
If Software Defined Networking (SDN) becomes the open ubiquitous technology that I think it will, everything changes.
That sounds dramatic, but I believe that SDN will change many aspects of how we deploy and manage networks. It also creates a completely new paradigm for security enforcement and an opportunity to think differently.
I think it will […]
Even after a handful of insightful blog posts from a wide range of experts, along with some related research, the question still looms large: what is the future of the firewall?
In this installment of the series we switch over to podcast/video mode, with FireMon Founder and CEO Jody Brazil joined by leading industry expert and […]
Over the past few weeks you’ve been reading a lot of different perspectives in this space regarding the “Future of the Firewall” (and if you haven’t please see the related archive).
In these posts authored by leading practitioners, analysts and industry experts, and those blogs that will follow, there’s been a lot said about the critical […]
A blog series on the “Future of the Firewall”; that’s optimistic, as it implies that the firewall has a future.
For the record, I think that it does, I just hope we use firewalls more wisely in the future. I see both challenges and opportunities for the present and the future of the firewall; and, as is often the case in life, the challenges and opportunities are two sides of a single coin.
Modern firewalls have become much more than packet filters, and are much more powerful – if used correctly. The great advantages in versatility of NGFW, UTM, or whatever you use, do carry a burden of complexity.
A common challenge remains proper configuration; this is a challenge we have faced for years, and I do not see it disappearing any time soon. Not that early firewalls were exactly “user-friendly”, but with limited feature sets came a smaller range of things to get wrong.
I think that, in general, modern firewalls are easier to deploy and configure properly, but added features do add complexity. The race to add features and functionality to firewalls (or any technology) is also a race with usability and user experience, a race we don’t always win.
IPv6 presents a related threat to the effectiveness of firewalls. I know I’m not alone in having seen firewalls misconfigured down to being very expensive NAT devices. As worrying as that is with IPv4, at least most organizations rely on RFC 1918 addresses internally and thus have some protection with NAT.
The growing numbers of IPv6 deployments threaten to expose millions of devices directly to the Internet as enormous blocks of publicly routable IPv6 addresses are assigned to internal devices.
When I first started working with firewalls some 18-odd years ago, the revolution of “stateful inspection” was just starting to take hold. The explosion of Internet bandwidth (laughable now) to DS3-type speeds was driving everyone away from the proxy solutions they had in place to this awesome new security device.
All firewalling concepts were geared to the 5-tuple, situating the firewall firmly in the L4 space, but even then the market leaders defied that definition. Anyone who tried to pass active FTP without the proper CRLF formatting in the command channel was painfully aware of just how far up the stack the “L4 firewall” could go.
Of course, back then you made a good living knowing how to turn those security features off (probably not selectively) so you could make the network work again. Now, we’re all trying to figure out how to program the network properly so we can exert control over the 10-tuple, which eliminates the need for stateful inspection, right?
The answer to the question requires some thought regarding basic concepts. I start with wondering: “Why does the network exist? What’s its purpose?” For me, the answer is that the network provides nothing in and of itself, it exists to supply services to users of those services. With that in mind, we can start by wondering just what it is the firewall does for us.
Some past thought patterns would be that the firewall:
• Stops users from consuming unauthorized services (SSH, for example) – which seems like something the service should do, right? If my network can manage flows, why can’t my service manage who consumes those services?
• Prevents bad actors from exploiting misconfigurations and vulnerabilities on the network and overlying services – but isn’t the network intelligent enough to protect itself and the services that ride on top of it?
When Jody Brazil and the folks at FireMon asked me if I’d write a post for this “Future of the Firewall” series, my first thought was, “if I had a nickel for every time someone told me the firewall was dead, I’d be rich.”
Yes, the good old firewall, the security technology everyone loves to hate, has been on supposed life support for years. And yet it’s a $9 billion market according to Gartner. We should all be that sick.
To be fair, today’s next generation devices bear little resemblance to those old Check Point boxes you may remember. It’s sort of like comparing a Model T Ford to a Tesla.
However, just as both cars can get you from A to B, today’s firewalls are doing the same things those old Check Point or Cisco PIX boxes did. While the speed, bandwidth, scalability and capability have increased, firewalls do the same thing now they did then: controlling ingress and egress.
Going into the future, firewalls will still perform this task.
I don’t want to leave the impression that nothing has or will change, though. Firewalls have evolved and collectively these changes have drastically shifted the model. For me, the biggest change is where the firewall lives; it’s no longer merely the drawbridge over the perimeter moat providing entrance to the castle.
A better analogy for how firewalls have changed might be found in comparing dinosaurs to birds. Just as the dinosaurs evolved into birds and took flight, firewalls have transformed. Initially they flew inside. One significant innovation was the use of firewalls deployed inside the network to isolate segments, with highly sensitive data kept behind these internal systems.
Other firewalls evolved into big honking boxes sitting at the core of the network. Instead of perimeter devices, these firewalls performed ingress and egress monitoring/control at a critical choke point for all network traffic.
And just as some firewalls flew inside, other firewalls flew away altogether. Some flew to the cloud, where the servers were going, to protect the web servers and applications that serve as the interface for computing interactions.