Next (Generation) Steps: Expanding Firewall Context




Wikipedia: “A firewall is a network security system that controls the incoming and outgoing network traffic based on applied rule sets.”

This generic firewall definition is independent of the technology used to control network traffic between trust levels. Firewalls deploy a variety of techniques and technologies to meet the goal of controlling network traffic. The “Future of the Firewall” will involve better “context” or situational awareness.


For starters, context raises the confidence level of a security decision, which lets the firewall make finer-grained decisions. In that sense, contextual awareness is the “who, what, where and when” of security intelligence that enables a firewall to make better decisions in controlling network traffic.

On their own, with limited context, firewalls and IDS/IPS (Intrusion Detection/Prevention Systems) offer point-in-time allow or block decisions based on packet attributes or signatures. Combining firewall and IDS/IPS technologies is certainly a market trend and can provide more context, as popularized in current next-generation firewall (NGFW) devices.

However, what if a firewall had more information on the security state of the endpoint? And where could a firewall gain this context? Some potential sources are analytics or behavior analysis, NetFlow data from core network routers, SIEM (Security Information and Event Management systems), NAC (Network Access Control systems) and endpoint solutions themselves.

How might firewall policy change, based on this type of security intelligence? Resulting context could allow a firewall to adapt to a situation and/or gain fidelity into the purpose of the traffic.
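As an added example (not code from the original post or from any vendor's product), the following Python models the decision described above: a conventional first-match rule lookup whose verdict is then refined by context feeds standing in for NAC/Active Directory identity (who), endpoint posture (what) and SIEM risk scores, plus a rule validity window (when). The rule fields, feed shapes, thresholds and all sample addresses, users and scores are constructed assumptions for illustration.

```python
"""Context-aware firewall decision: an added, constructed illustration.

Not code from the original post or any vendor product. A static first-match
rule lookup is refined with "who, what, where and when" context from feeds
standing in for NAC/Active Directory identity, endpoint posture and SIEM
risk scores. Feed shapes, field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                         # CIDR
    dst: str                         # CIDR
    dport: int
    action: str                      # "allow" or "deny"
    groups: Tuple[str, ...] = ()     # identity groups allowed to use the rule; () = any
    hours: Optional[Tuple[int, int]] = None  # (start_hour, end_hour), None = any time


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    when: datetime


@dataclass
class Context:
    """Snapshot of what NAC/AD, the endpoint agent and the SIEM currently report."""
    identity: dict = field(default_factory=dict)  # ip -> (user, group)
    posture: dict = field(default_factory=dict)   # ip -> "compliant" | "noncompliant"
    risk: dict = field(default_factory=dict)      # ip -> 0..100 SIEM risk score


RISK_BLOCK = 80    # assumed threshold: deny even when a rule permits
RISK_INSPECT = 50  # assumed threshold: permit but mirror the flow to IPS


def match_rule(pkt: Packet, rules) -> Optional[Rule]:
    """Classic firewall behaviour: first rule whose address/port fields match wins."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and pkt.dport == r.dport):
            return r
    return None


def decide(pkt: Packet, rules, ctx: Context) -> Tuple[str, str]:
    """Return (verdict, reason). Rule match first, then refine with context."""
    rule = match_rule(pkt, rules)
    if rule is None:
        return "deny", "no matching rule (implicit deny)"
    if rule.action == "deny":
        return "deny", f"rule {rule.name} denies"

    # WHO: identity supplied by NAC / Active Directory
    user, group = ctx.identity.get(pkt.src, (None, None))
    if rule.groups and group not in rule.groups:
        return "deny", f"rule {rule.name} limited to {rule.groups}, source group is {group!r}"

    # WHEN: rule validity window
    if rule.hours is not None:
        start, end = rule.hours
        if not start <= pkt.when.hour < end:
            return "deny", f"rule {rule.name} only valid {start:02d}:00-{end:02d}:00"

    # WHAT: endpoint security state reported by the endpoint agent / NAC
    if ctx.posture.get(pkt.src) == "noncompliant":
        return "deny", "endpoint reported noncompliant"

    # SIEM risk score for the source host
    score = ctx.risk.get(pkt.src, 0)
    if score >= RISK_BLOCK:
        return "deny", f"SIEM risk {score} >= {RISK_BLOCK}"
    if score >= RISK_INSPECT:
        return "allow+inspect", f"SIEM risk {score} >= {RISK_INSPECT}; mirror to IPS"
    return "allow", f"rule {rule.name}, user {user}"


# Constructed sample policy and context (illustrative values only).
RULES = [
    Rule("finance-db", "10.1.0.0/16", "10.9.0.10/32", 1433, "allow",
         groups=("finance",), hours=(8, 18)),
    Rule("web-out", "10.1.0.0/16", "0.0.0.0/0", 443, "allow"),
]
CONTEXT = Context(
    identity={"10.1.0.5": ("alice", "finance"), "10.1.0.6": ("bob", "engineering"),
              "10.1.0.7": ("carol", "finance"), "10.1.0.8": ("dave", "finance"),
              "10.1.0.9": ("erin", "finance")},
    posture={"10.1.0.5": "compliant", "10.1.0.6": "compliant", "10.1.0.7": "noncompliant",
             "10.1.0.8": "compliant", "10.1.0.9": "compliant"},
    risk={"10.1.0.8": 90, "10.1.0.9": 60},
)


def check(src: str, dst: str, dport: int, hour: int) -> str:
    """Evaluate one packet at the given hour against the sample policy; return the verdict."""
    return decide(Packet(src, dst, dport, datetime(2014, 9, 15, hour)), RULES, CONTEXT)[0]
```

The same packet from the same subnet gets different verdicts depending on who is behind the source address, what the endpoint agent reports about that host, and when the request arrives; the rule table alone cannot express any of that.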

Today this sort of context is emerging within firewall vendor solutions (using the same vendor’s firewall and endpoint). These single-vendor solutions are more likely to be integrated to share context or intelligence than independent vendor products.

The next step is for these independent security devices and SIEM solutions to share both context and security intelligence, enabling more accurate security decisions across the enterprise.

By broadening the context available to firewall infrastructure, the future firewall becomes something far more valuable than the devices we work with today.


My comments are my own and do not necessarily represent my employer’s positions or opinions.

Join The Conversation


We encourage you to share your thoughts, and we look forward to reading your comments. We invite you to subscribe to our blog to keep up with the latest posts of our new series.

Joe Dietz

About Joe Dietz

Joseph S. Dietz, Jr. – Network Security Architect – is a seasoned IT network security professional, with nearly twenty years tenure focused on network gateway security at large global telecom/ISP and hosting/cloud providers. Joe has held CISSP and SANS GCIA certifications for over ten years and earned his bachelor's degree from Rochester Institute of Technology – Rochester NY, USA. Some of Joe’s initial experience with network security involved router ACLs along with the original Firewall Toolkit (FWTK), at the time considered state-of-the-art firewalling. In the mid-to-late 1990s, Joe also encouraged early adoption of the first stateful firewall technology. Joe has been investigating and implementing “Next Generation” firewall solutions since 2009. Current accomplishments include overseeing a large scale enterprise firewall migration to “Next Generation” firewall technology which included “identity” based firewall policies integrated with Microsoft’s Active Directory.

Future Considerations: Software Defined




If Software Defined Networking (SDN) becomes the open ubiquitous technology that I think it will, everything changes.

That sounds dramatic, but I believe that SDN will change many aspects of how we deploy and manage networks. It also creates a completely new paradigm for security enforcement and an opportunity to think differently.

I think it will be amazing for people, for the industry, and for everything we try to do in security. It will power an Internet of Things (IoT) and forever elevate the value of data anytime, anywhere. I see SDN as the next critical step that no one will ever know happened.


When is this amazing change supposed to happen, you ask? It’s already started and it will be ongoing for many years to come. It’s not something where you can just flick a switch and suddenly it’s all there and running; there’s still lots of work to do.

But we can flick the switch ahead of time when thinking about how to build SDN strategy, and ultimately a secure one. To do this, you have to drop all current expectations of the technologies that you’re running today and think about what SDN is meant to change at all levels.

To get in the right state of mind for this exercise, consider a situation where you’ve been running a library for many years. It’s stacked full of books, magnificent collections for anyone to access and read via a book tracking system that you’ve spent millions on, essentially putting the Dewey Decimal System online.

Then tragedy strikes one night and the entire collection, along with the building, burns. The insurance money comes in and we are left with a real question: does it make any sense to rebuild a building full of books, knowing what we already know about technology? Is there still a place for this? Before, given its long history of value, rebuilding was simply assumed; but when you are presented with, or in fact forced into, recreating the library, does the design and deployment of a building of books make any sense?

I ask this question because you have to go into SDN with just that frame of mind. Ask yourself if what you’re doing today makes any sense in this new design, then go a step further. Ask yourself what you need to do to empower SDN instead of looking at it from the perspective of how it might work based on how you do things today.

What It Takes

Let’s flick that switch now and consider how SDN is evolving the network by walking through an SDN-enabled infrastructure from network to application.

SDN separates the control plane from the data plane: the intelligence that decides how traffic is forwarded moves out of the individual switches into a centralized controller. This controller holds a model of every object in the environment, from switches to applications and everything in between. It programs the switches' forwarding tables (installing, modifying and deleting entries) and reads back their state, so it always knows what each switch will do with a given flow (the protocol details are another blog unto itself).

Consider a network where you can make forwarding decisions based on far more than IP data. I’m talking about simply knowing where the connection needs to be and forwarding it across any infrastructure to any application, against any security controls that you may need. Maybe you rewrite the IP header as it moves across physical connections, but that’s not even necessary to consider when working with SDN as the process is abstracted away from us.

Think about what you could do with the power to forward packets based on a myriad of possible scenarios from network to application, and being able to track and protect that flow on demand. Running out of CPU and memory in one datacenter? Send the flow over to another. That one getting tapped out? Push it out into a cloud infrastructure.

New version of your application going online? No problem, as the next flow will be directed to the virtual machine running the new code. Problem with the new code? OK then, the next flow goes back to the previous version of the service, all on demand and orchestrated. I can’t wait to see the creative things that people do with this level of programmability and control.

The Security Perspective

How is security affected by all of this?

For starters, security is abstracted into a service, with policy eventually moving into the orchestration of that service. Don’t get me wrong: security policy management remains relevant, but it moves, over time rather than overnight, from a dictated security policy to a monitored security policy. As that happens, traditional enterprise security policies will become less relevant. To show you what I mean, we can jump ahead to the concept of a monitored policy as part of this exercise.

Let’s say that an application request comes in the form of a network call to a Web service to return data for a custom application, perhaps a new wearable armband health application. The network then checks its table to see where to send the connection, tags it accordingly, and forwards it on. In turn, the controller knows an application request is on its way for this particular service, and most likely already has a server up and running, ready to service it.

Since the controller knows how many clients it can service per virtual machine, with defined CPU and memory, it keeps spinning up new virtual machines and redirecting traffic accordingly. Including security in this process then becomes a simple task. There’s no need to deploy hardware and create choke points, as security simply becomes another application on the abstracted network.

For example, we can forward the data based on any decision, not just the network setup, and offload a copy for traffic validation; essentially, run an on-demand security scan on the same flow and let the controller know if there’s a problem. Based on the orchestration decisions, the controller can have the traffic flow quarantined, blocked, redirected or just plain dropped; how and why will be tied to the value and risk of the service.

This is the point where we move from security policy management to security policy monitoring. As applications are defined and brought online, information will be collected on what data is handled by which users and corresponding threat scanning can scale up or down accordingly. It will be this on-demand delivery of security services that will enable rapid scaling of new applications.
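To make the forwarding ideas in “What It Takes” and the monitored-policy flow in “The Security Perspective” concrete, here is an added Python model; it is not code from the original post or from any real SDN controller or switch. It keeps a priority-ordered flow table in the style of OpenFlow-type switches, steers a service VIP to a chosen backend and rolls it back to the previous one, mirrors every flow to a scanner, and enforces a bad verdict by installing a higher-priority quarantine entry for the offending source. The class names, action strings, the scanner interface and all addresses are constructed assumptions.

```python
"""Minimal SDN controller model: an added, constructed illustration.

Not code from the original post or from any real controller. It models the
behaviours described in "What It Takes" and "The Security Perspective":
steering a service to a chosen backend (and rolling back), mirroring flows to
a scanner, and enforcing a bad verdict by installing a higher-priority
quarantine entry so the switch's own match order does the blocking. The
priority-ordered table follows OpenFlow-style semantics; class names, action
strings and the scanner interface are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Match = Tuple[Tuple[str, str], ...]     # e.g. (("dst", "10.0.0.80"), ("dport", "443"))
Actions = Tuple[str, ...]               # e.g. ("forward:vm-web-v1", "mirror:scanner")


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    match: Match
    actions: Actions
    note: str = ""

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match)


class FlowTable:
    """What a switch holds: the controller programs it, the switch only does lookups."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        # Same priority + same match replaces the old entry (modify semantics).
        self.entries = [e for e in self.entries
                        if not (e.priority == entry.priority and e.match == entry.match)]
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority first

    def lookup(self, pkt: Dict[str, str]) -> Actions:
        for e in self.entries:
            if e.matches(pkt):
                return e.actions
        return ("drop",)    # table miss: default deny


SERVICE_PRIO = 100
QUARANTINE_PRIO = 200   # must outrank service entries or it never takes effect


class Controller:
    def __init__(self, scanner: Callable[[Dict[str, str]], str]) -> None:
        self.table = FlowTable()
        self.scanner = scanner                   # returns "clean" or "malicious"
        self.history: Dict[str, List[str]] = {}  # service VIP -> backends published so far

    def publish(self, vip: str, dport: str, backend: str) -> None:
        """Steer a service VIP to a backend and mirror every flow to the scanner."""
        self.history.setdefault(vip, []).append(backend)
        self.table.install(FlowEntry(SERVICE_PRIO, (("dst", vip), ("dport", dport)),
                                     (f"forward:{backend}", "mirror:scanner"),
                                     note=f"service {vip}"))

    def rollback(self, vip: str, dport: str) -> str:
        """Point the service back at the previously published backend."""
        hist = self.history.get(vip, [])
        if len(hist) < 2:
            raise ValueError(f"nothing to roll back to for {vip}")
        hist.pop()
        previous = hist[-1]
        self.table.install(FlowEntry(SERVICE_PRIO, (("dst", vip), ("dport", dport)),
                                     (f"forward:{previous}", "mirror:scanner"),
                                     note=f"rollback {vip}"))
        return previous

    def handle_flow(self, pkt: Dict[str, str]) -> Actions:
        """Forward per the table; if the mirrored copy scans bad, quarantine the source."""
        actions = self.table.lookup(pkt)
        if "mirror:scanner" in actions and self.scanner(pkt) == "malicious":
            self.table.install(FlowEntry(QUARANTINE_PRIO, (("src", pkt["src"]),),
                                         ("forward:quarantine-vlan",), note="scanner verdict"))
            return self.table.lookup(pkt)   # re-evaluate: the quarantine entry now wins
        return actions


def sample_scanner(pkt: Dict[str, str]) -> str:
    """Stand-in for the on-demand scan; flags one constructed bad source address."""
    return "malicious" if pkt["src"] == "203.0.113.66" else "clean"
```

The point of giving the quarantine entry a higher priority than the service entry is that the switch's own match order enforces the decision: the controller never has to touch or rewrite the service rule, and the quarantined source stays contained for every destination, not just the one it was scanned on.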

While I’m excited about all these possibilities, I’m fearful of the potential nose dive that could occur if vendors try to create some form of lock-in. SDN as a technology can’t be stopped by this and will emerge no matter what; it’s just a matter of how long it takes. Being realistic, it’s going to take a few generations of equipment to get there.

However, if we truly enable SDN from networks, along with security, and into the application, many of our current challenges go away. Not to say we won’t have new issues to consider, but I’ll save that discussion for another time.


Kellman Meghu

About Kellman Meghu

Kellman Meghu is Head of Security Engineering (Canada and Central US) for Check Point Software Technologies Inc. His background includes almost 20 years of experience deploying application protection and network-based security. Prior to joining Check Point, Mr. Meghu held various network, VoIP and security engineering roles with European telecommunications giant Alcatel, Electronic Data Systems (EDS), and as a private consultant.

Viral Video: Of Access Control, Hyper-Segmentation and Vendor Viability




Even after a handful of insightful blog posts from a wide range of experts, along with some related research, the question still looms large: what is the future of the firewall?

In this installment of the series we switch over to podcast/video mode, with FireMon Founder and CEO Jody Brazil joined by leading industry expert and Securosis Analyst Mike Rothman to discuss and debate the matter at hand.

Will firewalls break out of the box? How will the trend toward hyper-segmentation influence the process? And where does the added capability of the NGFW model factor into it all? Importantly, will the leading firewall providers of today advance their capabilities to address tomorrow’s requirements, or be replaced by someone else?

These are just a few of the issues that Jody and the ever-outspoken Mr. Rothman bring to the table.
After you’ve watched the video on YouTube, we hope that you’ll head back to the blog to offer your comments or contradictions.

Do these guys have the answers or does the debate introduce even more questions to consider?

Join the discussion!


Matt Hines

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Stated Inspection: The Future of the Firewall




What’s the future of the network firewall?

While at first glance this may not seem like the most cutting-edge or controversial question facing the IT security industry, further inspection (forgive the pun) reveals that the future evolution of the firewall remains one of the most significant issues we face.

For evidence of how central firewalls remain within enterprise security strategy, consider that Gartner reports that roughly 51 percent of the 1,500 network security calls received by their analysts during the first half of 2014 were directly related to firewalls – on topics ranging from platform migration to policy management, to adoption of next generation devices.

In July, Ellen Messmer filed this piece in Network World which debates the evolution of firewalls related to cloud computing and quotes a wide range of industry experts, serving as further proof of the topic’s relevance.

For over 20 years, the firewall has served as a central component of information security, representing a first line of defense in controlling access to limit risk. To this day, it remains the most successful “whitelist” security solution ever deployed: designed to permit acceptable traffic and to deny, by default, everything that is not.


About Jody Brazil

As Founder and CEO of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment, and security product implementation. Before joining FireMon in 2004, Brazil spent eight years at FishNet Security, serving as Chief Technology Officer, where he was responsible for providing direction for solutions to their customers. Previously, he was president and founder of Beta Technologies, a Network Services and Internet Application Development company. A few of Brazil’s major accomplishments include his implementation of the first load balanced deployment of Check Point firewall software in 1997. A year later he engineered the security solution that allowed, for the first time, the transfer of criminal history data over the Internet as approved by the FBI. Brazil then released the first ever graphical firewall policy change view in 2001 and the first ever firewall rule usage analysis application in 2004.

Configuration Confrontation – Network Security’s Biggest Challenge




As numerous breach incidents have emphasized, the inability of organizations to properly configure existing defenses remains arguably their most significant network security challenge.

With the Target breach standing as perhaps the best example – as attackers subsequently infiltrated the retailer’s point-of-sale data after gaining access to other areas of the network – the problem has been reinforced in a number of high-profile incidents.


This week, noteworthy vulnerability researcher H.D. Moore, perhaps best known as founder of the Metasploit pen testing platform, brought even greater attention to this issue, releasing new findings regarding a previously unreported firewall configuration issue that could expose many organizations to potential compromise.

The research, which affects organizations using devices made by Palo Alto Networks, a leader in the space, further highlights that it is the challenge practitioners face in properly configuring such defenses, not vulnerabilities in the products themselves, that remains so pervasive and troublesome.

As first detailed by Moore in a blog post and reported in news outlets including the U.K.-based Register, the issue involves misconfigured user identities set up for Palo Alto Networks firewalls that “leak” information onto the Web, exposing underlying services.


Matt Hines


Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Granted, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.


However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer appears to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, even though I can’t claim to have attended many of these sessions in recent years.

Another key component to consider is that the sister DEF CON and parallel B-Sides Las Vegas shows cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.

Matt Hines
