My eight-year-old daughter asked me what a firewall was the other day. I had to think carefully about my answer. I wanted to explain it to her in such a way that she is not left even more confused. I told her that a firewall is something that helps protect the computer from the bad stuff and that the firewall is clever enough to distinguish the good stuff from the bad stuff and will only allow the good stuff in while keeping the bad stuff out.
I am not sure if I succeeded in my explanation in the end.
My answer got me thinking about firewalls and how relevant and effective they are in actually keeping the bad stuff out.
A firewall, at its most basic level, controls traffic flow between a trusted network (a corporate LAN) and an untrusted network (the internet). The majority of firewalls deployed today are port based: they use the source/destination IP addresses and the TCP/UDP port numbers to decide whether or not a packet should be allowed to pass between the networks.
For a port-based firewall to be effective, applications need to use the ports that they are expected to use. For example, the firewall would expect an e-mail application to use port 25, FTP to use port 21 and web traffic to use port 80. There are “well known” ports that have been assigned to applications, and a static, port-based firewall expects all applications to stick to this convention.
A port-based firewall relies on the convention that a given port corresponds to a given service/application. In other words, it relies on the simple equation:
Port + Protocol = Application
Port 25 + TCP = Email
Because the decision is made from the port alone, a port-based firewall cannot distinguish between different applications that share the same port, nor recognise an application that has moved to an unexpected port.
In order for the firewall to continue to have relevance in protecting the network, it needs to be “more intelligent”: it needs to be able to do what traditional firewalls do today, and much more.
Firewalls need to evolve to be more proactive in blocking new threats. Enterprises need to update their network firewall and intrusion prevention capabilities to protect business systems as attacks get more sophisticated.
In the research note “Defining the Next-Generation Firewall,” Gartner states that “Changing business processes, the technology that enterprises deploy, and threats are driving new requirements for network security”. Gartner warns that “To meet these challenges, firewalls need to evolve into what Gartner has been calling ‘next-generation firewalls.’”
There are several attributes that the next-generation firewall (NGF) needs to have; they include:
- Ability to identify applications regardless of port or protocol
- Ability to identify users and not just IP address
- Ability to cope under heavy traffic (multi-gigabit) without any performance issues
- Ability to use information from other sources outside the firewall to make blocking decisions
An NGF should be able to distinguish between Skype and Facebook; it should be able to tell who (not just which IP address) is on YouTube, and it should be able to support heavy traffic. An NGF should be able to use information from a directory service (e.g. Microsoft Active Directory) to tie blocking decisions to user identity.
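To make the difference concrete, here is an added example (not code from the original post, and not any vendor's product) that evaluates the same five constructed flows two ways: first with the “Port + Protocol = Application” rule described above, then NGF-style, by identifying the application from the first bytes of the flow regardless of port and by mapping the source IP to a user through a stand-in for a directory lookup. The IP addresses, user names, per-user policy and the three simplified protocol matchers are all assumptions made for the example; real products use far richer protocol decoders and a live directory integration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """First packet of a flow as the firewall sees it (constructed sample data)."""
    src_ip: str
    proto: str       # "TCP" or "UDP"
    dst_port: int
    payload: bytes   # first application bytes of the flow


# The post's convention "Port + Protocol = Application", as a lookup table.
PORT_APP_TABLE = {
    ("TCP", 25): "email",
    ("TCP", 21): "ftp",
    ("TCP", 80): "web",
}

# Site policy for the port-based firewall: only web and e-mail may leave the LAN.
ALLOWED_APPS = {"web", "email"}


def port_based_verdict(pkt: Packet) -> tuple:
    """Classic port-based check: infer the application from (protocol, port) only."""
    app = PORT_APP_TABLE.get((pkt.proto, pkt.dst_port), "unknown")
    return app, ("allow" if app in ALLOWED_APPS else "deny")


# Application identification from the first bytes of the flow, ignoring the port.
# These matchers are deliberately simplified (assumption for the example).
def _looks_like_http(p: bytes) -> bool:
    return p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE")


APP_SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("web", _looks_like_http),
    ("email", lambda p: p.startswith((b"EHLO ", b"HELO "))),
]


def identify_application(pkt: Packet) -> str:
    """Return the application name matched by the payload, or 'unknown'."""
    for name, matches in APP_SIGNATURES:
        if matches(pkt.payload):
            return name
    return "unknown"


# Stand-in for a directory lookup (e.g. Active Directory): a constructed
# IP-to-user mapping and a per-user policy. User names are hypothetical.
USER_DIRECTORY = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
USER_POLICY = {"alice": {"web", "email"}, "bob": {"web"}}


def app_aware_verdict(pkt: Packet) -> tuple:
    """NGF-style check: decide on the identified application and identified user."""
    app = identify_application(pkt)
    user = USER_DIRECTORY.get(pkt.src_ip, "unknown-user")
    allowed = USER_POLICY.get(user, set())   # users the directory does not know get nothing
    return app, user, ("allow" if app in allowed else "deny")


# Constructed flows chosen to show where the two approaches diverge.
SAMPLE_FLOWS = [
    Packet("10.0.0.5", "TCP", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("10.0.0.9", "TCP", 80, b"SSH-2.0-OpenSSH_9.0\r\n"),    # SSH on the web port
    Packet("10.0.0.5", "TCP", 8080, b"GET /api HTTP/1.1\r\n"),    # HTTP on an unexpected port
    Packet("10.0.0.9", "TCP", 25, b"EHLO mail.example.com\r\n"),  # bob is not allowed e-mail
    Packet("10.0.0.77", "TCP", 80, b"GET / HTTP/1.1\r\n"),        # source not in the directory
]


def compare(flows=SAMPLE_FLOWS) -> list:
    """Return (port-based verdict, app-aware verdict) for each flow."""
    return [(port_based_verdict(f)[1], app_aware_verdict(f)[2]) for f in flows]


if __name__ == "__main__":
    for f, (port_v, app_v) in zip(SAMPLE_FLOWS, compare()):
        app, user, _ = app_aware_verdict(f)
        print(f"{f.src_ip:>10} -> {f.proto}/{f.dst_port:<5} port-based={port_v:<5} "
              f"app-aware={app_v:<5} (app={app}, user={user})")
```

Running it shows the port-based check waving through SSH on port 80 and a user who is not entitled to e-mail, while blocking legitimate HTTP on port 8080; the application- and user-aware check gets all five right, and it also denies a source the directory cannot name, which is the identity-tied blocking the post describes.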
The leading firewall vendors have recognised the challenges of the traditional firewalls and several products have been released.
Cloud computing, consumerisation, compliance and the mobile workforce are all set to keep growing, and this will only add to the security pressure on the network.
I have since had another “firewall” conversation with my daughter. This time I was explaining to her what a next generation firewall is and surprisingly, it made more sense to her this time. Now every time she cannot access a website, she blames the firewall!