Hardware Today — Next-Gen Firewalls Reach High

by Ben Freeman

Firewalls have come a long way since their humble beginnings nearly 20 years ago. We look at the latest trends and examine Fortinet and SonicWALL, two lesser-known players with unique products.

Firewalls have come a long way since 1985, when U.S. Department of Defense experiments spawned basic packet filtering technologies.

At their most simple, firewalls protect networks from other untrusted networks by filtering packets based on origin, destination, application type (FTP/telnet), and packet type (TCP/UDP). Some firewalls also provide proxy server technology.

The rash of virus and worm infestations that began in the second half of 2003 altered the nature of organizations' firewall needs. This week, we look at how the latest crop of firewalls is fortifying enterprises with the addition of anti-spam, anti-virus, and anti-worm deep packet inspection capabilities. We will also spotlight two companies building firewalls with unique capabilities.

Today's Firewalls


Previous generations of firewalls were known as intrusion detection systems (IDSes). The main function of an IDS was to sound an alarm on detection of an intrusion. This was akin to "having a fire alarm but no fire department," Gartner Research Director for Security and Privacy Greg Young told ServerWatch.

But change is afoot. Today, firewall improvements are replacing IDSes with a new baseline — intrusion prevention systems (IPSes), Young said. Some vendors have already introduced IPS functionality directly into firewalls. These products can detect a worm, for example, while letting other, non-worm packets pass through at working speeds. Young describes this as a hand-in-glove fit because "firewalls typically block everything except things that are specifically allowed," whereas "IPSes allow everything except for the very specific [incoming data]."
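The two default postures Young contrasts, modelled as an added toy example that is not from the article: a header-based packet filter (origin, destination, application and packet type, as described earlier) that denies anything not explicitly allowed, followed by a payload signature check that allows anything not explicitly flagged. The addresses, rules and signature marker are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # "TCP" or "UDP"
    dport: int      # destination port
    payload: bytes = b""

# Packet-filter rules: (source network, destination host, protocol, port).
# Hypothetical addresses from the documentation ranges; the default is DENY.
ALLOW_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.0.2.10"), "TCP", 80),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_address("192.0.2.20"), "TCP", 23),
]

# IPS signatures: byte patterns looked for in the payload. The marker is a
# constructed test string, not a real worm signature; the default is ALLOW.
SIGNATURES = {"constructed-test-signature": b"TEST-SIGNATURE-MARKER"}

def firewall_allows(pkt: Packet) -> bool:
    """Default-deny: pass only if some explicit allow rule matches the headers."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(src in net and dst == host and pkt.proto == proto and pkt.dport == port
               for net, host, proto, port in ALLOW_RULES)

def ips_signature_hit(pkt: Packet):
    """Default-allow: return the name of a matching signature, or None."""
    return next((name for name, sig in SIGNATURES.items() if sig in pkt.payload), None)

def inspect(pkt: Packet) -> str:
    """Run the cheap header filter first, then the payload inspection on what it admits."""
    if not firewall_allows(pkt):
        return "DROP: no allow rule"
    hit = ips_signature_hit(pkt)
    return f"DROP: signature {hit}" if hit else "PASS"

if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "192.0.2.10", "TCP", 80, b"GET / HTTP/1.0\r\n"),
              Packet("203.0.113.5", "192.0.2.10", "TCP", 80, b"TEST-SIGNATURE-MARKER"),
              Packet("203.0.113.5", "192.0.2.10", "UDP", 80),
              Packet("10.1.2.3", "192.0.2.20", "TCP", 23)):
        print(p.src, "->", p.dst, p.proto, p.dport, inspect(p))
```

Note that the filter never consults the payload and the signature check never consults the headers: the combined appliance is useful precisely because each stage covers the other's blind spot.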

The key question enterprises now face is whether to use an all-in-one firewall with IPS built in or pair an IPS device with a firewall at the network front-end. Young cited bandwidth, architecture, and technology refresh cycle concerns as paramount in this determination. He argues that an enterprise generally chooses a solution based on the environment's individual quirks and concerns.

"There are always real concerns about performance when you start turning on deep packet inspection on a firewall," he said. Evaluate carefully, as "latency can really vary considerably between vendors."

Sometimes, keeping the IPS and firewall functionality separate makes sense, as "it reduces some risk," according to Young. For example, with a stand-alone IPS, "if you're going with a vendor and latency becomes an issue, you can swap it [the firewall] out," whereas if you're using a combined IPS/firewall, "you have all your eggs in one basket."

On the other hand, "from a management perspective, it's great to have it all in one; you have one vendor to deal with," Young said.

It may be more a matter of semantics, however, as even when the devices are kept separate, "quite often the differentiation is just there's a cable between them, so it's effectively one security appliance," he adds.

Gartner predicts firewall, anti-spam, anti-virus, and other traffic management technologies will converge in the next 12 to 24 months to be present in a single security appliance. The IPS deep packet inspection on the firewall is just one component, and by 2007, Young believes such devices will have matured enough to be customized based on the market segment they target.

Management Takes Priority

Manageability drives the decision more often than price, according to Young: "People are looking at this total cost of ownership and realizing that the command line interface isn't cutting it for multiple devices." Thus, larger enterprises tend to standardize on homogeneous firewalls from the same vendor. Training requirements also encourage homogeneity. A management standard for firewalls isn't in the cards at this time, as some firewalls still aren't using IPS technology and there is little incentive for vendors to standardize.

Enterprises looking to secure the perimeter more efficiently should look to IPS, as it covers patch management gaps. Young cites a 30-day to six-month window of heavy patch deployments after a vulnerability is announced. During this time, exploits that take advantage of the vulnerability may emerge faster than patches are actually deployed. Firewalls coupled with IPS function as a "Bandaid on the way to the hospital — a really good strategy," Young said.


Fortinet and SonicWALL Fortify the Enterprise

Gartner's Magic Quadrant matrix provides a graphical representation of a particular marketplace, positioning Leaders, Challengers, Niche Players, and Visionaries on two axes: Completeness of Vision and Ability to Execute. Cisco, Netscreen, and Checkpoint have traditionally occupied the Leaders quadrant in the IPS/firewall space, but they are now facing formidable challenges from new players.

One such challenge comes from Fortinet, a company that Gartner considers a Visionary in its April Magic Quadrant for Enterprise Firewalls. There, the research firm describes Fortinet's 2003 growth as "tremendous." With this growth, Fortinet's combined firewall, VPN, and anti-virus product has eaten into the bigger players' share of the market.

Fortinet's FortiGate 50, 60, 100, 200, and 300 firewalls are positioned for the SMB space. Philip Kwan, the company's Director of Product Management, describes these appliances as "ultimate all-in-one, real-time network protection solutions," adding, "organizations can now enjoy protection from the most damaging threats without penalties in performance, cost, or manageability."

The FortiGate 400, 500, 800, and 1000 platforms are designed with enterprises in mind. "With throughputs up to 1 Gbps; high-availability features, including automatic failover with no session loss; and multi-zone capabilities, units in the FortiGate Enterprise Series are the choice for mission-critical applications," Kwan said.

Fortinet also offers the even sturdier FortiGate 4000, 3000, and 3600 solutions, which include redundant, hot-swappable power supplies and fans, redundant failover, and high-availability firewall clustering. These firewalls, which are aimed at large enterprises and service providers, can be virtualized to function as up to 250 virtualized firewalls. They can also be set to push deep packet inspection with heuristic-based virus scanning by employing "complete content protection technology to reassemble and analyze content and behavior across hundreds or thousands of packets while maintaining real-time performance," Kwan said.

According to Kwan, SMBs tend to gravitate toward the 200 and 300 models, while enterprises prefer the 400 and 800 models.

SonicWALL is another praiseworthy player in the Gartner Magic Quadrant, falling into the Niche Player quadrant. The research firm notes, however, that the vendor lags on the deep packet inspection curve.

SonicWALL's PRO 5060, a firewall offering released in June, after the Magic Quadrant was published, may fill in these blanks. It offers a slew of deep-packet inspection features and add-ons, including anti-virus functionality, advanced wireless LAN features, and VPN support in a highly manageable solution.

"The ability to support layered security capabilities like deep-packet inspection is crucial to detect and prevent the new types of worms, Trojans, and other viruses prevalent today," SonicWALL Product Manager Scott Lukes said.

SonicWALL's TZ 170 series appliances suit the SMB, while its PRO series targets enterprises and larger midsize organizations. The PRO 2040 is universally popular due to its status as a "powerful yet affordable gateway," Lukes notes.

Both the PRO and TZ 170 lines offer wireless network management support, an area ripe for growth. "Businesses should try to ensure that they are able to secure both the wired and wireless network, and manage security policies for both from a single device," Lukes said.

Choose Wisely

Although enterprises cannot control their infrastructures with 100-percent certainty, firewalls and IPS systems cover many gaps and ease the burden of patching against everything. As Young put it, "not every vulnerability becomes an exploit, and not every one will result in the failure of your network," but "if you don't take action some will."

So the choice should be not whether to deploy a firewall, but which firewall to deploy.

This article was originally published on Tuesday Aug 31st 2004