BOSTON (06/05/2000) - The firewall has traditionally served as the sentry between the outside world of the Internet and the internal corporate network.
But the next generation of firewalls will be inside the corporate network's perimeter on Web servers, PCs, modems and silicon chips.
They're known as distributed firewalls, and they're the next line of defense against hackers who breach traditional firewalls guarding the edge of corporate networks by exploiting open firewall ports as well as e-mail servers.
Distributed firewalls, still in their infancy in terms of reporting, configuration and management capabilities, are gaining more attention. However, there's much debate among security vendors and analysts on their intrinsic value.
Added firepower
Network managers tend to see distributed firewalls as added firepower against an implacable foe, the hacker.
"It's a dual protection," says Rick Shantery, senior network engineer at Intellinetics, a document management firm in Columbus, Ohio. He added CyberWallPlus embedded firewall software, a product from Network-1 Security Solutions, to his internal servers after he reached the painful conclusion that hackers occasionally made it though the WebRamp Internet access and firewall box Intellinetics uses.
"I could see from the log data they were coming in," he says. "These deliberate hack attacks happen daily, along with SYN floods. If they make it through, the embedded firewall in the server is there to stop them. You don't really have to have the perimeter firewall."
However, many would argue that point.
"The perimeter firewall is a necessity," says Raphael Reich, product marketing manager at Check Point Software Technologies Ltd., which has augmented its Network-1 perimeter firewall line with two types of distributed firewall software. The first is Secure Server software, which is a distributed firewall for Windows NT or Unix; the second is Secure Client, a desktop firewall.
"The perimeter firewall doesn't protect you from the bad guys inside the network," Reich says. "But people should not be replacing perimeter firewalls with distributed ones."
Drawbacks to the conventional firewall have been given greater scrutiny of late by some of the top firewall experts.
In the paper "Distributed Firewalls," Steven Bellovin, an AT&T Corp. Labs researcher and author of the classic "Firewalls and Internet Security," casts a critical eye on the traditional DMZ-style firewall guarding the Internet zone.
He calls such firewalls network chokepoints that do little to stop inside attacks.
"On the other hand, distributed firewalls can reduce the threat of actual attacks by insiders, simply by making it easier to set up smaller groups of users. Thus, one can restrict access to a file server to only those who need it, rather than letting anyone inside the company pound on it," Bellovin states in his paper.
In Bellovin's view, the distributed firewall on servers and desktops should provide a mechanism for policy control administered through systems management tools, augmented with intrusion detection and preferably, IP Security-based encryption.
Falling short
However, the products available today fall far short of that vision. Network-1 CEO Avi Fogel acknowledges the CyberWallPlus line for server and desktop firewalls has no reporting capability. Check Point's personal desktop firewall also can't be reconfigured. "Today, it's one policy for all," says Greg Smith, Check Point's director of marketing.
Axent Technologies, which markets the Raptor perimeter firewall, has had a personal desktop firewall out for about three months. There's no central way to manage it, though that's expected to change in a future release.
Some security vendors have mixed feelings about distributed firewalls.
Network Associates Inc. bought the company Signal 9 six months ago for the firm's personal desktop firewall, and the company is now adding alerting and reporting to it so the next release will be an integrated intrusion-detection, firewall and VPN product.
But Mark McArdle, a vice president in Network Associates' managed security services division, questions the value of running firewall software directly on the Web server. The traditional method involves placing a firewall on a separate box in front of the server for departmental LANs or at the perimeter.
"Applications on servers are usually managed by different people than the ones who manage firewalls," McArdle says. "Application servers tend to be changed with a little more of a cavalier attitude, which could affect the firewall on it."
In addition, having the firewall on the server rather than in front of the box might make it harder to filter attacks.
John Pescatore, research director for network security at the Gartner Group Inc. consultancy, concurs.
"The problem is the Webmasters control the Web server," Pescatore says, noting that when they make wholesale changes, it could destroy the efficacy of the firewall software on it. "There's no chance firewall software will survive on the server. Web server firewalls won't be widely used."
Pescatore is bullish on the idea of embedding firewalls in silicon, something that Secure Computing is undertaking with 3Com Corp. in the Typhoon network processor and WatchGuard is trying to do by licensing its Firechip silicon for modems. Hardware will support faster packet processing than software, he says.
Expressing a view shared by many others, Pescatore doesn't advise ditching the perimeter firewall for host-based firewalls.
Framingham, Massachusetts, market research firm International Data Corp. says approximately $1 billion worth of firewall gear was sold worldwide last year.
The organization notes that demand for personal firewalls will increase as more corporations adopt DSL and cable modem connections for branch offices and telecommuters.
With these high-speed services always "on," end users' computers are more vulnerable to port scans and attacks. But some observers believe hardware-based firewall appliances, perhaps embedded in modems, may trump host-based software firewalls because they can be better managed at present and provide better protection.
There's one point nobody seems to debate: Corporations will likely spend more money to fortify their networks with the new generation of distributed firewalls.
"It does cost more money than just having a perimeter firewall," Intellinetics' Shantery says.