Advanced Intrusion Defense

Joel Snyder
Opus One
[email protected]
Traditional perimeter technology is being… supplemented?
A firewall is not just a firewall anymore
 Firewalls now have “advanced application intelligence”
  • Actually, they had that already, but the marketroids had to keep themselves busy.
 Firewalls now are “intrusion prevention systems”
  • Isn’t every firewall an intrusion prevention system?
 Firewalls now do virus scanning, content scanning, and ironing.
 Application-layer firewalls are needed to protect legions of inadequate Web programmers.
A firewall is not just a firewall anymore, II
 IDS has been replaced by IPS.
  • (No, I don’t believe that, I’m just repeating awful rumors.)
 Worms now outnumber viruses in your e-mail by a factor of 20 to 1.
 Spam represents 50% to 75% of all e-mail you receive.
Key Question: Do you need this?
 Do you need to buy (or upgrade) to a bigger, smarter, faster, more capable firewall?
 Do you need to buy an IPS?
 …an application layer firewall?
 …a smarter IDS?
 …an SSL VPN device?
 Do I want an all-in-one thing?
 Do I want individual parts?
 The answer you’ve been waiting for… is on the very next slide!
Should I buy a lot of this new security stuff?
And if I do buy this, what kind should I buy?
And where should I put it?
And which product should I buy?
Answer: 42
I can’t tell you what is right for your network
 I can tell you what products are out there and what they are doing
 But the hard work remains yours
 I can also tell you what the trends are in these products
So let’s look at what’s happening in the firewall business
March, 2004: Information Security sponsors research on new firewall technologies
 Products from Check Point, Cyberguard, NetScreen, Nortel Networks, Symantec, Secure Computing, Watchguard
 Support from Andy Briney, Neil Roiter at Information Security
http://infosecuritymag.techtarget.com/
Firewalls have been around for a very long time
“[AT&T’s gateway creates] a sort of crunchy shell around a soft, chewy center.”
(Bill Cheswick, Design of a Secure Internet Gateway, April, 1990)
[Timeline slide, axis 1989 to 2005; milestones shown:]
 First firewalls deployed in Internet-connected organizations
 TIS toolkit commonly available
 “Firewalls and Internet Security” published
 Cisco buys PIX (Network Translation)
 CheckPoint revenues cross $100m
 WatchGuard introduces 1st FW appliance
Surely firewall makers have been busy since 1999?
Clear market trends
 Faster
 Cheaper
 Smaller
  • New Guard: NetScreen (Juniper), Watchguard, SonicWALL
  • Old Guard: Cisco, Check Point
Clear product trends
 Add VPN features
  • Site-to-site
  • Remote Access (?)
 Add policy-based URL control
  • Websense-type
 Add interfaces
  • No longer just inside, outside, DMZ
Shirley firewall makers have been busy since 1999?
Incremental improvements are not very exciting
 Smaller, cheaper, faster: that’s great
 VPNs, more interfaces: that’s great
 But what have you done for me lately?
 To answer that, we need to digress to the oldest battle in all of firewall-dom: proxy versus packet filter!
Arguments between Proxy and Stateful PF continued
Proxy
 More secure because you can look at application data stream
 More secure because you have independent TCP stacks
Stateful PF
 Faster to write
 Faster to adapt
 Faster to run
 Faster also means cheaper
Proxy-based firewalls aren’t dead… just slow!
[Diagram: the proxy runs in process space above the TCP/IP stack, while packet filtering runs in the kernel. Inside network = 10.1.1.0/24; outside address = 1.2.3.4. A connection from inside (Src=10.1.1.99, Dst=5.6.7.8) is terminated by the proxy and leaves on the outside as Src=1.2.3.4, Dst=5.6.7.8.]
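To make the proxy-versus-stateful-filter argument concrete, here is an added example (not part of the talk, and not any vendor's code) of a toy stateful packet filter. It decides on the 5-tuple and a connection table only, which is why it is fast to write and run, and it lets a payload through untouched even when that payload is something an application-layer proxy would have read. The addressing follows the slide's diagram (inside network 10.1.1.0/24); the class and function names and the sample traffic are constructed for this example.

```python
from dataclasses import dataclass

# Constructed addressing taken from the slide's diagram: inside network 10.1.1.0/24.
INSIDE_PREFIX = "10.1.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "FA", "R"
    payload: bytes = b""


class StatefulPacketFilter:
    """Toy stateful packet filter (an assumed model, not a vendor's implementation).

    Every decision is a lookup on the 5-tuple plus a connection table; the
    payload is never examined. That is exactly why this is fast, and why a
    proxy, which terminates TCP and reads the stream, can see more.
    """

    def __init__(self, allowed_outbound_ports):
        self.allowed_ports = set(allowed_outbound_ports)
        # connection table: (client ip, client port, server ip, server port) -> state
        self.table = {}

    @staticmethod
    def _is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def handle(self, p):
        """Return ("ACCEPT" | "DROP", reason) for one packet."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)

        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            state = self.table[key]
            if "R" in p.flags:
                del self.table[key]                 # a reset tears the entry down
                return "ACCEPT", "reset on tracked flow"
            if state == "SYN_SENT":
                if key == rev and p.flags == "SA":
                    self.table[key] = "ESTABLISHED"  # the server answered the SYN
                    return "ACCEPT", "syn-ack completes handshake"
                if key == fwd and p.flags == "S":
                    return "ACCEPT", "syn retransmit"
                return "DROP", "only syn-ack expected in SYN_SENT"
            if "F" in p.flags:
                self.table[key] = "CLOSING"
            return "ACCEPT", "part of tracked flow"   # payload is not inspected

        # No state yet: only an outbound SYN from inside to an allowed port opens a flow.
        if p.flags == "S" and self._is_inside(p.src) and not self._is_inside(p.dst):
            if p.dport in self.allowed_ports:
                self.table[fwd] = "SYN_SENT"
                return "ACCEPT", "new outbound flow"
            return "DROP", f"port {p.dport} not permitted outbound"
        return "DROP", "no matching state"


def run(packets, fw=None):
    """Feed a packet list through a filter and return the verdicts in order."""
    fw = fw if fw is not None else StatefulPacketFilter(allowed_outbound_ports={80, 443})
    return [fw.handle(p)[0] for p in packets]


# Constructed traffic: one legitimate web session plus two things the filter must refuse.
SAMPLE = [
    Packet("10.1.1.99", 40000, "5.6.7.8", 80, "S"),                       # inside opens to the web server
    Packet("5.6.7.8", 80, "10.1.1.99", 40000, "SA"),                      # server answers
    Packet("10.1.1.99", 40000, "5.6.7.8", 80, "A", b"GET / HTTP/1.0\r\n\r\n"),
    Packet("5.6.7.8", 80, "10.1.1.99", 40000, "A",
           b"HTTP/1.0 200 OK\r\n\r\n<script>...</script>"),             # content passes unseen
    Packet("5.6.7.8", 12345, "10.1.1.99", 22, "S"),                       # unsolicited inbound SYN
    Packet("10.1.1.99", 40001, "5.6.7.8", 23, "S"),                       # outbound telnet, not permitted
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, pkt.flags)
```

The fourth packet is the point of the slide: the filter accepts it because the flow is tracked, and it has no opinion about the `<script>` in the body. Adding that opinion means reassembling the stream, which is the proxy's job and its cost.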
Firewall Landscape: Five years ago
 IBM eNetwork
 NetGuard
 Secure Computing
 WatchGuard
 Altavista Firewall
 SonicWALL
 TIS Gauntlet
 Check Point
 Raptor Eagle
 Livermore Software
 Elron
 Milkyway
 Cyberguard
 Borderware
 Ukiah Software
 Global Internet
Stateful Packet Filtering dominates the market
Check Point; Cisco; NetScreen; SonicWALL
Freeware-based products: Ipchains, IPF, Iptables, IPFW
FW Newcomers: Fortinet, Toshiba, Ingate, ServGate, many others
[Diagram: stateful packet filtering implemented at the IP layer inside the kernel.]
But, the core argument was never disputed
 Proxy-based firewalls do have the possibility to give you more control because they maintain application-layer state information
 The reality is that proxy-based firewalls rarely went very far down that path
Why? Market demand, obviously…
Firewall Evolution: What we hoped for…
 Additional granular controls on a wide variety of applications
 Intrusion detection and prevention functionality
 Vastly improved centralized management systems
 More flexible deployment options
Firewall Evolution: What we found…
 Additional granular controls on some applications (not “a wide variety”)
 Limited intrusion detection and prevention functionality
 Vastly improved centralized management systems
 More flexible deployment options
Why? Market demand, obviously…
Additional Granular Controls focused on a few applications
 Everybody loves HTTP management
  • Header filtering
  • Embedded Data blocking (Javascript)
  • Virus scanning, URL Filtering
  • File type & MIME type blocking
 Other applications are piecemeal
  • FTP
  • VoIP
  • SMTP
  • File Sharing
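The four HTTP controls listed above (action controls, file type and MIME type blocking, header filtering, embedded data blocking) are simple to state and fiddly to get right, so here is an added example, not from the talk or any of the surveyed products, of what such a policy looks like as code. It parses a raw HTTP request or response head and applies a constructed policy; `POLICY`, the function names and the sample messages are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed policy illustrating the four control types named on the slide.
# The names and values are assumptions for this example, not any vendor's defaults.
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},                        # HTTP action controls
    "blocked_extensions": {".exe", ".zip"},                            # file type blocking
    "blocked_mime": {"application/x-msdownload", "application/zip"},   # MIME type blocking
    "strip_response_headers": {"server", "x-powered-by"},              # header filtering
    "blocked_embedded": ("<script", "<applet", "<object"),             # embedded data blocking
}


def parse_head(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _ext_of(name: str) -> str:
    """Lower-cased extension of a path or filename, or '' if it has none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def check_request(raw: bytes, policy=POLICY):
    """Decide whether a client request may pass: (verdict, reason)."""
    start, _, _ = parse_head(raw)
    parts = start.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "DENY", "malformed request line"
    method, target = parts[0], parts[1]
    if method not in policy["allowed_methods"]:            # action control
        return "DENY", f"method {method} not permitted"
    ext = _ext_of(urlsplit(target).path)                    # query string is ignored
    if ext in policy["blocked_extensions"]:                 # file type blocking
        return "DENY", f"file type {ext} blocked"
    return "ALLOW", "request passes policy"


def filter_response(raw: bytes, policy=POLICY):
    """Decide on a server response: (verdict, reason, rewritten message).

    On DENY the rewritten message is empty; on ALLOW it is the original with
    the filtered headers removed (header names come back lower-cased).
    """
    start, headers, body = parse_head(raw)
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    if mime in policy["blocked_mime"]:                      # MIME type blocking
        return "DENY", f"MIME type {mime} blocked", b""
    disp = headers.get("content-disposition", "")
    m = re.search(r'filename="?([^";]+)"?', disp)
    if m and _ext_of(m.group(1)) in policy["blocked_extensions"]:
        return "DENY", f"attachment {m.group(1)} blocked by file type", b""
    if mime == "text/html":                                 # embedded data blocking
        lowered = body.lower()
        for tag in policy["blocked_embedded"]:
            if tag.encode() in lowered:
                return "DENY", f"embedded {tag} content blocked", b""
    kept = [start] + [f"{k}: {v}" for k, v in headers.items()
                      if k not in policy["strip_response_headers"]]   # header filtering
    rebuilt = "\r\n".join(kept).encode("latin-1") + b"\r\n\r\n" + body
    return "ALLOW", "response passes policy", rebuilt


if __name__ == "__main__":
    # Constructed sample messages.
    print(check_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(check_request(b"DELETE /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(filter_response(b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>hi</html>")[:2])
```

Note that the request-side check only sees what the client asked for, while the attachment and MIME checks need the server's response head; a product that decides "by filename only, no MIME blocking" (as several in the comparison do) is skipping the second half of this.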
HTTP-oriented features served “pressure points”
[Feature matrix covering Netscreen, WatchGuard, CyberGuard, Secure Computing, Symantec and Check Point; the per-product cell layout did not survive extraction, so the observed values are grouped by column.]
HTTP action controls: None; Post; Post/Put/Delete; Get/Post/Put/Head; All; can block ‘upload’ only
Filename & MIME type blocking: filename only, no MIME blocking; filename .EXE & .ZIP only, no MIME blocking; filename by wildcard, no MIME blocking; filename blocking by extension; MIME blocking; filename & MIME type blocking
Header filtering: Full; Limited set; No
SOAP controls: Basic; Block/Allow; No
URL translation: Yes; No
Can block within HTTP…: ActiveX, Java; ActiveX, Java, Cookies; ActiveX, Java, Javascript, VBScript; ActiveX, Java, Javascript, VBScript, XML; WebDAV, DCOM
Virus detection: None; Yes, external server; Yes, internal or external server; Local scanning; Local scanning, 2 types (signature/heuristic)
URL filtering/blocking: WebSense; WebSense plus local URL list; WebBlocker; Smartfilter and local URL list; Rating system and local URL list; OPSEC and local URL list
Advanced Controls are diverse across products
[Table: products (CyberGuard, Netscreen, WatchGuard, Secure Computing, Symantec, Check Point) against the protocols for which each offers advanced controls (FTP, H.323, HTTP, LDAP, NNTP, RealAudio, SIP, SMTP, POP, DNS, IMAP, Socks, SNMP, CIFS); the per-product marks did not survive extraction.]
• Differentiating between “advanced” controls and “basic” controls was easy to do.
• Proxy-based firewalls proved to be almost indistinguishable from their “insecure” stateful packet filtering brethren.
• Vendors appear to be reactive, not proactive.
Virus Scans and Policy Controls are simple, right?
 No! Some firewalls insisted on having virus and/or URL scanning happen “off box”
 No! Some firewalls can’t configure where you scan for viruses
 No! Some devices don’t have virus scanning
 No! Some firewalls don’t support a local list of blocked URLs
Conclusion: it’s not simple
We’ve learned how to write good GUIs, haven’t we?
Not in the firewall business, we haven’t
Additional granularity means additional thinking about resources
Products are … disappointing
The firewall people have a lot to learn from the SSL VPN people
Centralized management has improved a bit
Folks who had it are doing slightly better than they were
Folks who didn’t have it now generally have something
We’re still missing a general policy management system for firewalls
Many of the centralized management tools have very rough edges
“Intrusion” is the new buzzword in security
Rate-based IPS technology
 In firewalls, means “SYN flood protection”
 May be smart (NS)
 May include shunning (SecComp, WG, CP)
Content-based IPS technology
 Based on IDS-style thinking
 May have small signature base (NS, CP)
 May be an “IDS with the IPS bit on” (Symantec)
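The two IPS styles above differ in what they look at: rate-based protection counts events per source and may shun the source for a while, content-based protection matches payloads against signatures and drops on a hit. The following is an added example, not from the talk or any product, that models both in a few dozen lines so the difference is visible on sample traffic; the thresholds, the two signatures, and the event format `(timestamp, source, flags, payload)` are constructed assumptions.

```python
import re
from collections import defaultdict, deque


class RateBasedIPS:
    """SYN-flood protection with shunning (an assumed model, not a vendor's).

    A source that sends more than `syn_threshold` bare SYNs inside `window`
    seconds is shunned: every packet from it is dropped for `shun_seconds`.
    """

    def __init__(self, syn_threshold=20, window=1.0, shun_seconds=60.0):
        self.syn_threshold = syn_threshold
        self.window = window
        self.shun_seconds = shun_seconds
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.shunned = {}                     # src -> time the shun expires

    def observe(self, ts, src, flags):
        """Return ("ACCEPT" | "SHUN" | "DROP", reason) for one packet header."""
        expiry = self.shunned.get(src)
        if expiry is not None:
            if ts < expiry:
                return "DROP", "source is shunned"
            del self.shunned[src]             # shun expired; start counting afresh
            self.syn_times[src].clear()
        if flags == "S":                      # a bare SYN, not a SYN-ACK reply
            q = self.syn_times[src]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()                   # slide the window
            if len(q) > self.syn_threshold:
                self.shunned[src] = ts + self.shun_seconds
                return "SHUN", f"{len(q)} SYNs in {self.window}s"
        return "ACCEPT", "within rate"


# Constructed signatures in the style of an IDS rule set, for illustration only:
# a directory traversal pattern and a SQL tautology in a request line.
SIGNATURES = [
    ("TRAVERSAL", re.compile(rb"\.\./\.\./")),
    ("SQL-TAUTOLOGY", re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
]


class ContentBasedIPS:
    """IDS-style payload matching with the “IPS bit on”: a hit drops the packet."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures

    def inspect(self, payload):
        for name, pattern in self.signatures:
            if pattern.search(payload):
                return "DROP", f"signature {name}"
        return "ACCEPT", "no signature match"


def process(events, rate=None, content=None):
    """Run (ts, src, flags, payload) events through both engines, rate-based
    first, and return the verdict for each event."""
    rate = rate if rate is not None else RateBasedIPS()
    content = content if content is not None else ContentBasedIPS()
    verdicts = []
    for ts, src, flags, payload in events:
        verdict, _ = rate.observe(ts, src, flags)
        if verdict == "ACCEPT" and payload:
            verdict, _ = content.inspect(payload)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Constructed traffic: a 25-SYN burst from one source, then two web requests.
    events = [(i * 0.01, "198.51.100.7", "S", b"") for i in range(25)]
    events += [
        (1.0, "198.51.100.9", "A", b"GET /index.html HTTP/1.0"),
        (1.1, "198.51.100.9", "A", b"GET /images/../../../secret.txt HTTP/1.0"),
    ]
    for ev, verdict in zip(events, process(events)):
        print(f"{ev[0]:6.2f} {ev[1]:<14} {ev[2]:<3} {verdict}")
```

The rate engine needs nothing but headers and a clock, which is why it fits comfortably into a packet filter; the content engine is only as good as its signature list, which is the "small signature base" caveat on the slide.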
So what’s going on in the firewall business?
 Products are diverging, not converging.
 Personalities of products are distinct.
 IPS is a step forward, but not challenging the world of standalone products.
 Rate of change of established products is slow compared to new entries.
What does this mean for me and my firewall?
 Products are diverging
 Personalities are distinct
 IPS weaker than standalone
 Change rate slow
 Matching firewall to policy is hard; change in application or policy may mean changing product!
 Aggressive adoption of new features unlikely in popular products; need new blood to overcome product inertia