Application Firewalls

Recently the idea of application firewalls has had something of a second coming. Some vendors sell them as all-in-one boxes, like the locally made Unix-based ‘Netbox Blue’. Others, such as Palo Alto and McAfee, call their products application firewalls, and the more enthusiastic marketers use phrases like “next generation”. But the idea is neither new nor ground-breaking. Opening packets up to OSI layer 7 on a firewall was being done by vendors like Raptor back in 1997, and even the Wikipedia page on firewalls points out that application firewalls predate stateful inspection. In the old days they were also called proxy-based firewalls, because an application-level proxy (or daemon) terminated the connection and looked at the data at the application layer.
In this debate there are two philosophical ends of a scale. At one end is the idea that ingress/egress control should be kept separate from content control; at the other end people try to do both at the same time. Cisco was the original champion of the pure network-layer firewall. The vendors of pure application-level firewalls have largely disappeared from the market, and it has been a long time since anyone claimed to open every packet to layer 7. The other dominant player at the time was Checkpoint, who chose a middle ground: network-layer filtering for most traffic, with some packets opened to layer 7. Almost every vendor followed the Checkpoint model; even Cisco now has options to open packets to layer 7, and a firewall that only filters on addresses and ports has not been sold for many years. We call the Checkpoint model of firewall a Hybrid.
In security terms we think about it this way. At the gateway there are two different things going on, for which I use the analogy of an airport. When you arrive in a country, immigration is concerned with simple things: who are you, and do you have any right to be here? Assuming you pass that test, a second group, customs, has other concerns. They don’t care about your passport or your right to be there; they want to know what is in your bag and whether you are smuggling anything. The same two checks happen in your network. The firewall’s primary and most important concern is immigration: what is this traffic doing here, and does it have any right to pass through in the first place? Only once that is settled can the secondary question be asked: what is inside the traffic I have allowed?
It may appear to be a good idea to open every network packet to layer 7, which is what an application firewall seems to promise. But there are no known exceptions to the law of conservation of energy, so every gain has a cost to be paid somewhere in the system. In this instance the cost is performance and, by extension, money.
Ever since gigabit networking was rolled out, vendors have been trying to open the live data stream for scanning in real time. The first to do it were a company called IntruVert Networks, who built an IPS appliance called the IntruShield. It could pick up every single network packet, process it to layer 7, run a full policy set, and put it back on the wire within a few milliseconds so as not to break VoIP and other time-sensitive traffic. The smallest model they made was only rated for 100Mbit networks, and it needed no fewer than 20 custom ASICs, because the only way to hit that rate was massive parallel processing. Before they had sold many IntruShields the company was bought by McAfee for around US$100 million in cash (not shares), back when that was a great deal of money. With this in mind we could tell straight away that, with the hardware of the day, a box running on a general-purpose Intel processor could not open every packet to layer 7 at even 100Mbit: either the vendor was exaggerating, the box was not running a full policy, or it only kept up part of the way to 100Mbit. Snort’s technical white papers of the period document the same performance issues. (The absolute numbers have moved since then: commodity multi-core x86 with kernel-bypass packet I/O now inspects multi-gigabit links, but the trade-off itself has not gone away; every byte you open at layer 7 is paid for in CPU cycles, and the budget per packet at line rate is fixed.)
All this is to suggest that, whilst the latest generation of application firewalls may have high levels of application detection, they certainly do not open every network packet to layer 7. In my book that makes them basically Hybrid devices, with some packets being opened to layer 7 and some not.
There are other questions around attempting to do everything on a single box. What is the point of spending resources opening a Skype packet to layer 7? It is a proprietary protocol and it is encrypted, so what were you planning to do with the contents? And if I combine customs and immigration into one process, how confusing will that user interface be? Our current view is that traffic control and content control are very different in load, challenge and focus, so we chose many years ago to support devices that provide separate functions rather than rolling everything up into one big tar ball. That is not to say our general approach might not change in the future, but with IPv6 coming we expect network-layer processing loads to increase substantially in the next 18-36 months, so this position seems unlikely to change in the short term.
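The airport model above, together with the Hybrid conclusion and the point about encrypted traffic, can be shown as a small two-stage pipeline. This is an added illustration, not code from any vendor or from the original article: an "immigration" stage decides admission from the 5-tuple, and only flows whose rule says so are handed to a "customs" stage that looks at the payload. The rule set, the two signatures, the packets and the per-packet time budget function are all constructed here for the example; the budget function assumes the standard 8-byte preamble and 12-byte inter-frame gap on Ethernet.

```python
"""Hybrid gateway model: immigration (may this flow pass?) then customs
(what is inside?), with customs only run for flows the policy marks for
inspection.  Added example; not any product's code."""

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    src_net: Optional[str] = None  # CIDR, None matches any source
    inspect: bool = False          # hand allowed flows to customs?


def immigration(pkt: Packet, rules: List[Rule]) -> Rule:
    """Stage 1: first matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.src_net is not None and (
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src_net)
        ):
            continue
        return r
    return Rule("deny")


# Constructed layer-7 signatures for the customs stage (illustrative only).
CUSTOMS_SIGNATURES = {
    "sqli_union": re.compile(rb"(?i)union\s+select"),
    "path_traversal": re.compile(rb"\.\./\.\./"),
}


def customs(pkt: Packet) -> List[str]:
    """Stage 2: content inspection; returns the names of matched signatures."""
    return [name for name, rx in CUSTOMS_SIGNATURES.items() if rx.search(pkt.payload)]


def gateway(pkt: Packet, rules: List[Rule]) -> Tuple[str, str, List[str]]:
    """Returns (verdict, stage that decided, signature hits)."""
    rule = immigration(pkt, rules)
    if rule.action == "deny":
        return ("deny", "immigration", [])
    if not rule.inspect:
        # Allowed without being opened: the Hybrid case (e.g. opaque TLS/Skype).
        return ("allow", "immigration", [])
    hits = customs(pkt)
    return ("deny" if hits else "allow", "customs", hits)


def per_packet_budget_us(link_bps: float, frame_bytes: int) -> float:
    """Microseconds available per frame at line rate.  Assumes Ethernet with
    an 8-byte preamble and 12-byte inter-frame gap on top of the frame."""
    wire_bits = (frame_bytes + 20) * 8
    return wire_bits / link_bps * 1e6


# Constructed policy: inspect web, pass TLS unopened, DNS from the LAN only.
POLICY = [
    Rule("allow", proto="tcp", dport=80, inspect=True),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", proto="udp", dport=53, src_net="10.0.0.0/24"),
]

# Constructed sample traffic.
SAMPLE = {
    "web_ok": Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    "web_sqli": Packet("10.0.0.7", "192.0.2.10", "tcp", 80,
                       b"GET /item?id=1%20UNION SELECT password FROM users HTTP/1.1\r\n"),
    "tls_opaque": Packet("10.0.0.7", "192.0.2.11", "tcp", 443, b"\x16\x03\x01\x02\x00\x01"),
    "dns_outside": Packet("203.0.113.9", "192.0.2.53", "udp", 53, b"\x12\x34\x01\x00"),
    "telnet": Packet("10.0.0.7", "192.0.2.12", "tcp", 23, b"\xff\xfb\x01"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:12s} -> {gateway(pkt, POLICY)}")
    print(f"budget at 100Mbit, 64-byte frames: {per_packet_budget_us(100e6, 64):.2f} us")
```

Note what the pipeline does and does not do: the SQL-injection packet is caught only because port 80 traffic is marked for inspection, the TLS packet is admitted on immigration alone and never opened, and the DNS packet from outside the LAN never reaches customs at all. The budget function makes the performance argument concrete: at 100Mbit with minimum-size frames there are under seven microseconds per packet, and at 1Gbit under one, which is the envelope any inspection stage has to fit inside if it really opens everything.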
Undoubtedly the organizational need to apply control over protocols like instant messaging and peer-to-peer programs is increasing. However, we do not agree that a new wave of application firewalls is the inevitable conclusion to that need.
