A brief history of firewalls and the rise of UTM
GUEST BLOG by RICHARD STIENNON
In this guest edition of our blog, security expert and Chief Research Analyst for IT Harvest, Richard Stiennon, offers a sneak preview from his forthcoming book, Cyber Defence: Countering Targeted Attacks.
The gateway is the first line of defense against attack. The ever present escalation of attacks has led to continuous development of defenses that have been deployed at the network perimeter. In this chapter we start by demonstrating what that looks like in the typical large organization. Then we present the arguments for collapsing the myriad defensive tools into a single appliance, dubbed UTM (Unified Threat Management) by IDC. In the following chapters we will look at the component technologies for Firewalls, IPS, and secure web gateways, that many organizations have already deployed. We will suggest best practices for deploying and managing those technologies.
Network gateway protection has evolved over the last fifteen years.
The earliest firewalls were proxies deployed in front of a network, just behind the primary router. A proxy is a server, usually running a version of Unix. When an internal system attempts to connect to the outside, it actually connects to the proxy, which acts as a man in the middle: it accepts requests and forwards them on to the destination. It is then able to apply filters to the response, usually restricting responses to a fixed set of acceptable ones. Proxies have security advantages over the predominant firewalls of today, but because each type of network connection has to be replicated, the proxy has a lot of work to do and invariably cannot keep up.
The first generation of successful commercial firewalls was created by Check Point Software. By introducing stateful inspection, an efficient way to handle policies and network connections, Check Point became a dominant player in the security space. Cisco, and then Netscreen, founded by Ken Xie, introduced the next generation of firewalls, which ran stateful inspection software on optimized hardware platforms. Stateful inspection is a simple and efficient method of managing network connections. The initial request for a connection is evaluated by looking at the packet headers: the source, destination and port information in those headers is compared to a set of rules (the firewall policy), and once the connection is allowed, the firewall records it in a state table so that the decision does not have to be processed more than once.
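To make the mechanism concrete, here is an added simulation of stateful inspection (example code written for this post, not from the book or any vendor): a constructed policy is consulted only for packets that open a connection, and a state table keyed on the source/destination address and port pair lets later packets of the same flow, and its return traffic, pass without touching the rules. Packet fields, addresses and the policy are all assumed for the example.

```python
from typing import Dict, List, Tuple

# Constructed policy for the example: (src_prefix, dst_ip, dst_port, action).
# A dst_ip of "" or dst_port of 0 means "any". Rules are checked top-down.
POLICY = [
    ("10.0.0.", "203.0.113.10", 443, "allow"),
    ("10.0.0.", "203.0.113.10", 80, "allow"),
    ("", "", 0, "deny"),  # explicit default deny
]

def pkt(src: str, sport: int, dst: str, dport: int, flags: str) -> dict:
    """Constructed packet header: only the fields stateful inspection uses."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.state: Dict[Tuple[str, int, str, int], str] = {}  # the state table
        self.policy_lookups = 0  # how often the rule set had to be consulted

    def _match_policy(self, p: dict) -> str:
        self.policy_lookups += 1
        for src_prefix, dst_ip, dst_port, action in self.policy:
            if (p["src"].startswith(src_prefix)
                    and dst_ip in ("", p["dst"])
                    and dst_port in (0, p["dport"])):
                return action
        return "deny"

    def process(self, p: dict) -> str:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.state:              # same direction as the opening packet
            return "allow"
        if rev in self.state:              # return traffic for a known flow
            self.state[rev] = "ESTABLISHED"
            return "allow"
        if p["flags"] != "SYN":            # no state and not a connection request
            return "deny"
        action = self._match_policy(p)     # only new connections hit the rules
        if action == "allow":
            self.state[key] = "NEW"
        return action

def run_trace(packets: List[dict]) -> Tuple[List[str], int]:
    """Run packets through a fresh firewall; return decisions and rule lookups."""
    fw = StatefulFirewall(POLICY)
    return [fw.process(p) for p in packets], fw.policy_lookups
```

Note that a stray mid-stream packet with no matching state entry is dropped without ever reaching the policy, which is the behaviour that distinguishes stateful inspection from a plain packet filter.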
The third generation of firewalls came about when Netscreen acquired one of the first Intrusion Prevention (IPS) vendors, OneSecure, founded by Nir Zuk, a former Check Point employee, and bundled rudimentary IPS functionality into their firewalls. For the record, the other IPS vendors that simultaneously introduced the ability to scan and detect network attacks such as worms were Reflex Technologies, which has evolved into a virtualization security firm, Intruvert which was acquired by McAfee (now part of Intel), and Tippingpoint which is now in the hands of HP. Netscreen was acquired by Juniper Networks in 2004.
We are now well into the appearance of the Next Generation Firewall: network appliances that look at all the packets traversing them and determine their threat potential based on numerous factors such as malware, exploits, and source URL. There is some confusion in the literature over the difference between traditional firewalls and this next generation, which has become known as UTM, Unified Threat Management, a term coined by Charles Kolodgy of IDC. Cisco, for instance, includes IPS or anti-virus functionality in its ASA firewalls by attaching a separate card that can run separate security applications, but that is just a stepping stone to UTM.
Because multifunction appliances got a bad reputation from some of the original products, which simply bundled open source security software on Linux boxes that did not have the required performance, there is a tendency to confuse the market with different labels. You will see anti-spam firewalls, application-aware firewalls, and identity-based firewalls, but most of these share capabilities that derive from the ability to assemble packets and analyze them at high speed. IDC calls these "complete content inspection firewalls," but it will not be long until UTM functionality in a firewall is a given. Product and vendor choice will, as always, depend on performance, ease of deployment and management, and vendor viability and support.
But is UTM just a replacement for the firewall and the many other gateway security devices? Or is there a greater purpose for powerful network platforms? I believe so. Driven by rapid changes in computing architectures such as data center consolidation and cloud-delivered applications, the network gateway is increasing in value, in the same way that real estate at high-traffic intersections commands a premium. Every network connection calls for a router, and every Local Area Network (LAN) is most often connected to a network switch. The markets for routers and switches are bigger than the traditional firewall space, yet those products are viewed as commodities and the vendors (Juniper, Cisco, HP) focus on throughput at the expense of security.
Most UTM devices already incorporate switching and routing into their feature set. Fortinet (founded by Ken Xie), Palo Alto Networks (Nir Zuk), NETASQ, Watchguard, SonicWall, Cyberoam and a dozen other rapidly growing regional players have added switching and routing to accommodate customer demands for high availability and network segmentation.
As the constant barrage of attacks on business rises, from cyber criminals, malicious insiders, and even cyber spies, the demand for full content inspection security devices that also perform mundane tasks like switching and routing will rise with it. At some point in the near future those threats will become so prevalent that full content inspection at every network intersection will be required.
Excerpt from Cyber Defense: Countering Targeted Attacks (Government Institutes, 2012)
Richard Stiennon
Chief Research Analyst
IT-Harvest