Building a Modern Firewall Appliance
By John Amaral
If you're connected to the Internet, you need a firewall. Back in the days of innocence, you could connect your computer, or an entire network, to the Internet without a firewall or even a NAT device. If you try to do something like that now, the unwashed hordes of hackers, crackers, script kiddies, click kiddies, worms and viruses will eat your lunch.
Firewalls have evolved over the years. First generation firewalls that protected the Internet in the early and mid 1990s were stateful packet filtering devices installed on general-purpose operating systems, such as Windows NT or Unix. These firewalls were popular because firewall administrators already had a good understanding of the underlying operating system, so the learning curve was confined to the firewall software installed on the familiar operating system.
The problem with these first generation firewalls was that while firewall administrators were able to leverage their current knowledge of the operating system to optimize performance and reliability, they were at the mercy of attackers who discovered holes in the underlying operating system. Because operating system vendors were not focused on security at that point in Internet history, the industry moved away from these first generation "software" firewalls.
Second Generation Firewalls
Second generation firewalls moved away from general purpose operating systems. Firewall vendors created stripped down, limited functionality operating systems that were optimized for a single purpose: run the firewall software.
In addition to stripping the firewall software's underlying operating system to the bone, the second generation firewall vendors optimized their code to such an extent that the entire firewall operating system and firewall code fit onto an integrated circuit (IC). This was the birth of the "hardware" firewall. The hardware firewall began its run to dominate the firewall scene in the latter 1990s and continues as the most commonly used firewall implementation today.
A key factor in the success of the "hardware" firewall was that it could be delivered in an "appliance" package and form factor. These firewall appliances shared several things in common and for several years were the sine qua non for any serious network firewall. Common features seen in these hardware firewalls included:
* No moving parts
* No "bootable" operating system
* ASIC-based (application specific integrated circuit)
* Stateful filtering
The concept of the hardware firewall appliance is based on the firewall operating system and firewall software being coded into an integrated circuit (or ASIC). The ASIC approach enabled the hardware firewall appliance to avoid moving parts such as hard disks and removable media drives like floppy and CD/DVD-ROM drives. The absence of a bootable operating system allowed the second generation firewall to boot quickly and load the entire code in one fell swoop.
All these features of the second generation firewall worked together to make it easy to set up the hardware and get the appliance up and running. While the firewall software in these hardware firewall appliances was often very difficult to configure correctly, the appliances became increasingly popular because the basic hardware setup was simple and straightforward, and there was a perception of security because there were few reports of security issues regarding the underlying operating system.
These hardware firewalls suffered from one major limitation: They were limited to simple stateful filtering. A stateful filtering firewall (sometimes misstated as a "stateful inspection" firewall) uses the information in the network and transport layer headers to make "allow" or "deny" decisions.
The stateful component enabled the hardware firewall appliance to track connection state, which allowed the second generation firewall to dynamically open and close ports based on the status of a connection, and track other components in the communication stream, such as sequence numbers and TCP flags. The state management prevents potential exploits such as session hijacking.
The problem with the second generation hardware firewall appliance is that it can only stop attacks at the network layer (the IP "packet" level). The attacks that bring down networks and destroy data and productivity are aimed at the application layer.
Application layer attacks are focused on the software applications and services that run the business. Network connected groupware servers, databases servers, Web servers, FTP servers, news servers, mail servers, Instant Messaging servers, and many more are all susceptible to application layer attacks. It's not only the servers that are susceptible; network connected client applications such as e-mail clients, Web browsers, file system managers, and office applications can all be attacked at the application layer.
Modern attackers don't want or need to attack the firewall appliance itself. There's no money in it. The Internet criminals' brass ring is the network's services and applications running behind the hardware firewall appliance. Since the firewall appliance is unaware of application layer activity, it merrily passes the attack from the Internet to the corporate network.
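The two points made above, that a stateful filter tracks connection state, sequence numbers and TCP flags from the headers, and that it therefore forwards application-layer content unexamined, can be seen in a toy filter. The following is an added example written for this page, not code from the article or from Network Engines; the 10.0.0.0/24 "inside" prefix, the addresses, ports and sequence numbers in the trace are all constructed. The in-window sequence check it applies only stops blind injection into a tracked flow; an attacker who can observe the connection and read its sequence numbers is not stopped by it.

```python
"""Toy stateful packet filter: every decision comes from IP/TCP headers only.
Added example, not the article's code. Addresses and the inside prefix are constructed."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."   # constructed: hosts with this prefix are the protected network
WINDOW = 65535              # how far ahead of the expected sequence number a segment may be


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # combination of "S", "A", "F", "R"; "SA" is a SYN-ACK
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


@dataclass
class Conn:
    state: str                                    # SYN_SENT, SYN_RECEIVED or ESTABLISHED
    initiator: tuple                              # (ip, port) of the inside host that opened it
    expected: dict = field(default_factory=dict)  # sender (ip, port) -> next seq expected from it
    fins: set = field(default_factory=set)        # senders that have sent FIN


class StatefulFilter:
    def __init__(self):
        self.table = {}   # flow key -> Conn

    @staticmethod
    def _key(p):
        # Both directions of a flow map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    @staticmethod
    def _in_window(conn, sender, seq):
        exp = conn.expected.get(sender)
        return exp is not None and (seq - exp) % (1 << 32) < WINDOW

    def decide(self, p):
        key = self._key(p)
        sender, peer = (p.src, p.sport), (p.dst, p.dport)
        conn = self.table.get(key)

        if conn is None:
            # Only an inside host may open a connection; an unsolicited
            # outside SYN never creates state and is dropped.
            if p.flags == "S" and p.src.startswith(INSIDE_PREFIX):
                self.table[key] = Conn("SYN_SENT", sender, {sender: p.seq + 1})
                return "ALLOW"
            return "DENY"

        # The reply direction is opened dynamically by a SYN-ACK that
        # acknowledges the inside SYN; its seq is the peer's initial number.
        if p.flags == "SA" and conn.state == "SYN_SENT":
            if p.ack != conn.expected.get(peer):
                return "DENY"
            conn.expected[sender] = p.seq + 1
            conn.state = "SYN_RECEIVED"
            return "ALLOW"

        # Every other tracked segment must carry a sequence number the filter
        # expects for its direction; a blindly forged segment will not.
        if not self._in_window(conn, sender, p.seq):
            return "DENY"

        if "R" in p.flags:
            del self.table[key]            # a reset tears the entry down
            return "ALLOW"

        # Only the initiator's ACK completes the handshake.
        if (conn.state == "SYN_RECEIVED" and sender == conn.initiator
                and "A" in p.flags and p.ack == conn.expected.get(peer)):
            conn.state = "ESTABLISHED"
        if conn.state != "ESTABLISHED":
            return "DENY"

        # Data is forwarded on header state alone: the payload is never read.
        conn.expected[sender] += len(p.payload) + (1 if "F" in p.flags else 0)
        if "F" in p.flags:
            conn.fins.add(sender)
            if len(conn.fins) == 2:        # both sides have closed
                del self.table[key]
        return "ALLOW"


def demo():
    """Constructed trace: an outbound HTTP connection, then two segments the filter rejects."""
    fw = StatefulFilter()
    inside, outside = "10.0.0.7", "203.0.113.10"
    trace = [
        Packet(inside, 40000, outside, 80, "S", seq=1000),
        Packet(outside, 80, inside, 40000, "SA", seq=5000, ack=1001),
        Packet(inside, 40000, outside, 80, "A", seq=1001, ack=5001),
        # Once established, any payload passes: the filter cannot tell a
        # benign request from a hostile one because it never looks at it.
        Packet(inside, 40000, outside, 80, "A", seq=1001, ack=5001,
               payload=b"GET / HTTP/1.0\r\n\r\n"),
        # A segment forged into the tracked flow with a wrong sequence number.
        Packet(outside, 80, inside, 40000, "A", seq=999999, ack=1019, payload=b"x"),
        # An unsolicited connection attempt from outside to an inside service.
        Packet(outside, 4444, inside, 22, "S", seq=1),
    ]
    return [fw.decide(p) for p in trace]   # ["ALLOW", "ALLOW", "ALLOW", "ALLOW", "DENY", "DENY"]
```

The fourth packet is the whole point of the article's argument: the filter's verdict on it would be identical whatever bytes the payload carried.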
Third Generation Firewalls
Firewall evolution continues because of the ever-changing nature of network attacks. The current state of the art is the third generation firewalls, appliances uniquely suited to protect corporate networks from the current raft of application layer attacks. Third generation firewalls demonstrate how the pendulum swings back to the roots of firewall technology, as these modern firewalls are based on hardened versions of general purpose operating systems and sport the same moving parts as first generation firewalls.
Building a third generation stateful filtering and stateful application layer inspection firewall appliance poses a special challenge because it needs to meet the following specifications:
* Act as multifunctional devices and perform multiple tasks such as firewall, VPN, and Web caching
* The underlying operating system must be locked down tight
* Installation, configuration and management must be done in a headless or "lights-out" environment
* Updating the underlying operating system and firewall software must be easy and foolproof
* The firewall must be easily extendible so that it can meet current and future threats without requiring new hardware
* Built-in "one touch" disaster recovery
* Flexible scale up and scale out options
* Easy integration with current network infrastructure devices and services
While second generation firewall appliances had limited functionality because all code needed to fit on an IC, third generation firewalls can leverage massive amounts of memory, operating system and disk resources to support a multifunctional configuration and still provide high performance. Modern processors in the 3+GHz range easily handle computational duties, and can be arranged in multiprocessor configurations to support even the most processor-intensive tasks. Encryption offload cards further enhance the processing power of the third generation firewall appliance.
Second generation firewall appliances used proprietary, system-specific operating systems designed only to run the firewall software in the IC. Current third generation firewall appliances run general purpose operating systems that are specially hardened so that even if the third generation firewall appliance were compromised, the attacker would not be able to leverage the underlying operating system to attack any protected network. In contrast to the first generation era, the vendors of general purpose operating systems are now much savvier regarding security issues and have a deep understanding of what it takes to secure the base OS without breaking the functionality that allows for third generation firewall extendibility.
One of the main attractions the second generation hardware firewall appliances had over first generation firewalls was headless or "lights-out" installation and management. No keyboard, video or mouse was required. You just plugged in the network interfaces and the power cord and then set up and configured the machine from a management station on the network. Third generation firewalls sport similar "lights-out" installation and configuration features using secure SSL or 128-bit encrypted RDP connections.
A major advantage the second generation hardware firewall appliances had over first generation firewalls was that you could "flash" the appliance with updates to the firewall and operating system components. Not that many users actually did this, but it was a simple affair to copy the code from a management station and have it run automatically. In contrast, the first generation firewalls required multiple code fixes to both the general purpose operating system and to the firewall software running on it.
Third generation firewall appliance vendors, by comparison, carefully screen fixes for the underlying operating system and firewall software. Appliance vendors determine whether a fix applies to the firewall appliance and, if so, test the code before distributing it to their customers. Appliance vendors also validate each firewall software fix against the firewall software's implementation on the appliance. Not all fixes apply to each appliance, so extraneous fixes aren't applied. The appliance vendor then optimizes the fixes and provides a simple "one click fix" patch management system.
Meeting Current and Future Challenges
Extensibility is the ability to enhance the firewall's feature set so that it can meet current and future network security challenges. In 1999, who would have imagined the flood of e-mail borne worms and viruses? Who thought of the new "blended" attacks that install exploits on a user's computer and then use the installed code to attack other computers, not only on the same network as the compromised system, but on other networks by connecting to them over the Internet?
Second generation firewalls can't keep up with the evolving nature of network attacks. New ICs must be created and many of the attacks don't lend themselves to simple code fixes that can be applied to an IC. In addition, second generation hardware firewalls are optimized for performance on low-powered processor platforms. Even if the hardware firewall vendors could fit updated code into their ICs, the puny processing capabilities of these devices would bring network connectivity to a standstill.
Processing power isn't an issue for the third generation firewall appliances because they are designed around open platforms and can be upgraded easily with large amounts of memory, additional processors and disk space. The additional hardware support allows you to install advanced stateful application layer inspection extensions that perform deep scrubbing of all Internet protocols. Viruses, worms, hacker attacks and malicious mobile code won't be able to hide inside email, instant messengers, RSS feeds, Web sites, FTP sites or dangerous peer to peer applications.
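What "application layer inspection" adds over header-based filtering is that the firewall parses the protocol itself and refuses traffic that does not conform to it or to policy. The following is an added example for this page, not code from the article or from Network Engines: a small HTTP/1.x request inspector that enforces a constructed policy (permitted methods, header size and count limits, a required Host header, unambiguous message framing). The limits and the allowed-method set are assumptions chosen for the demo, not values from the article.

```python
"""HTTP/1.x request-head inspector. Added example, not the article's code.
The policy constants below are constructed for the demo."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed policy
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 4096
MAX_HEADERS = 50
MAX_BODY = 1 << 20                           # 1 MiB, constructed limit
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token characters


def inspect_http_request(raw: bytes):
    """Return ("ALLOW", "") or ("DENY", reason) for one request head in `raw`."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "DENY", "incomplete header block"
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return "DENY", "non-ASCII bytes in header block"

    lines = text.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        return "DENY", "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "DENY", "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return "DENY", f"method {method!r} not permitted"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "DENY", "unsupported protocol version"
    if not (target.startswith("/") or target.startswith("http://")):
        return "DENY", "unexpected request target"

    if len(header_lines) > MAX_HEADERS:
        return "DENY", "too many header fields"
    headers = {}
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            return "DENY", "header field too long"
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return "DENY", f"malformed header field {line[:40]!r}"
        value = value.strip()
        if any(ord(c) < 0x20 and c != "\t" for c in value):
            return "DENY", "control character in header value"
        headers.setdefault(name.lower(), []).append(value)

    if version == "HTTP/1.1" and "host" not in headers:
        return "DENY", "HTTP/1.1 request without Host"
    cl = headers.get("content-length", [])
    if len(cl) > 1 or (cl and "transfer-encoding" in headers):
        return "DENY", "ambiguous message framing"   # both Content-Length and Transfer-Encoding
    if cl and (not cl[0].isdigit() or int(cl[0]) > MAX_BODY):
        return "DENY", "invalid or excessive Content-Length"
    return "ALLOW", ""


def demo():
    """Constructed requests: one well-formed, four that violate protocol or policy."""
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
        b"GET /index.html HTTP/1.1\r\nUser-Agent: test\r\n\r\n",               # no Host
        b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",                   # method not in policy
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Pad: " + b"A" * 5000 + b"\r\n\r\n",
        b"POST /up HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 10\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n",                                   # ambiguous framing
    ]
    return [inspect_http_request(s)[0] for s in samples]   # ["ALLOW", "DENY", "DENY", "DENY", "DENY"]
```

Every one of the four rejected requests would have been forwarded by the header-only filter in the earlier section, because at the packet level they are ordinary segments of an established connection.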
As comprehensive as the third generation firewall appliance may seem today, the fact is that hackers are like the bacteria and viruses of the Internet and continue to mutate and evolve so that they can survive the third generation firewall's antibiotics. Like pharmaceutical companies, the third generation firewall appliance vendors work with software vendors to come up with cures for the ills created by hackers and malicious code. The modern firewall appliance meets this challenge by supporting quick and complex software installation and upgrades. Second generation firewall owners are left in the lurch because the delta between discovery of a hack or security weakness in the wild, and an updated IC or code update, can take weeks or months. The third generation firewall appliance can be updated the same day a defense is developed.
If there is one truism in the computer industry it is "all hardware must die." A corollary to this is that "all software must be corrupt." The hardware can be ROM, flash memory, RAM, hard disk, network interface, or any other of the innumerable components included in today's computing machines. All generations of firewalls suffer from this plague and there must be a way to quickly recover from hardware or software disasters.
The challenge for the third generation firewall vendors is that they must have an elegant and efficient method to restore damaged operating system and firewall software components. Third generation firewall vendors accomplish this task in a number of ways, including mirroring drives, push-button "restore to factory settings" routines, and automated firewall configuration backup and restore. Third generation firewall appliance disaster recovery can now replicate the easy recovery once only available on the second generation hardware devices.
One of the most frustrating experiences security professionals have to deal with is outgrowing their current hardware firewall architecture. An organization that began as a small 40 employee outfit grows to 200 employees in six months and 2000 employees in a year. Security officers plan for growth, but predicting the future is always guesswork. They must replace their current firewall infrastructure with machines sporting more robust hardware.
Smart organizations today plan for growth by avoiding the hardware firewall appliance vendors' "lock-in." Owners of third generation firewalls can easily add processors, increase the amount of memory, add disk space and upgrade network interfaces to meet not only evolving threats, but increased network performance requirements as companies grow. Depending on the third generation firewall appliance vendor, you either have the option to purchase the components off-the-shelf or order them directly from the appliance vendor. Both these options allow you to "scale up" at a fraction of the cost incurred by replacing an aging second generation hardware firewall appliance.
As attractive as third generation firewall appliances appear, the fact is that many companies have significant "sunk costs" built into their current firewall infrastructure. These companies want to at least be able to get back some of their investment through depreciation. The hardware costs are just part of the story. There are also the labor costs involved in setting up and configuring the current firewall infrastructure. Organizations that have already invested tens or hundreds of thousands, or even millions of dollars in second generation firewall appliances will be loath to "rip and replace."
Fortunately, the same flexibility you have in the third generation's hardware and software configuration extends to network placement. You can easily place the third generation firewall appliance on the Internet edge, on the corporate backbone network, on the back-end directly in front of the asset networks, right in front of key infrastructure service segments, or even as a single interface Web caching server that accelerates users' Web browsing experience and logs user names and Web sites visited.
So, now you know about the significant security and competitive advantages that a third generation firewall appliance provides. Now the challenge is, "Which one should I get? Which one has the most advanced, state-of-the-art, stateful filtering and stateful application layer inspection engines available on the market today?"
The answer may come in different ways, but organizations should look towards companies that have a profound understanding of software to counter the effects of the malicious software launched against all computer users. Also, the firewall software has to be complemented by a secure operating system. But, as secure as the base operating system might be, there's plenty that can be done to make it even "harder."
That is where the third generation firewall appliance vendor can make the operating system even more secure. Appliance vendors can sift through all components of the operating system, remove all non-required executables, and set access controls on all files in the operating system and in the Registry. They can also employ change detection methods that detect whether system files have been changed, added or removed. Deviations from the secured firewall system state can trigger an alert and shut down the firewall services and notify the appropriate security officers via cell phone, pager, email or SNMP trap that a compromise may be in progress.
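The change detection described above, a baseline of the hardened system's files against which later scans are compared, is simple to build. The following is an added example for this page, not code from the article or from Network Engines: it records a SHA-256 digest, size and permission bits for every regular file under a root, then reports files that were added, removed or modified (content or mode) since the baseline. The directory tree and the "tampering" in the demo are constructed in a temporary directory. The alerting, service shutdown and notification the article mentions are the caller's job; this returns the report they would act on.

```python
"""File-system change detection against a stored baseline.
Added example, not the article's code. The demo tree is constructed in a temp dir."""
import hashlib
import json
import os
import stat
from pathlib import Path


def _digest(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (relative path) to its digest, size and mode bits."""
    root = Path(root)
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue                         # symlinks and directories are not hashed
        st = p.lstat()
        base[str(p.relative_to(root))] = {
            "sha256": _digest(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid
        }
    return base


def compare(baseline, current):
    """Report additions, removals and any content or permission change."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed firewall image: baseline it, tamper with it, and diff."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "fwd").write_bytes(b"firewall daemon image (constructed)")
        (root / "etc" / "rules.conf").write_text("deny all\n")
        (root / "etc" / "motd").write_text("authorized use only\n")
        save_baseline(snapshot(root), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()     # baseline must not live on the monitored tree

        # Simulated deviations from the secured state:
        (root / "etc" / "rules.conf").write_text("allow all\n")      # config changed
        (root / "etc" / "motd").unlink()                              # file removed
        (root / "bin" / "unexpected").write_bytes(b"new binary")      # file added
        os.chmod(root / "bin" / "fwd", 0o4755)                        # setuid bit set
        return compare(baseline, snapshot(root))
    # {'added': ['bin/unexpected'], 'removed': ['etc/motd'], 'modified': ['bin/fwd', 'etc/rules.conf']}
```

Two practical points follow from the design: the comparison uses digests and mode bits rather than timestamps, which are trivial to reset, and the baseline file must be kept off the monitored system or signed, since anyone able to alter the system files could otherwise alter the baseline to match.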
John Amaral is the Chief Technology Officer for Network Engines, a developer, manufacturer and distributor of storage and security solutions. With over a decade of experience, Amaral is recognized as an innovator and expert in the area of IP/Ethernet networks and application layer processing.