Firewalls are old hat these days. The majority of firewall vendors are now leveraging their firewall technologies and hardware as a basis for security appliances that provide services far in excess of the tasks a humble firewall used to provide.
Jobs such as antivirus filtering, intrusion detection and/or prevention, network traffic filtering, content filtering, spyware detection and/or filtering amongst a host of others are now being incorporated or offered as optional extra "golden screwdriver" upgrades to the average box.
This convergence cuts both ways. On the positive side, if the appliance is easy to manage and fits the application and environment well, then go for it. On the negative side, with all the eggs in one basket, a poorly scoped deployment or a product that does not quite fit the environment can be a trigger for disaster. If the device lacks the redundancy that deployment needs, a single failure in one subsystem can take the whole device offline.
Likewise, a security administrator who misconfigures one of the services may also cause detrimental effects on the other services running on that box. Even minor glitches, which may require the redundant system to kick in and take over, can be a nightmare -- particularly when all the various connection states need to be maintained in a mirrored environment. This is where load really needs to be considered. Careful evaluation and testing must be performed before committing to any single security appliance.
Firewall technology evolution
Fundamental firewall technology has not changed much in recent times. It separates into a few broad categories and most vendors incorporate some or all of them into their toolset.
Virtual firewalls and virtual policies/rule-sets are now making an appearance -- allowing several administrators to have access to their own areas and rules on the one appliance.
Stateful Packet Inspection
Stateful Packet Inspection (SPI) is a simple form of data scanning: traffic is examined packet by packet, and each packet is passed or dropped according to whether the firewall deems it to belong to a legitimate session.
Any suspicious or non-requested packets are flagged, logged, or simply denied. Packets are only allowed to pass through the firewall if they are associated with a valid session initiated from within the network.
If a Trojan has managed to breach the other security defences due to a negligent user, the SPI firewall will allow that data through, as it seemingly comes from a legitimate request on the LAN. Where SPI firewalls come into their own is in conjunction with other methods of data scanning within the firewall, or with another firewall on the LAN. SPI provides partial coverage while still maintaining performance across the network.
If a large enterprise were looking to protect its corporate network and every single packet of data, both inbound and outbound, needed to be captured, logged, scanned for strange characteristics and then traced, the hit on network bandwidth would be unacceptable and the firewall would become a bottleneck. While not an ideal solution, SPI can ease the pain while other techniques are implemented to handle its deficiencies. A benefit of SPI is that it can be utilised as an additional technology to protect a Demilitarised Zone (DMZ), or a network that is required to allow public access to some machines/servers. It can allow specific individual IP addresses or segments on the LAN to have open ports, so the administrator can essentially select from a list which ports to open or close for any given machine's IP address on the LAN.
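The decision logic described above, as an added illustration that is not code from the article or from any vendor's product: a toy SPI firewall that keeps a session table, lets inbound packets through only when they match a session initiated from the LAN or a port the administrator has opened for a DMZ host, and flags everything else. The network prefix, DMZ host and port list are constructed values, and the final case shows the caveat the text raises, that an outbound connection from a compromised LAN host looks legitimate to SPI alone.

```python
from collections import namedtuple

# Constructed values: the internal prefix and one DMZ host whose
# administrator-selected open ports may receive unsolicited traffic.
LAN_PREFIX = "10.0.0."
DMZ_OPEN_PORTS = {"10.0.0.80": {80, 443}}
Packet = namedtuple("Packet", "src sport dst dport")

class SpiFirewall:
    def __init__(self, lan_prefix, dmz_open_ports):
        self.lan_prefix = lan_prefix
        self.dmz_open_ports = dmz_open_ports
        self.sessions = set()  # (lan_ip, lan_port, remote_ip, remote_port)
        self.denied = []       # flagged packets kept for the log

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def filter(self, pkt):
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            # Outbound: record the session. SPI cannot tell a user's request
            # from a connection opened by malware on the LAN; both pass.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"  # inbound reply to a LAN-initiated session
        if pkt.dport in self.dmz_open_ports.get(pkt.dst, set()):
            # Unsolicited, but to a port opened for this DMZ host;
            # track it so the host's replies are matched as well.
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        self.denied.append(pkt)  # anything else is flagged and dropped
        return "deny"

def demo():
    fw = SpiFirewall(LAN_PREFIX, DMZ_OPEN_PORTS)
    verdicts = [
        fw.filter(Packet("10.0.0.5", 40000, "203.0.113.9", 443)),    # LAN user opens HTTPS
        fw.filter(Packet("203.0.113.9", 443, "10.0.0.5", 40000)),    # reply matches session
        fw.filter(Packet("203.0.113.9", 443, "10.0.0.5", 40001)),    # no session: denied
        fw.filter(Packet("198.51.100.7", 5555, "10.0.0.80", 80)),    # DMZ web port: allowed
        fw.filter(Packet("198.51.100.7", 5556, "10.0.0.80", 22)),    # DMZ host, closed port: denied
        fw.filter(Packet("10.0.0.5", 40002, "203.0.113.66", 6667)),  # compromised host dialling out: allowed
    ]
    return verdicts, len(fw.denied)

if __name__ == "__main__":
    print(demo())
```

The two denied packets are what an administrator would see in the log; the last allowed packet is why the text pairs SPI with other scanning methods rather than relying on it alone.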
The majority of these devices are more than just firewalls but we have kept our focus on firewall considerations for the time being -- see the feature tables for some of the additional extras.
How can you test all firewalls and leave the market leader out? All these are toys! :) Checkpoint rules