From time to time Stickley publishes articles on a broad range of security related issues. Included here are some of those articles.

Time for a new firewall

Today I evaluated a network that had been designed about six years ago. Since its creation, many new devices ranging from wireless access to remote connections through a VPN have been installed. Unfortunately, during this time frame the security architecture has remained the same. With tight budgets and mass layoffs, this scenario seems to be the norm. Put in what is mandatory for business growth; nothing more. We have all read the reports that corporations are finally increasing security budgets while reducing in other areas, but when it comes down to it, these funds have not been rushed to the frontlines. Administrators are just starting to see some light at the end of the tunnel and have been told they can put in budget requests for mandatory network security needs.

The problem is where to start. With so many new security technologies now available, it’s hard to decide just what should be top priority. This is where I would like to throw in my two cents. People have started to forget the basics. They have become so wrapped up in the latest security fads that they have forgotten their firewall: the gatekeeper of the network. It used to be that a firewall had one purpose: to filter unwanted traffic. They were not always pretty, often hard to manage, and in many cases needed to be rebooted every few days. Now you have firewalls that filter traffic, block spam, scan for viruses, detect intrusions and stop employees from visiting their favorite porn sites. Furthermore, manufacturers continue trying to add a multitude of other security related ideas they think will help them get an edge in a very crowded market space.

Why focus on firewalls? Well let’s face it. It’s still your first line of defense and with many of the companies out there, it is their only line of defense. Oh sure, most companies have added anti-virus but when you’re doing the numbers, the first and most important big ticket item that is shoved into any new network is the firewall.

Now, not so long ago I would speak at seminars on the need for firewalls, explaining to a dazed and confused audience what they were, how they worked, and the differences between proxy-based (application level) and stateful inspection. Of course back then that kind of thing actually made a difference and really mattered when you were choosing a firewall. There were two camps: 1) those who knew proxy-based firewalls, and knew that it meant data was actually being reviewed at the application level, and that therefore these were much more secure; and 2) those who knew that stateful inspection could not only watch certain traffic at the application level, but that everything would flow at a much faster speed.
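To make the two camps concrete, here is an added toy model (my illustration, not code from the article or from any firewall vendor): a stateful filter that tracks connections and admits only replies to flows the inside opened, and an application-level filter that layers HTTP request parsing on top of that. The addresses, the `Packet` class and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str               # "ip:port" of the sender (constructed values)
    dst: str               # "ip:port" of the receiver
    syn: bool              # True for the packet that opens a TCP connection
    payload: bytes = b""   # application data, empty for a bare SYN


class StatefulFilter:
    """Stateful inspection: remember which flows the trusted side opened
    and allow only their packets and their replies. Payload is never read."""
    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table = set()   # (inside "ip:port", outside "ip:port") flows

    def check(self, p: Packet) -> str:
        if p.src.startswith(self.inside_prefix):       # outbound leg
            if p.syn:
                self.table.add((p.src, p.dst))
            return "ALLOW" if (p.src, p.dst) in self.table else "DROP"
        # inbound leg: only if it answers a tracked flow
        return "ALLOW" if (p.dst, p.src) in self.table else "DROP"


class HttpProxyFilter(StatefulFilter):
    """Application level: same state check, then outbound data must be a
    well-formed HTTP request line using an allowed method."""
    ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

    def check(self, p: Packet) -> str:
        verdict = super().check(p)
        if verdict != "ALLOW" or not p.payload or not p.src.startswith(self.inside_prefix):
            return verdict
        parts = p.payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) != 3 or parts[0] not in self.ALLOWED_METHODS or not parts[2].startswith(b"HTTP/1."):
            return "DROP"     # not HTTP, or a method policy forbids
        return "ALLOW"


def run(filter_, packets):
    return [filter_.check(p) for p in packets]


TRAFFIC = [   # constructed sample: a web request, an unsolicited probe, a non-HTTP flow
    Packet("10.0.0.5:40001", "203.0.113.7:80", True),
    Packet("10.0.0.5:40001", "203.0.113.7:80", False, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("203.0.113.7:80", "10.0.0.5:40001", False, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("198.51.100.9:5555", "10.0.0.5:22", True),
    Packet("10.0.0.5:40002", "203.0.113.7:80", True),
    Packet("10.0.0.5:40002", "203.0.113.7:80", False, b"\x00\x01BIN"),
]
```

Running both filters over `TRAFFIC` shows the trade-off the article describes: the stateful filter passes the last, non-HTTP flow because it never looks at the payload, while the proxy-style filter drops it.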

Well, Checkpoint (The Godfather of stateful inspection) is now controlling over 50% of the entire firewall market, while Gauntlet, a former major proxy-based force in the firewall industry, has been sold out to two separate companies. It was ultimately absorbed into another existing firewall.

Does that mean stateful inspection was found to be better? Well that’s still a matter of opinion. Let’s not forget, BETA recorders were technologically superior to VHS, yet what do you have in your house today?

So now, administrators with firewalls that are several years old are faced with some interesting questions. Should they stick with the firewall they have, upgrade to newer software (if available), or is it time to go out searching for the latest and greatest? The easiest way to make this kind of decision is to look at what you have now and how it will suit you 1 to 2 years down the road. If, for example, you are one of the few who are still using Gauntlet, this should be a simple question to answer. It is time. On the other hand, if you have one of the zillion other firewalls out there, it is handling all of your current network traffic, it still has room to grow with the expected growth of your organization, and the manufacturer has given you assurance that its end of life is at least 1 to 2 years away, then you might be just fine where you are. If it’s not broke, don’t fix it. For the rest of you, however, it might be time to seriously consider kicking the tires on a few of the new firewalls on the market.

How Not To Choose
As I mentioned earlier, some firewall manufacturers have taken the approach of adding as many services as possible into their device. This approach has the potential to be a great value to the end user, but on the other hand it has had disastrous results.

Again, take the now defunct Gauntlet firewall for example. Cyber Patrol, a web surfing content filter, was added to the firewall to allow administrators to limit access to certain sites based on categories. The idea made sense. To browse the Internet, you’re going through an application level firewall anyway, so why not add one more option and allow filtering of the traffic right there. On paper, it looked great. Unfortunately for Network Associates, they didn’t properly secure the new service listening on the firewall, and a major security flaw was discovered. Ultimately this flaw allowed any hacker on the Internet to gain access to the firewall with complete administrative control.

And therein lies the problem. When you add more services, you add more risk. Another example was against Checkpoint FW1. A vulnerability was discovered at the beginning of February 2004. It affects a recently added software component, which again can give a remote user the ability to execute commands on the firewall.

These incidents are not exclusive to these firewalls. Almost every major firewall on the market today has had some vulnerability released against it. In fact, because so many firewalls have had vulnerabilities, there is one specific company that is marketing its reputation on the fact that it has never had a single vulnerability. To most this would sound like it might be the perfect solution. What better than a firewall that has never had a single security flaw? Obviously, if it has never had a vulnerability, then it must be the best firewall on the market. Unfortunately this manufacturer has crafted their wording very carefully. In their ads they make the claim that they have never had any published vulnerabilities. At last year’s Networld Interop Convention I had a chance to speak with a sales rep about this and asked him why the claim was crafted with the word “published” in it. Either you have had a vulnerability or you haven’t. His response was, “Well, don’t you think if someone had found a vulnerability, they would have published it?” I smiled and walked away.

By now it should be clear that I am not mentioning the company by name, and this is for a reason. You see, I personally discovered two remote buffer overflow vulnerabilities against this particular firewall manufacturer a while ago. I contacted them, notified them about the issues, and worked with their engineers to explain the process used to find the exploits.

So why has no one ever read about them? How come there is no “published” vulnerability information? Well, it turns out that not only does that company have an engineering division that is doing everything they can to keep vulnerabilities at bay, they also have a legal department that is there as a backup just in case. As with all public vulnerability disclosures, after notifying the manufacturer about the issues, I asked them if they would be releasing a public statement. As an alternative, I offered to allow them to make a comment on a statement published by the company I worked for at the time. They responded with the threat of legal action if any information was made public.

It turns out that since the company I worked for was a reseller of their product, we were under a confidentiality clause. Apparently it was a gray area, but rather than risk legal action, we were forced to remain silent. In this manufacturer’s defense, I do acknowledge that they had just released a recent upgrade that resolved the issue. Therefore, if you were one of the lucky customers who upgraded immediately after the release was available, you were not at risk from these new vulnerabilities. Of course, without knowledge that their current version was at serious risk, what incentive did customers have to rush to upgrade a firewall that was functioning without issue?

I truly did assume they would quit claiming they had never had a vulnerability as part of their marketing. However, as of today, they still push that claim as though they actually believe it. The question I have to ask now is: if people knew the tactics they used to keep vulnerabilities from being published, would they still be impressed with the number? For now I guess as long as they have a good legal team, they won’t need to worry about their engineering.

Making Your Decision
So if firewalls with too many bells and whistles can be risky and firewalls claiming “no vulnerabilities” actually mean “no vulnerabilities that you know of,” then how do you choose a firewall that’s right for your organization?

When choosing, figure out what your network needs and the price you are willing to pay. Appliance firewalls like SonicWALL, Netscreen, and Watchguard can be relatively inexpensive but might not fit into a very large networked environment. Software-based firewalls such as Checkpoint or Sidewinder can handle very large networks, but at a price to fit. There are also firewalls like Pix from Cisco, which can range in price from very inexpensive to outrageous, depending on just what your organization needs. Others like Astaro, a software-based firewall that can handle small to large networks, come at a lower price, but are often overlooked because they don’t have the name recognition.

Obviously I can’t name off every firewall on the market, and the ones I did mention are quite possibly not the best solution for your organization. The point is that you need to do your own research. Don’t just read the marketing slicks. Actually dig in a little. Make a checklist of what your network needs. If you’re on a very tight budget and want to get as much out of your firewall as possible, then going with an all-in-one solution might be your best bet. On the other hand, if you are absolutely paranoid and want to have as little chance of security failure as possible, you might want to budget for a firewall with mandatory access control.

What it all comes down to is this: all of the major firewalls on the market are good. They all do what they are supposed to do. Some do it faster and some handle more traffic. Some are designed specifically for very small networks while others are made for the mega intranets. Don’t just take the word of the sales rep. Read the reviews and talk to peers in your industry. A great firewall doesn’t have to be expensive. There are free firewalls available that, when properly configured, I would put against any firewall on the market. The point is, marketing is for automobiles and movies. Not for firewalls.