With corporate data exchange on the rise, network security is one of today's top concerns. Firewalls can be a company's first line of defense.
Given how exposed anything on the Internet is, the best defense is a good offense when it comes to network security. "I have a little bit of a hacking kind of background," says Phil Reed, network administrator at Libbey Inc., a glass manufacturer and china and tableware distributor based in Toledo, Ohio. "So when we had our network up for a little while, I started poking around."
Reed helped to install the company's 1,100-user network back in 1996. But when he began testing it for vulnerabilities he either knew of or had heard about, "I tested just a few of those before I said, 'Whoops!'" he recalls, noting that Libbey's network was full of security holes. "I went firewall shopping immediately," he says. In early 1997, Libbey chose the FireWall-1 product from Check Point Software Technologies Inc., a leading firewall vendor in Redwood City, Calif.
Firewalls act as a buffer between a corporate network and the Internet at large. These devices (either software or a combination of software and hardware) define the privileges of who can go where inside a network. "It provides a network administrator with a tool to protect the corporate data resources and network resources," says Greg Smith, group manager of product marketing for Check Point. "It controls access to a network."
AT A GLANCE: Libbey
The company: Based in Toledo, Ohio, Libbey manufactures glassware and distributes china and tableware. The company employs 1,100 people.
The problem: Potential security exposure in its burgeoning Web presence.
The solution: Check Point's FireWall-1. The system currently accommodates 85,000 to 100,000 accesses per day. (Most of these hits are from internal users surfing the Web for business reasons.)
The IT infrastructure: FireWall-1 runs on a Windows NT-based 166MHz Pentium machine.
As such, firewalls are usually the first security option that corporations turn to. "Firewalls in and of themselves have become a piece of the enterprise security pie," says Scott Reamer, Internet analyst for New York-based investment bank SG Cowen Securities.
Firewall use on the rise
Over the past several years, the firewall market has grown rapidly, so rapidly in fact that it has even surprised analysts. In 1998, the worldwide firewall market was expected to reach $636 million, according to estimates from International Data Corp. (IDC), a Framingham, Mass.-based market research firm, up from only about $150 million two years ago.
Growth was fueled by several factors: Businesses have been upgrading their firewalls as Internet use has matured; companies have installed multiple firewalls to improve availability and throughput; and both intranets and extranets have required additional security.
Although the top players have stayed pretty steady in terms of market share--with Check Point in first place and San Jose-based Cisco Systems in second--the market is anything but stable.
Mergers, acquisitions, and IPOs have been the order of the day for a year or more: Raptor Systems was acquired by Axent Technologies; Global Internet Software Group and its Centri Security Manager firewall for Windows NT are now owned by Cisco Systems; and Trusted Information Systems's Gauntlet firewall is now part of Network Associates. Of the half-dozen major firewall vendors, only Check Point Software remains independent.
Such consolidation can't continue indefinitely. Still, many industry insiders believe that another wave of acquisitions may occur as vendors realize firewall (and, in general, security) technology can best be leveraged through consulting companies with expertise in the area.
Doing the job and doing it well
Reliance on firewalls as the most critical tool for securing a network is declining as encryption and authentication become easy to install and support.
But do firewalls actually do the job when it comes to network security? It depends on how you define the job.
Firewalls do a pretty good job of protecting networks from already recognized threats. "But it's a policy thing," explains Ray Suarez, Axent product marketing manager. "For FTP and Web access, it's extremely secure. But for more complicated, specific ports in the Net for proprietary applications, it can be more problematic."
Furthermore, a firewall can only control traffic that actually crosses it, so it protects against outside attacks, and more than 50% of network incursions come from within a company--or from one of its business partners with network access. "It's a perimeter defense. Firewalls keep people out," says Suarez. "It doesn't do much [to screen unauthorized] users already inside the network." Other security measures such as intrusion detection are needed for inside jobs, according to Suarez.
So what does it take to implement a firewall in the real world? Because most firewalls are not plug and play, each one has to be configured to the specific company, and it's no easy task.
"It took us 18 months to set up the firewall," says Sergio Cortez, director of resource management at Litton, a defense and commercial electronics company in Woodland Hills, Calif. "It wasn't the expense of the firewall; it was that our infrastructure was weak." The company had to implement proper frameworks in order to install firewall policies.
Because of this weakness, setting policy and standards and "making a clean installation is what took longest," he adds. "We had to invoke some standards at the division level," says Cortez. "There was some apprehension and pain, but divisions had to comply."
"There were a lot of growing pains," he reports. "We had some problems finding the right network administrator; I ended up adding about one and a half heads to the staff." This may sound excessive to run a firewall, but Litton has a virtual private network operating over 27 divisions.
On the other hand, Libbey's Reed, although handling a somewhat smaller network, reports that his company's firewall has been "fire and forget."
Proxies vs. stateful inspection: Is there a clear winner?
Among firewall vendors and their adherents, there's a great rift between two technology camps. "It's almost a religious thing," says Kurt Kruger, manager of security products marketing for Cisco Systems. Two technologies--techniques, really--dominate the marketplace: proxies and stateful inspection.
An application proxy terminates the client's connection at the firewall, inspects the request at the application layer, and opens a separate connection to the destination on the client's behalf. Since no packet is forwarded directly from one side of the wall to the other, proxies are viewed as more secure than stateful inspection. But because the firewall does this work for every connection, proxies are viewed as drains on a system that can quickly degrade network performance.
"If you run the two different technologies on the same hardware under a small number of users and clock straight bandwidth, it's a modest performance penalty," says Michael Zboray, vice president, research director for GartnerGroup of Stamford, Conn. The Raptor Firewall 6.0 is an example of a mostly proxy-based firewall.
A stateful inspection firewall forwards packets rather than terminating connections. It inspects packet headers (and, where a protocol requires it, application data) and keeps state tables so that it can track a connection across multiple packets and admit only the return traffic that belongs to a connection it has already approved. Stateful inspection is much faster than proxies and imposes less of a performance drag on the network. However, because packets pass through the wall end to end, stateful inspection is, theoretically, not as secure as proxies. Cisco Systems's PIX firewall is an example of a stateful inspection firewall.
The lines are blurring, however. "There are some protocols that work better if they are proxied," says Gartner's Zboray. "FTP [and] H323 videoconferencing need proxy technology--companies like Check Point [Software] end up building a little proxy technology to handle protocols that need a little more intelligence," he adds. Similarly, proxy companies are including some stateful inspection to ease pressure on networks. "Your best bet is a relatively flexible mix," Zboray says.
Network Associates has recently adopted a scheme it calls adaptive proxy architecture. The scheme aims to make the best of both worlds: comparing the first packet of a message via proxy but passing the balance of a long message through a filtering scheme.
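The state-table idea described above, and the "little proxy" a stateful firewall needs for a protocol like FTP that opens a second connection, are easier to see in code than in prose. What follows is an added example, not code from the article or from any vendor: a toy stateful inspector that tracks flows initiated from inside, contrasted with the older stateless "established" rule that trusts the ACK bit, plus a parser for the FTP PORT command that opens a one-shot pinhole for the server's data connection. The packet format, the internal address range (10.1.0.0/16) and the traffic trace are all assumptions constructed for the example; nothing touches a real network.

```python
"""Toy stateful inspection firewall with a small FTP 'proxy' helper.

Added example, not code from the article or any vendor. Packet format, the
internal address range and the traffic below are all assumptions constructed
for the example; nothing touches a real network.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK
    payload: bytes = b""


def stateless_filter(p: Packet) -> str:
    """The pre-stateful 'established' rule: let anything with ACK set in.
    An attacker can set ACK on a crafted packet, so this is not a real check."""
    if ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "ACCEPT"
    return "ACCEPT" if "A" in p.flags else "DROP"


class StatefulFirewall:
    def __init__(self):
        self.state = set()     # flows initiated from inside or through a pinhole
        self.pinholes = set()  # (server_ip, client_ip, client_port) expected inbound SYNs

    @staticmethod
    def _inside(ip: str) -> bool:
        return ipaddress.ip_address(ip) in INTERNAL_NET

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            # Known flow. The 'little proxy': watch the FTP control channel
            # so the server's separate data connection can be admitted later.
            if p.dport == 21 and self._inside(p.src):
                self._track_ftp_port(p)
            return "ACCEPT"
        if "S" in p.flags and "A" not in p.flags:          # new connection attempt
            if self._inside(p.src) and not self._inside(p.dst):
                self.state.add(fwd)                          # outbound: policy allows
                return "ACCEPT"
            key = (p.src, p.dst, p.dport)
            if key in self.pinholes:                         # expected FTP data SYN
                self.pinholes.discard(key)                   # one-shot
                self.state.add(fwd)
                return "ACCEPT"
        return "DROP"                                        # default deny

    def _track_ftp_port(self, p: Packet) -> None:
        """Parse 'PORT h1,h2,h3,h4,p1,p2' and open a pinhole for the server.
        Refuses addresses other than the client's own (the classic FTP bounce)
        and privileged ports."""
        for line in p.payload.decode("ascii", "replace").splitlines():
            if not line.upper().startswith("PORT "):
                continue
            try:
                nums = [int(x) for x in line[5:].split(",")]
            except ValueError:
                continue
            if len(nums) != 6 or not all(0 <= n <= 255 for n in nums):
                continue
            host = ".".join(str(n) for n in nums[:4])
            port = nums[4] * 256 + nums[5]
            if host == p.src and port >= 1024:
                self.pinholes.add((p.dst, host, port))


def run(trace):
    """Return each packet's verdict from both filters as (stateless, stateful)."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in trace]


# Constructed trace: an inside client at 10.1.2.3 talks to an outside FTP server
# at 203.0.113.5; an outside host at 203.0.113.9 tries its luck against the inside.
TRACE = [
    Packet("203.0.113.9", 3456, "10.1.2.3", 445, "S"),            # unsolicited SYN
    Packet("10.1.2.3", 40000, "203.0.113.5", 21, "S"),            # client opens FTP control
    Packet("203.0.113.5", 21, "10.1.2.3", 40000, "SA"),           # server's SYN/ACK
    Packet("203.0.113.9", 80, "10.1.2.3", 40500, "A"),            # forged 'established' packet
    Packet("10.1.2.3", 40000, "203.0.113.5", 21, "A",
           b"PORT 10,1,2,3,156,65\r\n"),                          # client: connect to me on 40001
    Packet("203.0.113.5", 20, "10.1.2.3", 40001, "S"),            # server's data SYN (announced)
    Packet("203.0.113.5", 20, "10.1.2.3", 40002, "S"),            # data SYN to a port never announced
    Packet("10.1.2.3", 40000, "203.0.113.5", 21, "A",
           b"PORT 192,0,2,9,0,80\r\n"),                           # bounce attempt: not our address
    Packet("203.0.113.5", 20, "192.0.2.9", 80, "S"),              # a naive parser would admit this
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2} "
              f"stateless={verdict[0]} stateful={verdict[1]}")
```

Two packets in the trace make the point. The forged packet with only ACK set (fourth in the trace) sails through the stateless rule and is dropped by the state table. The server's data-channel SYN to port 40001 (sixth) is dropped by the stateless rule and by a state table that knows nothing about FTP, and is admitted only because the PORT command on the control channel was parsed first; that parsing step, small as it is, is the proxy-like intelligence Zboray describes. The PORT parser also refuses to open a pinhole to any address other than the client's own, which is how the FTP bounce abuse is kept out.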
Regardless of whether or not your firewall runs out of the box, companies will almost inevitably encounter a few equipment problems as firewall use increases. At Litton, adding the firewall overloaded the whole network, resulting in performance degradation. "We had some small bandwidth lines. Since Raptor encrypts everything, performance became an issue, and some of our divisions were forced to upgrade," Cortez says.
At Libbey, Reed says the firewall is starting to outgrow his hardware. "We're running it on NT, sitting on a Pentium 166," he says. "It was fine when we started, but demands have gone up, and we haven't updated the machines. It's not exactly a bottleneck, but the machine is starting to breathe heavy."
Indeed, as companies begin relying more on exchanging data with customers and partners, the need for extranets grows. "Extranet firewalls should be part of the overall security policy," advises Check Point's Smith. "There are many applications where the public Internet is not involved...there are private IP networks where you might connect to business partners. The trouble is you're trusting the security of the other party's network."
Extranets, additional firewalls, or at least additional policy modifications, mean more work for the network administrator. But it's an increase in the volume of work, not in the kind of work that has to be done.
Once more into the breach
Horror stories drive customers to buy firewalls in the first place. "There's widespread awareness that security is a key," says Smith. "But there are always those who will wait until they are attacked. It should be a concern for every corporation--any corporation that is dependent on its network."
Since a firewall is the first security product most people think of, there's a consistent demand for a low-end, turnkey product such as that offered by Cisco Systems. But as users grow more sophisticated, they try to upgrade their gear, leading to demand for a second tier of full-function firewalls bundled with additional security products, according to a report published by IDC.
"In the future, the real debate will be whether security is part of networking or part of software," says Cowen's Reamer. "That will bear watching."
Gerald Lazar is a freelance writer in Tenafly, N.J., and a contributor to a book on network security issues (as yet unpublished). He can be reached at email@example.com.
Check Point Software Technologies
Three Lagoon Dr., Suite 400, Redwood City, CA 94065
800-429-4391 or 650-628-2000
Key features: Check Point is one of the oldest firewall vendors. Its products are now part of a suite of security offerings that includes access control, authentication, encryption, and network address translation. It's primarily a stateful inspection product, although it has incorporated some proxies for some communication. (See sidebar, "Proxies vs. stateful inspection: Is there a clear winner?")
Price: Determined by number of nodes. Prices range from $2,995 (for 25 nodes or fewer) to $18,995 (for unlimited nodes).
Platforms supported: Available on Hewlett-Packard, IBM, and Sun UNIX-based systems, Windows NT, Bay Networks routers, Nokia (Ipsilon), and Xylan switches, and 3Com (U.S. Robotics) remote access servers.
Strengths: Users find the firewall easy to configure, and the user interface gets praise from several quarters. Administrative overhead is relatively small, and the initial policy can be implemented quickly. Also, Check Point is responsive.
Weaknesses: The company had to add proxy capabilities to shore up technology. Some pieces of the product suite seem less robust--"hacked together," as one user put it. Software may eventually strain the capacity of low-end servers. Check Point's status as industry leader makes it a tempting takeover target.
What users say: Check Point's firewall serves as the front door of Libbey's security system. The Toledo, Ohio-based glassware manufacturer had little Web presence until recently, but network administrator Phil Reed spotted some weaknesses in the company's network and sought out a firewall product. "We've got about 300 users authorized for Web access," he says. "We need to isolate the internal network from the Internet except for a few well-defined points." Reed was attracted by Check Point's dynamic address translation feature, as well as by the firewall's ease of configuration. "The user interface for defining access rules is marvelous," he says. "The stuff that I need to get at is all there, and it's easy to drive." Reed likes the fact that, although Check Point's products are offered as part of a suite, he's still able to pick and choose the products he incorporates into his security scheme. "I am still able to buy best of breed," he says.
Raptor Firewall 6.0
2400 Research Blvd., Rockville, MD 20850
888-44-AXENT or 301-258-5043
Key features: Raptor Firewall has integrated application-level proxies, network circuits, and packet filtering into a single architecture, which also contains hooks for third-party filtering and antivirus products.
Raptor "hardens" existing operating systems to eliminate known weak points, rather than providing a new version of an OS. The software also monitors the OS for changes that may compromise security.
Price: $2,495 to $15,000, depending on the number of seats.
Platforms supported: Windows NT, and Solaris.
Strengths: Users like the one-stop shopping that Axent provides for security products. User interfaces are quite easy to use. Application proxies are generally more secure than stateful inspection, and Raptor has a wide range of proxies to pick from.
Weaknesses: The company had a rough time integrating Raptor products into its line. Users indicate that they could use a little more hand-holding at times. Like all application proxies, Raptor costs throughput, since every connection is terminated and re-established at the firewall.
What users say: Commercial electronics manufacturer and defense contractor Litton was drawn to Raptor by its virtual private network capabilities. "We were disengaging from one of our divisions, and that division had secure private lines. We had to replicate that cost effectively," explains Sergio Cortez, Litton's director of resource management. The company selected Raptor for its 27 divisions in the U.S. and Europe for several reasons, not the least of which was some divisions had successfully used Raptor before. "We liked the fact that it was proxy," says Cortez. "Administration was pretty good, and it was scalable across our environment." After a two-month pilot project, Litton deployed Raptor across the company over 18 months in 1996 and 1997. Imposing standards and policies--and enforcing them--proved to be the most difficult part. "With a virtual private network, if you don't have a clean setup, you're in trouble," Cortez says. "To stay on top of it, we had to invoke some standards, whether people liked it or not." He says, however, that the divisions have adjusted: "Two years ago, it was a nuisance; now it's a necessity."
Cisco Systems PIX Firewall
170 West Tasman, San Jose, CA 95134
Key features: PIX is a stateful inspection firewall, available on two hardware platforms. The system has its own proprietary OS, running in conjunction with Windows NT and can create virtual private networks.
Price: Base list price is $9,000 for 64 sessions. PIX supports as many as 16,000 sessions.
Platforms supported: Runs a proprietary OS with Windows NT on hardware supplied by Cisco Systems.
Strengths: Users report excellent speed. There is virtually no system degradation no matter how many users are added. As part of an end-to-end program from Cisco Systems, users can get one-stop shopping not only for security, but also for virtually all their networking needs. Many give tech support and responsiveness high ratings: When problems do arise, Cisco Systems helps promptly.
Weaknesses: Because PIX is only a small part of a much larger organization, some analysts and users say the company doesn't pay enough attention to the product, or to its customers. Management and reporting functions are said to be weak compared with other vendors' products.
What users say: When IT company NCR Corp. decided to boost its Web access to 45Mbps about a year ago, it was time to revisit the firewall supplier. The company was reasonably happy with Check Point's product but decided to make the move to the PIX firewall from Cisco Systems. "We were looking for performance and scalability," says David Pike, director of global network solutions for NCR in Dayton, Ohio. "With Cisco Systems, we had no concerns about speed or about scalability."
Because NCR has all of its corporate information at a central location, the company has opted for only one firewall. That's kept its administration and maintenance costs to a minimum. "It only works when information is centralized, though," Pike says. On the outbound side, "every associate with a browser is going through the firewall," he says. Despite all the activity generated by tens of thousands of users, the company has seen little or no performance degradation on the network. Also, because NCR already had a firewall policy in place, the company had no trouble implementing PIX.
In addition to its internal users, NCR has more than 260 extranet partners with access to its corporate data, a number Pike expects to grow exponentially within the next 12 months. "The Web is the best way to control outside access to our data," Pike says. "That means that the firewall is an important part of security."
A big customer--and sometime reseller--of Cisco Systems equipment, NCR has found technical support to be exemplary. "One reason we are with Cisco is that they have end-to-end coverage," Pike says. "It's an enterprise concern, and a lot of people are looking for that."
Lessons learned about firewalls
Buy before you're burned. Many organizations know this already, but it doesn't hurt to repeat. The time your company first establishes a Web presence is the time to buy a firewall product.
Set rigorous policies. Firewalls work only if you've told them what you want them to do. Setting rigorous rules for access--rules designed before the firewall goes up--is the best way to ensure security. It's time-consuming, and it's a process you'll have to go through regularly.
Allow for expansion. As far as we can tell, everyone who installs a firewall will eventually encounter equipment constraints. You'll soon outgrow your hardware, your software, your networking bandwidth, or all three. Keep an eye on usage, and make plans to change when necessary.
Expect vendors to change. The rounds of acquisitions over the last couple of years have meant users are rarely dealing with the people and companies they started with. While the current round of acquisitions seems to have stopped, some analysts think another is coming.
Plan for intra/extranets. Even if you're only setting up a simple Web site today, down the road you'll be installing firewalls in areas you might not currently dream of.
Be prepared to explain performance hits. Your firewall is going to slow network performance, even if only slightly. Do your best to minimize the effects of this. For management, the bottom line is usually not security, but speed.
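The "set rigorous policies" lesson, and Reed's goal of isolating the internal network "except for a few well-defined points," come down to a rulebase that is evaluated first match wins with everything else denied. The ordering of that rulebase is where real installations go wrong: a broad permit placed above a narrower deny silently makes the deny unreachable. The following is an added example, not the article's or any vendor's rule syntax. It evaluates a small constructed rulebase (inside network 10.1.0.0/16, a public Web server at 192.0.2.10, a partner range 198.51.100.0/24, all assumptions) and includes the check a practitioner would run before going live: find every rule that an earlier rule completely shadows.

```python
"""Toy first-match rulebase with default deny and a shadowed-rule check.

Added example, not the article's or any vendor's rule syntax. The rule
format, the address ranges and the rules themselves are assumptions
constructed to illustrate the point.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

PortSpec = Union[str, int, Tuple[int, int]]   # "any", a single port, or an inclusive range


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    dport: PortSpec
    action: str       # "accept" or "drop"


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def _port_range(spec: PortSpec) -> Tuple[int, int]:
    if spec == "any":
        return (0, 65535)
    if isinstance(spec, tuple):
        return spec
    return (spec, spec)


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    lo, hi = _port_range(rule.dport)
    return (ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and lo <= dport <= hi)


def evaluate(rules, src, dst, dport):
    """First matching rule wins; anything unmatched is dropped."""
    for r in rules:
        if _matches(r, src, dst, dport):
            return r.action, r.name
    return "drop", "default-deny"


def shadowed(rules):
    """Rules that can never fire because an earlier rule covers every packet
    they would match. A shadowed 'drop' is the dangerous case: the admin
    believes traffic is blocked when it is not."""
    found = []
    for i, later in enumerate(rules):
        l_lo, l_hi = _port_range(later.dport)
        for earlier in rules[:i]:
            e_lo, e_hi = _port_range(earlier.dport)
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and e_lo <= l_lo and l_hi <= e_hi):
                found.append((later.name, earlier.name))
                break
    return found


INSIDE, WEB_SERVER, PARTNER = "10.1.0.0/16", "192.0.2.10/32", "198.51.100.0/24"

# Constructed rulebase with a mistake: a broad partner permit placed above a
# narrower partner deny, so the deny is unreachable.
RULES = [
    Rule("web-out",           INSIDE,  "any",      80,         "accept"),
    Rule("ssl-out",           INSIDE,  "any",      443,        "accept"),
    Rule("public-web",        "any",   WEB_SERVER, 80,         "accept"),
    Rule("partner-any",       PARTNER, WEB_SERVER, "any",      "accept"),
    Rule("partner-no-telnet", PARTNER, WEB_SERVER, 23,         "drop"),
    Rule("no-netbios-in",     "any",   INSIDE,     (137, 139), "drop"),
]

# The same rules with the deny moved above the permit.
FIXED = [RULES[0], RULES[1], RULES[2], RULES[4], RULES[3], RULES[5]]

if __name__ == "__main__":
    print(shadowed(RULES))                                    # [('partner-no-telnet', 'partner-any')]
    print(shadowed(FIXED))                                    # []
    print(evaluate(RULES, "198.51.100.7", "192.0.2.10", 23))  # ('accept', 'partner-any')
    print(evaluate(FIXED, "198.51.100.7", "192.0.2.10", 23))  # ('drop', 'partner-no-telnet')
    print(evaluate(FIXED, "203.0.113.9", "10.1.2.3", 445))    # ('drop', 'default-deny')
```

The shadow check is deliberately conservative: it only reports a rule when an earlier rule covers its entire source range, destination range and port range, so every hit is a rule that provably never matches. Partial overlaps, where an earlier rule captures some but not all of a later rule's traffic, are a separate and messier audit; the point here is that a first-match rulebase has to be read top to bottom, with the specific denies above the broad permits, and that this is worth checking mechanically every time the policy changes rather than only when the firewall first goes up.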
Read all about it...
Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network
Written by an anonymous hacker who has seen the error of his ways, this book provides an excellent--if slightly daunting--look at today's network security issues. Only one chapter is specifically about firewalls, but it is an excellent introduction to the subject.
PC Week Intranet and Internet Firewalls Strategies
Read this guide to find out how firewalls work and why you need them. It shows you the essentials of firewall implementations: configurations, protocol issues, administration, and more. By identifying the real threats to your network, you can establish packet filters or application-level gateways before security is breached.
"GAO Report: Ongoing Security Issues"
(Oct. 6, 1998)
The General Accounting Office has released a report (its first in a couple of years) about the state of computer security in the federal government. The news isn't good, as this synopsis indicates. Some of the problems the feds have are probably problems your site has as well.
"Seven Firewalls Fit for Your Enterprise"
(Nov. 15, 1998)
This is an excellent report-card-style review of a half-dozen or so firewalls. In addition to ranking the vendors' products, it also provides background information on the latest technology and marketing schemes.
"Firewall Mailing List Archive"
For six years, subscribers to firewalls@greatcircle have been sharing their firewall data with one another. At this archive you can trawl for the firewall information you need. Like all unmoderated groups, you can expect a certain amount of spamming, as well as the obligatory flame wars. (Also see the group's FAQ file at ftp://ftp.greatcircle.com/pub/firewalls/FAQ).
4Firewalls is a page of links, and although this site is not the grand collation of firewall information it purports to be, it's a good place to start for follow-up information on firewalls, such as links to vendors and consultants.