NIST Scientists on Firewalls Circa 2011
Fitting Firewalls Into Today's IT Security Regime
"Over the years people have talked about the disappearance of our perimeter," says Tim Grance, a computer scientist at the National Institute of Standards and Technology. "You have to let things in your network in order to do business, and it's challenging for people to do, which is why again having a clear sense of those needs, the business driver, the mission needs people have, and telling those security practices to best support that, while still maintaining a reasonable degree of security."
Firewalls have been around since the late 1980s, initially erected around network perimeters to control the flow of traffic, and protect data inside host computers. But computing has changed dramatically since Digital Equipment Corp. developed the packet filter firewall in 1988.
Though firewalls have evolved over the past 23 years, their basic function has remained the same, while their capabilities have vastly expanded, Grance and his NIST colleague Murugiah Souppaya say in an interview with Information Security Media Group (transcript below).
"Firewalls today need to have greater visibility to the traffic that's being transported on a network," Souppaya says. "You need to be able to see into the actual content that's flowing through your network, so capabilities of the firewalls have increased quite a bit over the past few years."
Grance and Souppaya, in the interview with Information Security Media Group's Eric Chabrow, discuss:
- The evolution of firewalls.
- How firewalls fit into today's overall IT security regime.
- Guidance NIST offers on firewalls, including its latest special publication, SP 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy.
Past Vs. Present
ERIC CHABROW: How is a firewall or firewall technology different today than it was a generation ago, or even three or five years ago?
TIM GRANCE: The basic functions remain the same. One of the trends is that so much more traffic has to pass through. Obviously, web traffic is what you ask for and what you get back in your system. In some ways, firewalls have remained the same, and in some sense, of course, we are applying them to the virtual firewalls and the VM (virtual machine) world and things like that. The basic function is the same, but some of the threats are different, obviously a more advanced threat.
MURUGIAH SOUPPAYA: In terms of capabilities, firewalls today need to have greater visibility to the actual traffic that is being transported on a network, so you need to be able to see into the actual content of what is flowing through your network. So, capabilities of firewalls have increased quite a bit over the last few years.
GRANCE: I'm glad Murugiah clarified that because the function is the same. It started out for early times to the notion of deep packet inspection; the idea is a deeper inspection of the item to make better decisions about what to let pass and what not to let pass.
CHABROW: It has a better ability now to analyze what the content is?
SOUPPAYA: Yes, with some of these types of firewalls, you could see they naturally understand the application layer. So what it does is decompose the application layer and look into the content of the application itself. For example, it could look at web traffic and see a piece of malware that is kind of being transported over your web traffic; it could detect that. It could also act as a component of a spam filtering system, where it will be able to look at content as it flows through the other firewalls.
GRANCE: And just take care of a little bit more of other capabilities. One of the newer trends over the years has been things like application firewalls, stateful protocol analysis and things like that. These are newer, I wouldn't say immediately current but things that have changed over the years.
Beyond the Network Layer
CHABROW: In the past the firewalls were more at the network level, and now they are there plus at the application level as well?
GRANCE: I would say that we're applying it in different places, in addition to the pure network layer.
SOUPPAYA: With today's mobile devices and laptops being taken outside of the trusted enterprise network, most of our mobile devices have firewall capabilities. They do have a host firewall running on the local system. That firewall most of the time may also have other capabilities like some intrusion detection capabilities or intrusion protection capabilities built into the firewall itself. You want to be able to push that type of level of defense down to the end user itself. In this case, down at the laptop level. For example, most modern operating systems like Windows and Mac and Linux have built-in firewall capabilities as part of the OS.
CHABROW: And these are designed to function with what would be on the network, they are configured in such a way?
SOUPPAYA: Yes, some of these firewalls have capabilities where you could actually manage the rule set of the host-based firewall from a central management console. The notion is that when your laptop is on the enterprise network, the firewall rule sets may behave differently than when you take that laptop out on travel to an untrusted network like a hotel network. It would have a different profile, a different rule set.
GRANCE: Then, of course, you lead into other places. Am I going to bring the device here? Has it passed my health status check and that sort of thing? It's about using the firewall appropriately for different threat differences. Obviously, the mobile worker brings the potential for additional threats because of the untrusted nature of the network they are in.
CHABROW: How about other kinds of mobile devices, whether we're talking about Blackberries, iPhones, Androids, or removable storage? Do they have similar kinds of capabilities as the operating systems you find on laptops?
GRANCE: Speaking broadly, mobile devices generally do not have as much sophisticated capability to defend themselves as other devices. Of course, the addition of mobile devices does make our life more interesting, so we have to deal with that in different ways. The Blackberries have a full management interface for how to manage these devices remotely, so you can do things like wipe them remotely, and disable service rapidly and quickly on those that are believed to be stolen.
SOUPPAYA: In general mobile devices like smart phones do not have firewall capabilities, but the security models are slightly different. ... They do have other security mechanisms like sandboxing capabilities and things like that to provide a level of security, but in general they do not come with a firewall built in.
GRANCE: Sandboxing is obviously one of the key ways that people deal with not letting something go into another space that it shouldn't be in. In which it might operate within the sandbox, but it can't get out of that sandbox.
Data, Data Everywhere
CHABROW: Firewalls were first initiated to protect data by building this wall around it and controlling the traffic in and out. Of course, data now exists everywhere. If you are a chief information security officer, say at a government agency or a bank, or at a hospital, how do you integrate firewalls into an overall IT security regime?
GRANCE: In the same way you introduce any other mechanism, it's another business decision. Does it work with my existing enterprise? Is my architecture around, like, I want these multi-function products that can do multiple activities, or do I want more single-purpose ones? That trend goes back and forth over the years. ... Having a policy and having an architecture, understanding the kinds of data that you have and the kind of activities people are undertaking. If you have a large mobile workforce, always remote, there are different kinds of activities around virtual private networks that you're going to use. So it is about an integrated architecture, I would say, largely speaking.
SOUPPAYA: In general, the reasons why you are implementing firewalls are to provide some type of capabilities to support your policy. You need to understand what your policy is regarding the type of traffic that you want to flow within your network, understand the protocols that you want to allow on your network, and who needs to have access to those types of services and protocols. Then that would drive the firewall rule set that you may want to configure at the enterprise level.
GRANCE: If largely people are just accessing e-mail, but if they are accessing backend resources that is a different set of things you want to do in those two environments. I mean it is challenging for the architect. Over the years people have talked about the disappearance of our perimeter. You have to let things in your network in order to do business, and it's challenging for people to do, which is why again having a clear sense of those needs, the business driver, the mission needs people have, and telling those security practices to best support that, while still maintaining a reasonable degree of security.
CHABROW: Anything else you would like to add?
GRANCE: No, we just again encourage people to take a look at our publications and look at our website, give us feedback, and we certainly aim to serve and appreciate folks looking at our pubs and giving us feedback.
CHABROW: What is the publication number for firewalls?
GRANCE: Firewalls, it's Special Publication 800-41.