In these unfriendly times, keeping vandals and crooks off networks of any size is a constant battle. Administrators face a juggling act, trying to balance adequate access to resources inside and outside of the company and sufficient security to protect users from the lowlifes who are determined to go where they are neither authorized nor welcome.
The first line of defence for most networks today is the firewall. A firewall examines incoming traffic and decides whether or not to let it pass onto the network. Firewalls are not just for the huge corporate network, either. Any network exposed to the Internet needs some sort of product to protect it from online malefactors trying to steal information, or attempting to take control of machines to use them for other attacks or to send spam. Even individual machines with always-on high-speed connections are vulnerable.
With such a varied collection of systems to be protected, there is an equally large collection of firewalls. And with the ever-growing variety of threats, the basic firewall is now often combined with other products in a gateway appliance providing protection against many different potential attacks. IDC says that the Unified Threat Management (UTM) appliance, which includes not only a firewall, but also intrusion detection and prevention and gateway anti-virus, has gone from nowhere to 12 per cent of the market, while firewall/VPNs have declined by 17 per cent.
The security appliance market, as a whole, is hot. It grew a whopping 57 per cent in Q2 2004 compared to the same period in 2003, to $US523.4 million.
In the firewall/VPN segment, Cisco was top dog, with more than a third of the market, followed by Juniper (thanks to its NetScreen acquisition) at nearly 20 per cent and Nokia with 11 per cent. SonicWall and WatchGuard round out the top five security appliance vendors.
We checked out the specs for products from these market leaders; here’s a look at their offerings. We concentrated on appliances rather than on firewall software (with software firewalls, you have similar variety, ranging from desktop products like ZoneAlarm to enterprise-class programs).
You’ll see they come in all sizes, from products protecting the branch office to those guarding the largest enterprise, and each vendor has a varied selection to cope with virtually all parts of the enterprise, costing from hundreds of dollars at the low end, to thousands as feature sets and capacities grow. You’ll also see that the “basic” firewall typically includes a virtual private network these days.
Nokia’s Firewall/VPN appliance includes VPN-1 /FireWall-1 software from Check Point Software Technologies. Eight models handle networks from the branch office to the large enterprise or carrier network.
The stateful firewall inspects traffic right up to the application layer. It supports both RADIUS and TACACS+ authentication. Performance goes up to 4.2 Gbps. Nokia offers load-sharing and active redundancy between its devices.
Some models support Nokia’s Multiple Domain Security, which enables deployment of multiple separate security policies on one appliance, allowing security service providers to accommodate several clients on one device.
Cisco is the market leader in the firewall world. The PIX firewall appliance line varies from small models that protect the desktop and small office — handling 60 Mbps — to enterprise-class units that look after corporate networks and cope with 1.6 Gbps. PIX firewalls also do NAT (network address translation) and act as proxy servers. Among their functions: virtual LAN (802.1q tag) support; Open Shortest Path First dynamic routing; Network Address Translation; Port Address Translation; content filtering (Java/ActiveX); URL filtering; authentication, authorization and accounting (RADIUS/TACACS+) integration; support for leading X.509 public key infrastructure solutions; and Dynamic Host Configuration Protocol client, server, relay and Point-to-Point Protocol over Ethernet support.
Cisco’s IOS firewalls run on its routers, and offer multiprotocol routing, perimeter security, intrusion detection, VPN functionality and dynamic, per-user authentication and authorization. Throughput ranges from 10 to 200 Mbps. They are stateful firewalls, which means they store information on a session when it is established and only allow subsequent packets through if they belong to a genuine session.
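As an added illustration (not code from Cisco or any other vendor on this page), here is a minimal Python model of the session tracking just described, with constructed addresses, placed beside an old-style stateless "established" ACL so the difference in what each lets through is visible:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: 10.0.0.0/8 is the protected "inside" network.
INSIDE = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "R"

def stateless_established_rule(pkt: Packet) -> str:
    """Old-style ACL: admit any inbound packet with ACK set, assuming it
    must be a reply to an inside connection. Keeps no memory of sessions."""
    if ip_address(pkt.src) in INSIDE:
        return "ALLOW"
    return "ALLOW" if "A" in pkt.flags else "DROP"

class StatefulFirewall:
    """Remembers a session when an inside host opens it and only admits
    later packets (in either direction) that belong to a remembered session."""
    def __init__(self) -> None:
        self.sessions = set()  # 4-tuples (src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            # Known session: allow; forget it on reset (a fuller tracker
            # would also follow the FIN handshake and apply idle timeouts).
            if "R" in pkt.flags:
                self.sessions.discard(fwd)
                self.sessions.discard(rev)
            return "ALLOW"
        # Only a SYN from inside to outside is allowed to create state.
        if pkt.flags == "S" and ip_address(pkt.src) in INSIDE \
                and ip_address(pkt.dst) not in INSIDE:
            self.sessions.add(fwd)
            return "ALLOW"
        return "DROP"

def demo() -> dict:
    fw = StatefulFirewall()
    outbound_syn = Packet("10.1.1.5", 40001, "203.0.113.9", 80, "S")
    reply_synack = Packet("203.0.113.9", 80, "10.1.1.5", 40001, "SA")
    unsolicited_ack = Packet("198.51.100.7", 4444, "10.1.1.5", 22, "A")
    return {"outbound_syn": fw.filter(outbound_syn),
            "reply": fw.filter(reply_synack),
            "unsolicited_ack_stateful": fw.filter(unsolicited_ack),
            "unsolicited_ack_stateless": stateless_established_rule(unsolicited_ack)}
```

The unsolicited inbound ACK is exactly the packet the stateless rule waves through and the stateful filter drops, because no inside host ever opened that session.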
SonicWALL has a dozen offerings, with VPN throughput from 20 Mbps to 500 Mbps and up to 1 Gbps firewall performance. It supports RADIUS authentication, load balancing, and has a deep packet inspection stateful firewall and wireless support.
SonicWALL’s options include anti-virus and content filtering. In fact, many of its models straddle the line between firewall and security appliance.
Cyberguard says it now has more than a dozen separate firewall products in four different lines.
Its SG series (formerly known as SnapGear) are Linux-based products with throughputs up to 140 Mbps, and are aimed at the small business and branch office. They support dial-up as well as Internet-based VPNs, and some have an intrusion detection system, load-balancing, and Internet proxy.
Further up the food chain, the FS series is designed for enterprises with moderate (just over 1 Gbps) bandwidth needs. It is followed by the KS series, which peaks at just over 1.5 Gbps, and the top of the line is the SL series at over 3 Gbps. Each provides VPN capabilities, supports RADIUS, TACACS+, LDAP, and RSA SecurID authentication, and bears Common Criteria Evaluation Assurance Level 4+ (EAL4+), ICSA, ITSEC E3, and VPNC certifications.
Juniper’s acquisition of NetScreen bought it the No. 2 spot in the firewall market.
A stateful Layer 2 and 3 firewall and VPN are common across all of its products. It has recently also introduced enhancements to protect VoIP and instant messaging from denial of service attacks.
The top of the line NetScreen 5400 offers up to a whopping 12 Gbps firewall performance. At the low end, the NetScreen-5XT model provides 70 Mbps performance, and is designed for the branch office or retail outlet. The NetScreen-5GT adds anti-virus from Trend Micro.
Authentication is via RADIUS, LDAP, or RSA SecurID. Juniper’s devices have received the Common Criteria and ICSA Firewall certifications.
WatchGuard’s products cover companies from small businesses to enterprises. The Firebox line’s six models offer dynamic firewall protection, VPN, intrusion detection and from 275 Mbps to 2 Gbps firewall performance. Web-based authentication is via RADIUS, local database and X.509 certificates. Dedicated HA ports provide for redundancy.
Some models also include traffic-shaping quality of service.
Baking more functionality into firewall recipes
Today, it’s impossible for a company of any size to neglect network security. While the firewall is a critical part of that strategy, increasingly, hybrid appliances are finding homes where standalone firewalls once lived. Vendors are recognizing this, and are baking more and more functionality into their products, even those billed purely as firewalls. We’re seeing intrusion detection and anti-virus becoming a normal part of firewall functionality.
This opens the door for vendors of products in related areas. Most of those listed here are rising to the challenge, but we’re also seeing companies such as Symantec and McAfee entering the market with security appliances that watch for and stop viruses, worms, and other types of attack.
While firewalls that only examine the lower layers of the OSI model perform better, Layer 7 firewalls do offer better control over what can pass through. For example, they can restrict and strip MIME types to block malicious content.
Vendors are mixing and matching these functions to squeeze maximum performance out of the devices. For example, Cisco provides both stateful inspection for access control and 24 specialized inspection engines for protocols such as HTTP, FTP, and SMTP, and WatchGuard’s Fireboxes provide limited application layer inspection of HTTP and SMTP traffic.
Encryption, though it, too, requires processing power, is mandatory to secure the now-ubiquitous VPN, again forcing firewalls to become more powerful. You’ll see DES and Triple DES virtually everywhere, with some models also supporting AES.