
New Security Attacks Require New Security Technology

Written by Lance Travis, Contributor

With the recent conspicuous network attacks exposing new vulnerabilities, the firewall market is poised for transformation. Traditional firewalls provide security based on network parameters such as the origin, the server destination, or the application destination of the network transmission. While they understand the network, they lack understanding of the applications that ultimately receive the network transmission. As a result, traditional firewalls are unable to stop the latest network-based attacks. But a technology called deep packet inspection promises to address the problem.

The Bottom Line: In order to defend against the new generation of security attacks, companies must incorporate deep packet inspection technology into their perimeter security strategy.

What It Means: Unless you want your firewall to prevent all access to a Microsoft IIS Web server or SQL Server, a traditional firewall offers little protection against security attacks like Nimda or SQL Slammer. These latest security attacks exploit vulnerabilities in the application rather than in the network itself. To make matters worse, an increase in Web services adoption will only widen exposure to application vulnerabilities. The Takeaway: Attacks against applications will increase in number and severity.

Deep packet inspection, first introduced in Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) and now found in some firewalls, is the new defense against application-level attacks. Deep packet inspection technology examines the data being sent to the application for patterns and anomalies that indicate an attack. In order to inspect network traffic at speeds sufficient to avoid network bottlenecks, users should rely on in-line devices (either a firewall or an IPS appliance) for deep packet inspection. The Takeaway: Use in-line deep packet inspection to block attacks and out-of-band IDS for analysis and forensics after an attack.
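To make the distinction concrete, here is an added example (not from the article or any vendor named in it) that contrasts a port-based firewall decision with a deep packet inspection decision on the same traffic, and then shows the in-line versus out-of-band deployment difference. The host address, the traversal pattern, the request-line length threshold, and the sample packets are all constructed for illustration.

```python
"""Port-based firewall rule versus deep packet inspection (DPI) on the same traffic.
All addresses, patterns, thresholds and packets below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Traditional firewall: decides only on network parameters (destination host, port).
# The web server is reachable on port 80; nothing else is exposed.
ALLOWED_SERVICES = {("10.0.0.5", 80)}


def traditional_firewall(pkt: Packet) -> str:
    return "allow" if (pkt.dst, pkt.dport) in ALLOWED_SERVICES else "drop"


# DPI adds payload checks after the network check: a known-bad pattern and a
# protocol anomaly, the two kinds of check the article describes (constructed here).
BAD_PATTERNS = [re.compile(rb"\.\./")]   # directory traversal sequence in a URI
MAX_REQUEST_LINE = 2048                   # legitimate clients never send lines this long


def deep_packet_inspection(pkt: Packet) -> str:
    if traditional_firewall(pkt) == "drop":
        return "drop"
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return "drop:anomaly"
    if any(p.search(request_line) for p in BAD_PATTERNS):
        return "drop:pattern"
    return "allow"


def inline_ips(packets):
    """In-line device: only packets that pass DPI are forwarded to the server."""
    return [p for p in packets if deep_packet_inspection(p) == "allow"]


def out_of_band_ids(packets):
    """Passive sensor: sees a copy of all traffic, blocks nothing, records alerts."""
    verdicts = ((p.src, deep_packet_inspection(p)) for p in packets)
    return [(src, v) for src, v in verdicts if v != "allow"]


# Constructed sample traffic: a normal request, a traversal attempt, an oversized
# request line, and a connection to a port the firewall does not expose.
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet("198.51.100.8", "10.0.0.5", 80, b"GET /files/../../private.cfg HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "10.0.0.5", 80, b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.10", "10.0.0.5", 23, b"login\r\n"),
]
```

The port-based rule lets the second and third packets through because port 80 is open; only the payload checks catch them, and only the in-line device can stop them rather than merely alert.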

Recommendations: Companies should evaluate their existing firewall strategy and incorporate deep packet inspection technology into their defenses.

Specifically, companies should examine vendors’ products for the following:

  • Availability and maturity of deep packet inspection support--This should be either part of the firewall or a separate IPS appliance. Separating the firewall from the IPS eliminates a single point of failure within a security deployment, but adds to administration and management overhead and to the cost of the system. Vendors with deep packet inspection technology must demonstrate expertise in protocol and data analysis as well as in developing Application-Specific Integrated Circuits (ASICs) to support line speed processing.
  • Centralized management console--As more capabilities are deployed for defense against attacks (multiple firewalls, IDS, IPS, virus prevention, content filtering, spam blocking, and vulnerability scanning), the management and administrative overhead to coordinate policy and correlate events is also growing, becoming a nightmare for security administrators. Next-generation firewalls and IPS appliances must support a centralized management console to administer multiple devices and types of devices from the firewall vendor and third parties.
  • Financial viability--Vendors will need to invest substantial R&D to develop mature next-generation firewalls and IPS appliances. In a market still populated with scores of small vendors, the impending shakeout will leave only the financially strong.
Vendor rundown

Of the numerous firewall vendors, Check Point Software Technologies, Cisco Systems, and Netscreen have the size and experience to develop effective combined firewall and IDP products with centralized management capabilities. Check Point has released its Next Generation (NG) firewall, which contains deep packet inspection support. Similarly, Cisco provides deep packet inspection support in its firewall product, the PIX Security Appliance. Cisco recently purchased host-based IPS company Okena and is expected to incorporate Okena’s intrusion prevention support into its network security appliances. Netscreen has shipped more than 600 units of its IPS appliance.

Other contenders include Internet Security Systems (ISS), Network Associates, and Symantec, which offer full security suites and have the financial resources to develop competitive firewall and IDP products. Former firewall vendor Network Associates (which sold its Gauntlet firewall to Secure Computing) entered the network IPS and host IPS fray when it acquired IntruVert Networks and Entercept Security Technologies. Security suite vendor ISS will make available later this year an IPS appliance that also supports virus prevention, content filtering, and spam blocking. Symantec offers a firewall, an IPS, and a centralized management console that works with ISS and Cisco devices.

AMR Research originally published this article on 19 August 2003.