First-generation firewalls fail in Web 2.0

Legacy enterprise firewalls that rely on ports and protocols are becoming irrelevant in the Web 2.0 landscape, as these systems can be easily bypassed, says a firewall expert.
Written by Liau Yun Qing, Contributor

Web 2.0 applications are rendering first-generation enterprise firewalls "useless" because users can easily bypass these legacy technologies, said a Palo Alto Networks executive.

In an interview with ZDNet Asia Wednesday, Mao Yuming, chief architect and co-founder of Palo Alto Networks, said legacy firewalls that rely on ports and protocols to define traffic are not effective in the Web 2.0 landscape.

One of the ways applications can bypass firewalls is by using HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure) as launch points, he said.

Therefore, firewalls should identify traffic not at the port or protocol level but at the application level, Mao said, adding that Palo Alto Networks' "next-generation firewalls" feature three core identification technologies tailored to today's application landscape.
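To make the port-versus-application distinction concrete, the following is an added example, not code from the article or from Palo Alto Networks, and not a description of how App-ID works internally. It contrasts a first-generation rule that permits "web" traffic purely by destination port with a toy classifier that looks at the first bytes of a flow and identifies the application (an HTTP request and its Host header, a TLS ClientHello and its SNI name, or an SSH banner). The sample flows, host names and the blocked-application list are constructed for the demonstration; the ClientHello builder produces just enough structure for the classifier and is not a complete handshake.

```python
import struct

# --- constructed sample traffic -------------------------------------------------

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed for this demo: zero random, one cipher suite, no other extensions."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x00" * 32            # random (zeroed for the demo)
        + b"\x00"                 # session_id length: 0
        + b"\x00\x02\xc0\x2f"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
HTTP_UPLOAD = b"GET /upload HTTP/1.1\r\nHost: files.example-share.test\r\n\r\n"

# (description, destination port, first bytes sent by the client)
SAMPLE_FLOWS = [
    ("webmail over TLS",          443, build_client_hello("mail.example.test")),
    ("SSH tunnelled over 443",    443, SSH_BANNER),
    ("file-sharing site over 80", 80,  HTTP_UPLOAD),
    ("file-sharing site over 443", 443, build_client_hello("files.example-share.test")),
]

# --- application identification ---------------------------------------------------

def tls_sni(payload: bytes):
    """Return the SNI host from a TLS ClientHello, or None if this is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # record type handshake, msg type ClientHello
            return None
        pos = 43                                           # 5 record + 4 handshake + 2 version + 32 random
        pos += 1 + payload[pos]                            # skip session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + payload[pos]                            # skip compression_methods
        ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:                                 # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def identify(payload: bytes) -> str:
    """Classify a flow by content rather than port: 'ssh', 'http:<host>', 'tls:<sni>' or 'unknown'."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return "http:" + line[5:].strip().decode("ascii", "replace")
        return "http"
    host = tls_sni(payload)
    return "tls:" + host if host else "unknown"

# --- the two policies -------------------------------------------------------------

def port_policy(dst_port: int, payload: bytes) -> bool:
    """First-generation rule: 'allow web' means allow TCP 80/443; the payload is never examined."""
    return dst_port in (80, 443)

BLOCKED_HOSTS = {"files.example-share.test"}   # hypothetical file-sharing service to block

def app_policy(dst_port: int, payload: bytes) -> bool:
    """Application-aware rule: allow only identified web traffic to hosts that are not blocked."""
    app = identify(payload)
    if app == "ssh" or app.split(":", 1)[-1] in BLOCKED_HOSTS:
        return False
    return app.startswith(("http", "tls"))

def evaluate(flows=SAMPLE_FLOWS):
    """Return (description, port_policy_allows, app_policy_allows) for each flow."""
    return [(desc, port_policy(port, data), app_policy(port, data)) for desc, port, data in flows]

if __name__ == "__main__":
    for desc, by_port, by_app in evaluate():
        print(f"{desc:28s} port-based: {'ALLOW' if by_port else 'DENY':5s} app-aware: {'ALLOW' if by_app else 'DENY'}")
```

The port-based rule allows all four flows, because every one of them is addressed to 80 or 443; the content-based rule allows only the webmail flow. The same classifier logic is what makes an "allow web, block SSH" policy enforceable once SSH is carried on 443, which a port rule cannot express at all.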

One such technology is App-ID, which lets organizations manage the applications that are allowed on their networks. To keep that list current, Palo Alto has a dedicated team that tracks applications and new application variants daily and updates its database accordingly.

Larry Link, the company's vice president of worldwide sales, added that Palo Alto's customers also submit their lists of applications to the global list. The company also works with universities, where "a lot of applications are first seen", and has equipment in place there to track application traffic and identify newly created applications, he explained.

User-ID, another feature, defines users' access policies based on user identity rather than on IP addresses, the traditional approach.

"IP address is not relevant anymore, especially when more and more users are using notebooks," Mao said, pointing out that users' IP addresses change as they work at different locations within the corporate environment.

With the User-ID identification technology, Palo Alto draws on the organization's directory service to map traffic to a user identity, so that even when a user's IP address changes, the same access policy is applied to that user, he said.

Another technology included in Palo Alto's hardware-based firewalls is Content-ID, which is able to process data, threats and URLs in a single scan so there is no latency, Mao added. This contrasts with other commercially available firewalls, where "firewall helpers" such as IPS (intrusion prevention systems) and antivirus are added as separate boxes, which slow them down.

While behind-the-scenes firewalls are important, Mao said it is equally important for IT administrators to be able to see ongoing network activity. Palo Alto's products include the Application Command Center, which graphically displays network activity such as the applications on the network, which users are using a particular application, and the potential security impact of that application.

Firewall's role in mobile workforce
Asked how the proliferation of smartphones in the workforce has affected firewall deployment, Link noted that security related to accessing the corporate network through mobile phones is rated as a low priority among its customers.

Instead, organizations are more concerned about enforcing firewall policies on company-owned laptops, he said. This is especially the case with mobile workforces, which often access the Internet through external gateways and can introduce threats back into the corporate network.

To help address that concern, the company recently announced a new product called Global Protect, which aims to provide the same level of control to mobile devices, said Link.

The software, installed on laptops, will have basic security functions such as checking the status of the machine to ensure that security measures are in place. The tool, he explained, also prevents the device from connecting to the Internet without going through a Palo Alto gateway: it searches for the nearest gateway and connects out through it, so that the laptop's traffic is always redirected through the gateway.

The next step for the company, added Link, will be to develop a similar tool for mobile devices.
