Is that a firewall on your perimeter or just some Swiss cheese?

As more Sobig-like intruders have their way with business networks, IT departments must begin requiring personal firewalls on all end-user devices (including PDAs) capable of carrying a malicious payload past existing perimeter defenses.
Written by David Berlind

I feel badly for Swiss cheese. Thanks to a few holes, it will forever be likened to lousy security. These days, perhaps the best application for that metaphor is to your firewall. While firewalls (the non-personal ones) keep the riffraff out of your network, they can no longer be counted on to secure the perimeter of business or home networks the way they once did.

Striking a balance between Internet access and network security is becoming more difficult as more applications ship their payloads through the handful of network ports that must be left open to maintain a modicum of Internet functionality. Zone Labs marketing vice president Fred Felman, while talking with me about his company's recently introduced instant messaging-specific personal firewall, casually mentioned the various IM clients' use of port 80 (the one designated for passing HTTP traffic) as though such "abuse" is normal. In fact, it is.

More and more user-installed applications (especially IM clients) are operating through ports originally designated for other purposes. Throw in the current Web services movement, which works almost exclusively over HTTP (port 80) and its more secure cousin HTTPS (port 443), and it almost seems as though having a firewall on your perimeter is a waste of time. No matter how good your firewall is, it becomes irrelevant once nasty payloads like Sobig.F or MSBlaster infiltrate via ports that must be left open (like port 25, for Internet e-mail) and then, worse, launch a denial of service attack via another avenue such as port 80, which is for HTTP (the Web).

For what we'll look back on as a fleeting moment in history, firewalls have evolved to engage in stateful packet inspection and intrusion detection, which involves double-checking the packets that pass back and forth, looking for something amiss that's typical of an attempted intrusion.

Unfortunately, with more applications hitching a ride on HTTP to get through port 80, stateful firewalls and intrusion detection systems are having a harder time distinguishing between malicious and benign payloads. To really get under the hood of those payloads, firewalls would have to edge closer towards the abilities of a powerful protocol analyzer, monitoring every stream to every workstation. It would be the equivalent of a single ticket taker at a stadium searching through the bags of every event attendee as they approached the turnstiles.

The resulting congestion could have a devastating performance impact on users and applications on both sides of the firewall.

To make matters even worse, an increasing percentage of the traffic passing through business and residential firewalls is encrypted, thereby limiting the chances that a stateful firewall or intrusion detection system will catch a malicious payload as it works its way towards a vulnerable user or workstation. Not only are more and more Web sites securing their users' sessions with SSL-based encryption (HTTPS), but more SSL-based Virtual Private Networking (VPN) solutions are surfacing on the market. At the same time, interest in the next version of the Internet Protocol (IPv6) --- a version in which support for encryption is mandatory --- is growing against the backdrop of rampant identity theft and other security-related transgressions on the Internet.

As a result, perimeter firewalls are becoming less effective without the assistance of firewalls and intrusion detection processes that are physically closer to where the application execution takes place --- in the workstations and servers. Not only does such an approach distribute the workload, but it also locates the sentries just outside the endpoints of the tunnels through which everything is encrypted. There, with each packet's envelope fully opened to virtually any inspection routine, interior firewalls and intrusion detection systems will have a greater degree of success than their perimeter-based siblings in keeping malicious traffic from compromising a business' or home's information assets.

While personal firewalls --- the sort that run on desktop and notebook computers --- have caught on in the consumer market, businesses (especially enterprises) have been slow to see their value, often assuming that their existing security frameworks were sufficient. But I expect that, as more intruders such as Sobig have their way with business networks, IT departments will respond with policies requiring the presence of personal firewalls on all end-user devices (including PDAs) capable of being the conduit for malicious payloads sneaking behind the existing defenses. For example, while personal firewalls might not be able to stop the e-mails that targeted workstations with Sobig (a good e-mail-based anti-virus solution is best for that), they could easily prevent infected workstations from participating in the sort of Distributed Denial of Service (DDoS) attack that MSBlaster had up its sleeve.

One of the advantages of personal firewalls is that, even if a worm gets behind the perimeter defenses, there's a chance that it can be successfully quarantined.

But the IT department has to be on its toes. In addition to making sure that workstations are patched on a timely basis (most viruses and worms take advantage of vulnerabilities for which patches already exist), the security personnel have to know the specifics of the latest threat and how to make sure that the personal firewalls are configured to deal with it. Proving how difficult it is to implement policies that are designed to stop a threat dead in its tracks, some ISPs responded to MSBlaster with firewall re-configurations that mistakenly cut off traffic to more than just the Microsoft site that was "scheduled" to be victimized by MSBlaster's DDoS attack. The result hampered the functionality of Windows Update --- the very service that people were relying on to keep their computers up to date with the latest patches.
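The two points above (a personal firewall can stop an infected workstation from joining a DDoS even when it could not stop the infection, and a hastily widened block rule can cut off the update service along with the intended target) can be shown with a small first-match-wins egress policy evaluator. This is an added example written for this page, not code from the column or from any firewall vendor; the rule model, the program names, and the addresses (taken from the RFC 5737 documentation ranges) are all constructed. The per-process match is the thing a host firewall can see that a perimeter device cannot.

```python
"""Host-based egress policy evaluator (constructed example, not vendor code).

A personal firewall's outbound rule table, evaluated first-match-wins over
a handful of constructed connection attempts: an updater, a mail client,
a browser, a worm flooding its scheduled victim, and a worm mailing itself
out directly. Two rule sets are compared: an over-broad block of the
victim's whole netblock, and a default-deny, per-program policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    dst_net: str            # CIDR the destination address must fall within
    dst_port: Optional[int] # None matches any destination port
    process: Optional[str]  # None matches any local program
    comment: str = ""


@dataclass(frozen=True)
class Attempt:
    process: str  # local program opening the outbound connection
    dst_ip: str
    dst_port: int


def evaluate(rules, attempt, default="deny"):
    """Return the action of the first rule matching the attempt, else the default."""
    dst = ip_address(attempt.dst_ip)
    for rule in rules:
        if (dst in ip_network(rule.dst_net)
                and rule.dst_port in (None, attempt.dst_port)
                and rule.process in (None, attempt.process)):
            return rule.action
    return default


def apply_policy(rules, attempts):
    """Group the attempts by verdict, preserving their order."""
    verdicts = {"allow": [], "deny": []}
    for attempt in attempts:
        verdicts[evaluate(rules, attempt)].append(attempt)
    return verdicts


# Constructed addresses (RFC 5737 documentation ranges), not real hosts.
VICTIM_HOST = "198.51.100.10"  # the site the worm is "scheduled" to flood
UPDATE_HOST = "198.51.100.7"   # the patch-download service, in the same /24
MAIL_RELAY = "192.0.2.25"      # the corporate SMTP relay

# An ISP-style reaction: block the victim's whole netblock on port 80 and
# let everything else through. The update host is collateral damage.
OVERBROAD_RULES = [
    Rule("deny", "198.51.100.0/24", 80, None, "block the DDoS target (too wide)"),
    Rule("allow", "0.0.0.0/0", None, None, "everything else"),
]

# A host egress policy: name the victim exactly, let only the expected
# programs out on the ports they need, and drop anything unmatched.
HOST_EGRESS_RULES = [
    Rule("deny", f"{VICTIM_HOST}/32", 80, None, "block the scheduled DDoS target"),
    Rule("allow", f"{UPDATE_HOST}/32", 80, "updater.exe", "patch downloads"),
    Rule("allow", f"{MAIL_RELAY}/32", 25, "mailclient.exe", "mail only via the relay"),
    Rule("allow", "0.0.0.0/0", 443, "browser.exe", "HTTPS browsing"),
]

# Constructed connection attempts; the program names are placeholders.
ATTEMPTS = [
    Attempt("updater.exe", UPDATE_HOST, 80),
    Attempt("mailclient.exe", MAIL_RELAY, 25),
    Attempt("browser.exe", "203.0.113.40", 443),
    Attempt("msblast.exe", VICTIM_HOST, 80),     # flood toward the victim
    Attempt("worm.exe", "203.0.113.9", 25),       # worm's own SMTP engine
]

if __name__ == "__main__":
    for name, rules in (("over-broad", OVERBROAD_RULES), ("host egress", HOST_EGRESS_RULES)):
        result = apply_policy(rules, ATTEMPTS)
        print(f"{name:12}: allowed {[a.process for a in result['allow']]}, "
              f"denied {[a.process for a in result['deny']]}")
```

Under the over-broad table the flood is stopped, but so is the updater, and the worm's direct SMTP traffic sails through the catch-all allow; under the per-program default-deny table the updater and mail client keep working while both worm behaviours are dropped, including the one no rule names explicitly.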

Recognizing that telecommuters represent a huge threat to any business network, some companies are becoming proactive about disallowing access to any workstation (internal or external) that's not running a personal firewall. In some cases, it's simply policy. In others, there's a degree of coordinated automation between the VPN servers and the personal firewalls on workstations that are external to the firewall. In those situations, VPN servers (often a function of the perimeter firewall) are automatically denying access to firewall-less workstations. The assumption is that even though a workstation is attaching to the corporate network through a VPN, where technically, it's placing itself behind the safety of a perimeter firewall, there are still other ways for that workstation to become infected and then, once behind the firewall, to infect other machines inside the perimeter. One way this happens is when mobile systems attach directly to the Internet without any sort of firewall protection.

More harmonized solutions between network interior and perimeter security
Of course, there are other easy ways for viruses to find their way into corporate networks (and another reason to have personal firewalls in place), for example when users engage in practices that provide an alternative route for executable files to end up on their systems. Examples are programming their e-mail clients --- the same ones used to access corporate e-mail --- to check a personal POP3 inbox; using file-sharing services like Kazaa or Morpheus; or using one of the many IM services that offer a file transfer feature. More and more companies are prohibiting the downloading and/or running of these and other applications. The fact that these and other conduits for malicious payloads will be available via encrypted sessions only underscores the need for something to watch every packet as it comes out of an encrypted tunnel and gets decrypted.

Personal firewalls, although addressing the broadest range of potential threats, aren't the only type of sentry needed near the application execution points. Application-specific firewalls --- ones that stand guard in front of one or more specific applications --- are also beginning to sprout up. Whereas KaVaDo's InterDo, for example, focuses specifically on Web application security, ZoneLabs' IMSecure is a firewall designed specifically for IM programs.

As the burden of responsibility shifts closer to the application execution points, this new emphasis on workstation, server, and application-based firewalls and intrusion detection systems is likely to force some consolidation in that market in ways that produce more harmonized solutions between the network interior and perimeter security. Evidence of this is already underway.

Cisco originally partnered with ZoneLabs on a solution that disallowed access via its VPN technology unless the right version of ZoneLabs' ZoneAlarm personal firewall was running on the workstation needing access. But recognizing that the integration will need to go much deeper in a way that produces a more integrated solution --- one that's governed by a centralized policy management console --- Cisco went on the acquisition trail and scooped up Okena, a company in the personal and application firewall space. Cisco now offers the Okena technology, under the name Cisco Security Agent, as an agent that runs at the workstation level and is centrally managed in an integrated fashion through Cisco's management console known as CiscoWorks. CiscoWorks is the same console used to manage Cisco's PIX firewall appliance, a device found at the perimeter of many corporate networks. As you might suspect, through CiscoWorks, the perimeter and workstation firewalls work in concert with each other; the former does not allow workstations to connect unless the latter is present.

With Cisco having only acquired Okena in April, and few if any competitors having reacted, I expect that if Cisco's perimeter/interior integration starts scoring some market wins, there will be a sudden consolidation involving Okena's competitors such as ZoneLabs, Sygate (makers of Sygate Personal Firewall), Internet Security Systems (makers of BlackICE), and even the biggies such as Network Associates (McAfee Personal Firewall) and Symantec (Norton Personal Firewall). Other companies specializing in application security (KaVaDo) or centralized policy development and management (Securify) are not likely to escape this consolidation either.

Another market dynamic that's likely to factor into this consolidation is the situation on the home front, where the coordination of perimeter firewalls (such as those found in the cable/DSL modem/routers from Linksys and Netgear) with personal firewalls will have to become idiot proof. This will require an unprecedented level of wrinkle-free interoperation --- for the most part, unexplored territory in home networks. Here again, Cisco saw the opportunity to iron out the wrinkles via the purchase of Linksys just weeks before the Okena acquisition. According to Cisco product and technology marketing senior director Jeff Platon, "Through the acquisition of Linksys, we intend to provide solutions that address [the home area]. Home networks tend to be very rudimentary. So, we're looking at what can be added to home and small business solutions to make them idiot proof. It's a different requirement than Cisco has traditionally addressed. My guess here is that we won't be able to do this in weeks or months. But we're hard on the job to add the same kind of security that we're offering small and large businesses." Suddenly, the timing of the Linksys and Okena purchases doesn't seem coincidental.

Based on the mail that I've received in response to my column on Sobig, consumers and small businesses are desperate for someone or something to come along and bail them out of the current mess of malicious worms and viruses. Should Cisco succeed at overcoming the challenges to pairing the Okena technology with the Linksys appliances, the outcome is not to be underestimated. Not only will those users embrace the Cisco offering, the competition will react (accelerating market consolidation) and ultimately, we could be on the verge of buttoning up the biggest threat to the Internet's overall security --- vulnerable home computers.

Are personal or application firewalls a foregone conclusion on your network, or are you still holding down your fort with good old perimeter security? Share your thoughts and ideas with your fellow readers using ZDNet's TalkBack below, or write to me at david.berlind@cnet.com.
