With recent high-profile network attacks exposing new vulnerabilities, the firewall market is poised for transformation. Traditional firewalls enforce policy on network parameters such as the source address, the destination server, or the destination port that identifies the receiving application. They understand the network, but they have no understanding of the application that ultimately receives the data. As a result, traditional firewalls are unable to stop the latest network-borne attacks. A technology called deep packet inspection promises to address the problem.
The Bottom Line: In order to defend against the new generation of security attacks, companies must incorporate deep packet inspection technology into their perimeter security strategy.
What It Means: Short of blocking all access to a Microsoft IIS Web server or SQL Server, a traditional firewall offers little protection against attacks like Nimda or SQL Slammer: the firewall must leave the service's port open for legitimate traffic, and the attack arrives on that same port. These attacks exploit vulnerabilities in the application rather than in the network itself. To make matters worse, growing Web services adoption will expose more application logic over HTTP ports the firewall already allows, widening the application-level attack surface. The Takeaway: Attacks against applications will increase in number and severity.
Deep packet inspection, first introduced in Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) and now found in some firewalls, is the new defense against application-level attacks. Deep packet inspection examines the data being sent to the application for patterns (signatures of known attacks) and anomalies (traffic that departs from the protocol's normal shape) that indicate an attack. Only an in-line device, a firewall or an IPS appliance sitting in the traffic path, can drop an attack before it reaches the application, so it must inspect at wire speed to avoid becoming a network bottleneck. An out-of-band IDS sees only a copy of the traffic; it can alert and record but cannot block. The Takeaway: Use in-line deep packet inspection to block attacks and out-of-band IDS for analysis and forensics after an attack.
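To make the distinction concrete, the following is an added toy model (not code from the AMR article or from any vendor named in it) of a header-only firewall beside a deep packet inspection filter, with an in-line IPS and an out-of-band IDS built on the same inspection logic. Every address, port policy, signature pattern, size threshold and sample packet is constructed for this example; the patterns are placeholders and are not real Nimda or SQL Slammer signatures.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # application data that a traditional firewall never reads


# Header-only policy of the kind a traditional firewall enforces.
# Addresses and ports are constructed for this example.
HEADER_RULES = {
    ("tcp", "10.0.0.5", 80),    # web server: HTTP must stay reachable
    ("udp", "10.0.0.6", 1434),  # SQL Server resolution service must stay reachable
}


def traditional_firewall(pkt):
    """Allow or deny purely on network parameters; the payload is ignored."""
    return (pkt.proto, pkt.dst, pkt.dport) in HEADER_RULES


# DPI pattern signatures keyed by service port. Constructed placeholders,
# not the signatures of any real worm.
PATTERN_SIGNATURES = {
    80: [(re.compile(rb"(\.\./){2,}"), "HTTP path traversal pattern")],
}

# DPI anomaly rule with a constructed threshold: resolution-service queries
# are normally a few bytes, so an oversized datagram to 1434 is anomalous.
MAX_UDP_1434_PAYLOAD = 64


def dpi_inspect(pkt):
    """Examine application data for patterns and anomalies; return findings."""
    findings = []
    for pattern, name in PATTERN_SIGNATURES.get(pkt.dport, []):
        if pattern.search(pkt.payload):
            findings.append(name)
    if pkt.proto == "udp" and pkt.dport == 1434 and len(pkt.payload) > MAX_UDP_1434_PAYLOAD:
        findings.append("oversized datagram to 1434 (%d bytes)" % len(pkt.payload))
    return findings


def inline_ips(pkt):
    """In-line device: sits in the forwarding path, so it can drop before delivery."""
    if not traditional_firewall(pkt):
        return "deny", ["header policy"]
    findings = dpi_inspect(pkt)
    return ("drop", findings) if findings else ("allow", [])


def out_of_band_ids(traffic):
    """Out-of-band sensor: sees a copy of traffic, cannot block, only alerts."""
    return [(i, f) for i, p in enumerate(traffic) for f in dpi_inspect(p)]


# Constructed sample traffic: benign HTTP, traversal over HTTP, a tiny
# resolution-service query, an oversized datagram, and a port the policy denies.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.11", "10.0.0.5", "tcp", 80, b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.12", "10.0.0.6", "udp", 1434, b"\x02"),
    Packet("192.0.2.13", "10.0.0.6", "udp", 1434, b"\x04" + b"A" * 400),
    Packet("192.0.2.14", "10.0.0.5", "tcp", 23, b"\xff\xfb\x01"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        header = "pass" if traditional_firewall(pkt) else "deny"
        print("%s/%-5d header:%-5s inline:%s" % (pkt.proto, pkt.dport, header, inline_ips(pkt)))
    print("IDS alerts:", out_of_band_ids(SAMPLE_TRAFFIC))
```

The second and fourth packets pass the header policy unchanged, because they arrive on ports the policy must keep open; only the payload check separates them from the benign traffic, and only the in-line path turns that finding into a dropped packet.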
Recommendations: Companies should evaluate their existing firewall strategy and incorporate deep packet inspection technology into their defenses.
Specifically, companies should examine vendors’ products for the following:
Of the numerous firewall vendors, Check Point Software Technologies, Cisco Systems, and Netscreen have the size and experience to develop effective combined firewall and IDP products with centralized management capabilities. Check Point has released its Next Generation (NG) firewall, which contains deep packet inspection support. Similarly, Cisco provides deep packet inspection support in its firewall product, the PIX Security Appliance. Cisco recently purchased host-based IPS company Okena and is expected to incorporate Okena’s intrusion prevention support into its network security appliances. Netscreen has shipped more than 600 of its IPS appliances.
Other contenders include Internet Security Systems (ISS), Network Associates, and Symantec, which offer full security suites and have the financial resources to develop competitive firewall and IDP products. Ex-firewall vendor Network Associates (which sold its Gauntlet firewall to Secure Computing) entered the network IPS and host IPS fray when it acquired IntruVert Networks and Entercept Security Technologies. Security suite vendor ISS will have an IPS appliance that also supports virus prevention, content filtering, and spam blocking available later this year. Symantec offers a firewall, IPS, and a centralized management console that works with ISS and Cisco devices.
AMR Research originally published this article on 19 August 2003.