Government Computer News
Technique | Network visibility
Seattle tests a new firewall and finds trouble on the inside
Digg
De.licio.us
Slashdot
Technorati
Lessons learned
Advanced firewalls will lay ground for new generation
SEATTLE’S PLAN TO ADD advanced firewall protection goes beyond security and bandwidth concerns. The visibility provided by the firewalls is needed to create and enforce policies that will keep the city competitive in the job market, said Mike Hamilton, Seattle’s chief information security officer.
“About 40 percent of our city employees will be eligible to retire in a few years,” Hamilton said. “We’re hurting.” He has to compete with employers such as Amazon.com and Starbucks for young, tech-savvy workers, and “we have to compete with potholes for funding.”
To attract the employees Seattle needs, he will have to provide acceptable-use policies that not only protect the security of the network but also enable new workers to use emerging technologies on the job that they already are using at home. This technology could help identify these needs and integrate authorized services into the network with the proper controls and archiving.
“We can’t have instant messaging going on willy-nilly,” no matter how useful it is, Hamilton said.
The firewall’s creators are under no illusions that this new approach will replace traditional firewall technology anytime soon.
“It is a complete firewall platform,” Stevens said. “But the reality of the situation is, the firewall is the core piece of security infrastructure in enterprise networks today” and will not be easily replaced. “For some period of time, we will be deployed alongside existing firewalls.”
Then he hooked up a beta version of a new type of application-aware firewall from Palo Alto Networks to a segment of his network.
“We didn’t expect the extent to which we were going to find peer-to-peer and soft voice-over-IP phones and the extent of instant messaging,” he said. “This Web 2.0 stuff is out of control. At lunch, we’re using 30 megabits/sec to perpetuate YouTube. And YouTube is rife with security problems.”
Bandwidth consumption and security vulnerabilities are not the only concerns about unauthorized applications. When employees use tools such as instant messaging for city business, those messages become official records that are not being managed and archived as required by law. It is not that workers are intentionally using out-of-channel routes to avoid those controls, but by using a new application to help do their jobs, they are moving beyond what current policies envision.
That is why the founders of Palo Alto Networks thought it was time for a new kind of firewall.
“The primary concern is restoring visibility and control of the enterprise,” said Dave Stevens, the company’s chief executive officer. “The applications have become pretty good at bypassing the traditional security infrastructure.”
The heart of that security infrastructure has been the firewall, a descriptively named device that sits between the enterprise and the outside world, passing judgment on traffic coming into the network. There are many ways to filter traffic, but source and destination port numbers are among the most common and probably are the easiest ways to configure and enforce policy. This technique was efficient when there was a dependable relationship between port number and application.
But “the relationship between port and application doesn’t really exist anymore,” Stevens said. Applications looking for network resources often masquerade or tunnel through a port. Port 80 used to be simply Web browsing, but today that can also mean instant messaging, peer-to-peer connections, VOIP or any number of applications.
This is not necessarily malicious, but it can open the network to hacking exploits and make it difficult to enforce meaningful policies.
Networks are not completely blind. Firewalls can be tuned in a variety of ways, and intrusion-detection and -prevention systems can extend the perimeter defenses.
But these often cannot control new applications as they are developed. Palo Alto’s chief technology officer and founder, Nir Zuk, wanted to build an appliance that would identify and enforce traffic policies by application type. The firewall was the logical place to do this because it remains the choke point through which all traffic passes. The first two products in this category, the PA-4050 and PA-4020, announced in June, can identify more than 400 applications at speeds of 10 gigabits/sec and 2 gigabits/sec, respectively. The 4050 model lists for $60,000, the 4020 for $35,000.
![1105 Government Information Group [purity]](/images/1105logo_website.gif "Government Computer News [purity]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
