Cloud computing, virtualization, and SDN increase firewall security complexity


For decades, firewalls have been the port-based guardians of the network edge. Now vendors are scrambling to roll out so-called "next-generation firewalls" (NGFWs), "application-aware" devices that can monitor and control access based on which applications are in use.

In addition, many firewalls have piled on features to try to catch zero-day attacks, including intrusion prevention systems (IPS), web filtering, VPN, data loss prevention, malware filtering, and even threat-detection sandboxes. A stand-alone IPS that adds application control may be marketed as a "next-generation IPS", such as the IBM Security Network Protection XGS 5000 or the McAfee NS series.

Firewall/IPS vendors compete fiercely, and they also offer ever higher throughput to meet speed requirements, because a "virtualized" data center needs more bandwidth at the firewall.

Vendors are eager to win praise from influential analyst firms such as Gartner, or to beat competitors in technology evaluations such as those run by NSS Labs or Neohapsis Labs. But in the end, success or failure hinges on winning over buyers such as Rusty Agee, an information security engineer for the city of Charlotte, North Carolina, who has used a variety of firewall products.

"Firewalls have been vastly improved," Agee says. "When it comes to the capabilities and speed of firewalls and IPS, I always want more."

Data center virtualization, the proliferation of mobile devices, and the city's plan to roll out a bring-your-own-device (BYOD) policy are the reasons Agee remains open to any method that might protect the government's data. He points out that the city's fire and police departments have begun using tablets and smartphones, so he now needs to think about a BYOD migration policy.

City staff using mobile devices run Cisco's AnyConnect client to establish VPN connections back to the city's Cisco ASA firewall. In addition to the Cisco firewalls and a separate Cisco IPS, the city uses a Check Point firewall and a separate IPS to control traffic to critical servers, the data center, Internet access, and the city's wireless network.

The city also uses Palo Alto Networks next-generation firewalls to monitor and control employee application use, and an F5 Networks application firewall to look for attack traffic aimed at its web servers. Agee says Charlotte has centralized log management for these security devices through LogRhythm's security information and event management (SIEM) platform.

"Our firewalls generate hundreds of thousands of logs per day into LogRhythm," Agee says, and the city government sometimes also receives federal security alert feeds. Centralizing the firewall and IPS log feeds, along with server logs, lets the city's security staff determine from a single point both the network security issues an attack may involve and the employee web-usage issues that are better handled by human resources or management.

Running such a mix of firewalls in one enterprise may be a special case, but it is not rare. Gartner analyst Greg Young said at the Gartner Security and Risk Management Summit in June that Gartner found most companies use products from only one vendor. Gartner has been strongly advocating next-generation firewalls, and it estimates that less than 8% of companies now use an NGFW, although that figure is expected to climb above 30% within five years.

Young also pointed out that SSL VPN has clearly moved entirely into the firewall and is no longer a stand-alone product category.

In fact, firewalls and IPS seem to be turning up everywhere. One example is Fortinet's Secure Wireless LAN, which is essentially a wireless access point and switch integrated into a unified threat management device with firewall and IPS capabilities. According to Fortinet vice president of marketing John Maddison, the product is popular with retail chains because it gives retailers wireless coverage and security in a cost-effective way.

Restaurant chain Jack in the Box recently deployed 650 FortiWiFi-60C devices, which combine wireless access with firewall/IPS, across its hundreds of stores. Jim Antoshak, the company's IT director, says Jack in the Box's old wireless access points can now be "retired" and that the Fortinet devices will serve as a compact combination of wireless and security.

The debate

The industry debate revolves around two questions: can a multipurpose firewall/IPS be as effective as stand-alone devices? And what about the security modules that plug into a switch or router?

Like Cisco and Juniper Networks, HP offers firewall and intrusion-prevention security modules for its switches and routers. But when it comes to intrusion prevention, the vice president and general manager of HP TippingPoint enterprise security products said that HP's main deployment is still the dedicated stand-alone device. In terms of performance and fine-grained control, he notes, this is generally considered the best way to run HP's next-generation, application-aware IPS.

Mike Nielsen, senior manager of network security product marketing at Cisco, says most of the firewall and IPS products Cisco sells are "dedicated security appliances". The ASA 5585-X series in its Adaptive Security Appliance line is said to deliver 40 Gbps of firewall throughput, which Nielsen says can be raised to 80 Gbps. The IPS also includes an application-control function, which Gartner considers the most important element of what it calls the next-generation firewall.

Jason Brvenik, vice president of security strategy in Sourcefire's technical research group, said: "Dedicated devices can give you more freedom when companies respond to the latest, changing threats."

Check Point product marketing director Fred Kost says customers who need high throughput and low latency often choose dedicated devices. But he notes that small and mid-sized customers often find multipurpose firewall gateways and unified threat management devices sufficient. Check Point is also vying for the "next generation" title and recently added a Threat Emulation software blade as a firewall module. The Threat Emulation blade safely "detonates" files in a sandbox to try to uncover zero-day attacks, the same approach Palo Alto Networks uses with WildFire threat detection in its next-generation firewalls.

The sandbox idea is now catching on. For example, McAfee recently acquired firewall/VPN/IPS vendor Stonesoft and ValidEdge to strengthen its sandbox technology.

NSS Labs analyst Iben Rodriguez says firewall and IPS testing shows that running multiple security services on one firewall inherently hurts performance and efficiency. Scott Behrens, head of research at Neohapsis Labs, sums up a common-sense approach to the problem: "If I were a buyer, I would ask, 'Will this bundle meet my business needs?'"

In the Weber County, Utah government, Matt Mortensen is the information security officer in Ogden, where local firewall/IPS throughput needs are no more than 10 Gbps. The multifunction Dell SonicWALL Network Security Appliance E8500, with IPS, URL filtering and antivirus, has been able to support the county's network of 1,200 employees, and they are planning to upgrade to the more powerful SonicWALL 9400. The county has also deployed several Cisco ASAs, including a Cisco ASA 5505 firewall dedicated to law-enforcement operations such as lawful-intercept data.

Some of the most valuable uses of the SonicWALL firewalls are application control, used for security reasons to block Skype or even Java; Mortensen also uses SonicWALL to limit bandwidth.

"I also perform IP filtering that does not allow users to visit certain places, such as Eastern Europe, South America or China," Mortensen says, noting that Utah has no business dealings with these regions, so they are blocked for security reasons. The county also performs inbound geographic IP filtering. Mortensen has likewise set up the firewall for egress filtering, to spot the signs of zombie (botnet) activity.
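As an added illustration of the inbound geo-IP filtering and egress filtering Mortensen describes (example code written for this page, not from the article or any vendor), the snippet below applies a constructed country block list and egress port policy to constructed firewall log lines, then flags internal hosts that repeatedly hit egress denials, the "zombie activity" signal he mentions. The key=value log format, the prefix-to-country lookup, the port policy and the threshold are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-country lookup (TEST-NET ranges); a real deployment uses a GeoIP database.
GEO_PREFIXES = {"203.0.113.0/24": "CN", "198.51.100.0/24": "BR", "192.0.2.0/24": "US"}
BLOCKED_COUNTRIES = {"CN", "BR", "RU"}      # regions the organisation has no business with
ALLOWED_EGRESS_PORTS = {53, 80, 443}        # egress policy: only DNS and web may leave
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"   # unknown country is not blocked by geography alone

def parse(line):
    """Constructed log format: 'src=<ip> dst=<ip> dport=<port>'."""
    return dict(kv.split("=", 1) for kv in line.split())

def decide(rec):
    """Inbound geo filtering, plus outbound geo and port (egress) filtering."""
    src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
    if ipaddress.ip_address(src) in INTERNAL:          # outbound connection
        if country_of(dst) in BLOCKED_COUNTRIES:
            return "deny-geo-out"
        if dport not in ALLOWED_EGRESS_PORTS:
            return "deny-egress-port"
        return "allow"
    return "deny-geo-in" if country_of(src) in BLOCKED_COUNTRIES else "allow"

def suspicious_hosts(lines, threshold=3):
    """Internal hosts with at least `threshold` egress denials: candidates for a bot infection."""
    denials = Counter()
    for line in lines:
        rec = parse(line)
        if ipaddress.ip_address(rec["src"]) in INTERNAL and decide(rec).startswith("deny"):
            denials[rec["src"]] += 1
    return {host: n for host, n in denials.items() if n >= threshold}

SAMPLE_LOG = [  # constructed lines, not real traffic
    "src=10.1.2.3 dst=203.0.113.9 dport=6667",
    "src=10.1.2.3 dst=203.0.113.9 dport=6667",
    "src=10.1.2.3 dst=198.51.100.4 dport=443",
    "src=10.1.2.3 dst=192.0.2.8 dport=4444",
    "src=10.1.2.50 dst=192.0.2.8 dport=443",
    "src=203.0.113.77 dst=10.1.2.50 dport=22",
]
```

Feeding `SAMPLE_LOG` to `suspicious_hosts` singles out 10.1.2.3, which is repeatedly denied both by geography and by port, while the single allowed connection from 10.1.2.50 is ignored.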

The Internet is now a dangerous place, and many universities are starting to take security measures. Last April, MIT decided to deploy a new security strategy after receiving a fake bomb threat.

"Now, systems on the MIT network receive thousands of unauthorized connections from around the world every day, which causes MIT to add 10 stolen accounts every day," MIT told its academic council, explaining that MIT would begin blocking traffic from outside the MIT network using its firewall infrastructure.

Will firewalls and IPS fail to meet future demand?

Firewalls and IPS can fairly be called "versatile": they ship not only as hardware appliances but also as software, sometimes designed to push security into virtual desktop and server environments, mainly those based on VMware, Microsoft Hyper-V, Red Hat's Kernel-based Virtual Machine (KVM) or the open-source Xen hypervisor (which Citrix recently donated to the Linux Foundation). What frustrates some firewall software vendors is that over the past few years VMware has joined the camp with its own software-based virtual firewall.

"Virtualization is bringing new challenges, and what we see now is that they need more firewalls," Kost of Check Point said, noting that the Check Point 21000 and 61000 lines represent Check Point's push to support VMware-based networks. VMware itself, meanwhile, has vCloud Networking and Security for building a VM-based firewall.

Jason Brvenik, vice president of security strategy in Sourcefire's technical research group, says all of this raises the question of who controls the firewall and IPS domain.

Virtual-machine-based approaches to firewalls and IPS are on the rise

Last month, WatchGuard added Hyper-V support to its XTMv unified threat management platform. Karim Toubba, vice president of product and strategy at Juniper Networks, insists that "firewalls should now be virtual; it is no longer the way it was before," and points out that Juniper's approach supports KVM and VMware. "The perimeter has become very elastic, and we want the firewall to be just as elastic in a private cloud environment."

Nielsen says Cisco has the ASA 1000V Cloud Firewall. Sourcefire launched its first next-generation firewall, FirePOWER, this spring, and the company has developed a way to filter traffic from Xen, KVM and VMware hypervisor workload environments. But he acknowledges that there may be performance challenges compared with a more traditional IPS.

Chris King of Palo Alto Networks says more and more customers are using both its physical and its virtualized next-generation firewalls.

However, NSS Labs analyst John Pirc warns that hypervisor-based firewalls and IPS are still quite new, and that firewall/IPS vendors do not always support multiple virtualization platforms. NSS Labs may test virtual-machine security products in its labs this year.

Still, according to Gartner, virtualized firewalls account for less than 5% of all firewalls. A virtualized firewall can complicate matters in certain situations, Young says, raising the question of whether it should be managed by the network operations group or the server operations group. "In this virtual version, there is the complexity of who manages what," he said.

The rise of cloud computing, in which businesses keep sending data and processing to cloud service providers' networks, whether as platform as a service, infrastructure as a service or software as a service, is a reflection of the future of firewalls and IPS. Right now, your operations in the cloud (Amazon, for example) are rarely linked to your internal operations, and firewalls and IPS still sit mainly within the enterprise.

At the same time, the security industry must also deal with the emergence of software-defined networking (SDN) and the use of CloudStack and OpenStack.

"This is a disruptive shift," says Toubba, who points out that Juniper Networks believes other security services, such as software-based firewalls, can be deployed onto SDN and cloud computing technologies.

Simon Crosby, founder and chief technology officer of start-up Bromium, and previously founder and CTO of XenSource before Citrix acquired it, does not believe traditional firewalls and IPS (or "next-generation" ones) are the answer. He says public cloud technology and OpenStack are the main forces pushing things forward.

Crosby says the security industry is "bankrupt" and that vendors are "lying," warning that "any claim to be able to detect an attacker's techniques is problematic." He believes a better way to secure virtual machines is through CPU protection and hardware isolation, a novel approach that leverages the security features built into Intel and ARM chips. Bromium's vSentry runs tasks safely as virtual machines inside a virtual machine, isolating Windows attack code and then "discarding" it.

Whether the new idea works is still to be seen.

Gartner's Young says the coming SDN technology does not mean physical switches will leave the stage, noting that this still-immature form of networking will bring new ways to orchestrate applications and automate service chaining through controllers. The problem, however, is that the technology is certain to affect how firewalls work today, and there is no solid security model for SDN, Young says: "Current SDN security mechanisms are virtually non-existent."
