
Firewalls

Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters.

Firewalls have long provided the first line of defense in network security infrastructures. They accomplish this by comparing corporate policies about users' network access rights to the connection information surrounding each access attempt. User policies and connection information must match up, or the firewall does not grant access to network resources; this helps avert break-ins.
In recent years, a growing best practice has been to deploy firewalls not only at the traditional network perimeter, where the private corporate network meets the public Internet, but also throughout the enterprise network in key internal locations, as well as at the WAN edge of branch office networks. This distributed-firewall strategy helps protect against internal threats, which have historically accounted for a large percentage of cyber losses, according to annual studies conducted by the Computer Security Institute (CSI).
The rise of internal threats has come about through the emergence of new network perimeters that have formed inside the corporate LAN. Examples of these perimeters, or trust boundaries, are between switches and back-end servers, between different departments, and where a wireless LAN meets the wired network. The firewall prevents access breaches at these key network junctures, ensuring, for example, that sales representatives are unable to gain access to the commission tracking finance system.
Placing firewalls in multiple network segments also helps organizations comply with the latest corporate and industry governance mandates. Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS), for example, contain requirements about information security auditing and tracking.

Protecting All Points of Access

The private-public network edge is still considered particularly vulnerable to intrusions, because the Internet is a publicly accessible network and falls under the management purview of multiple network operators. For these reasons, the Internet is considered an untrusted network. So are wireless LANs, which, without the proper security measures in place, can be hijacked from outside the corporation when radio signals penetrate interior walls and spill outdoors.
It is still critical to protect the LAN-WAN edge. However, network firewalls now must also keep communications between internal network segments in check so that internal employees cannot access network and data resources that corporate policy dictates are off-limits to them. By partitioning the corporate intranet with firewalls, departments within an organization are offered additional defenses against threats originating from other departments.
In addition, network usage continues to rise, as employees become geographically more dispersed across branch offices and increasingly use mobile and remote networks. Now, nearly 90 percent of employees work in branch offices, away from the headquarters facility, according to Nemertes Research, a firm specializing in quantifying the business impact of technology. As a result, a network perimeter now exists also at the edge of each branch office network, where a WAN access router meets the public Internet or other wide-area network. This edge must also be protected.
In its role as the first line of security defense, then, the firewall has a place in the following network segments:
  • At the traditional corporate network perimeter (where the data center meets the WAN and Internet)
  • Between departments, to segregate access according to policy among user groups
  • Between corporate LAN switch ports and Web, application, and database server farms in the data center
  • Where the wired LAN meets the wireless LAN (between Ethernet LAN switches and wireless LAN controllers)
  • At the WAN edge of the branch office
  • In laptops, smartphones, and other intelligent mobile devices that store corporate data (in the form of personal firewall software) in the case of telecommuters and mobile workers
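The placement list above comes down to one mechanism at every location: map each end of a connection to a trust zone, evaluate the connection against a first-match policy with an implicit deny at the end, and let replies of admitted flows through without a rule of their own (stateful inspection). The following is an added illustrative example, not Accumuli code or any product's rule engine; the zone address ranges, ports and rules are constructed for the demo, and the sales-to-finance case mirrors the commission-tracking example in the text.

```python
"""Zone-based, first-match firewall policy with simple connection tracking.

Added illustrative example; not Accumuli code or any vendor's product logic.
Zone address ranges, ports and rules below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Constructed trust boundaries: each zone is one of the network segments
# where the text places a firewall. Most-specific prefix wins, so the
# 0.0.0.0/0 "internet" zone only catches addresses no internal zone claims.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "wlan":     ipaddress.ip_network("10.30.0.0/16"),   # wireless LAN users
    "sales":    ipaddress.ip_network("10.10.0.0/16"),
    "finance":  ipaddress.ip_network("10.20.0.0/16"),   # commission tracking lives here
    "dmz_web":  ipaddress.ip_network("192.0.2.0/24"),   # web server farm
    "db":       ipaddress.ip_network("10.40.0.0/24"),   # database server farm
}


def zone_of(ip: str) -> str:
    """Map an address to the zone with the longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "internet", -1
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp" or "udp"
    dst_ports: frozenset   # empty frozenset means any destination port
    action: str            # "allow" or "deny"


# Evaluated top-down, first match wins; anything that matches no rule falls
# through to an implicit deny. Default-deny is the whole point of the device.
POLICY = [
    Rule("internet", "dmz_web", "tcp", frozenset({80, 443}), "allow"),
    Rule("dmz_web",  "db",      "tcp", frozenset({5432}),    "allow"),
    Rule("wlan",     "dmz_web", "tcp", frozenset({443}),     "allow"),
    Rule("finance",  "finance", "tcp", frozenset(),          "allow"),
    # Explicit deny so a sales->finance attempt is logged as a policy hit
    # rather than disappearing into the default deny.
    Rule("sales",    "finance", "tcp", frozenset(),          "deny"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, reason) for a new connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for index, rule in enumerate(POLICY):
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (not rule.dst_ports or dst_port in rule.dst_ports)):
            return rule.action, f"{src_zone}->{dst_zone} rule {index}"
    return "deny", f"{src_zone}->{dst_zone} no matching rule (default deny)"


class StatefulFirewall:
    """Stateful inspection: reply packets of an admitted flow pass without a rule."""

    def __init__(self):
        self.established = set()   # 5-tuples of flows the policy has admitted

    def packet(self, src_ip, src_port, dst_ip, dst_port, proto):
        flow = (src_ip, src_port, dst_ip, dst_port, proto)
        reverse = (dst_ip, dst_port, src_ip, src_port, proto)
        if flow in self.established or reverse in self.established:
            return "allow", "established flow"
        action, reason = evaluate(src_ip, dst_ip, proto, dst_port)
        if action == "allow":
            self.established.add(flow)
        return action, reason


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Sales workstation trying to reach the finance segment: explicitly denied.
    print(fw.packet("10.10.4.7", 51000, "10.20.1.15", 8443, "tcp"))
    # Internet client to the web farm over HTTPS, then the server's reply,
    # which is admitted only because the outbound flow was tracked.
    print(fw.packet("203.0.113.5", 50000, "192.0.2.10", 443, "tcp"))
    print(fw.packet("192.0.2.10", 443, "203.0.113.5", 50000, "tcp"))
```

The same engine serves every location in the list: only the zone table changes (a branch edge sees "branch" and "wan", a wireless controller sees "wlan" and "wired"). Note the last two calls: without connection tracking the web server's reply, a dmz_web to internet packet, would match no rule and be dropped, which is why stateful inspection is the baseline rather than stateless packet filtering.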

How Firewalls Are Evolving

In addition to being deployed in more enterprise locations, firewalls have grown more sophisticated since their mainstream introduction about a decade ago. They have gained additional preventive capabilities, such as application and protocol inspection, which help avoid exploits of operating system and application vulnerabilities.
Firewalls have been enhanced with extra preventive features such as application inspection capabilities: the ability to examine, identify, and verify application types and treat traffic according to detailed policies based on variables beyond just connection information. This helps identify, and thus block, traffic and users that unlawfully try to gain admittance to the network using an open port.
For example, the Hypertext Transfer Protocol (HTTP) is extensively used to transport Web data and services. It comprises about 75 percent of network bandwidth usage today and natively uses application port 80. In most firewalls, port 80 is left open at all times, so any traffic destined for port 80 is admitted. Hackers, worms, and viruses might use this pinhole, however, to attack a Web application and to possibly gain access to sensitive data.
To protect against this, application filtering involves deep packet inspection to determine exactly what HTTP application traffic is attempting to enter the network. There are many HTTP applications that organizations will wish to let onto their networks; however, there might be some that they prefer to block. The application firewall will also use deep packet inspection to determine whether the application protocol (in this case, HTTP) is behaving in an irregular manner.
Policies can be set, for example, to identify and block overly long HTTP headers or those containing binary data, which suggest a possible attack. Administrators can also set a policy to limit server requests to a certain number per minute to avoid denial of service (DoS) attacks.
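The two policies just described, flagging overlong or binary-laden HTTP headers and capping requests per client per minute, are concrete enough to show as code. Below is an added illustrative example, not Accumuli code or any product's inspection engine: a minimal HTTP request-head inspector plus a sliding-window rate limiter. The thresholds and the sample requests are constructed for the demo; a real deployment would tune them to the application behind the firewall.

```python
"""HTTP application-layer inspection and per-client request rate limiting.

Added illustrative example; not Accumuli code or any product's inspection
engine. Thresholds and sample requests are constructed for the demo.
"""
import re
import time
from collections import deque

MAX_HEADER_LINE = 256      # constructed policy: longer header lines are flagged
MAX_HEADER_COUNT = 64
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token chars


def _is_binary(value: bytes) -> bool:
    """Header values should be visible ASCII plus SP/HTAB; anything else is
    treated as binary (by policy this also flags obs-text bytes >= 0x80)."""
    return any(not (0x20 <= b <= 0x7e or b == 0x09) for b in value)


def inspect_http_request(raw: bytes) -> list:
    """Return the list of policy violations; an empty list means the request passes."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    parts = request_line.split(b" ")
    if (len(parts) != 3 or not TOKEN_RE.match(parts[0])
            or not parts[2].startswith(b"HTTP/1.")):
        violations.append("malformed request line")
    if len(headers) > MAX_HEADER_COUNT:
        violations.append(f"too many headers ({len(headers)})")

    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            violations.append(f"overlong header line ({len(line)} bytes)")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            violations.append("malformed header field")
            continue
        if _is_binary(value):
            # name matched TOKEN_RE, so it is safe to decode as ASCII here
            violations.append(f"binary data in header {name.decode('ascii')}")
    return violations


class RateLimiter:
    """Sliding-window limit on requests per client within `window` seconds."""

    def __init__(self, limit: int, window: float = 60.0):
        self.limit, self.window = limit, window
        self.seen = {}   # client ip -> deque of request timestamps

    def allow(self, client_ip: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        stamps = self.seen.setdefault(client_ip, deque())
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()          # drop requests that fell out of the window
        if len(stamps) >= self.limit:
            return False              # over the per-minute budget: drop/queue
        stamps.append(now)
        return True


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: demo-client\r\n\r\n")
LONG_HEADER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: "
               + b"A" * 300 + b"\r\n\r\n")
BINARY_HEADER = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"X-Data: \x90\x90\xcc\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("long", LONG_HEADER),
                       ("binary", BINARY_HEADER)):
        print(label, inspect_http_request(req) or "passes")
    limiter = RateLimiter(limit=3, window=60.0)
    print([limiter.allow("198.51.100.9", now=t) for t in (0.0, 1.0, 2.0, 3.0)])
```

The inspector works on the request head only, which is what a firewall can judge before forwarding; the limiter keys on client address with a per-address deque so memory grows with active clients, not with total requests. Both return a decision rather than acting on it, so the same checks can feed a log-only mode before a blocking policy is switched on.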
In addition to application filtering, virtual firewall capabilities are now available that are useful particularly to organizations that have consolidated servers and data centers. Using this firewall feature, a single physical firewall can operate as several logical firewalls, allowing a single firewall in a given form factor to do the job of multiple devices and thereby helping reduce capital expenditures (CapEx).

Accumuli Security can offer a full range of security products, including a variety of products based upon traditional stateful-inspection and next-generation firewall technologies.
