A firewall treatise from Marcus Ranum...what should we see in firewalls for the next 5 years?
A firewall treatise from Marcus Ranum...what should we ... - 23.Mar.2007 1:40:45 PM
tad_braun
Posts: 94
Joined: 31.Dec.2003
Status: offline
This reads like a great description of our ISA firewalls... A new whitepaper on securecomputing.com from firewall expert Marcus Ranum summarizes like this:

Some Predictions

What does the future hold for firewalls? The author believes that the typical firewall administrator is going to find (sometime in the next 5 years or so) that the network-layer signature-checking firewall is going to be increasingly subverted—to the point where it may become effectively useless. For high-security applications, a proxy-style firewall that does application protocol validation and allows the administrator to tightly define a more restricted use of the protected application will remain the preferred tool.

A necessary feature-set for the firewall of the future will be:
• High performance;
• Rapid URL checking and matching, to allow Web site-specific correctness matching and white-listing;
• Strict protocol analysis, matching for correctness rather than known hostile behaviors;
• Exhaustive HTTP transaction checking and decoding of tunneled layers;
• Ability to support large numbers of specific rules, as rules become increasingly precise—down to the individual host level;
• Centralization and rapid reaction to new rules;
• Ability to run IDS-style signatures to diagnose and identify known attacks.

The future firewall will be a complex piece of software indeed, because it will need to be able to decode and analyze an ever-increasing number of complex and layered software protocols.

Is there an alternative?

The old “look for what you know the bad guys are doing” approach to protection is clearly doomed to fail. Or, more precisely, it really never succeeded in the first place, it’s just that the mass consumer was never well-informed enough to understand this. Consider the anti-virus industry’s twenty-year-long effort, which has resulted in twenty years of virus outbreaks.

“Old school” security wizards have been pointing out for decades that eventually, it is more cost-effective to identify the software that you want to allow to run rather than to try to identify all the malware that you do not want to allow to run. The same logic applies with firewalls. As networks grow increasingly complex and the type and cleverness of hostile network applications begins to vastly outnumber the legitimate applications, firewalls will need to switch away from the IPS-firewall approach back toward a “permit only what you know is OK” model. As part of that process, network and system administrators will be forced to confront the vast mix of services and protocols that they allow back and forth between their “internal” network and the “outside” world. The complexity of that protocol mix is already too high to be effectively secured without rigorous checking, and many administrators have favored the easier route of simply installing a network-layer firewall, even though (as we have just discussed) they simply cannot do the job. As stated earlier: you cannot meaningfully secure traffic without looking at it.

Summary

Over the course of the next decade, it is going to become absolutely critical that we understand the traffic patterns of ingress and egress within our networks. The permissive model that has been popular for the last decade is clearly failing. In fact, some might argue that it has shown no sign of succeeding in the first place. Proxy firewall technologies have proven time and again to be more secure than “stateful” firewalls and will also prove to be more secure than “deep inspection” firewalls. The main point of comparison between stateful firewalls and proxy firewalls has traditionally been performance, which had been a trade-off with security. The good news is that high-performance proxy firewalls are available today which are easily capable of handling gigabit-level traffic.
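An added illustration, not from the forum thread or the whitepaper it quotes, of the “permit only what you know is OK” model the excerpt argues for: a small proxy-style check that accepts an HTTP request only if it parses against a strict grammar and its host, method and path are on an allow-list, with no search for known-bad patterns at all. The host names, paths and the ALLOW_LIST policy are constructed sample values.

```python
import re

# Constructed sample policy for this example: the only hosts, methods and path
# prefixes the proxy will forward. Anything not listed is denied by default.
ALLOW_LIST = {
    "intranet.example.test": {"methods": {"GET", "HEAD"}, "paths": ("/docs/", "/status")},
    "api.example.test": {"methods": {"GET", "POST"}, "paths": ("/v1/",)},
}

# Strict grammar: method, printable target, HTTP/1.0 or 1.1; header values printable ASCII only.
_REQUEST_LINE = re.compile(r"([A-Z]{3,7}) (/[!-~]*) HTTP/1\.[01]")
_HEADER_LINE = re.compile(r"([A-Za-z0-9-]+): ?([\x20-\x7e]*)")

def _path_permitted(path, prefixes):
    # A prefix ending in "/" allows a subtree; anything else must match exactly.
    return any(path.startswith(p) if p.endswith("/") else path == p for p in prefixes)

def check_request(raw: str) -> tuple:
    """Return (allowed, reason): the request must be well-formed AND on the allow-list."""
    if "\r\n\r\n" not in raw:
        return False, "no CRLFCRLF end of headers"
    head, body = raw.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    m = _REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        h = _HEADER_LINE.fullmatch(line)
        if h is None:
            return False, "malformed header line"
        name = h.group(1).lower()
        if name in headers:
            return False, f"duplicate header {name}"
        headers[name] = h.group(2)
    host = headers.get("host")
    if host is None:
        return False, "missing Host header"
    policy = ALLOW_LIST.get(host)
    if policy is None:
        return False, f"host {host} not on allow-list"
    if method not in policy["methods"]:
        return False, f"method {method} not permitted for {host}"
    path = target.split("?", 1)[0]
    if ".." in path or "//" in path:
        return False, "ambiguous path segment in target"
    if not _path_permitted(path, policy["paths"]):
        return False, f"path {path} not permitted for {host}"
    return True, "ok"
```

Every deny branch is a correctness or policy failure, not a signature match, which is what lets the check stay valid as new attack patterns appear.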
RE: A firewall treatise from Marcus Ranum...what should... - 26.Mar.2007 10:24:52 AM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tad, I've always found that I agreed with Ranum more often than I disagreed -- and you're right -- the firewall of the future is the ISA Firewall, and just wait until what you see with the next version! Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: A firewall treatise from Marcus Ranum...what should... - 10.Apr.2007 10:10:40 AM
pwindell
Posts: 752
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Too bad the guy doesn't realize that what he is waiting for to come in the future has been here for 7 years since ISA2000 and has gotten better with each version. Is he familiar with ISA at all? Do you know him?
_____________________________
Phillip Windell www.wandtv.com
RE: A firewall treatise from Marcus Ranum...what should... - 11.Apr.2007 2:37:13 PM
pwindell
Posts: 752
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
The burning hay bales as a firewall was excellent! I haven't had time to read through much of the site yet, but I think I like the guy a lot already.
_____________________________
Phillip Windell www.wandtv.com
RE: A firewall treatise from Marcus Ranum...what should... - 11.Apr.2007 7:32:56 PM
tshinder
Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Phil, He's definitely a common sense sort of guy, who sees right through the "hardware" firewall moron's BS. Ranum created the BSD FWTK, which was the first proxy and application inspection firewall. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8