This reads like a great description of our ISA firewalls...
A new whitepaper on securecomputing.com from firewall expert Marcus Ranum summarizes like this:

Some Predictions

What does the future hold for firewalls? The author believes that the typical firewall administrator is going to find (sometime in the next 5 years or so) that the network-layer signature-checking firewall is going to be increasingly subverted—to the point where it may become effectively useless. For high-security applications, a proxy-style firewall that does application protocol validation and allows the administrator to tightly define a more restricted use of the protected application will remain the preferred tool. A necessary feature-set for the firewall of the future will be:

• High performance;
• Rapid URL checking and matching, to allow Web site-specific correctness matching and white-listing;
• Strict protocol analysis, matching for correctness rather than known hostile behaviors;
• Exhaustive HTTP transaction checking and decoding of tunneled layers;
• Ability to support large numbers of specific rules, as rules become increasingly precise—down to the individual host level;
• Centralization and rapid reaction to new rules;
• Ability to run IDS-style signatures to diagnose and identify known attacks.

The future firewall will be a complex piece of software indeed, because it will need to be able to decode and analyze an ever-increasing number of complex and layered software protocols.

Is there an alternative?

The old “look for what you know the bad guys are doing” approach to protection is clearly doomed to fail. Or, more precisely, it really never succeeded in the first place; it’s just that the mass consumer was never well-informed enough to understand this. Consider the anti-virus industry’s twenty-year-long effort, which has resulted in twenty years of virus outbreaks.

“Old school” security wizards have been pointing out for decades that eventually it is more cost-effective to identify the software that you want to allow to run than to try to identify all the malware that you do not want to allow to run. The same logic applies to firewalls. As networks grow increasingly complex and the type and cleverness of hostile network applications begin to vastly outnumber the legitimate applications, firewalls will need to switch away from the IPS-firewall approach back toward a “permit only what you know is OK” model. As part of that process, network and system administrators will be forced to confront the vast mix of services and protocols that they allow back and forth between their “internal” network and the “outside” world. The complexity of that protocol mix is already too high to be effectively secured without rigorous checking, and many administrators have favored the easier route of simply installing a network-layer firewall, even though (as we have just discussed) they simply cannot do the job. As stated earlier: you cannot meaningfully secure traffic without looking at it.

Summary

Over the course of the next decade, it is going to become absolutely critical that we understand the traffic patterns of ingress and egress within our networks. The permissive model that has been popular for the last decade is clearly failing. In fact, some might argue that it has shown no sign of succeeding in the first place. Proxy firewall technologies have proven time and again to be more secure than “stateful” firewalls and will also prove to be more secure than “deep inspection” firewalls. The main point of comparison between stateful firewalls and proxy firewalls has traditionally been performance, which had been a trade-off with security. The good news is that high-performance proxy firewalls are available today which are easily capable of handling gigabit-level traffic.
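As an added illustration of the contrast the quoted paper draws (this is example code, not from the whitepaper, from Ranum, or from any ISA product), the script below puts a "permit only what you know is OK" HTTP check beside a "look for what you know the bad guys are doing" check and runs both over a few constructed requests. The allow-list side parses the request head strictly against the HTTP/1.1 grammar and then applies per-host rules (permitted methods, hostnames and path prefixes); the signature side only scans for a handful of known-bad substrings. The hostnames, paths, policy values and signature patterns are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list policy ("permit only what you know is OK").
# Hosts, methods and prefixes are assumptions for this example only.
POLICY = {
    "methods": {"GET", "HEAD", "POST"},
    "hosts": {"intranet.example": ("/",), "www.example.com": ("/public/", "/api/v1/")},
    "max_header_count": 32,
    "max_line_length": 4096,
}

# Constructed stand-in for a signature list of "known hostile behaviors".
SIGNATURES = [re.compile(p, re.I) for p in (r"\.\./", r"<script", r"cmd\.exe")]

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")          # RFC 7230 token
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*?)[ \t]*$")
ABS_PATH_RE = re.compile(r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*(\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse a request head strictly; raise ValueError on anything off-grammar."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    if any(len(ln) > POLICY["max_line_length"] for ln in lines):
        raise ValueError("line too long")
    try:
        text = [ln.decode("ascii") for ln in lines]
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in request head")
    parts = text[0].split(" ")
    if len(parts) != 3:
        raise ValueError("request line must be 'METHOD target VERSION'")
    method, target, version = parts
    if not TOKEN_RE.match(method):
        raise ValueError(f"method is not a token: {method!r}")
    if not VERSION_RE.match(version):
        raise ValueError(f"unsupported version: {version!r}")
    if not ABS_PATH_RE.match(target):
        raise ValueError("request-target is not an absolute path")
    # Correctness rule: the path must already be in normalized form.
    # (A fuller proxy would percent-decode before applying this check.)
    if any(seg in (".", "..") for seg in target.split("?", 1)[0].split("/")):
        raise ValueError("request-target contains dot-segments")
    if len(text) - 1 > POLICY["max_header_count"]:
        raise ValueError("too many headers")
    headers = {}
    for ln in text[1:]:
        m = HEADER_RE.match(ln)
        if not m:
            raise ValueError(f"malformed header line: {ln!r}")
        name = m.group(1).lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")
        headers[name] = m.group(2)
    if "host" not in headers:
        raise ValueError("Host header required")
    return Request(method, target, version, headers)


def validate(req: Request) -> list:
    """Apply the per-host allow-list; return the list of policy violations."""
    problems = []
    if req.method not in POLICY["methods"]:
        problems.append(f"method {req.method} not permitted")
    host = req.headers["host"].lower()
    prefixes = POLICY["hosts"].get(host)
    if prefixes is None:
        problems.append(f"host {host} not on allow-list")
    elif not any(req.target.startswith(p) for p in prefixes):
        problems.append(f"path {req.target} not permitted for {host}")
    if "transfer-encoding" in req.headers and "content-length" in req.headers:
        problems.append("ambiguous message length (TE and CL both present)")
    return problems


def allowlist_decision(raw: bytes) -> tuple:
    """Proxy-style decision: (allowed, reason). Anything off-grammar is rejected."""
    try:
        req = parse_request(raw)
    except ValueError as e:
        return False, f"protocol violation: {e}"
    problems = validate(req)
    return (not problems), ("; ".join(problems) or "ok")


def signature_decision(raw: bytes) -> tuple:
    """Blocklist decision: (allowed, reason). Only known patterns are caught."""
    for sig in SIGNATURES:
        if sig.search(raw.decode("latin-1")):
            return False, f"matched signature {sig.pattern}"
    return True, "no known-bad pattern"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "good": b"GET /public/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "unknown_host": b"GET / HTTP/1.1\r\nHost: updates.unknown.test\r\n\r\n",
    "malformed": b"GET /public/x HTTP/1.1\r\nHost: www.example.com\r\nX-Oops no colon\r\n\r\n",
    "dot_segments": b"GET /public/../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} allow-list={allowlist_decision(raw)}  signature={signature_decision(raw)}")
```

The point the run makes is the one the paper argues: the signature side waves through the request to an unlisted host and the off-grammar request because nothing on its list matches, while the allow-list side rejects both without needing to know anything about them, and still rejects the one case the signature list does recognize.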
I've always found that I agreed with Ranum more often than I disagreed -- and you're right -- the firewall of the future is the ISA Firewall, and just wait until what you see with the next version!
Too bad the guy doesn't realize that what he is waiting for to come in the future has been here for 7 years since ISA2000 and has gotten better with each version.
He's definitely a common sense sort of guy, who sees right through the "hardware" firewall moron's BS. Ranum created the BSD FWTK, which was the first proxy and application inspection firewall.
Although the original source is not given, just the site, that paper describes a certain product, and not ISA, which its vendor calls the firewall of the future (does the name W. Earl Boebert ring a bell to you?). Marcus is a big supporter of proxy firewalls, and does not seem to like the "deep inspection" ones too much... Adrian