Advanced Intrusion Defense - PowerPoint PPT Presentation

Title: Advanced Intrusion Defense

Description: Do you need to buy (or upgrade) to a bigger, smarter, faster, more capable firewall? ... And which product should I buy? Answer: 42. I can't tell you what is ... – PowerPoint PPT presentation

Slides: 30
Provided by: searchsecu

Transcript and Presenter's Notes

1
Advanced Intrusion Defense
Joel Snyder Opus One jms_at_opus1.com
2
Traditional perimeter technology is being supplemented?
3
A firewall is not just a firewall anymore
  • Firewalls now have advanced application
    intelligence
  • Actually, they had that already, but the
    marketroids had to keep themselves busy.
  • Firewalls now are intrusion prevention systems
  • Isn't every firewall an intrusion prevention
    system?
  • Firewalls now do virus scanning, content
    scanning, and ironing.
  • Application-layer firewalls are needed to protect
    legions of inadequate Web programmers.

4
A firewall is not just a firewall anymore, II
  • IDS has been replaced by IPS.
  • (No, I don't believe that, I'm just repeating
    awful rumors.)
  • Worms now outnumber viruses in your e-mail by a
    factor of 20 to 1.
  • Spam represents 50% to 75% of all e-mail you
    receive.

5
Key Question: Do you need this?
  • Do you need to buy (or upgrade) to a bigger,
    smarter, faster, more capable firewall?
  • Do you need to buy an IPS?
  • an application layer firewall?
  • a smarter IDS?
  • an SSL VPN device?
  • Do I want an all-in-one thing?
  • Do I want individual parts?
  • The answer you've been waiting for is on the
    very next slide!

6
Should I buy a lot of this new security stuff?
And if I do buy this, what kind should I buy?
And where should I put it?
And which product should I buy?
Answer: 42
7
I can't tell you what is right for your network
  • I can tell you what products are out there and
    what they are doing
  • I can also tell you what the trends are in these
    products
  • But the hard work remains yours

So let's look at what's happening in the firewall
business
8
March 2004: Information Security sponsors
research on new firewall technologies
  • Products from Check Point, Cyberguard, NetScreen,
    Nortel Networks, Symantec, Secure Computing,
    Watchguard
  • Support from Andy Briney, Neil Roiter at
    Information Security

http://infosecuritymag.techtarget.com/
9
Firewalls have been around for a very long time
  • "AT&T's gateway creates a sort of crunchy shell
    around a soft, chewy center." (Bill Cheswick,
    Design of a Secure Internet Gateway, April, 1990)

[Timeline figure spanning 1989 to 2005, marking these events (the year
of each is not recoverable from the transcript):]
  • First firewalls deployed in Internet-connected
    organizations
  • TIS toolkit commonly available
  • Firewalls and Internet Security published
  • Cisco buys PIX (Network Translation)
  • WatchGuard introduces 1st FW appliance
  • CheckPoint revenues cross 100m
10
Surely firewall makers have been busy since 1999?
  • Clear market trends
    • Faster
    • Cheaper
    • Smaller
    • New Guard: NetScreen (Juniper), Watchguard,
      SonicWALL
    • Old Guard: Cisco, Check Point
  • Clear product trends
    • Add VPN features
      • Site-to-site
      • Remote Access (?)
    • Add policy-based URL control
      • Websense-type
    • Add interfaces
      • No longer just inside, outside, DMZ

11
Shirley firewall makers have been busy since 1999?
  (Same content as slide 10.)

12
Incremental improvements are not very exciting
  • Smaller, cheaper, faster: that's great
  • VPNs, more interfaces: that's great
  • But what have you done for me lately?
  • To answer that, we need to digress to the oldest
    battle in all of firewall-dom: proxy versus
    packet filter!

13
Arguments between Proxy and Stateful PF, continued
  • Proxy
    • More secure because you can look at the
      application data stream
    • More secure because you have independent TCP
      stacks
  • Stateful PF
    • Faster to write
    • Faster to adapt
    • Faster to run
    • Faster also means cheaper

14
Proxy-based firewalls aren't dead, just slow!
[Diagram: the proxy runs in user process space, above the RTL and the
TCP/IP stack, while packet filtering sits in the kernel. A client on the
inside network 10.1.1.0/24 sends Src 10.1.1.99 Dst 5.6.7.8; the proxy
terminates that connection and opens its own from the outside address
1.2.3.4, Src 1.2.3.4 Dst 5.6.7.8, so two independent TCP connections
carry the session.]
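
As an added example, not code from the presentation or from any vendor's product, the following models the connection table that separates a stateful packet filter from the proxy in the diagram above, using the diagram's addresses. The packet trace, the permitted-port list, and all class and function names are constructed for illustration:

```python
"""Toy stateful packet filter (added example; not from the presentation).

Models the connection table that distinguishes a stateful packet filter
from a plain packet filter, using the addresses from the slide-14 diagram.
All packets below are constructed sample traffic, not captured data.
"""
from dataclasses import dataclass
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # inside network from the diagram


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags as letters: "S", "SA", "A", "FA", "R"


class StatefulPacketFilter:
    """Allow inside-initiated TCP flows to permitted ports and only the
    replies that match an existing table entry.  Like a real stateful
    filter it never looks past the transport header: payload is invisible."""

    def __init__(self, allowed_dports=(80, 443)):
        self.allowed_dports = set(allowed_dports)
        self.table = {}   # (src, sport, dst, dport) -> connection state

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in INSIDE_NET

    def filter(self, pkt):
        """Return "ALLOW" or "DROP" and update the connection table."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if "R" in pkt.flags and (fwd in self.table or rev in self.table):
            # RST tears the flow down in either direction; pass the RST itself.
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
            return "ALLOW"

        if fwd in self.table:                  # same direction as the opener
            if "F" in pkt.flags:
                self.table[fwd] = "CLOSING"
            return "ALLOW"

        if rev in self.table:                  # reply to a tracked flow
            if self.table[rev] == "SYN_SENT" and pkt.flags == "SA":
                self.table[rev] = "ESTABLISHED"
            elif "F" in pkt.flags:
                self.table[rev] = "CLOSING"
            return "ALLOW"

        # No state yet: only an inside host opening a permitted outside
        # service may create an entry.  Everything else (unsolicited inbound
        # SYNs, stray SYN-ACKs, forbidden ports) is dropped.
        if (pkt.flags == "S" and self._inside(pkt.src)
                and not self._inside(pkt.dst)
                and pkt.dport in self.allowed_dports):
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        return "DROP"


def run_trace(fw, packets):
    """Apply the filter to a packet list; return the decision for each."""
    return [fw.filter(p) for p in packets]


# Constructed sample trace: an inside web client, a stray reply, a scan.
SAMPLE_TRACE = [
    Packet("10.1.1.99", 40000, "5.6.7.8", 80, "S"),    # inside opens HTTP
    Packet("5.6.7.8", 80, "10.1.1.99", 40000, "SA"),   # matching reply
    Packet("10.1.1.99", 40000, "5.6.7.8", 80, "A"),    # handshake completes
    Packet("5.6.7.8", 80, "10.1.1.99", 40001, "SA"),   # reply with no state
    Packet("5.6.7.8", 6667, "10.1.1.5", 22, "S"),      # unsolicited inbound SYN
    Packet("10.1.1.99", 40002, "5.6.7.8", 23, "S"),    # telnet not permitted
    Packet("10.1.1.99", 40000, "5.6.7.8", 80, "FA"),   # client closes
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(StatefulPacketFilter(), SAMPLE_TRACE)):
        print(f"{verdict:5s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
```

The SYN-ACK on port 40000 is allowed only because the inside host's SYN created an entry; the identical SYN-ACK aimed at port 40001, which has no entry, is dropped. What the filter never does is read the payload: that is the application-layer visibility the proxy side of the argument claims, and a proxy buys it by terminating the connection and re-originating it from its own address (1.2.3.4 in the diagram) rather than by matching packets against a table.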
15
Firewall Landscape Five years ago
  • IBM eNetwork
  • Secure Computing
  • Altavista Firewall
  • TIS Gauntlet
  • Raptor Eagle
  • Elron
  • Cyberguard
  • Ukiah Software
  • NetGuard
  • WatchGuard
  • SonicWALL
  • Check Point
  • Livermore Software
  • Milkyway
  • Borderware
  • Global Internet

Where have they all gone?
16
Stateful Packet Filtering dominates the market
  • Check Point, Cisco, NetScreen, SonicWALL
  • Freeware-based products: Ipchains, IPF, Iptables,
    IPFW
  • FW Newcomers: Fortinet, Toshiba, Ingate,
    ServGate, many others
[Diagram: stateful packet filtering implemented in the kernel at the IP
layer, with no user-space proxy process.]
17
But, the core argument was never disputed
  • Proxy-based firewalls do have the possibility to
    give you more control because they maintain
    application-layer state information
  • The reality is that proxy-based firewalls rarely
    went very far down that path
  • Why? Market demand, obviously

18
Firewall Evolution: What we hoped for
  • Additional granular controls on a wide variety of
    applications
  • Intrusion detection and prevention functionality
  • Vastly improved centralized management systems
  • More flexible deployment options

19
Firewall Evolution: What we found
  • Additional granular controls on some applications
    (not the wide variety hoped for)
  • Limited intrusion detection and prevention
    functionality
  • Vastly improved centralized management systems
  • More flexible deployment options

Why? Market demand, obviously
20
Additional Granular Controls focused on a few
applications
  • Everybody loves HTTP management
    • Header filtering
    • File type / MIME type blocking
    • Embedded Data blocking (JavaScript)
    • Virus scanning, URL Filtering
  • Other applications are piecemeal
    • FTP
    • SMTP
    • VoIP
    • File Sharing
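
As an added example, not code from the presentation or from any of the products it surveys, the following applies three of the HTTP controls listed above (header filtering, MIME-type and file-type blocking, and stripping of embedded JavaScript) to a raw HTTP response. The policy tables, the sample responses and the function names are constructed for illustration:

```python
"""HTTP response controls of the kind slide 20 lists (added example; not
from the presentation).  Parses a constructed HTTP/1.1 response and applies
MIME-type blocking, header filtering and inline-JavaScript stripping.
The policy tables and sample responses are assumptions for illustration."""
import re

# MIME types whose downloads the policy refuses outright.
BLOCKED_MIME = {"application/x-msdownload", "application/octet-stream",
                "application/java-archive"}
# MIME types that carry script; refused only when block_scripts is on.
SCRIPT_MIME = {"text/javascript", "application/javascript",
               "application/x-javascript"}
# Response headers removed before delivery (server fingerprinting).
STRIP_HEADERS = {"server", "x-powered-by"}

SCRIPT_TAG = re.compile(rb"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
BAD_ATTACHMENT = re.compile(r'filename="?[^";]*\.(exe|scr|pif|jar)"?(?:;|$)',
                            re.IGNORECASE)


def parse_response(raw):
    """Split a raw response into (status line, {lowercased header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def rebuild(status, headers, body):
    """Reassemble the response; Content-Length must track the edited body."""
    headers["content-length"] = str(len(body))
    head = status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body


def apply_policy(raw, block_scripts=True):
    """Return (decision, reason, response to deliver or None)."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()

    # File-type / MIME-type blocking.  The declared type is attacker
    # controlled, so also look at the filename in Content-Disposition.
    if ctype in BLOCKED_MIME:
        return "BLOCK", f"mime type {ctype}", None
    if BAD_ATTACHMENT.search(headers.get("content-disposition", "")):
        return "BLOCK", "blocked attachment extension", None
    if block_scripts and ctype in SCRIPT_MIME:
        return "BLOCK", "external script", None

    # Header filtering: drop fingerprinting headers.
    for name in STRIP_HEADERS:
        headers.pop(name, None)

    # Embedded-data blocking: strip inline <script> blocks from HTML.
    reason = "allowed"
    if block_scripts and ctype == "text/html":
        body, removed = SCRIPT_TAG.subn(b"", body)
        if removed:
            reason = f"{removed} inline script block(s) removed"
    return "ALLOW", reason, rebuild(status, headers, body)


# Constructed sample responses (not captured traffic).
SAMPLE_HTML = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n"
               b"Content-Type: text/html; charset=iso-8859-1\r\n"
               b"Content-Length: 53\r\n\r\n"
               b"<html><body>hi<script>alert(1)</script></body></html>")
SAMPLE_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
              b"Content-Length: 2\r\n\r\nMZ")
SAMPLE_DISGUISED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                    b"Content-Disposition: attachment; filename=\"setup.exe\"\r\n"
                    b"Content-Length: 2\r\n\r\nMZ")

if __name__ == "__main__":
    for raw in (SAMPLE_HTML, SAMPLE_EXE, SAMPLE_DISGUISED):
        decision, why, out = apply_policy(raw)
        print(decision, why, out)
```

Two caveats a practitioner would want: editing the body obliges the device to rewrite Content-Length (and to decode chunked or compressed bodies first), which is one reason these features cost throughput; and removing `<script>` elements is not a complete JavaScript block, since event-handler attributes and `javascript:` URLs survive it. Header names are emitted lowercased, which HTTP permits.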

21
HTTP-oriented features served pressure points
22
Advanced Controls are diverse across products
  • Differentiating between advanced controls and
    basic controls was easy to do.
  • Proxy-based firewalls proved to be almost
    indistinguishable from their insecure stateful
    packet filtering brethren.
  • Vendors appear to be reactive, not proactive.

23
Virus Scans and Policy Controls are simple, right?
  • No! Some devices don't have virus scanning
  • No! Some firewalls don't support a local list of
    blocked URLs
  • No! Some firewalls insisted on having virus
    and/or URL scanning happen off box
  • No! Some firewalls don't let you configure where
    you scan for viruses
  • Conclusion: it's not simple

24
We've learned how to write good GUIs, haven't we?
  • Not in the firewall business, we haven't
  • Additional granularity means additional thinking
    about resources
  • Products are disappointing
  • The firewall people have a lot to learn from the
    SSL VPN people

25
Centralized management has improved a bit
  • Folks who had it are doing slightly better than
    they were
  • Folks who didn't have it now generally have
    something

We're still missing a general policy management
system for firewalls. Many of the centralized
management tools have very rough edges.
26
Intrusion is the new buzzword in security
  • Rate-based IPS technology
    • In firewalls, means SYN flood protection
    • May be smart (NS)
    • May include shunning (SecComp, WG, CP)
  • Content-based IPS technology
    • Based on IDS-style thinking
    • May have small signature base (NS, CP)
    • May be an IDS with the IPS bit on (Symantec)
  (Vendor abbreviations, from the slide 8 list: NS = NetScreen,
  SecComp = Secure Computing, WG = Watchguard, CP = Check Point.)
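
As an added example, not code from the presentation or from any vendor named on it, the following shows the two IPS flavours the slide distinguishes side by side: a rate-based engine that counts SYNs per source in a sliding window and shuns a source that exceeds the threshold, and a content-based engine that is IDS-style signature matching with the drop action turned on. Thresholds, signature strings, the sample packet records and all names are constructed for illustration:

```python
"""Rate-based and content-based IPS checks of the kind slide 26 lists
(added example; not from the presentation or any vendor's product).
Sample packet records are constructed; thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Record:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters, e.g. "S", "A"
    payload: bytes = b""


class RateBasedIPS:
    """SYN-flood protection: count SYNs per source in a sliding window and
    shun (drop everything from) a source that exceeds the threshold."""

    def __init__(self, syn_threshold=5, window=1.0, shun_seconds=60.0):
        self.syn_threshold = syn_threshold
        self.window = window
        self.shun_seconds = shun_seconds
        self.syn_times = defaultdict(deque)   # src -> recent SYN timestamps
        self.shunned = {}                     # src -> shun expiry time

    def check(self, rec):
        expiry = self.shunned.get(rec.src)
        if expiry is not None:
            if rec.ts < expiry:
                return "DROP:shunned"
            del self.shunned[rec.src]         # shun has aged out
        if rec.flags == "S":
            q = self.syn_times[rec.src]
            q.append(rec.ts)
            while q and q[0] <= rec.ts - self.window:
                q.popleft()                   # expire SYNs outside the window
            if len(q) > self.syn_threshold:
                self.shunned[rec.src] = rec.ts + self.shun_seconds
                q.clear()
                return "DROP:syn-rate"
        return "PASS"


# Constructed content signatures: two classic web-attack strings.
SIGNATURES = {
    "http-dir-traversal": b"../../",
    "http-cmd-exe": b"cmd.exe",
}


class ContentBasedIPS:
    """IDS-style signature matching with the 'IPS bit' on: drop on match."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures

    def check(self, rec):
        for name, pattern in self.signatures.items():
            if pattern in rec.payload:
                return f"DROP:sig:{name}"
        return "PASS"


def inspect_records(records, rate=None, content=None):
    """Run the rate engine, then the content engine; one verdict per record."""
    rate = rate or RateBasedIPS()
    content = content or ContentBasedIPS()
    verdicts = []
    for rec in records:
        verdict = rate.check(rec)
        if verdict == "PASS":
            verdict = content.check(rec)
        verdicts.append(verdict)
    return verdicts


# Constructed trace: a flooder, a normal client that sends an attack
# string, and the flooder again after its shun has expired.
SAMPLE = (
    [Record(t / 10, "1.2.3.4", "10.1.1.80", 80, "S") for t in range(8)]
    + [Record(0.5, "9.9.9.9", "10.1.1.80", 80, "S"),
       Record(0.6, "9.9.9.9", "10.1.1.80", 80, "A",
              b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n"),
       Record(61.0, "1.2.3.4", "10.1.1.80", 80, "S")]
)

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, inspect_records(SAMPLE)):
        print(f"{rec.ts:5.1f} {rec.src:>9s} [{rec.flags:2s}] {verdict}")
```

The sixth SYN from 1.2.3.4 inside the one-second window trips the threshold; the rest of that burst is dropped as shunned, while 9.9.9.9 is untouched by the rate engine and only loses the request that carries the traversal string. Shunning by source address is the crude end of rate-based defence: a flood with spoofed sources fills the shun table with addresses the attacker chose, which is why the slide's "may be smart" matters (SYN cookies, for example, defend the handshake without per-source state).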

27
So whats going on in the firewall business?
  • Products are diverging, not converging.
  • Personalities of products are distinct.
  • IPS is a step forward, but not challenging the
    world of standalone products.
  • Rate of change of established products is slow
    compared to new entries.

28
What does this mean for me and my firewall?
  • Products are diverging
  • Personalities are distinct
  • IPS weaker than standalone
  • Change rate slow
  • Matching firewall to policy is hard: a change in
    application or policy may mean changing product!
  • Aggressive adoption of new features is unlikely in
    popular products; new blood is needed to overcome
    product inertia

29
Advanced Intrusion Defense Joel Snyder Opus
One jms_at_opus1.com