Firewalls: The Next Generation
The Most Important Things You Need Your Next Firewall to Do
So, how do we quickly get to the next-generation firewall - and what are the key qualities it will need to embrace?
In an interview about the future of firewalls, King discusses:
- Where and how organizations are at risk;
- The most important things we need these next firewalls to do;
- How organizations can start to get there.
King is director of product marketing for Palo Alto Networks. Previously, he held strategic and product marketing roles at Blue Coat Systems, including responsibility for marketing and strategy for MACH5, Blue Coat's application acceleration solution - which he launched and helped grow to a $160 million/year business. Prior to joining Blue Coat in June of 2004, King spent over eight years as an information technology analyst for META Group. An internationally recognized expert on information security, he has consulted with hundreds of large IT organizations, spoken before a variety of audiences, and is often quoted in trade and business press. Before META Group, King managed an international network for Securities Registration Depository, and was employed by Ernst & Young. Mr. King holds a B.A. from George Mason University.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself please?
CHRIS KING: I run product marketing here at Palo Alto Networks. I've been here for about three years. My prior lives include stints at some information security vendors and a pretty long tenure as an analyst in this space with a company called META Group from years back. And going way back, I actually used to manage networks for a living, so I've kind of made a tour of the industry, and hopefully that will be reflected in some of the comments that we discuss today.
What's Wrong with Firewalls
FIELD: Well, Chris, you just released a new paper about the next generation in firewalls and what they must do. Give us some context here. What is wrong with the current generation of firewalls?
KING: Well, the current generation of firewalls was designed in a different era. The traditional firewall has policy based on IP addresses and ports, and you wind the clock back a couple of decades ... and it used to be that applications had pre-assigned ports: port 25 that was SMTP, which was email; port 80 that was HTTP that was web browsing. And right around the turn of the century, folks figured out that the easy way to make their applications more accessible to end users, whether they are sitting in the enterprise or at home, was to ignore port and always shoot for an open port to be port agile or port hop. Basically, it was a safe assumption that port 80 was always open. It was a safe assumption that port 443 was always open. And it was a safe assumption that there would be other ports that were open. Gradually, application developers figured out, starting with folks developing instant messaging applications ... hey, there is a simple technique here to get through the firewall. Normally, you'd say 'Well, big deal.' Some of these applications are good, some of them have very serious business benefit, but they also have risk. Not to mention the fact that the majority of threats being developed today target applications as either the thing they are exploiting or as a transmission vector.
What happened over time was the security industry said, 'Well, we can add helpers to the firewall, and we can add things like IPS and proxies and URL filters, and all these things.' But at the end of the day, the firewall is still the thing that makes the decision to allow traffic on to the network. Everything else looks at subsets of traffic. It is only looking for certain things. The access decision is still made by the firewall, and unfortunately the traditional firewall is incapable of making a meaningful decision.
The Risks
FIELD: You used a key word a few minutes ago which was risk. Where and how do you see organizations most at risk now because of the firewalls they are depending upon?
KING: This is actually, I think, one of the most important discussions in information security today, because if you look at a lot of the buzz out there, there is a lot of noise about application control, and the problem is that the information security industry has sort of pre-defined to think about risk as a threat. As you and I know, risk is not a threat. If you talk to a business person, risk is actually a good thing. Risk is where you make money.
So the challenge here when you start to look at some of these applications, whether we are talking about cloud-based collaboration apps, whether we are talking about social networks, there is a tremendous amount of potential business benefit in these initiatives. You look at some of the major auto manufacturers, you look at some of the major PC manufacturers, you look at some of the major pharmaceuticals, healthcare, financial services, they are all targeting social networks or online applications of various types in order to be more productive, more cost effective, reach more customers. So, the problem is a lot of information security folks, they have this kind of this model that says 'New risky stuff bad, must block.' The risk for organizations is two-fold. One, absolutely correct, a lot of these applications are risky. Two, you know the problem with the mindset that I think a lot of us are conditioned to - and, by the way, we're conditioned to it because those are the controls we have: block or not -- is that we either alienate ourselves from our organizations, or we potentially block business benefit. And, yes, there are lots of business risks including data loss or operation costs, there is risk to compliance, business continuity, even productivity, which I would argue might be a little bit of a red herring. But those things are the types of risks that the business might see that we need to balance those benefits that I mentioned before, productivity and lower operational costs, and faster time to market and those kinds of things. But it is sufficient to see the point I made before: Threats are using applications, so there is real risk. The problem we've got is there is also benefit to a lot of these things.
Next-Generation Firewall
FIELD: Chris, now paint us a picture of what the next generation firewall is going to look like?
KING: So basically, the next generation firewall does five things. It identifies the application regardless of what port it is on, what kind of encryption it is using, how evasive it is trying to be. It identifies the application.
The second thing is it identifies the user. So I can use policy in a group fashion. So I can say that marketing is allowed to use Facebook, or corporate communications is allowed to use Twitter, or the product research folks are allowed to collaborate using Box.Net with some of our partners.
Third, it scans content. So for the allowed applications, I can scan it to mitigate some of those risks that I talked about. So for example with SharePoint, a very common application, one of the problems is that sometimes people upload stuff unknowingly that is carrying a threat. So you want to be able to scan that allowed traffic for threats.
Fourth, you want to be able to wrap this all up in policy, so it's not a matter of having to go to the Firewall to turn on one thing, and then go to an IPS and do something else, and go to a URL filter and do something, and you've got sort of this policy that is scattered all over every place that's got different paradigms and language and so on and so forth. You want to be able to tie that at application that user that content all up in one policy, and then you know fit.
By the way, the firewall is still a critical piece of infrastructure, so you have to do this without getting in the way of business. Translation, you've got to do this at high throughput rates with low latency.
So, with those things as the sort of the five things that you've got to do, one of the most important things is number one and number two, the app and the user, that's in the firewall. That's one of the challenging bits about this, and I'm guessing we'll have an opportunity to talk a little bit more about that later, but basically doing this in the firewall is absolutely critical from a performance standpoint and from a functional standpoint in what you see and what you get to control and everything else.
What You Need from Your Next Firewall
FIELD: Chris, let's dive down a little bit deeper here. One of the big themes of the paper you put together is the 10 things that firewalls need to do. What are some of the most important of the ten things that we really need these next firewalls to do for us?
KING: So that's a great question because I think there is a lot of buzz out there about application control, and again it goes back to that sort of that pre-conditioned idea that I think a lot of people in the security space have, which is you treat an application like a threat. So, a lot of the efforts to application controls have been, 'Well let's put a bunch of application signatures in an IPS.' The problem that you have with that is really highlighted by some of the things, some of those ten things that we talk about in the paper.
If I'm going to look at the top three things of the ten things, the first thing you've got to be able to do is identify the app regardless of what port it is using. So people are familiar with forcing certain applications to HTTPS or SSL, whether that be on port 443 or not. People are familiar with things that are port agile and the hot ports. People are familiar with forcing IM to port 80 or something like that. It doesn't really matter what port it is on anymore; the firewall has to be able to identify the application regardless of port. I think when you write a policy, if you want that to be effective -- which most people do -- you've got to be able to identify the app regardless of what port it is moving on.
Another one, and this is related, is kind of being able to identify the application and enforce the policy that you need to enforce, whether that be controlling certain elements of that application, whether that be scanning an application for threats, you've got to be able to look at things inside of SSL. This is a major challenge that requires lots and lots of horsepower and policy flexibility when you look at the sensitivity of opening up SSL and scanning content inside that for threats and so on and so forth. So A, you've got to be able to do it; B, you've got to be able to do it with performance, without introducing latency; and C, you've got to be flexible enough to say certain pieces are off limits. We don't want to decrypt it, we don't want to know what is inside of, for example, personal healthcare or personal financial applications. I kind of alluded to this before; you want to be able to scan for threats in the allowed traffic.
And if I can add one more, one of the most important elements in my opinion of the 10 things is what happens to the unknown traffic? Is that unknown traffic simply passed through or is that unknown traffic handled by policy? Given that the unknown is typically where the highest risk traffic is, or more specifically where the threats like to hide, having a policy centric treatment of this as opposed to yeah, well it just gets through if we don't know what it is. This is a big deal when you are talking about security.
Getting There from Here
FIELD: Chris, the big question is how do we get from here, where we are today, to there which you've just described?
KING: So, that is a great question, and I think there are probably two ways to answer that. One is, from the industry or vendor perspective, and the second one is from the user perspective, or more specifically the customer perspective.
I think when you look at it from the vendor perspective, it's a challenge. We had a benefit in the sense that we didn't have a traditional firewall that we had to remake. We were founded in 2005. We shipped our first product mid-year 2007 after all the dynamics I just described had already occurred. So we looked at it and said 'Hey, we have a unique way to solve this problem. If we identify the application in the firewall, then we have some unique benefits that we can bring to the enterprise.' A lot of the traditional firewall vendors are looking at this and saying, 'Wow, that's a different classification engine.' So when you look at a firewall, the thing that classifies traffic, the engine that classifies traffic, whether in a traditional firewall, where we are talking about IP addresses, or a next generation firewall like ours, where we are talking about users and applications, the classification engine is the brain of the firewall. And if you look at this from a vendor perspective, you know it's kind of like doing a brain transplant. It's really, really hard. It's far easier to start from the beginning and build a new firewall with a new classification engine that is designed specifically for that purpose, which is what we did. The challenge for the rest of the industry is: If you're an existing traditional firewall vendor, that's not something you really relish doing. Since it's not something you can tack on, there is a big hurdle for a lot of the traditional security vendors to clear.
Now the second aspect of that question is, if you're an end user organization, you know, how do you get there? What does the customer do in order to kind of make this transition? It's certainly something that does require a little bit of a sea change in how you think about policy, but there is a benefit in the sense that the security administrator or the security officers can go back to the business and say, 'Hey, I know that you need to do a social networking initiative to reach out to customers and deepen the relationship that we have with them. Let me help you do that safely, rather than saying no, we're not going to do it. It's too risky.' That is a huge change. I mean, people have talked for years about, oh, let's treat security as an enabler. Well, if your only control as a security person is allow or deny, then it is hard to be an enabler. Whereas now we're in a situation where we can say, 'We're going to allow certain applications for certain people in certain functions, but we're going to scan it for threats and so on and so forth.' So that is incredibly liberating when you start thinking about security as an enabler and moving off that traditional, kind of that Doctor No reputation that a lot of security folks have.
Firewall Tips
FIELD: A final question for you Chris. If you could boil it down, what advice would you give to an organization to help start them down this path to the next generation firewall?
KING: I think the most important thing that you need to be able to do is understand the applications that are running on your network. I think most information security folks have some inkling of some of the things that are going on, but they don't know the depth, and they don't know the breadth of the kinds of applications that are on their network. So step one is figure out what is on your network.
Step two is kind of start looking at enabling applications. You don't just flip a switch and cut everything over. You can kind of ease from a port-centric mentality to an application- and end user-centric mentality. But I think step one, find out what applications are running on your network, and then start having those conversations with the business about, 'Okay, I found that all of the accounting people are using this particular application. I don't know anything about it. Why don't you tell me? I'll help you understand the risk. You help me understand the benefit, and we can come up with a policy that makes sense.'