In-Depth

Firewalls Fill the Gap

Firewalls are evolving to accommodate today's sprawling enterprise systems. Several types of products can enhance your security and peace of mind.

It used to be that your network administrators could protect low-end systems with no more than password protection and a physical server cage. Those days are long past, replaced by an ever-increasing need for vigilance in the face of almost daily hacker attacks, both external and internal.

Enter the firewall, a piece of software—and now hardware—that performs the function suggested by its name.

Product Information

Cisco PIX 515, 525 and 535
Cisco Systems Inc.
San Jose, Calif.
(800) 553-6387
www.cisco.com

The Firewall as an Appliance
One major player in the firewall market is Cisco Systems Inc. Cisco's enterprise offering is the PIX firewall appliance line, which ranges in capacity from private networks to large enterprises, with the highest-end model capable of gigabit Ethernet connections, a half-million concurrent connections and VPN capability.

Firewalls first appeared on the scene soon after packet filtering, according to Dennis Vogel, product manager for Cisco's PIX firewall product line. While the first firewalls recognized only outgoing packets, today's firewalls perform what is known as "stateful packet" inspection: they keep track of the connections that inside hosts open and can recognize the return packets of those connections as well.
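To make the stateful versus stateless distinction concrete, here is a small connection-tracking filter as an added example (not Cisco PIX code): inside hosts may open TCP connections, and inbound packets are admitted only when they match a tracked connection, which is what a stateless filter cannot decide. The Packet model, the inside-network prefix and the concurrent-connection ceiling are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Added example (not PIX code): the packet model and policy below are assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)
    inbound: bool = False  # True when arriving from the untrusted side

FlowKey = tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)

class StatefulFilter:
    """Tracks outbound TCP connections and admits only their return traffic.
    A stateless filter cannot tell a reply from an unsolicited probe, so it
    would need a blanket 'allow inbound from source port 80' style rule."""

    def __init__(self, inside_prefix: str, max_conns: int = 4) -> None:
        self.inside_prefix = inside_prefix
        self.max_conns = max_conns           # concurrent-connection ceiling
        self.table: dict[FlowKey, str] = {}  # flow -> "SYN_SENT" | "ESTABLISHED"

    def _key(self, p: Packet) -> FlowKey:
        # Both directions of one flow map to the same key.
        return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        state = self.table.get(key := self._key(p))
        if not p.inbound:
            if not p.src.startswith(self.inside_prefix):
                return "DROP"        # spoofed source seen on the inside interface
            if state is None:
                if "S" not in p.flags or len(self.table) >= self.max_conns:
                    return "DROP"    # non-SYN without state, or connection table full
                self.table[key] = "SYN_SENT"
            elif "F" in p.flags or "R" in p.flags:
                del self.table[key]  # simplification: drop state on the first FIN/RST
            return "ALLOW"
        if state is None:
            return "DROP"            # unsolicited inbound packet: no matching state
        if state == "SYN_SENT" and not ("S" in p.flags and "A" in p.flags) and "R" not in p.flags:
            return "DROP"            # a pending SYN is answered only by SYN-ACK or RST
        self.table[key] = "ESTABLISHED"
        if "F" in p.flags or "R" in p.flags:
            del self.table[key]
        return "ALLOW"
```

Run the same packets through a stateless rule set and the only way to let the SYN-ACK and data replies through is to permit all inbound traffic from port 80, which also admits the unsolicited probe the first assertion drops.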

Almost all firewalls currently on the market, including the PIX, are considered hybrids, explains Paul Robertson, director of risk assessment at TruSecure Corp. Hybrid firewalls combine packet filtering with application layer gateways. An application layer gateway is a middle layer that stands in for both ends of a network transaction: it acts as the server toward the client and as the client toward the destination host, so neither side talks to the other directly. The goal is to filter out whatever standard packet filtering misses.

Cisco's entire PIX line features a proprietary operating system, which Vogel says is "purpose-built." That means, unlike a Windows or Unix-based OS, no unnecessary features are built into the operating system; rather, all features of the PIX are streamlined. The same OS functions on every level of the PIX line, making scalability and upgrading relatively simple.

Multiple management options exist for the PIX line, according to Vogel. Telnet or SSH command-line interfaces are available for management via a central console. Additionally, PIX devices can be managed through PIX Device Manager (PDM) software, an SSL, Web-based GUI management application that features real-time graphical monitoring of a network's PIX throughput. For multiple PIX devices, Cisco offers Cisco Secure Policy Manager, which allows an administrator to set security policies on the entire network.

The premier model in the PIX line is the PIX 535. The 535 features: throughput of 1 Gbps; 500,000 concurrent connections; 7,000 connections per second; 100 Mbps, 168-bit, 3DES IPsec VPN throughput; and 2,000 simultaneous VPN tunnels. On the hardware side, it boasts the speed of a 1GHz Intel Pentium III processor, 512 MB RAM and 16 MB of flash memory.

Troubleshooting and support are key integrated features of the PIX line, according to Cisco's Vogel. Cisco Certified Internetwork Experts (CCIEs) developed the PIX line, as well as other security solutions and network segments, based on the SAFE network architecture. This architecture is designed and tested by security personnel, and the design and its benchmark results are made public to the security administrators who plan to build network segments based on SAFE.

According to Tim Smith of analyst firm Dataquest Inc., the PIX line is consistently the No. 1 performer in the VPN-enabled market space. Smith calls the line a "very capable VPN approach." In addition, Smith reports that Cisco is pursuing PIX product line testing at ICSA Labs.

While Cisco may be the 800-pound gorilla of the network security space, it isn't the only player. Several smaller companies have appeared on the scene to complement, and in some cases compete with, Cisco.

Product Information

1000, 6000 and 8000 models: $1,995, $14,995 and $29,995
RapidStream Inc.
San Jose, Calif.
(866) 727-4348
www.rapidstream.com

VPN Capabilities
RapidStream Inc. develops firewall appliances with piggybacked VPN capabilities. RapidStream is moving its product line toward a more hybrid state, according to Bruce Byrd, vice president of marketing. That's because once encryption becomes the industry standard, a firewall acting alone will have difficulty removing bad packets it cannot inspect. And since VPNs are processor-intensive, Byrd predicts the industry will evolve toward a more integrated security platform that handles both functions.

VPNs and firewalls differ fundamentally in that firewalls are a security technology designed to keep specific things out, while VPNs are an access technology that creates secure passages for information between two nodes. Thus, the VPN is an extension of the network trust; however, according to TruSecure's Robertson, it can also be a weakening of that trust.

Because VPNs are processor-intensive, RapidStream has developed the RapidCore network security processor. The RapidCore architecture consists of four programmable RISC processors, hardwired logic for packet classification, encryption and quality of service (QoS) algorithms, and more than 1.6 million gates and on-chip memory. The RapidCore ASIC is the basis for several RapidStream products, taking care of the security policy execution, while the individual software product is responsible for the initial policy decision.

RapidStream also has the ability to measure voice over IP (VoIP) latency in microseconds rather than milliseconds. The RapidStream VPN line features a standalone GUI, with an option for a command-line interface from a central management console.

The top-of-the-line RapidStream 8000 is an enterprise VPN concentrator. It features two 1000base-SX Gigabit Ethernet ports, firewall throughput of 620 Mbps, VPN-3DES throughput of 360 Mbps and 128,000 concurrent firewall sessions. The VPN Enterprise Concentrator 8000 model, for example, offers 20,000 simultaneous VPN tunnels.

Issues with firewalls and VPNs vary greatly, according to TruSecure's Robertson. Proper implementation can be a major issue with firewalls. Robertson says that up to 70 percent of security breaches occurring with firewalls in place are due to improperly implemented firewalls that failed to catch the traffic they were supposed to block.

IPSec and VPNs
IPSec technology is an industry standard for protecting information in transit. It can help secure VPNs, which can otherwise create a breach of network trust. VPNs are used mostly for secure transfer of data from office to office or from network to network, on the assumption that both networks have the same level of security. However, one challenge with IPSec technology is interoperability. Because so many different vendors have developed their own versions of IPSec, IPSec-enabled devices from different vendors sometimes don't interoperate.

IPSec-enabled VPNs and firewalls can, however, be brought into collaboration. Jim Ridley of service provider Terraspring is a network administrator with a small but growing network of Windows, Unix and Linux boxes. He had several criteria for implementing a VPN: It had to be a VPN-focused appliance; it had to work with his heterogeneous network; and it had to be IPSec-compliant.

Terraspring's previous network security implementation was a series of Cisco PIX boxes. Ridley switched to a configuration using RapidStream 6000 and 1000 appliances because, he says, he prefers to "keep things separated—a firewall as a firewall and a VPN as a VPN." In addition to implementing the RapidStream appliances on the user side of his network, Terraspring is starting to test RapidStream solutions for the corporate network.

"Foolish" Security

The Motley Fool, a financial services and advice Web site, was looking for a comprehensive security configuration in late 1995. At the time, according to Motley Fool CTO Dwight Gibbs, the company was operating without a firewall, relying on Windows NT security. The company "didn't want another Unix box" and decided on Cisco's PIX firewall because it wanted a dedicated firewall appliance.

The Motley Fool network team built up its security from there. Currently, the company runs PIX 525 boxes at its data center and U.S. headquarters, as well as the 515 model in its U.K. headquarters, all on active standby. In addition, the company runs a VPN/IPSec tunnel between its U.S. and U.K. offices. Gibbs says that the cost of running a tunnel "won't be cheaper than with Cisco."

The Motley Fool finds the 515 and 525 models both scalable and easy to use and manage, according to Gibbs. "It's easy to add another NIC into the box." He points out that the 525 model allows up to 225,000 concurrent connections, with the 515 allowing 150,000, making the PIX hardware cost-effective for The Motley Fool's security needs.

—I.S.

Distributed Firewalls
While RapidStream touts its VPN appliance for enterprise use, the distributed firewall is gaining in importance at Network-1 Security Solutions Inc. Over time, explains Kevin Gagnon, director of technology at Network-1, standard perimeter firewalls became insufficient to protect each user on a heavily trafficked, corporate network. Because Network-1's software is host-based, says Gagnon, it works in conjunction with the perimeter firewall to offer an additional layer of security for individual users. Chris Christensen, program director of the Internet Security Group at analyst group IDC, says this has made Network-1 a market leader in distributed, server-based firewall software.

Product Information

CyberwallPlus-SV (Server):
Prices start at $1,095
CyberwallPlus-WS (Workstation):
Prices start at $995 per 10-pack
Network-1 Security Solutions Inc.
Waltham, Mass.
(781) 522-3400
(800) 638-9751
www.network-1.com

The newest Network-1 product is CyberWallPLUS 7.0, which includes expanded support for Windows end user systems, wireless networks and data centers. It features Windows 98, 98SE and Me support, dial-up support, compatibility with wireless standard 802.11, network load balancing and cluster support, and teaming NIC support.

As with most current firewalls, there is a VPN component to Network-1's firewall product line, explains Christensen. But he adds that a centralized VPN solution can be as beneficial to an organization as a centralized firewall system. Because of the inherent differences between VPNs and firewalls, a centralized solution featuring both would provide an organization with the tightest possible security.

Jim Connelly is one user who discovered that distributed security solutions are the way to go. Connelly is the manager of network services for CorrectNet, an ISP/ASP that also develops custom Internet software and helps small businesses develop a Web presence without the need for programming skills. Because Connelly's firm performs security audits on a regular basis, it's critical that he provides a robust security configuration to his customers.

Connelly was introduced to Network-1 and its product line indirectly through a connection at the Exodus Data Center, where CorrectNet's hosting is actually located. Connelly downloaded a trial version of CyberWallPLUS and was pleased with the results. He says he found the software easy to install and manage.

Previously, CorrectNet had used a proprietary firewall implemented by the Exodus Data Center, but Connelly was looking for a more flexible, scalable solution with no single point of failure that CorrectNet could manage independently and less expensively.

With CyberWallPLUS each server has its own firewall in addition to the enterprise's greater firewall, ensuring that if one server's security is breached, it doesn't bring down the entire farm or network. Its built-in intrusion detection capability was another attractive feature for Connelly.

Integration Ahead
Firewall and VPN appliances, along with distributed network firewalls, have made leaps and bounds since network security's packet-filtering days.

The market appears to be leaning toward more integrated firewall/VPN appliances that are IPSec-compatible, in combination with distributed firewall software on individual workstations and intermediate-level, smaller-scale servers. Such an ideal configuration would cover all the bases—servers, workstations and the tunnels through which data is transferred. As IDC's Christensen says, network security is "a composite story—centralized management, VPNs and firewall technology"—in which "the sum of the parts is greater than the whole."
