Security Hardware Maturing from Firewalls to NICs

• 08/16/2000

Networking vendors are starting to take notice. Many -- including bigwigs Cisco Systems Inc. (www.cisco.com), 3Com Corp. (www.3com.com), and Cabletron Systems spin-off Enterasys Networks (www.enterasys.com) -- have beefed up the array of security offerings in their respective product offerings. In addition, newcomers like firewall appliance specialist WatchGuard Technologies Inc. (www.watchguard.com) and denial-of-service attack rebuffer Top Layer Networks Inc. (www.toplayer.com) are delivering best-of-breed solutions to help address this critical business need.

One of the most popular and successful hardware and security integration success stories is the firewall appliance -- a hardware-based firewall that is frequently packaged as a turnkey solution.

According to market research firm IDC (www.idc.com), revenue from firewall appliances could rise to $1.4 billion by 2003.

Many IT managers in large environments don’t have the time to keep on top of the latest firewall- and operating system-specific security problems. These customers are potential candidates for the firewall appliance, says Bill Smeltzer, vice president at systems integrator URS Information Systems (www.ursinfo.com ).

"A firewall that runs on a known operating system -- whether that be Windows NT, Solaris, or Linux -- has its own set of problems," he explains. "There’s a huge advantage to buying the network appliance for these organizations because the operating systems present so much more complexity in terms of closing up their own security holes, not to mention those of the firewall."

It’s the complexity of it all that's creating an opportunity for the firewall-as-network appliance, says Vincent Salas, director of product marketing at firewall appliance vendor WatchGuard Technologies.

"We have to confront the reality that the number of people in the marketplace with network competency is really constrained right now, and it’s even worse when you think about people with Internet security expertise," Salas observes. He notes that most software-only firewall solutions require IT managers to be experts not only in operating system administration, but also in security hardening.

"Hardware-only-based solutions can be a lot easier to configure, manage, and monitor. You minimize the need to have a high degree of knowledge in order to use a hardware-based solution, because it’s almost turnkey," he says.

WatchGuard distributes a series of firewall appliances for small- and medium-sized businesses, for enterprises, and for educational environments.

One of the arguments against using a firewall appliance is the contention that software-based firewalls typically offer an endless number of configuration options and are more apt to support the latest-and-greatest in network security capabilities.

But far from lacking the features and functionality of their more well-known software brethren, firewall appliances are typically on the cutting edge of network security. Among other newfangled security features, WatchGuard’s firewall solutions, for instance, feature support for stateful packet filtering. This technology only allows packets destined for an active connection to pass through the firewall. WatchGuard’s firewall appliances also provide the ability to open up ports for protocols such as FTP, which may require short-lived connections to transfer a file.

WatchGuard isn’t the only vendor making moves in the firewall appliance space. Cisco -- the number one appliance firewall provider in market share according to IDC -- announced in early July the release of its Internetwork Operating System (IOS), complete with integrated firewall features.

According to Cisco officials, the company’s new IOS Firewall -- slated to run on Cisco 1700, 2600, 3600, and 7200 series routers -- features 59 embedded attack signatures grafted from Cisco’s NetRanger intrusion detection system onto the IOS software. At the time, Cisco also announced several additional security-related products, including a firewall appliance -- dubbed PIX 515 -- and a tool for policy-based management -- the Cisco Security Manager -- and a beefed up virtual private network (VPN) client for remote access.

A Layer 7 switch manufacturer, Top Layer Networks, is also building in denial-of-service attack protection. In early May, Top Layer announced a new ASIC-Integrated Security Suite for its AppSwitch family of Layer 7 switches that introduced the ability to selectively detect and filter out malicious network traffic -- such as Syn flood and ICMP echo attacks -- by means of embedded DoS attack signatures.

On the client side of the picture, the new generation of security-enabled hardware devices begins with the network interface card (NIC).

In late March, 3Com unveiled the 3CR990. The product features a RISC processor and a dedicated application-specific integrated circuit (ASIC) that could be used to offload both networking- and encryption-related processing from the operating system to the NIC hardware itself.

Tom Hayes, vice president of marketing at 3Com, says his company’s 3CR990 NICs show that the industry is stepping up its efforts to make enterprise LAN environments -- traditionally overlooked in the rush to protect internal networks from external attacks -- more secure.

"Security is very important when you talk about accessing the corporate infrastructure through the use of firewalls and VPNs. Increasingly it’s being incorporated into the LAN for critical confidential information that’s shared on internal information systems, also," Hayes says.

According to Dick Bussiere, a network security architect at Enterasys, the pending IEEE specification 802.1x would bring client-side authentication procedures similar to those typically used for VPN and for RAS dial-in services to the internal corporate LAN. At present, Enterasys and other vendors have incorporated prestandard versions of the 802.1x specification into their higher-level network devices, including switches and routers.

Malicious users, at present, are more or less free to exploit open ports on a corporate LAN. Most switches can let IT administrators map specific ports to the MAC addresses of specific clients -- theoretically making it impossible for unauthorized users to gain network access. But these features are sometimes difficult to administer and even harder to set up.

IEEE 802.1x defines a specification forcing a user to authenticate before gaining access to the LAN.

"802.1x says that if users are authenticated on the outside, they should be authenticated on the inside, too, so they just can’t plug their computers in and see stuff," Bussiere explains. "We have numerous pieces of this in our switching and routing devices already. We’re taking a very proactive stance toward the implementation of 802.1x."

URS Information’s Smeltzer says technologies such as autoencrypting NICs and 802.1x are used now in security-minded environments such as government installations, but are ahead of the perceived requirements for most of his enterprise customers. "I think they’re a little early, but in the next two to three years they’re going to become more commonplace."