Last time, we mentioned that the current generation of WAN firewalls has not advanced as rapidly as the security threats that the firewalls are supposed to protect against. Today we'll examine that in greater detail and identify some of the key weaknesses in the current generation of firewalls.
In the last newsletter, we pointed out that the current generation of WAN firewalls focuses on the packet header. One reason for that is that the current generation of firewalls generally has limited processing capacity, because it is implemented as software running on an industry-standard CPU. While there are certainly advantages to using an industry-standard CPU, the ability to perform processing-intensive work at line rate is not one of them.
To overcome these limitations, many of the current firewall vendors have souped up their products with some limited forms of hardware assistance or acceleration. For example, some current-generation firewalls have been augmented with intrusion detection and/or intrusion prevention functionality that uses Deep Packet Inspection (DPI) to screen suspicious-looking traffic. However, the limited processing power of current-generation firewalls prevents DPI from being applied to more than a small minority of the packets traversing the device, so the bulk of the traffic is still judged on header fields alone.
In addition, current-generation firewalls make two fundamental assumptions, both of which are flawed. The first assumption is that the information contained in the first packet of a connection is sufficient to identify the application and the functions being performed by the application. In many cases it takes a number of packets to make this identification: a TCP connection opens with a three-way handshake that carries no application data at all, and once data does flow the application end points can negotiate a change in port number or perform a range of functions over a single connection.
The second assumption concerns the use of well-known ports. In IP networks, TCP and UDP ports are the end points of logical connections and provide the multiplexing mechanism that allows multiple applications to share a single connection to the IP network. Port numbers range from 0 to 65535. The ports numbered from 0 to 1023 are reserved for system-level services (on most operating systems, binding to them requires administrative privilege) and are designated as well-known ports. Both TCP and UDP have well-known and registered port numbers. The typical current-generation firewall assumes that these port numbers are always used as specified. Nothing in TCP or UDP enforces that mapping, however: a server can listen on any port, a client can connect to any port, and an application that wants to get through a firewall can simply use port 80 or 443. As we discussed in a previous newsletter, a growing number of applications such as AOL Instant Messenger (AIM) don't always use the well-known ports that were assigned to them. Hence, while this assumption may have been valid 20 years ago, it is not valid today.
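The following Python is an added illustration of both flawed assumptions, not code from the newsletter or from any firewall vendor. It builds three constructed TCP flows (HTTP carried on port 8443, an AIM/OSCAR session carried on port 80, and an FTP control session that negotiates a passive-mode data port) and runs two toy classifiers over them: one that reads only the first packet's destination port, as the firewalls described above do, and one that inspects payloads until the application reveals itself. The payload signatures (TLS record header 0x16 0x03, HTTP method tokens, the 0x2A FLAP marker used by AIM's OSCAR protocol, three-digit FTP reply codes) are simplified assumptions for the example; a production classifier needs far more of them.

```python
import re

# Constructed sample traffic (not captured from a real network).
# A packet is (direction, destination port, payload); "c>s" is client to server.
def tcp_flow(dport, exchange):
    """Prefix the payload exchange with the three-way handshake, which
    carries no application data and so can identify nothing."""
    handshake = [("c>s", dport, b""), ("s>c", dport, b""), ("c>s", dport, b"")]
    return handshake + [(direction, dport, payload) for direction, payload in exchange]

HTTP_ON_8443 = tcp_flow(8443, [
    ("c>s", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("s>c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])
# Assumed OSCAR FLAP frame: 0x2A marker, channel 1, sequence, length, payload.
AIM_ON_80 = tcp_flow(80, [
    ("c>s", b"*\x01\x00\x00\x00\x04\x00\x00\x00\x01"),
])
FTP_PASV = tcp_flow(21, [
    ("s>c", b"220 FTP server ready\r\n"),
    ("c>s", b"USER anonymous\r\n"),
    ("s>c", b"331 Please specify the password\r\n"),
    ("c>s", b"PASS guest\r\n"),
    ("s>c", b"230 Login successful\r\n"),
    ("c>s", b"PASV\r\n"),
    ("s>c", b"227 Entering Passive Mode (192,168,1,5,195,80)\r\n"),
])

# Assumption 2: the well-known port tells you the application.
WELL_KNOWN = {21: "ftp", 80: "http", 443: "https", 5190: "aim"}

def classify_by_port(flow):
    """Assumption 1 and 2 together: decide from the first packet's port."""
    return WELL_KNOWN.get(flow[0][1], "unknown")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FTP_REPLY = re.compile(rb"^\d{3}[ -]")

def identify_payload(payload):
    """Minimal application signatures; returns None if nothing matches."""
    if payload[:2] == b"\x16\x03":           # TLS record: handshake, version 3.x
        return "tls"
    if payload.startswith(HTTP_METHODS):      # HTTP request line
        return "http"
    if payload[:1] == b"*":                   # OSCAR FLAP frame marker 0x2A
        return "aim"
    if FTP_REPLY.match(payload):              # FTP reply code, e.g. "220 "
        return "ftp"
    return None

def classify_by_payload(flow):
    """Inspect packets in order until one identifies the application.
    Returns (application, number of packets that had to be examined)."""
    for examined, (_, _, payload) in enumerate(flow, 1):
        if not payload:                       # handshake segments carry no data
            continue
        app = identify_payload(payload)
        if app:
            return app, examined
    return "unknown", len(flow)

PASV_REPLY = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def ftp_pasv_data_port(flow):
    """Follow the FTP control channel and return the data port negotiated
    by a 227 reply (p1 * 256 + p2), or None if no PASV reply is seen.
    A firewall that stops looking after the first packet never learns it."""
    for direction, _, payload in flow:
        if direction != "s>c":
            continue
        m = PASV_REPLY.match(payload)
        if m:
            return int(m.group(5)) * 256 + int(m.group(6))
    return None

if __name__ == "__main__":
    for name, flow in (("HTTP on 8443", HTTP_ON_8443), ("AIM on 80", AIM_ON_80),
                       ("FTP with PASV", FTP_PASV)):
        print(name, "| by port:", classify_by_port(flow),
              "| by payload:", classify_by_payload(flow))
    print("FTP data port negotiated mid-connection:", ftp_pasv_data_port(FTP_PASV))
```

Running it shows the port-based classifier calling the AIM session "http" and the HTTP session "unknown", while the payload-based classifier needs four packets (three handshake segments plus the first data segment) before it can name either one, and the FTP data port (195 * 256 + 80 = 50000) only becomes known on the tenth packet of the control connection.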