How current WAN firewalls are flawed
The current generation of WAN firewalls doesn't address today's security issues
Wide Area Networking Alert
By Steve Taylor and Jim Metzler, Network World, 01/15/2008
WAN experts Steve Taylor and Jim Metzler analyze and share best practices on WAN issues from optimization to management.
Last time, we mentioned that the current generation of WAN firewalls has not advanced as rapidly as the security threats that the firewalls
are supposed to protect against. Today we'll examine that in greater detail and identify some of the key weaknesses in the
current generation of firewalls.
In the last newsletter, we pointed out that the current generation of WAN firewalls focuses on the packet header. One reason
for that is that the current generation of firewalls generally has limited processing capacity, because its architecture
is based on software running on an industry-standard CPU. While there certainly are advantages to using an industry-standard
CPU, its ability to perform intense processing is definitely not one of them.
To overcome these limitations, many of the current firewall vendors have souped up their products with the addition of some
limited forms of hardware assistance or acceleration. For example, some current-generation firewalls have been augmented with
intrusion detection and/or intrusion prevention functionality that uses Deep Packet Inspection (DPI) to screen suspicious-looking
traffic. However, the limitations in the processing power of current-generation firewalls prevent DPI from being applied
to more than a small minority of the packets traversing the device.
In addition, current generation firewalls make two fundamental assumptions, both of which are flawed. The first assumption
is that the information contained in the first packet in a connection is sufficient to identify the application and the functions
being performed by the application. In many cases, it takes a number of packets to make this identification because the application
end points can negotiate a change in port number or perform a range of functions over a single connection.
The second assumption concerns the use of well-known ports. In IP networks, TCP and UDP ports are endpoints to logical connections
and provide the multiplexing mechanism to allow multiple applications to share a single connection to the IP network. Port
numbers range from 0 to 65535. The ports that are numbered from 0 to 1023 are reserved for privileged system-level services
and are designated as well-known ports. Both TCP and UDP have well-known and registered port numbers. The typical current-generation
firewall makes the assumption that these port numbers are always used as specified. As we discussed in a previous newsletter, a growing number of applications, such as AOL's Instant Messenger, don't always use the well-known ports that were assigned
to them. Hence, while this assumption may have been valid 20 years ago, it is not valid today.
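To make the two flawed assumptions concrete, here is an added example (not code from the newsletter or from any firewall vendor) that contrasts a port-only classifier deciding from the first packet with a content-aware classifier that looks at several payloads and flags a port/protocol mismatch. The port table, the payload signatures and the sample flows are all constructed for illustration.

```python
import re

# Hypothetical port -> application table of the kind a header-only firewall relies on
WELL_KNOWN_PORTS = {80: "http", 443: "tls", 25: "smtp", 5190: "aim"}

# Hypothetical payload signatures; a real DPI engine carries far richer rule sets
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^(EHLO|HELO|MAIL FROM:)", re.I)),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header, handshake type
]


def classify_by_port(flow):
    """Port-only: decide from the first packet's destination port alone."""
    return WELL_KNOWN_PORTS.get(flow[0]["dport"], "unknown")


def classify_by_content(flow, max_packets=4):
    """Content-aware: inspect up to max_packets payloads for a known signature.
    The first packet often carries no payload, so one packet is rarely enough."""
    for pkt in flow[:max_packets]:
        for name, pattern in SIGNATURES:
            if pattern.match(pkt["payload"]):
                return name
    return "unknown"


def check_flow(flow):
    """Return (port_label, content_label, mismatch); a mismatch is what a
    defender would alert on, e.g. cleartext HTTP arriving on the TLS port."""
    by_port = classify_by_port(flow)
    by_content = classify_by_content(flow)
    mismatch = by_content != "unknown" and by_port != by_content
    return by_port, by_content, mismatch


# Constructed flows: each packet is its destination port plus payload bytes
CHAT_ON_443 = [  # client sends an empty first segment, then an HTTP request on 443
    {"dport": 443, "payload": b""},
    {"dport": 443, "payload": b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"},
]
TLS_ON_443 = [{"dport": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00"}]
HTTP_ON_8080 = [{"dport": 8080, "payload": b"GET / HTTP/1.0\r\n\r\n"}]

if __name__ == "__main__":
    for name, flow in [("chat", CHAT_ON_443), ("tls", TLS_ON_443), ("alt-http", HTTP_ON_8080)]:
        print(name, check_flow(flow))
```

Run as a script it prints the three labels per flow; the chat flow is labelled "tls" by port but "http" by content, and the content classifier only reaches that verdict when it is allowed to read past the first packet.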
Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.
Comments (1)
Firewalls
By Anonymous on May 12, 2009, 1:59 pm
Thanks to Steve and Jim for pointing out what I have been preaching for years. Firewalls are inadequate. To further degrade firewall protection, business 'necessities'...