Hot firewalls finding new niches
New products, innovative features are keeping more networks safe from intruders.
Five years ago, all firewall products looked pretty much the same - a combination of packet filtering and TCP proxies running on a Unix system. We predicted then that the firewall market would shake out. Too many vendors and too little differentiation, we observed. We were half right.
In fact, the number of players has grown, although the names of the players have changed. Our interactive Buyer's Guide contains product specifications for 52 products from 33 vendors. Meanwhile, vendors have worked hard to differentiate themselves and their products by aiming at every conceivable niche. As a result, vendors have made it easier to manage firewalls while improving security where it's needed most: in Web services and e-mail. Five main trends have driven this change and continue to shape the direction of the firewall market:
- Firewall appliances are finding their place in branch-office environments.
- Configuration continues to get easier and more error-proof.
- E-mail and Web-browsing functions dominate Internet traffic.
- New virus and content-scanning features are showing up in firewall feature sets.
- Vendors are building in defensive maneuvers to protect against denial-of-service attacks.
Vendors cater to less-sophisticated shops
Firewall watchers like to describe the deployment of firewall products across the network in terms of waves: First were the very early adopters who used Digital's (now Compaq) commercial product and Trusted Information Systems' (now Network Associates) free firewall tool kit. Then came the first wave of commercial firewalls from vendors such as IBM, Raptor (now Axent Technologies) and Check Point Software. During these times, most buyers were network security experts.

As the security-savvy companies filled their firewall orders, the next wave came from large organizations that needed a firewall but didn't necessarily have the expertise to understand the subtle differences between products. Check Point's Firewall-1 began to dominate the market at this stage for one major reason: It had an extremely easy-to-use graphical user interface for configuration. A network manager who knew next to nothing about security could whip out a configuration in no time and feel confident that there were no loose ends.

The fourth wave of firewall purchases is being dominated by companies that want to get on the Internet but have only the most cursory knowledge of network security. At many of these sites, the corporate security policy is little more than "keep the bad guys out." To satisfy the needs of these sites, firewall vendors are going to elaborate lengths to simplify and bullet-proof their configuration utilities.

The growth of the NT firewall market is evidence of this trend. Windows NT provides an easy-to-install and easy-to-manage base. While NT-based firewalls generally lag behind Unix-based firewalls in performance, the simplicity and easy availability of the NT platform is driving heavy sales of NT-based firewalls. At the same time, critical applications that have been difficult to properly implement with a firewall in place, such as DNS, are getting much more attention from vendors intent on simplifying operation.

Streamlining Internet traffic
Although the basic infrastructure of the Internet supports dozens of applications and data-access models, this diversity is not exploited like it used to be. For example, five years ago, it was critical that a firewall properly handle Telnet, Gopher and Wide-Area Information Servers (WAIS). Now most companies don't have any such services, or if they do, they don't need them for Internet connectivity. Instead, most companies see their Internet connection largely as a conduit for e-mail, Web browsing and the occasional multimedia application. Difficult-to-firewall applications of yesteryear, such as the X Window System and Sun's Network File System, have dropped off the radar screens of network executives.

In their place, firewalls now have better support for Web browsing, including built-in Web caches and the ability to handle HTTP over Secure Sockets Layer. Proxies for applications such as NNTP and FTP remain in most products, although only the older firewalls pay serious attention to them; new firewall proxies generally have few or no features for controlling how these protocols are used.

Application developers have supported this trend. For example, early versions of Progressive Networks' proprietary but widely used RealAudio protocol were notoriously difficult to secure with a firewall; newer versions have been developed with security and firewalls in mind. Web browsers, the now-dominant interactive Internet application, come with built-in support for firewall proxies. This makes add-ons such as NEC's SOCKS protocol, a common component of early network firewalls, unnecessary.

Active filtering
The simplification and streamlining of Internet traffic has had a second side effect: Network executives are now focusing on more things they want to do with Web traffic before it enters their networks. Firewall developers are responding to this interest by building in much more powerful Web proxies. For example, most firewalls have built-in virus and content scanning, or have hooks that let you attach virus- and content-scanning software. Virus scanners have been popular for years. Content scanners are gaining in popularity as pressure to monitor and control employee access to the Internet grows. Content scanners can not only look for and delete Java, JavaScript and ActiveX components, but can also block connections to inappropriate sites. Many firewalls today include support for filtering products, such as The Learning Company's Cyber Patrol, and links to third-party filtering services that maintain categorized lists of objectionable Internet sites. Firewalls are also adding time-of-day restrictions to their Web proxies, so that recreational surfing can be permitted only after hours, along with logging and reporting on surfing activity.

While firewalls have done a good job keeping the bad guys out, the vulnerabilities built into the TCP/IP protocol suite have opened up the Internet to denial-of-service attacks. In a denial-of-service attack, the attacker tries to saturate the corporate Internet connection or crash the systems that link to it so the Internet is unavailable for corporate use. As more businesses depend on Internet access for day-to-day operations, denial-of-service attacks are having a greater impact. The firewall marketplace has responded in turn. While no firewall can prevent all denial-of-service attacks, firewall vendors have worked hard to build in as much resistance to denial-of-service attacks as they can. Defenses against the simpler attacks, such as TCP sequence number prediction and IP source-address spoofing, have been part of the firewall toolbox for years.
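The Web-proxy controls described above (stripping Java, JavaScript and ActiveX from pages, blocking sites by category, time-of-day rules and per-request logging), as an added example. This is illustrative code written for this page, not the article's or any vendor's product code; the category table standing in for a third-party filtering service, the working-hours schedule and the sample page are all constructed for the example.

```python
"""Toy Web-proxy content policy (added example, not from the article)."""
import re
from datetime import datetime, time

# Constructed stand-in for a third-party filtering service's category list.
SITE_CATEGORIES = {
    "games.example.net": "games",
    "bets.example.net": "gambling",
    "news.example.com": "news",
    "supplier.example.org": "business",
}
ALWAYS_BLOCKED = {"gambling"}          # assumed policy: never reachable
OFF_HOURS_ONLY = {"games"}             # assumed policy: allowed after hours
WORK_START, WORK_END = time(9, 0), time(17, 0)   # assumed working day

# Active content the proxy removes: <applet> and <object> carry Java and
# ActiveX, <script> carries JavaScript, and on*= attributes carry inline
# JavaScript handlers. A toy matcher: it also strips attributes like
# "online=" and does not understand HTML comments or CDATA.
ACTIVE_TAG_RE = re.compile(
    r"<(applet|object|script)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)
EVENT_ATTR_RE = re.compile(
    r"""\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def strip_active_content(html: str) -> str:
    """Return the page with Java/ActiveX/JavaScript elements removed."""
    html = ACTIVE_TAG_RE.sub("", html)
    return EVENT_ATTR_RE.sub("", html)


def decide(host: str, when: datetime, log: list) -> str:
    """Apply the category and time-of-day policy; append one log line."""
    category = SITE_CATEGORIES.get(host, "uncategorized")
    working_hours = WORK_START <= when.time() < WORK_END
    if category in ALWAYS_BLOCKED:
        verdict = "BLOCK"
    elif category in OFF_HOURS_ONLY and working_hours:
        verdict = "BLOCK"
    else:
        verdict = "ALLOW"
    log.append(f"{when.isoformat()} {host} {category} {verdict}")
    return verdict


def proxy(host: str, when: datetime, html: str, log: list) -> tuple:
    """What the browser receives: (verdict, filtered body or empty string)."""
    verdict = decide(host, when, log)
    body = strip_active_content(html) if verdict == "ALLOW" else ""
    return verdict, body


# Constructed sample page containing each kind of active content.
SAMPLE_PAGE = (
    "<html><body><h1>Hello</h1>"
    "<script>alert(1)</script>"
    "<applet code='Evil.class'></applet>"
    "<object classid='clsid:0000'>x</object>"
    "<a href='/x' onclick='steal()'>link</a></body></html>"
)

if __name__ == "__main__":
    log = []
    for host, when in [("news.example.com", datetime(1999, 7, 19, 10, 30)),
                       ("games.example.net", datetime(1999, 7, 19, 10, 30)),
                       ("games.example.net", datetime(1999, 7, 19, 19, 0))]:
        verdict, body = proxy(host, when, SAMPLE_PAGE, log)
        print(verdict, host, body)
    print("\n".join(log))
```

The regex stripping is the weak point, as it was in the products of the day: anything the matcher does not recognize (script inside HTML comments, unusual tag spellings, content delivered over SSL that the proxy cannot see) passes through untouched, which is why a site-category block is the more reliable of the two controls.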
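Two of the denial-of-service defenses this section refers to, ingress filtering against IP source-address spoofing and a cap on half-open TCP connections (the usual firewall answer to a SYN flood), as an added example run over a constructed packet trace. This is illustrative code written for this page, not the article's or any vendor's firewall code; the inside address block, interface names, threshold and trace are assumptions made for the example.

```python
"""Toy packet filter: anti-spoofing plus half-open connection limiting
(added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")    # assumed inside address block
HALF_OPEN_LIMIT = 3                           # toy threshold; real ones are far larger
SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01   # TCP flag bits


@dataclass
class Packet:
    iface: str      # "ext" (Internet side) or "int" (inside)
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


class Filter:
    def __init__(self):
        # dst address -> set of (src, sport) that sent a SYN but no final ACK yet
        self.half_open = defaultdict(set)
        self.alerts = []

    def spoofed(self, p: Packet) -> bool:
        """Ingress/egress filtering: a packet arriving from the Internet must
        not claim an inside source, and one from inside must not claim an
        outside source."""
        src_inside = ip_address(p.src) in INTERNAL_NET
        return src_inside if p.iface == "ext" else not src_inside

    def process(self, p: Packet) -> str:
        if self.spoofed(p):
            self.alerts.append(f"spoofed source {p.src} on {p.iface}")
            return "DROP"
        pending = self.half_open[p.dst]
        client = (p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:
            # New connection attempt. Refuse it once too many handshakes to
            # this destination are left incomplete, which is exactly what a
            # burst of SYNs from forged or unreachable sources produces.
            if len(pending) >= HALF_OPEN_LIMIT:
                self.alerts.append(f"possible SYN flood against {p.dst}")
                return "DROP"
            pending.add(client)
        elif p.flags & (ACK | RST | FIN):
            # Handshake completed or torn down: no longer half-open.
            pending.discard(client)
        return "ACCEPT"


def run(packets):
    """Filter a trace; return the per-packet verdicts and the alerts raised."""
    f = Filter()
    return [f.process(p) for p in packets], f.alerts


def constructed_trace():
    """Constructed trace: one legitimate handshake, one Internet-side packet
    with a forged inside address, then a burst of SYNs that never complete."""
    trace = [
        Packet("ext", "203.0.113.5", "192.0.2.10", 40001, 80, SYN),
        Packet("ext", "203.0.113.5", "192.0.2.10", 40001, 80, ACK),
        Packet("ext", "192.0.2.7", "192.0.2.10", 40002, 80, SYN),
    ]
    for i in range(HALF_OPEN_LIMIT + 1):
        trace.append(Packet("ext", f"198.51.100.{i + 1}", "192.0.2.10",
                            50000 + i, 25, SYN))
    return trace


if __name__ == "__main__":
    verdicts, alerts = run(constructed_trace())
    for p, v in zip(constructed_trace(), verdicts):
        print(v, p.src, "->", p.dst, p.dport)
    print("\n".join(alerts))
```

The half-open table here never ages entries out, so a real implementation must add a timeout (or, as several products did, complete the handshake on the server's behalf and only then open the connection inward); without that, a slow trickle of unanswered SYNs blocks the destination just as effectively as a flood.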
More complex denial-of-service attacks, such as SYN flooding, which fills a server's table of half-open TCP connections so that Web and mail services can no longer accept new connections, call for more sophisticated detection and avoidance schemes, which vendors are racing to deploy. Many times, this means that firewall vendors are just one step ahead of the attack community. It also means that firewall vendors are releasing new versions more often - and are expecting their customers to install them. Frequent updates reinforce the need for products that can be configured and upgraded by those with little security training.

The next generation
Today, evaluating which firewall is right no longer means having to evaluate a dozen different look-alike products. Vendors have tailored their products to meet very specific needs. By properly identifying your required features, it's easy to narrow the field of potential products.

While simplified products address the needs of smaller nets, more advanced firewall products are concentrating on specific areas, such as Web proxy services, and neglecting areas that are not mainstream enough to create customer interest. This is not opening a security gap but is creating a functionality gap. Some features are available only on the older and more mature firewalls. But these older firewalls carry a larger code base and have not been as swift in adding and supporting new functions. This can leave firewall shoppers stuck deciding between two products: a product with new features and an easy configuration interface, or a feature-rich product that is more difficult to configure and does not have the latest bells and whistles.

Although the presence of market leaders such as Check Point and Axent poses a formidable challenge to new entrants, there appear to be plenty of vendors eager to get in the game. The markets that the leaders have ignored, such as small businesses, along with the continued explosive growth of the Internet, will keep firewalls a mobile and active business.

Joel Snyder is an internationally known expert in the area of telecommunications and networks and a member of the Network World Test Alliance. Reach him at jms@opus1.com.

RELATED LINKS
Review: Firewalls
Raptor Firewall 6.0 takes top honors in our testing. Network World, 7/19/99.
Interactive buyer's guide
Detailed specs on 52 models. Find the one that meets your criteria or compare two or more models on different specs.
Issues and trends
Where the firewall market is headed and what to look for. Network World, 7/19/99.
Firewall RFP
Sample firewall RFP and vendor responses.
