Enough of firewalls – how about an intelligent firedoor?

Editor’s note: Starting Dec. 7, Network World’s Windows Networking Tips will be renamed Windows Networking Strategies and will be mailed once a week on Wednesdays. Dave Kearns will continue to bring you his take on the goings on in Redmond and analyze how Microsoft’s latest moves will affect your networking infrastructure. We hope you enjoy the new format.

Editor’s note: Starting Dec. 7, Network World’s Windows Networking Tips will be renamed Windows Networking Strategies and will be mailed once a week on Wednesdays. Dave Kearns will continue to bring you his take on the goings on in Redmond and analyze how Microsoft’s latest moves will affect your networking

infrastructure. We hope you enjoy the new format.

Last issue I talked about firewalls: what they were designed to do, what they currently do and why they might need some rethinking.

Firewalls in a building are designed to contain a conflagration. On a network, though, we’ve come to rely on firewalls to keep out incendiary “stuff” (spam, hackers, Trojans, viruses, etc.). Firewalls do this by monitoring the traffic to and from the network.

Ten or 15 years ago, this wasn’t a daunting problem. Most of the Internet traffic to and from the network was using a small number of protocols: SMTP, FTP, HTTP (or, previously, GOPHER) perhaps NNTP. There were only these three or four “open holes” in the firewall and they were easily monitored.

Today, traffic is hundreds of times heavier; there are many more protocols moving around and it sometimes appears that the fabric of the firewall has more holes than fabric.

Maybe it’s time to get back to what firewalls were originally intended to do – isolate an area under attack to minimize the damage that can be done. But rather than change the generally understood definition of a network firewall, I want to name this isolating instrument after the same type of device that building architects use: a fire door (or, in our usage, a “firedoor”). More particularly, I’d like this network service to emulate an “automatic fire door”: one that closes when it senses the conditions of a fire (heat, smoke, etc.).

Too many firewalls are simply passive devices: you configure them (at great length) and they do what you tell them to do, create voluminous logs, send you occasional alerts and chug along trying to keep up with the huge amount of traffic moving in and out of your network. Yes, many of them supposedly have the ability to close ports in response to defined actions, but I want more than that.

I want my “firedoor” to react to anomalous activity, activity that may be intended to harm the network or the organization, by creating an isolation area where all of the potentially malicious packets are quarantined. But quarantined by event – separate areas for each attempt to breach security. The firedoor would then respond to the potential threat by sending back apparently legitimate packets as expected. It would also alert security personnel and log actions (just as firewalls do) but would also begin the forensic process to trace the attack itself as well as its source.

This is not, I hasten to add, a replacement for the firewall but a separate service that only kicks into action when potential malicious activity is observed. Timely isolation keeps damage from occurring. Seemingly authentic responses keeps the attack from vectoring to some other port. Logging and alerting provide for timely responses by human authorities while immediate forensic traces and probes can lead to apprehension (and prosecution) of the perpetrators.

I’m not aware of any product that does all this now, but if there is one please tell me about it. Also, tell me if something like this is of interest to you. I’m sure that vendors (even Microsoft) would be willing to develop such a beast if there was enough interest.