
Application-aware firewalls

Enterprises are demanding more from firewalls, especially as network perimeters disappear, corporate traffic begins to include Web 2.0 and social media applications, and threats become more targeted. Many vendors tout their firewalls as next-generation products, but the definition varies greatly. This IT Checklist will outline the capabilities an application-aware firewall can and should have, and help you create a list of criteria to match the most appropriate firewall product to your security needs.

INSIDE: IT DECISIONS

The truth about application-aware firewalls
The challenges of application awareness
Application-aware firewall buying criteria
Questions to ask your vendor
Providers at a glance

APPLICATION-AWARE FIREWALLS
BY ANDREAS ANTONOPOULOS

SECURITY IS THE only IT discipline that is fundamentally based on an adversarial relationship. In the battle for control over IT resources, attackers have been gradually moving up the stack, from IP and TCP attacks to HTML, XML and application layer attacks. When the attackers move, we must also move our defenses up the stack. But the application layer is much richer than the network layer and therefore much more complex and difficult to secure. Essentially, the Internet protocol stack is an inverted pyramid: A huge number of applications sitting above a narrow set of common standards, including TCP/IP, UDP, HTTP and RTCP.

The term deep packet inspection (DPI) reflects the early stages of the movement up the protocol stack. Beyond DPI, today's security devices may tout application awareness, application fluency or next generation characteristics, all of which essentially mean the same thing: The ability to inspect, identify and analyze application traffic with increasing sophistication.

2 IT DECISIONS CHECKLIST
It is important to understand how application awareness differs from and augments basic identification of applications based on content inspection. The least application-aware firewall is one where there is some basic packet inspection to identify specific application headers or protocol signatures. At this level, the firewall glances into the TCP header, looking at port numbers and trying to deduce what is being carried within the payload. Like a child trying to guess the content of a Christmas present by examining the shape of the box, header inspection is highly inaccurate. Many firewalls are no more application-aware than that.

Going one step further, a more application-aware firewall might look into the TCP payload and identify specific application signatures, or even maintain some connection state (stateful inspection) trying to reconstruct application flows. Again, barely scratching the surface, this is like trying to guess a person's profession by the car they drive: only sometimes successful and often highly misleading.

The highest level of application awareness refers to the kind of insight into application behavior that allows the firewall to deconstruct and rebuild an application protocol, injecting control into the application's interactions. At more advanced levels of application awareness and fluency, the firewall can look into specific features or quirks exhibited by the application and selectively enhance, remove or control them.

THE CHALLENGES OF APPLICATION AWARENESS

Application awareness is hard. Unlike the TCP/IP layer, where a single standard has persisted more or less unchanged for three or more decades, the application space is vast and fast changing. Counting apps is probably a futile exercise, but just looking at mobile platforms, we see hundreds of thousands of applications running on multiple operating systems.

Driving this explosion of applications is the greatest IT trend in a decade: consumerization. The enterprise is no longer the incubator of innovation, trickling down new technologies to consumers. Rather, consumer technology far outpaces enterprise technology, and users bring innovation from home and inject it into corporate IT systems. Corporate IT often moves too slowly to suit consumer-trained cohorts of workers, driving users to seek out consumer technologies like social media and mobile devices to get the job done.

Security control over IT systems is diffused and fragmented, especially once we take user mobility, data center virtualization and use of cloud resources into consideration. The old castle-and-moat perimeter model has been turned inside out, with IT infrastructure systems moving outside the company and many of the threats that IT, or rather the enterprise, faces being introduced by user behavior behind the firewall. The insiders are inviting attacks into the network, inadvertently undermining the perimeter controls.

UNDERSTANDING APPLICATIONS

What exactly is an application? There is no exact definition, really. An application can range from huge complex meshes of service-oriented architecture (SOA) components replacing the monolithic systems of previous decades, such as an Enterprise Resource Planning (ERP) system, to a small app on a smartphone. Then, there are application platforms that look like one application but are in fact a collection of dozens or even hundreds of applications. The social media platform Facebook is one such example: It is found at one Web address but really is a platform that includes chat, messaging, games, media and many other capabilities.

A firewall's ability to discriminate between applications is critical not just for security, but also for business innovation and agility. Every chief security officer has to balance the risks inherent in accessing external applications with the business benefits they offer. For example, social media may expose a business to user-generated content that can contain malware, but it will also enhance collaboration, public relations and marketing. If the firewall is unable to discriminate between specific features or sub-applications, the security team will either have to allow the whole application or reject it completely. More likely, they will be forced to ban the application to protect the company. If, however, the security team can clearly define which aspect of the application they will allow and which they will deny, they can minimize the risk and say yes to more applications. They can say yes to Facebook status updates and messaging, but not to games or attachments. They can say yes to instant messaging but not to file transfer. Similarly, if the firewall cannot distinguish between users, security will have to make its choice for all users: Everyone gets access, or everyone doesn't.

So, application-aware firewalls give security teams the chance to safely introduce new technologies into the business. In other words, application awareness buys you business agility and competitive advantage. Security is no longer the department where innovation dies, if security can say yes selectively.
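The three levels of awareness described earlier (port lookup, payload signature, protocol reconstruction) and the per-feature, per-user policy this section argues for, as a toy model added here; it is not code from the original checklist or from any vendor. The Flow record, the signature rules, the Facebook host/path mapping and the directory groups are all constructed assumptions, and the Facebook traffic is treated as plaintext HTTP for simplicity.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes    # first client-to-server bytes (plaintext assumed for the toy)
    user_group: str   # assumed already resolved from a directory such as AD/LDAP

# Level 1: header inspection only. Port number -> assumed application.
PORT_MAP = {22: "ssh", 80: "http", 443: "https"}

def classify_by_port(flow: Flow) -> str:
    return PORT_MAP.get(flow.dst_port, "unknown")

# Level 2: payload signature, independent of the port.
def classify_by_signature(flow: Flow) -> str:
    first_line = flow.payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SSH-"):
        return "ssh"
    if b" HTTP/1." in first_line:
        return "http"
    return "unknown"

# Level 3: parse the request line and Host header to name the application and
# the feature inside it (host/path rules are constructed for this example).
def classify_app_feature(flow: Flow) -> tuple:
    proto = classify_by_signature(flow)
    if proto != "http":
        return proto, None
    head = flow.payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    path = head[0].split(b" ")[1].decode("ascii", "replace")
    host = ""
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
    if host == "facebook.com" or host.endswith(".facebook.com"):
        return "facebook", ("games" if path.startswith("/games/") else "messaging")
    return "http", None

# Policy on (app, feature, directory group), default deny; an app-only firewall has one answer for all.
POLICY = {
    ("facebook", "messaging", "marketing"): True,   # yes to messaging ...
    ("facebook", "games", "marketing"): False,      # ... but not to games
    ("http", None, "marketing"): True,
    ("ssh", None, "engineering"): True,
}

def decide(flow: Flow) -> bool:
    app, feature = classify_app_feature(flow)
    return POLICY.get((app, feature, flow.user_group), False)

SSH_ON_80 = Flow(80, b"SSH-2.0-OpenSSH_9.6\r\n", "engineering")  # constructed: SSH over port 80
FB_GAMES = Flow(80, b"GET /games/farm HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n", "marketing")
FB_MSG = Flow(80, b"GET /messages/ HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n", "marketing")
```

Port lookup labels the SSH flow "http" while the signature check sees "ssh"; only the third level can separate Facebook games from messaging and answer differently per directory group.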

BUYING CRITERIA

How do you know if a firewall is application-aware, and what criteria should you use to select such firewalls?

First, you have to ensure that the application awareness is detailed enough to support your needs:

• List the most commonly used or desired applications in your business and compare them to the firewall's supported applications. This of course requires communication with the end users and the business lines to find out what those applications are. You are already having those conversations, aren't you?

• Evaluate how many different features or application capabilities can be individually selected in a policy.

• Pick a specific brand-new application or application feature that is important to your business and see if it is supported. This will give you a hint as to whether the firewall vendor is keeping up with the latest developments.

• Ask about the vendor's application update frequency: new applications should be added frequently to keep up with a rapidly changing market. Watch for cloud-supported functionality, which might provide quicker response to new applications than a traditional signature file can.

• Pick an application that is not supported and find out how easy/difficult it is to create a custom signature or policy to identify and control it.

• Look for an online community where other companies using the firewall can help each other out, without the vendor as an intermediary.

Second, you have to be able to map your policies to specific users and groups:

• Make sure the firewall integrates with your chosen directory infrastructure (e.g., Active Directory and LDAP).

• Examine whether policies can be applied against multiple roles or groups as defined in your directory.

• Examine whether you can add per-user exceptions or user-specific policies.

• Ensure that the firewall logs user identity in the access and exception logs and uses standard syslog mechanisms so you can include the logs in your log management scheme.

• Don't forget the firewall's administration and operations: You should be able to control those on a per-role or per-user basis, too.

• Ask whether the firewall can consume policies or identities created by other systems, using standards such as the Extensible Access Control Markup Language (XACML) or Security Assertion Markup Language (SAML).

Finally, you will need to see if the firewall can support the network traffic your business generates:

• Evaluate the need for 1 gigabit or 10 gigabit Ethernet interfaces.

• Review independent testing for firewall performance at wire speed.

• Ensure the firewall is tested with a limited and complete set of policies, and compare the performance under different scenarios.

• If you cannot find high quality, independent testing, consider requesting a demo or trial to evaluate the firewall under real-world conditions.

QUESTIONS TO ASK YOUR VENDOR

• Please describe the architecture behind your application-aware firewall product.

• What are the performance ratings on your application-aware firewall product?

• What security functions, besides basic port and protocol identification, does your application-aware firewall product perform?

• What applications are supported by your application-aware firewall?

• How often do you update your supported applications?

• What is your plan for users integrating these products into their security infrastructure?

• How does your company define and accomplish application-aware firewall intelligence?

• How does your application-aware firewall product identify and classify different types of application traffic?

• Can your application-aware firewall product enforce varying policies on different types of application traffic? How?

• Can your application-aware firewall product enforce varying policies on specific features or content within an application? How?

• Does your application-aware firewall product incorporate user identity access and management? What directories does it interoperate with?

• Does your product integrate DLP (data loss prevention)?

• Does your product offer inspection of SSL traffic?

• How does your product distinguish itself as truly next-generation?

Compiled by Kara Gattine, Senior Managing Editor

COMPROMISE AND TRADEOFF

The ideal firewall performs at wire speed with thousands of application policies without missing a beat. Of course, it will be difficult if not impossible to satisfy all those requirements in a single device. Generally speaking, application awareness requires some computationally-intensive analysis of each packet. The more application policies you have defined, the more work the firewall has to do. More complex applications require more thorough analysis. Inevitably, you will have to make some compromises. Choosing the right application-aware firewall will depend on your business needs and a realistic assessment of your network traffic. Smaller branch offices will have different demands than a large campus or data center. You have to decide if you need broad application coverage or detailed fine-grained application awareness.

A MILE-DEEP, INCH-WIDE OR MILE-WIDE, INCH-DEEP

You may only care for deep inspection of application-specific threats to apply only to Web-hosted, browser-accessed applications such as those provided via Facebook. You may want all channels of the Internet to be under the microscope, but not at such a high magnification. This requires that you have that deep and searching conversation with the business and the users not just once but regularly and fairly frequently. This relates both to the level of application awareness you want to have at the institutional level (how many applications do you want the enterprise to have to care about?) and to the performance question: the more you want to pay attention to, the more processing power you need to have and the harder it gets to have wire-speed throughput at low to no latency.

LOCATION, LOCATION, LOCATION

You'll have to consider the difference between what you need to have in place to protect end users in a branch versus at headquarters, as well as the differences between user-focused protection and data center-focused protection. A firewall in the data center should be looking at XML and other protocols and content types with an eye toward protecting back-end systems from compromise: Your ERP system components will not be using Farmville, but they probably need to be protected from SOA-focused XML denial of service attacks.

A firewall in a branch office or campus would need just the opposite. You'll also have to consider the possibility of using network-based (aka cloud) firewalls, which shift the processing burden to someone else but take away none of the need to develop deep familiarity with what users have to and wish to use.

PROVIDERS AT A GLANCE

THE FOLLOWING IS a list of application-aware firewall providers.

Alcatel-Lucent
AppliCure
Astaro
Barracuda
Bee Ware
CA
Check Point Software
Cisco Systems
Citrix
eEye Digital Security
F5
Fortinet
Global DataGuard
Global Technology Associates, Inc.
HP
IBM
Imperva
Ingate
Juniper Networks
Layer 7 Technologies
McAfee
Netgear ProSecure
Network Box
NitroSecurity
Palo Alto Networks
SonicWall
Stonesoft
Trustwave
VMware
WatchGuard
WhiteHat Security
Zeus Technology

Compiled by Susan Fogarty, Editorial Director

PLATFORM CHOICES

Nowadays, firewalls and other security functions can be sourced in multiple different flavors:

On-premises vs. cloud. A cloud-based firewall will put the burden of management, updates and maintenance on a service provider but still allow you to maintain control over policy and reporting. This may be an especially attractive choice if you need to cover multiple distributed branch offices or remote users and cannot deploy appliances everywhere or do not have IT staff to manage the device.

Appliance or software. An appliance will provide a straightforward deployment option; you don't have to worry about sizing the hardware for your needs. A software solution, by comparison, will give you more flexibility but may require extra planning and testing or specialized hardware such as multicore, accelerated network cards and network processors.

Virtualized software firewall. A virtual firewall is a software firewall wrapped in a virtual machine, installed on a virtualized OS or in the hypervisor. A virtual firewall will give you the benefits of virtualization that you already enjoy on your virtualized servers. You will be able to scale out or scale up the hardware, move the virtual machine around and use business continuity or disaster recovery solutions for virtual infrastructures to recover your firewall in another data center.

CONCLUSIONS AND RECOMMENDATIONS

Corporate IT is facing enormous challenges with information security because of the rapid consumerization of IT and the incredible pace of innovation in the Web and application space. Fortunately, firewalls are also evolving rapidly, moving up the stack and becoming far more application aware. As you build a security strategy for your company, you should reconsider the requirement for firewalls and the role you expect the firewall to play in your network. With the right planning and roadmap you can drastically improve your security posture through the use of an application-aware firewall.

Andreas M. Antonopoulos is senior vice president and founding partner with Nemertes Research, where he develops and manages research projects, conducts strategic seminars and advises key clients.