Blessay: Firewalls are like noses: Everyone’s got one.

Firewalls are not special

My definition of a firewall is “a router that doesn’t work”. That is, it forwards packets, but unlike a router it does not work by default: it must be explicitly configured to ALLOW packets, and anything not allowed is dropped.

Of course, the key difference used to be that stateful inspection and application inspection were features only a firewall had, but now even IOS supports them; consider the Zone-Based Firewall in the IOS 12.4 release train.

Logically, every Network Engineer should have at least some skill with firewalls. Consider the following high-level diagram, which ignores the routers and switches in the network; it should be a reasonable abstraction for medium to large networks.


Data flows across a network are likely to cross at least one firewall, and possibly many, before the service flow is completed. Designers who are not aware of the impact of firewalls on the packet core are likely to make errors of judgement and create network problems.

Firewalls are not the only security tool

Firewalls are not the only security tool in a modern network; they are the most basic one. I believe that firewalls are mostly used to create a control point in the network between zones that have differing security requirements, and thus they are now part of the network core. Importantly, they must be part of HA design practice: network cores are typically designed to be high-performance and fault-tolerant, and adding firewalls interrupts, or even destroys, the HA nature of the network unless the firewalls are designed in with the same care.

Confused? Many people think that firewalls are all about security, but this is less true, and less relevant, than in years gone by. Firewalls are about creating a point of control in the data flow. The configuration of the firewall (the rule base) is a security issue, but the maintenance and upgrades of the device are part of IP Operations.

What is modern security then?

Where once the firewall was the pre-eminent tool in security practice, it is now merely the first layer; a simple locked door is a fair metaphor. Modern security practice consists of many other layers and services. Elements such as AAA, IPS, log collection and analysis, security threat mitigation, application inspection, scanning and penetration testing are just some of the standard technologies in a complete security landscape.

Firewalls are useful as a focus for network traffic. That is, the constriction that forces traffic through a firewall also makes it a good point for inspection, IPS, logging and so on.

VPN Concentrators, static or dynamic, are also key points for control and inspection. I don’t discuss them in this article.

Firewalls are routers that don’t work

If Security Designers are now looking at other tools to build security into the network, then firewalls can be considered part of the network core. A Design Engineer should have at least some knowledge of how firewalls work and be able to understand their functional requirements, at least in terms of redundancy, failover and stateful inspection.

Yes, Even IP Core / Telco networks

This is as true for IP Core design as it is for Enterprise. While Enterprise networks will use more firewalls, and more often, even a modern service provider backbone will have firewalls in various places. For example, a service provider will use firewalls to control and protect OAM (Operations and Management) or enhanced services, and it is these areas that are often highly visible to management’s ongoing search for profit.

What is the difference?

I think that the most significant conceptual difference is that IP packet cores are stateless, whereas firewall systems are stateful.

When packets are forwarded across a router, the packet header is read and the packet is routed; each packet is judged on its own. With a firewall, the packet is inspected and matched against the flow table, the connection state and the security policy, and only then routed. A flow permitted in one direction creates a state entry, so its return traffic is allowed without further configuration, and the firewall has to carry that state table with it through any failover. (Network Address Translation adds some complexity, but this can easily occur on both routers and firewalls; it is simply more commonly deployed on firewalls.)
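The stateless-versus-stateful distinction above, and the earlier point that firewalls can break a core’s HA design, are easier to see with a small model. The following is a constructed example added to this article, not code from the post or from any vendor: a router-style ACL that judges every packet alone, a stateful firewall that records permitted flows, and a failover that either does or does not carry the connection table across. The addresses, ports and rules are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """Permit src_net -> dst_net; a port of None means 'any'."""
    src_net: str
    dst_net: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def policy_permits(rules, p: Packet) -> bool:
    return any(r.matches(p) for r in rules)


class StatelessFilter:
    """A router ACL: every packet is judged on its own header alone, so
    return traffic needs its own explicit (and necessarily wide) rule."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, p: Packet) -> bool:
        return policy_permits(self.rules, p)


class StatefulFirewall:
    """Only the first packet of a flow is checked against policy; later
    packets in either direction are matched against the connection table.
    Like the article's 'router that doesn't work', it denies by default."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()  # (src, sport, dst, dport) of permitted flows

    def allow(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return True          # established flow, either direction
        if p.syn and policy_permits(self.rules, p):
            self.conns.add(fwd)  # new flow permitted by policy: record state
            return True
        return False             # denied by policy, or mid-stream with no state

    def failover(self, sync_state: bool) -> "StatefulFirewall":
        """Switch to a standby unit with the same policy. Without state sync
        the standby starts with an empty table and drops established flows."""
        standby = StatefulFirewall(self.rules)
        if sync_state:
            standby.conns = set(self.conns)
        return standby


def run_scenario() -> dict:
    """Push one HTTPS flow (inside -> outside) plus a forged packet through
    each design and report every verdict. Traffic is constructed sample data."""
    syn = Packet("10.1.1.10", 51000, "203.0.113.5", 443, syn=True)
    reply = Packet("203.0.113.5", 443, "10.1.1.10", 51000)
    data = Packet("10.1.1.10", 51000, "203.0.113.5", 443)
    # Outsider forging source port 443 to reach SSH on the inside host.
    forged = Packet("198.51.100.9", 443, "10.1.1.10", 22)

    out_rule = Rule("10.0.0.0/8", "0.0.0.0/0", dport=443)
    # The stateless filter can only key replies on the source port, so the
    # mirror rule it needs is much wider than the flow it is meant to admit.
    back_rule = Rule("0.0.0.0/0", "10.0.0.0/8", sport=443)

    acl = StatelessFilter([out_rule, back_rule])
    fw = StatefulFirewall([out_rule])
    return {
        "stateless": {"syn": acl.allow(syn), "reply": acl.allow(reply),
                      "forged": acl.allow(forged)},
        "stateful": {"reply_before_syn": fw.allow(reply), "syn": fw.allow(syn),
                     "reply": fw.allow(reply), "data": fw.allow(data),
                     "forged": fw.allow(forged)},
        # Mid-stream packet after failover: lost without sync, survives with it.
        "failover_without_sync": fw.failover(sync_state=False).allow(data),
        "failover_with_sync": fw.failover(sync_state=True).allow(data),
    }


if __name__ == "__main__":
    for design, verdicts in run_scenario().items():
        print(design, verdicts)
```

Two things fall out of running it. The ACL admits the forged packet to port 22 because its only handle on “return traffic” is the source port, while the stateful firewall refuses it for lack of a matching connection; and the same stateful table that buys that precision is what a failover without state synchronisation throws away, so every established flow through the pair is dropped mid-stream even though the standby has an identical policy. That second verdict is the HA cost the article is talking about.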

Security Principles need changing

In the past, security people were overly zealous in controlling traffic across a firewall, and I think that this led to the proliferation of firewalls. Why? To move traffic between zones so that the business could keep running, many more firewalls were deployed than were really necessary. Security processes need to be reconsidered to respect the overall business requirement.

But a more significant development is that firewall performance is reaching multi-gigabit levels. In the past, firewalls were restricted in both packets per second and connections (and the rate of connection setup) and could not be regarded as ‘core capable’. Today NetScreen and Cisco have released firewalls with multi-gigabit throughput (although total connection counts are still somewhat restricted) that can deliver acceptable performance in high-speed IP cores.

The original idea of protecting the “golden egg” by defending a security perimeter is no longer useful. Why? Consider HTTP. Originally, HTTP 1.0 was used to read data and had limited capabilities for posting data. The use of AJAX and semi-permanent HTTP connections that constantly pass data between two systems, including access to local and remote SQLite databases (as in Google Gears), means that permitting HTTP through a firewall may expose substantial risk. The risk gets worse once the connection is encrypted with SSL into HTTPS, because you may never be able to analyse the payload.

Firewalls need to be maintained by IP Operations NOT Security Operations

For many years, security practice has dictated that firewalls should be managed by a “special operational team” to ensure integrity. I believe that a separate Security Operations team is a liability in a modern network and should be merged into IP Operations.

Troubleshooting problems requires a focus on end-to-end connectivity. Watching issues bounce between IP Ops and Security Ops is a frustrating exercise.

Security Operations needs to move into a new phase

If Security Operations is no longer about firewall ownership, what should they be doing? My answer:

  • Audit – firewall configuration and integrity, device security (switches and routers), internal and external scanning
  • AAA maintenance and improvement
  • IDS – (no need to have a separate team for IDS if firewalls are managed by IP Operations)
  • Process and procedural oversight – reviewing and selectively auditing firewall changes, developing secure procedures and guidelines for firewall rule implementation
  • Security Threat Mitigation tools – keeping CS-MARS tuned and working
  • Responding to security incidents and assisting in security investigations together with Network Design
  • and so on

As you can see, I propose that Security Operations should expand its role into more interesting and more effective security technologies. Its role remains as vital and important as before, but takes on a new and proactive dimension.

The experience and skills that exist in a security team will allow it to move into these new areas without a great deal of training; the team should already have most of these skills (although they might not be widely spread throughout the team).

Security Design

At this time, I believe that Security Design is no different from any other design. That is, the Network Design team should deliver security as part of its day-to-day functions. Most likely, certain team members will have a specific focus on security for product and technical knowledge, and the rest of the team will refer to them for specific aspects of Security Design as needed.

But separating Security Design from Network Design is sure to cause miscommunication and disconnection. Most likely, the security and network engineers will engage in chest-beating exercises and not work effectively together.

Do I make sense?

So the purpose of this article is to ask whether you think this is a good idea. Is moving Firewall Operations into Network Operations a good or bad idea? Am I missing some area or consideration?

  • Charlie Allom

    Isn’t this what most sane people do already?

    I haven’t seen a security team in years – but I don’t work in banks :)

    • Greg Ferro

      I think that financial institutions are a special or exceptional case; while significant, the security processes and posture that apply to banking are very different from the other eighty percent of the world. I think that many people forget this.

  • Steve B

    I work in Network Operations at a very large IT services company and firewalls are 100% separate from Network Operations.

    We have had wildly different experiences with different firewall teams. That has caused outages due to lack of communication. However due to good personal relationships between teams the majority of incidents that involve Operations and Firewalls go smoothly. If that was not the case it would be different though.

  • akonkol

    I hate the answer “it depends,” but….

    Proxy and application-aware firewalls would not be easily maintained by most people in the network operations / IP operations team.

    Although proxy firewalls cater to your idea of transcending IP in terms of security, they are often a lot more expensive.

    I agree that the trend is moving away from perimeter, and focusing on the inside of the network.

    As for myself, both security and networking teams where I work have merged together.

  • Chris Campbell

    If you want true security you need separation of duty. Most of the companies that I have been into in the last couple of years that have a specific security team have a good link between that team and networks. If issues bouncing between teams is a problem then you would be better off looking at improving the communication process rather than merging the teams.

  • Sunny

    Hi Greg Ferro!
    Let me appreciate your work and thoughts (especially the way you relate networks to real life, e.g. Painter vs Artist, Nose in this case). The way you put light on topics makes them come alive and I can see everything happening in front of my eyes.

    Yes, I do strongly agree that firewalls should be more widely accepted under IP Operations, for the following reasons in my opinion:
    i. As organizations and enterprises are focusing on HA, it would reduce downtime (having them under the same team)
    ii. Being an integral part of network security, organizations are expecting much more than just designing and deploying firewalls from Security Teams
    iii. AEP Networks, Advanced RemoteProxy, Advanced Gateway Security, including event analysis, correlation and device provisioning, things like that really need to be focused on by the Security Team.

    keep it up Greg

    The Best Bunny

  • the_ios_inqusition

    I love the IOS Zone-Based Firewall feature set. A huge deployment snag, though, is its inability to queue and process TCP out-of-order packets, and its lack of stateful failover features. With classical IOS firewalls (CBAC), both are available for configuration. I’ve found that ZBFWs are great to configure at the edge of branch and remote sites. But at the focal point of a large datacenter, I’m still forced to use CBAC. The primary reason is that dropping TCP flows that contain out-of-order packets on large amounts of aggregated traffic has a noticeable impact on throughput and application performance. I would love to use ZBFW in these situations (while CBAC is fine, it suffers from many limitations that are resolved in ZBFW). I’m bringing this up here because I believe that if enough of us would open feature requests through our Cisco account teams, Cisco would actually fast-track development of these features. Thanks, and I’m wide open to suggestions.

    • Greg Ferro

      I expect that stateful failover for ZBFW will arrive this year since CBAC is now deprecated.

      Out-of-order packet support is now included in IOS 15:

      “Out-of-Order Packet Processing Support in Zone-Based Firewall Application

      Out-of-Order (OoO) packet processing support for Common Classification Engine (CCE) firewall application and CCE adoptions of Intrusion Prevention System (IPS) allows for packets that arrive out of order to be copied and reassembled in the correct order. This enhancement reduces the need to retransmit dropped packets and reduces the bandwidth needed for transmission on a network. To configure OoO support use the parameter-map type ooo global command.”

      • the_ios_inquisition

        Thanks so much for pointing this out. I remember reading through all of the 15.0 docs when it was released, but apparently I must have skimmed right past this.

        Thanks again.