Firewalls are not special
My definition of a firewall is “a router that doesn’t work”. That is, it forwards packets, but unlike a router it doesn’t work by default: it must be configured to ALLOW packets.
Of course, the key difference is that stateful inspection and application inspection are newer concepts, but now even IOS supports these features – consider the Zone Based Firewall in the IOS 12.4 release train.
Logically, every Network Engineer should have at least some skill in firewalls. The following high level diagram, which ignores the routers and switches in the network, should be a reasonable abstraction for medium to large networks.
Data flows across a network are likely to cross at least one firewall, and possibly many, before the service flow is completed. Designers who are not aware of the impact of firewalls on the packet core are likely to make errors of judgement and create network problems.
Firewalls are not the only security tool
Firewalls are not the only security tool in a modern network; they are the least of the security tools. I believe that firewalls are mostly used to create a control point in the network between zones that have differing security requirements, and thus are now part of the network core. Importantly, they are a vital part of HA design practice. Network cores are typically designed to be high performance and fault tolerant, and when you add firewalls they interrupt, or even destroy, the HA nature of the network.
Confused? Many people think that firewalls are all about security, but this is less true, and less relevant, than in years gone by. Firewalls are about creating a point of control in data flow. The configuration of the firewall is a security issue, but the maintenance and upgrades are a part of IP Operations.
What is modern security then?
Where once a firewall was the pre-eminent tool in Security Practice, it is now merely the first layer – a simple locked door is a fair metaphor. Modern security practice consists of many other layers and services. Elements such as AAA, IPS Systems, Log collection and analysis, Security Threat Mitigation, Application inspection, Scanning and Penetration Testing are just some of the standard technologies for a complete security landscape.
Firewalls are useful as a focus for network traffic. That is, the constriction that forces traffic through a firewall also makes a good point for inspection, IPS, logging and so on.
VPN Concentrators, static or dynamic, are also key points for control and inspection. I don’t discuss them in this article.
Firewalls are routers that don’t work
If Security Designers are now looking at other tools to build security into the network, then firewalls can be considered part of the network core. A Design Engineer should have at least some knowledge of how firewalls work and be able to understand their functional requirements – at least in terms of redundancy, failover and stateful inspection.
Yes, Even IP Core / Telco networks
This is also true for IP Core design, as it is for Enterprise. While Enterprise networks will use more firewalls and more often, even a modern service provider backbone will have firewalls in various places. For example, a service provider will use firewalls to control and protect OAM (Operations and Management) or enhanced services; it is these areas that are often highly visible to management’s ongoing search for profit.
What is the difference
I think that the most significant conceptual difference is that IP Packet Cores are stateless, whereas firewall systems are stateful.
When packets are forwarded across a router, the packet header is read and the packet is routed. With a firewall, the packet is inspected, matched against the flow table, connection state and security policy, and then routed. A flow permitted in one direction can return without further configuration. (Network Address Translation adds some complexity, but it can be performed on both routers and firewalls; it is simply more commonly deployed on firewalls.)
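The stateless-versus-stateful contrast above, worked through as an added example (this is not code from the original article and describes no real product): a minimal router model that forwards anything it has a route for, beside a firewall model that inherits the same routing but is default deny, permits new flows only by rule, and lets the return half of a permitted flow through on state alone. The prefixes, addresses, ports and the single allow rule are constructed sample data; the flow table ignores TCP handshake tracking and timeouts, which real firewalls implement.

```python
"""Added example (not from the original article): a stateless router versus a
stateful, default-deny firewall. All addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Stateless forwarding: longest-prefix match on the destination, no flow memory."""

    def __init__(self, routes):
        # routes: list of (prefix, egress interface); constructed sample table
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def forward(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if dst in net]
        # Longest prefix wins; None means no route, i.e. the packet is dropped.
        return max(matches)[1] if matches else None


class StatefulFirewall(Router):
    """A router that 'doesn't work' until configured: default deny plus a flow table."""

    def __init__(self, routes, allow_rules):
        super().__init__(routes)
        # allow_rules: list of (src prefix, dst prefix, destination port) that may OPEN a flow
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), port)
                      for s, d, port in allow_rules]
        self.flows = set()  # 4-tuples of flows already permitted (the 'state')

    def _rule_permits(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in s and dst in d and pkt.dport == port
                   for s, d, port in self.rules)

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            # State match: return traffic needs no rule of its own.
            return super().forward(pkt)
        if self._rule_permits(pkt):
            self.flows.add(key)  # new flow: remember it, then route like a router
            return super().forward(pkt)
        return None  # default deny: no state, no rule, no forwarding


# Constructed sample configuration: one inside prefix, default route outside,
# and a single rule letting inside hosts open HTTPS to anywhere.
ROUTES = [("10.0.0.0/8", "inside"), ("0.0.0.0/0", "outside")]
RULES = [("10.0.0.0/8", "0.0.0.0/0", 443)]


def demo():
    """Run three constructed packets through both devices; returns {name: (router, firewall)}."""
    router = Router(ROUTES)
    fw = StatefulFirewall(ROUTES, RULES)
    packets = [
        ("outbound", Packet("10.0.0.5", 40000, "203.0.113.10", 443)),   # opens a flow
        ("reply", Packet("203.0.113.10", 443, "10.0.0.5", 40000)),      # return half
        ("unsolicited", Packet("203.0.113.10", 12345, "10.0.0.5", 22)),  # no flow, no rule
    ]
    return {name: (router.forward(pkt), fw.forward(pkt)) for name, pkt in packets}


if __name__ == "__main__":
    for name, (via_router, via_fw) in demo().items():
        print(f"{name:12s} router -> {via_router!s:8s} firewall -> {via_fw}")
```

The router forwards all three packets because it has a route for each destination; the firewall forwards the outbound packet by rule, forwards the reply purely because the flow table remembers the outbound packet, and drops the unsolicited inbound packet. The same model also shows why the article treats firewalls as an HA concern: a second, freshly built `StatefulFirewall` that receives only the reply drops it, since it holds no flow entry, which is the behaviour a failover without state synchronisation produces.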
Security Principles need changing
In the past, Security people were overly zealous in controlling traffic across a firewall, and I think that this led to the proliferation of firewalls. Why? To move traffic between zones so that the business could survive, many more firewalls were deployed than were really necessary. Security processes need to be reconsidered to respect the overall business requirement.
But a more significant development is that firewall performance is reaching multi-gigabit levels. In the past, firewalls were restricted in both packets per second and connections (and the rate of connection setup) and could not be regarded as ‘core capable’. Today we see that NetScreen and Cisco have released firewalls that have multi-gigabit performance (although total connection counts are still somewhat restricted) and can have acceptable performance for high speed IP Cores.
The original idea of protecting the “Golden Egg” by protecting the security perimeter is no longer useful. Why? Consider the HTTP protocol. Originally, HTTP 1.0 was able to read data and had limited capabilities for posting data. The use of AJAX and semi-permanent HTTP connections that constantly pass data between two systems, including access to local and remote SQLite databases (such as Google Gears), means that permitting HTTP through a firewall may expose a substantial risk. And the risk gets worse once this is encrypted using SSL into an HTTPS connection, as you may never be able to analyse the payload.
Firewalls need to be maintained by IP Operations NOT Security Operations
For many years, Security Practice has dictated that firewalls should be managed by a “special operational team” to ensure integrity. I believe that Security Operations is a liability in a modern network and should be joined into IP Operations.
Troubleshooting problems requires a focus on end-to-end connectivity. Watching issues bounce between IP Ops and Security Ops is a frustrating exercise.
Security Operations needs to move into a new phase
If Security Operations is no longer about firewall ownership, what should they be doing? My answer:
- Audit – Firewall configuration and integrity, devices security (switches and routers), internal and external scanning
- AAA maintenance and improvement
- IDS – (no need to have a separate team for IDS if Firewalls are managed by IP Operations)
- Process and Procedural Oversight – reviewing and selectively auditing firewall changes, developing secure procedures and guidelines for firewall rule implementation.
- Security Threat Mitigation tools – keeping CS-MARS tuned and working
- Responding to Security Incidents and assisting in Security Investigations with Network Design.
- etc.
As you can see, I propose that Security Operations should expand their role into more interesting and more effective security technologies. Their role remains as vital and important as before, but takes on a new and proactive dimension.
The experience and skills that exist in a security team will allow them to move into these new areas without a great deal of training; they should already have most of these skills (although they might not be widely spread throughout the team).
At this time, I believe that Security Design is no different from any other design. That is, the Network Design team should deliver security as part of its day to day functions. Most likely, certain team members will have a specific focus on security for product and technical knowledge, and the rest of the team may well refer to them for specific aspects of Security Design as needed.
But separating Security Design from Network Design is sure to cause communication problems and disconnection. Most likely, the Security and Network engineers will have chest beating exercises and not work effectively together.
Do I make sense?
So the purpose of this article is to ask you whether you think this is a good idea. Is the idea of moving Firewall Operation into Network Operation a good or bad idea? Am I missing some area or consideration?