
Firewalls charred by network complexity

Experts discussing the future of firewalls at the recent Burton Group Catalyst Conference 2003 say that the complexity in networks and applications desperately needs to be addressed.

SAN FRANCISCO -- In a panel discussion on the future of the firewall at the Burton Group Catalyst Conference 2003, experts agreed that one of the most pressing issues facing firewalls today and in the future is finding ways to address growing complexity in networks and applications.

Firewalls have changed roles many times since their inception because of a number of factors: ease of manageability, growing concerns about connectivity with the Internet, and now the threats that arise from application-layer security breaches, said Fred Cohen, a principal analyst with the Midvale, Utah-based research firm sponsoring the event.

In the past, firewalls filled roles as device-level filters and were used to centralize the movement of traffic in and out of the network. Later, they were used to segment the network. Now they are beginning to go back to their roots, appearing in routers and switches and even in network interface cards (NICs).

Part of the reason for this historical shift is that firewalls were never a perfect solution. "We're better with them than without them, but they are just one of many tools in the toolbox," Cohen said.

But with firewalls migrating into diverse parts of the network, management has become a significant problem. Vendors need to create centralized means of writing rules for distributed firewalls, Cohen said.

Another problem with firewalls is that they are largely black boxes. One cannot analyze the rules in the firewall and ascertain whether new rules will cause conflicts. For example, most people don't even know whether their firewall examines non-IP packets, Cohen said.
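The rule-conflict problem Cohen describes can be made concrete. The following is an added example, not code from the article or from any vendor quoted in it: a small Python check that, under a deliberately simplified rule model (first-match-wins ordering; rules keyed on protocol, source and destination CIDR, and a destination port range), flags any rule that can never fire because an earlier rule already covers every packet it would match. The rule set, the field names and the RFC 5737 documentation addresses are all constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, first-match-wins model (an assumption of this example)."""
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    ports: tuple     # inclusive (low, high) destination port range


def _subnet(inner: str, outer: str) -> bool:
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not (_subnet(inner.src, outer.src) and _subnet(inner.dst, outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: list) -> list:
    """Report rules that can never fire because an earlier rule fully covers them.

    Returns (rule, kind, earlier_rule) triples: "conflict" when the earlier rule
    takes the opposite action (the later rule is shadowed and its intent is lost),
    "redundant" when the actions agree (harmless, but clutter that hides intent).
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "conflict" if earlier.action != rule.action else "redundant"
                findings.append((rule.name, kind, earlier.name))
                break   # the first covering rule is the one that actually decides
    return findings


# Constructed sample policy (not from the article); RFC 5737 documentation addresses.
SAMPLE_RULES = [
    Rule("allow-web",       "allow", "tcp", "10.0.0.0/8",   "192.0.2.10/32", (80, 80)),
    Rule("deny-guest-web",  "deny",  "tcp", "10.20.0.0/16", "192.0.2.10/32", (80, 80)),
    Rule("allow-dns",       "allow", "udp", "10.0.0.0/8",   "192.0.2.53/32", (53, 53)),
    Rule("allow-dns-dup",   "allow", "udp", "10.1.0.0/16",  "192.0.2.53/32", (53, 53)),
    Rule("allow-admin-ssh", "allow", "tcp", "10.0.5.0/24",  "192.0.2.0/24",  (22, 22)),
    Rule("deny-all",        "deny",  "any", "0.0.0.0/0",    "0.0.0.0/0",     (0, 65535)),
]

if __name__ == "__main__":
    for rule, kind, earlier in analyze(SAMPLE_RULES):
        print(f"{kind}: '{rule}' never fires, fully covered by earlier rule '{earlier}'")
```

Run against the sample policy, the check reports that `deny-guest-web` is shadowed by the broader `allow-web` above it (a real conflict: the guest block is silently ineffective) and that `allow-dns-dup` merely repeats `allow-dns`. The check only catches full coverage by a single earlier rule; partial overlaps and coverage by the union of several earlier rules are the harder cases that make real rule analysis non-trivial, which is the point Cohen is making.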

Vendors are coming at these problems from many different angles. Brian Allain, president of Morganville, N.J.-based Ranch Networks Inc., said that his company has combined multiple features in its firewalls, including the ability to load balance and the application of multiple policies. He said that it is easier to apply multiple policies to a packet once it is broken open rather than to repeat that process multiple times with many boxes.

But Paul DeBernandi, director of product marketing for the San Jose, Calif.-based security company Secure Computing Corp., said that conducting so many functions in a single box has to either limit the speed or limit the functionality of the device. He recommended scaling with multiple boxes to facilitate faster throughput.

Other vendors are putting firewall capability in routers and even in network interface cards, which creates a management headache. Now security professionals need to create policies for firewalls in hundreds if not thousands of devices. That will require better centralized management capabilities, Cohen said.

Because of growing security vulnerabilities in everything from applications and operating systems to content, the role of the firewall is likely to increase rather than decrease, Cohen said. There are no standards or even agreed-upon approaches to how the firewall will evolve. Right now, it is the IT manager's job to make sense of the mess and determine which approach works best for him, Cohen said.


1 comment


Ha, I thought this was a new piece but it's not - and it doesn't matter. Enterprises *still* struggle with this! If you're not using a tool such as AlgoSec Firewall Analyzer or Firemon to manage your firewalls, you're overlooking a GRAND opportunity to tame this beast.