This industry white paper takes the mystery out of the key differences in the main classes of firewall architectures. It was independently written by Marcus J. Ranum, a world-renowned expert on security system design and implementation. It includes fundamental lessons about building application layer firewalls, technical examples, and concludes with predictions about the future of firewall technology.
White Paper
Dude! You Say I Need an Application Layer Firewall?! Authored by Marcus Ranum
Table of ContentsIntroduction..................................................................................................................... 2The Premise of a Firewall.................................................................................................. 2Proxy Firewalls: Some History........................................................................................... 3N etwork Layer Firewalls.................................................................................................... 5L ooking OK...................................................................................................................... 5E nter IPS........................................................................................................................... 6S o Why Isn't It Working?................................................................................................... 7Some Predictions.............................................................................................................. 8Summary.......................................................................................................................... 9
About the Author:Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology, and the implementor of the first commercial firewall product. Since late the 1980's, he has designed a number of groundbreaking security products include the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving Sponsored by: as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and the ISSA Lifetime Achievement Award. Marcus is Chief Of Security for Tenable Security, Inc., where he is responsible for research in open source logging tools, and product training. He serves as a technology advisor to a number of start-ups, established concerns, and venture capitol groups.IntroductionInternet firewalls have been a popular tool for security practitioners since the early 1990's. Today, they are considered a mandatory component of any industry or government network. Unfortunately, many consumers of these fundamental networking tools buy and rely on them without understanding that there can be dramatic differences between firewalls that are manufactured by competing security practitioners and their unique engineering teams. Firewall products that are brought to market based www.securecomputing.com on significantly different technical design philosophies and different go-to-market strategies quite naturally introduce consumer trade-offs that should be weighed when making buying decisions. Certain firewall design trade-offs, for example, favor security over convenience, and certain firewall go-to-market strategies favor platform performance over security.As a result of robust global market competition in the firewall space, and the growing demand for ever-improving perimeter security, software and appliance products sold as firewalls have evolved into a collection of products falling along a broad spectrum of features, benefits and, in some cases, pitfalls to take note of. From the author's point of view, there is a clear and easily observable divide in firewall types available for purchase today when they are sorted into two simple categories based upon the manufacturer's security design objectives. There are firewall product designs ranging from highly conservative and security-focused architectures, to designs that are highly appealing to the broad market because they offer good security "theater" in the look, feel, and marketing story but under the surface offer only simple security controls. Not all firewalls are created equal.on purpose.In this paper, we will describe the evolution of firewalls from the standpoint of the controls that they apply on data, and we will explain why the currently accepted "state-of-the-art" firewall really represents a step backwards in most cases for securing perimeters. T... [download for more]
