Advertisement
Promo

Security management Toolkit

Evolving firewalls

Del Smith CCNA, CCA, MCSE

Published: 13 Aug 2002 12:52 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Second-generation firewalls: Proxy services
The next generation of firewalls attempted to increase the level of security between trusted and untrusted networks. Known as application proxy or gateway firewalls, this approach to protection is significantly different from packet filters and stateful packet inspection. An application gateway firewall uses software to intercept connections for each Internet protocol and to perform security inspection. It involves what is commonly known as proxy services. The proxy acts as an interface between the user on the internal trusted network and the Internet. Each computer communicates with the other by passing all network traffic through the proxy program. The proxy program evaluates data sent from the client and decides which to pass on and which to drop. Communications between the client and server occur as though the proxy weren't there, with the proxy acting like the client when talking with the server, and like the server when talking with the client. This is analogous to a language translator who is the one actually directing and sending the communication on behalf of the individuals.

Many information security experts believe proxy firewalls offer the highest degree of security because the firewall does not let endpoints communicate directly with one another. Thus, a vulnerability in a protocol that could slip by a packet filter or stateful packet inspection firewall could be caught by the proxy program. In addition, the proxy firewall can offer the best logging and reporting of activities.

Of course, this security solution is far from perfect. For one thing, to utilise the proxy firewall, a protocol must have a proxy associated with it. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall and potentially dropped. Also, there is usually a performance penalty for using such a firewall due to the additional processing for application-level protocols.

Firewalls evolved: The third generation
The newest generation of firewalls may be defined as state-of-the-art perimeter security integrated within major network components. These systems alert administrators in real time about suspicious activity that may be occurring on their systems. Although it's a lot to swallow, this new generation of firewall has evolved to meet the major requirements demanded by corporate networks of increased security while minimising the impact on network performance. The requirements of the third generation of firewalls will be even more demanding due to the growing support for VPNs, wireless communication, and enhanced virus protection. The most difficult element of this evolution is maintaining the firewall's simplicity (and hence its maintainability and security) without compromising flexibility.

The most recent category of firewalls attempting to meet this demand performs what has been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to known bit patterns of friendly packets before deciding whether to pass the traffic. Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first glimpse of this new definition of a firewall. Among the products that use this new technology are Check Point's FireWall-1, Elron Software's Internet Manager, and SonicWall's line of access security products.

Final word
Whatever generation of firewall you currently use or are considering, the most important thing is to match the product with the specific security requirements of your organisation. You don't want to pay for more than you need or end up with less protection than your organisation demands. You may find it helpful to take a look at the list of ICSA-certified firewalls in your evaluation process.

Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
110 out of 187 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security management


Company/Topic Alerts

Create a new alert from the list below:








Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Official Organizations Losing Data

How does this article from earlier today make you feel? How many more government, health service, or military officials are going to lose pen drives, DVDs, USB hard disks and even entire... More

1 comment

Twitter hack was DNS redirect

Twitter has said an attack on Thursday which took the site offline for many users was the result of a DNS redirect. A group calling itself the Iranian Cyber Army redirected users... More

1 comment

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Win a Teufel Cinebar 50 system

Win a Teufel Cinebar 50 system

What is ZDNet UK's usual tagline?

Competition closes - 14 Jan 2010


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters