IT Security: The Evolution of Firewalls

Network security is a critical concern for enterprises, government agencies and organizations of all sizes — and thus, helping them to solve these problems should be a critical concern for you.

Today’s advanced threats demand a methodical approach to network security. In many industries, enhanced security is not just an option — it is a requirement. Federal regulations such as Sarbanes-Oxley, HIPAA, GLBA, and others require organizations, including financial institutions, health care providers and federal agencies, to implement stringent security programs to protect digital assets.

The devices used to protect the network have multiplied, and choosing among them has become increasingly confusing. With such high stakes, it is imperative that security integrators are fully aware of the technologies available to them to help mitigate the risk for these important clients and markets. Perhaps the most common and effective network security technology is the firewall — the backbone for most network security deployments. Firewalls have evolved over time to adapt to the changing risks, vulnerabilities and needs of end-users.

Here’s a look at how firewalls have evolved, along with complementary firewall technologies that can be deployed for specific risk mitigation.


The Beginnings

The purpose of the original firewalls was to ensure that only the connections that were actually required were allowed into the enterprise network, which typically meant the services offered to the public: e-mail, Web, FTP, DNS and a few others. Firewalls were also used to limit the types of services that internal computers could reach outside the enterprise, which also limited, to a degree, the ability of malware on those computers to contact external servers.

These traditional “stateful inspection firewalls” are no longer sufficient on their own, because of two significant limitations. First, they decide by addresses, ports and connection state alone and never inspect the data payload of network packets. Second, more and more network traffic, including legitimate business applications, now rides on Web protocols, so a port-based rule that allows “Web” allows everything that travels over ports 80 and 443; traditional firewalls lack the fine-grained intelligence to distinguish one kind of Web traffic from another and enforce business policies between them.
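Both points are easiest to see in code. The following is an added example written for this article, not code from any vendor or product: a toy stateful inspection firewall in Python with a default-deny inbound rule set for the public services named above, an outbound port allow list, and a connection table that admits the reply traffic of connections a rule let through. The DMZ and workstation addresses, the attacker address and the "beacon" payload are all constructed for the demonstration. Watch the last case: a non-TLS payload sent to port 443 is accepted, because the filter only ever looks at the 5-tuple.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str        # "in" = Internet -> enterprise, "out" = enterprise -> Internet
    syn: bool = False     # TCP SYN, i.e. the first packet of a new connection
    payload: bytes = b""  # never examined by this class; that is the point


# Public services the enterprise exposes (hypothetical DMZ addresses).
INBOUND_ALLOWED = {
    ("203.0.113.10", 25),   # SMTP
    ("203.0.113.20", 80),   # HTTP
    ("203.0.113.20", 443),  # HTTPS
    ("203.0.113.30", 21),   # FTP
    ("203.0.113.40", 53),   # DNS
}
# Services internal hosts may reach on the Internet.
OUTBOUND_ALLOWED_PORTS = {53, 80, 443}


class StatefulFirewall:
    def __init__(self):
        self.conns = set()    # 5-tuples of connections that were admitted by a rule

    def filter(self, p):
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # Packets of an existing connection (either direction) pass without a rule.
        if fwd in self.conns or rev in self.conns:
            return "ACCEPT"
        # Anything else must open a connection (SYN) that an explicit rule allows.
        if not p.syn:
            return "DROP"
        if p.direction == "in" and (p.dst_ip, p.dst_port) in INBOUND_ALLOWED:
            self.conns.add(fwd)
            return "ACCEPT"
        if p.direction == "out" and p.dst_port in OUTBOUND_ALLOWED_PORTS:
            self.conns.add(fwd)
            return "ACCEPT"
        return "DROP"


def demo():
    """Run constructed packets through the filter; returns case name -> decision."""
    fw = StatefulFirewall()
    r = {}
    # Internet client opens a connection to the DMZ web server.
    r["web_in"] = fw.filter(Packet("198.51.100.7", 40000, "203.0.113.20", 80, "in", syn=True))
    # The server's reply: no rule for it, accepted from the connection table.
    r["web_reply"] = fw.filter(Packet("203.0.113.20", 80, "198.51.100.7", 40000, "out"))
    # ACK without a prior SYN (classic ACK scan): not in the table, dropped.
    r["ack_scan"] = fw.filter(Packet("198.51.100.7", 40002, "203.0.113.20", 80, "in"))
    # Unsolicited connection to an internal workstation's RDP port.
    r["rdp_in"] = fw.filter(Packet("198.51.100.7", 40001, "10.0.0.15", 3389, "in", syn=True))
    # Internal host contacting a C2 server on an unusual port: blocked by the egress rule.
    r["c2_4444"] = fw.filter(Packet("10.0.0.15", 50000, "198.51.100.99", 4444, "out", syn=True))
    # Same host, same server, port 443, but the payload is not TLS at all.
    # The stateful filter sees only the 5-tuple and lets it through.
    r["c2_443"] = fw.filter(Packet("10.0.0.15", 50001, "198.51.100.99", 443, "out", syn=True,
                                   payload=b"BEACON host=ws15 sleep=60"))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:10} {decision}")
```

The connection table is what makes the filter "stateful": the web server's reply needs no rule of its own, and a bare ACK that matches no tracked connection is dropped even though it targets an allowed port. Nothing in the code reads `payload`, which is why the beacon on port 443 passes.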


Enter the Next Generation

Over time, vendors have integrated new approaches with the old to come up with a true “all-in-one” device, the “next-generation firewall.” These devices attempt to address the traffic inspection and application awareness drawbacks of the old firewalls without hampering performance.

The most significant difference between the next-gen devices and traditional firewalls is that they use a variety of techniques to identify applications, including Web apps. Thus, instead of allowing all traffic coming in via typical Web ports, next-gen firewalls can distinguish between specific applications and then apply policies based on business rules.

Next-gen firewalls also use deep packet inspection techniques to examine traffic for anomalies and known malware. Newer features, such as data leakage prevention (DLP), can further help organizations protect themselves from within. Even trusted employees sometimes send sensitive data into untrusted zones, whether intentionally or by accident. Next-gen firewalls combat this by combining pattern matching on the traffic content (for example, the formats of account and identification numbers) with user identity, so that they can detect and prevent unauthorized communication of sensitive information and files through the network perimeter. One practical caveat: encrypted (HTTPS) traffic can only be inspected this way if the firewall is configured to decrypt it, which carries its own privacy and performance trade-offs.
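As an added example for the two preceding paragraphs (written for this article, not taken from any vendor's product), here is how application identification and a DLP check layer on top of port-based rules, in Python. The application signatures (a Host-header match for a hypothetical file-sharing site, plus the first bytes of the SSH, TLS and BitTorrent handshakes), the user-to-group mapping standing in for a directory lookup, the "hr-payroll" exception and the sample requests are all constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str        # identity resolved from the directory (mapping constructed below)
    dst_port: int    # kept to show that the port plays no part in the decision
    payload: bytes   # first bytes the client sent on the connection


# Stand-in for an Active Directory / LDAP group lookup (constructed).
USER_GROUPS = {"alice": "finance", "bob": "engineering", "payroll-svc": "hr-payroll"}

HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n(.*?)\r\n\r\n(.*)", re.S)


def identify_app(flow):
    """Name the application from the payload bytes; the destination port is ignored."""
    p = flow.payload
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p.startswith(b"\x16\x03"):              # TLS record: handshake type, version 3.x
        return "tls"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    m = HTTP_REQ.match(p)
    if m:
        host = re.search(rb"host: ([^\r\n]+)", m.group(2).lower())
        # Hypothetical signature for one web app, keyed on its Host header.
        if host and host.group(1).strip().endswith(b"files.example-share.net"):
            return "example-share"
        return "web-browsing"
    return "unknown"


# Content patterns for DLP. A 16-digit number only counts as a card number if it
# passes the Luhn check, which weeds out most order numbers and similar look-alikes.
SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
PAN = re.compile(rb"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body):
    hits = []
    if SSN.search(body):
        hits.append("ssn")
    for m in PAN.finditer(body):
        if luhn_ok(re.sub(rb"[ -]", b"", m.group(0)).decode()):
            hits.append("pan")
            break
    return hits


# Business policy by application, not by port; anything not listed is denied.
APP_POLICY = {"web-browsing": "allow", "tls": "allow"}


def enforce(flow):
    """Return (decision, application, reason)."""
    app = identify_app(flow)
    if APP_POLICY.get(app, "deny") != "allow":
        return ("deny", app, f"application '{app}' is not permitted outbound")
    if app == "web-browsing":
        # Caveat: TLS bodies can only be checked like this after the firewall decrypts
        # them; this example examines clear-text HTTP only.
        hits = find_sensitive(HTTP_REQ.match(flow.payload).group(3))
        if hits and USER_GROUPS.get(flow.user) != "hr-payroll":
            return ("deny", app, f"DLP: {','.join(hits)} sent by '{flow.user}'")
    return ("allow", app, "")


def demo():
    """Constructed flows; returns case name -> (decision, application, reason)."""
    www = b"Host: www.example.com\r\n\r\n"
    cases = {
        "web": Flow("bob", 80, b"GET /index.html HTTP/1.1\r\n" + www),
        # SSH handshake on 443 to slip past a port rule: caught by the app signature.
        "ssh_on_443": Flow("bob", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        "share": Flow("alice", 80, b"POST /upload HTTP/1.1\r\nHost: files.example-share.net\r\n\r\nhello"),
        "pan_leak": Flow("alice", 80, b"POST /form HTTP/1.1\r\n" + www + b"card=4111 1111 1111 1111"),
        "order_id": Flow("alice", 80, b"POST /form HTTP/1.1\r\n" + www + b"order=1234 5678 9012 3456"),
        "payroll": Flow("payroll-svc", 80, b"POST /w2 HTTP/1.1\r\nHost: payroll.example.com\r\n\r\nssn=123-45-6789"),
    }
    return {name: enforce(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The SSH-on-443 case is the one a port-based rule cannot catch, and the "order_id" case shows why the Luhn check matters for a DLP rule: without it every 16-digit number in a web form would be blocked.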


Intrusion Detection and Prevention

Intrusion detection systems (IDS) passively monitor a copy of network traffic, typically from a mirror port or network tap, looking for malicious patterns, such as repeated attempts to log on to an account or server. When these devices notice a pattern, they send alerts to administrators and, in some deployments, push rule changes to the firewall to restrict access; on their own they do not block anything.

Intrusion prevention systems (IPS) sit inline with the traffic and work in conjunction with next-generation firewalls to identify and stop suspicious traffic. Because an inline device that blocks on a false positive disrupts legitimate business traffic, IPS are complex, and are designed and tuned to minimize false positives. IPS vendors include SourceFire, Palo Alto Networks and Tipping Point.
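An added example for the IDS and IPS paragraphs above, written for this article rather than taken from any of the vendors named: a small Python monitor that runs the "repeated log-on attempts" pattern over constructed sshd log lines. It alerts (IDS behaviour) once a source reaches five failures inside a sliding 60-second window, and only blocks inline (IPS behaviour) at ten failures, never for allowlisted sources such as an internal vulnerability scanner; a successful login right after a burst of failures also raises an alert. The thresholds, window, addresses and log lines are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime


# Constructed sshd/syslog lines (not real logs). Sources: a brute-forcer, an
# allowlisted vulnerability scanner, a user who mistypes twice, an account that is
# taken over after six failures, and a slow attacker who stays under the window.
def _line(mm, ss, outcome, user, src):
    return (f"Mar 10 08:{mm:02d}:{ss:02d} bastion sshd[4021]: {outcome} password for "
            f"{user} from {src} port {40000 + ss} ssh2")


SAMPLE_LOG = (
    [_line(0, s, "Failed", "invalid user admin", "198.51.100.23") for s in range(1, 13)]
    + [_line(0, s, "Failed", "root", "203.0.113.50") for s in range(20, 30)]
    + [_line(0, 40, "Failed", "alice", "192.0.2.77"), _line(0, 41, "Failed", "alice", "192.0.2.77"),
       _line(0, 42, "Accepted", "alice", "192.0.2.77")]
    + [_line(0, s, "Failed", "bob", "192.0.2.200") for s in range(50, 56)]
    + [_line(0, 56, "Accepted", "bob", "192.0.2.200")]
    + [_line(m, 30, "Failed", "root", "198.51.100.9") for m in (1, 3, 5, 7, 9)]
)

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse(line):
    """Return (epoch_seconds, outcome, user, src_ip), or None for lines not handled."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S").timestamp()
    return ts, m.group(2), m.group(3), m.group(4)


class BruteForceMonitor:
    """Alert on repeated failures (IDS); block inline only at a higher count and never
    for allowlisted sources (IPS), so a false positive does not become an outage."""

    def __init__(self, window=60, alert_after=5, block_after=10, allowlist=()):
        self.window, self.alert_after, self.block_after = window, alert_after, block_after
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.alerts, self.blocked, self.dropped = [], set(), 0

    def feed(self, line):
        """Process one log line; return the inline decision for its source."""
        rec = parse(line)
        if rec is None:
            return "pass"
        ts, outcome, user, src = rec
        q = self.failures[src]
        if outcome == "Failed":
            q.append(ts)
            while q and ts - q[0] > self.window:   # slide the window
                q.popleft()
            n = len(q)
            if n == self.alert_after:              # IDS: one alert per burst
                self.alerts.append(("ids-alert", src, f"{n} failed logins within {self.window}s"))
            if n >= self.block_after and src not in self.allowlist and src not in self.blocked:
                self.blocked.add(src)              # IPS: drop this source from now on
                self.alerts.append(("ips-block", src, f"{n} failed logins within {self.window}s"))
        elif len(q) >= self.alert_after:
            # A success right after a burst of failures is the alert an analyst wants most.
            self.alerts.append(("ids-alert", src, f"successful login as {user} after {len(q)} failures"))
        if src in self.blocked:
            self.dropped += 1
            return "drop"
        return "pass"


def run(lines=SAMPLE_LOG, allowlist=("203.0.113.50",)):
    mon = BruteForceMonitor(allowlist=allowlist)
    for line in lines:
        mon.feed(line)
    return {"alerts": mon.alerts, "blocked": mon.blocked, "dropped": mon.dropped}


if __name__ == "__main__":
    for kind, src, why in run()["alerts"]:
        print(f"{kind:10} {src:15} {why}")
```

With the constructed log, the brute-forcer is alerted on at its fifth failure and dropped from its tenth onward, the allowlisted scanner produces an alert but is never blocked, the user who mistypes twice produces nothing, and the account that succeeds after six failures produces the "successful login after failures" alert. The slow attacker, spacing attempts two minutes apart, never accumulates five failures inside the window, which is the kind of evasion a longer window or a second, slower counter would be needed to catch.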


Zero-Day Attack Mitigation

A zero-day attack or threat exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on “day zero” of awareness of the vulnerability; thus, developers have had zero days to address and patch it. Zero-day exploits — the software and/or strategies to carry out a successful attack — are used or shared by attackers.

Solutions such as Palo Alto Networks’ WildFire are typically an adjunct subscription to existing firewalls. Unknown files seen in network traffic are forwarded to a safe, cloud-based virtual environment (a sandbox), where they are executed and their behavior observed. Through the subscription service, signatures for newly discovered malware are generated automatically and distributed to all subscribed firewalls, so that a sample caught at one customer protects the others. The caveat is that the verdict takes time to produce, so the first host to receive a new sample may already have run it before the signature arrives.


Ronen Isaac is vice president of Continental Computers, a networking and video surveillance products reseller and integrator/VAR based out of El Segundo, Calif. He is also vice president of