Climbing firewalls

As new threats emerge and old ones mutate, the firewall is becoming an increasingly important part of the security infrastructure - and its role is changing. Simon Meredith reports.

In the past, if you were looking for a mental image for the ubiquitous firewall you could have pictured it as that old western film stand-by, the circled wagon train.

But these days, as well as being extremely politically incorrect, that image is out of date. Because as well as protecting the perimeter, the firewall now helps to create a defence in depth, cropping up in new areas such as the desktop and multifunction appliances.

The role of the firewall is generally becoming more important, and instead of deploying one firewall, many companies are using two or more. Stuart Wright, business development manager at HarrierZeuros, a security consultancy and reseller in Hook, Hampshire, believes the role of the firewall is also broadening.

"We're seeing it become less of a perimeter defence and moving more towards the centre. Rather than having it just at the edge, it's being used to protect internal sites and WANs," he says.

Jon Busfield, technical and professional services director at System Software Solutions, a security specialist reseller and Check Point partner in Birmingham, says of the firewall: "Its fundamental purpose - to block unwanted attention from outside - is not changing. However, it's getting to be seen as an absolute necessity."

Tony Larks, business development manager at west London security VAR Peapod, believes you need to find the right solution for the right part of the network. "We've deployed a lot more inter-departmental firewalls recently," he says.

"We've just put eight or 10 into a county council, between themselves and social services, the health department and local district councils."

The threat from inside the organisation can be much greater. Firewalls on the perimeter do nothing to prevent internal access, but used inside they can provide some additional protection from known sources of potential threat.

Segregating the network is really just good practice, notes Arthur Barnes, security consultant at Diagonal Security, who feels firewalls can help but only in a limited way. "If you are using an inter-departmental firewall you are saying that authorised users are not allowed access to certain resources, but they are still authorised users.

"You cannot cut off access to that resource completely. It limits the options for a malicious internal attacker because you dictate the protocols and devices that they can use," he warns.
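The inter-departmental policy Barnes describes, as an added example that is not code from the article or from any vendor it names: a small first-match-wins evaluator standing in for the filter an internal firewall runs. The department address ranges, the hosts and the rules are constructed for illustration. It shows the point made above: a council user stays authorised for the social services portal over HTTPS, but the same user on the same host over any other protocol, and any flow the policy does not name, is dropped.

```python
"""Inter-departmental firewall policy, simulated.

Added example; addresses, segments and rules are constructed, not taken
from any real deployment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str   # "tcp", "udp" or "any"
    dport: int   # 0 means any destination port
    action: str  # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        """True when the flow's source, destination, protocol and port all fit the rule."""
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and self.proto in ("any", flow.proto)
            and self.dport in (0, flow.dport)
        )


# Constructed department segments (RFC 1918 space chosen for the example).
SEGMENTS = {
    "council": "10.1.0.0/16",
    "social_services": "10.2.0.0/16",
    "health": "10.3.0.0/16",
}

# Constructed hosts on the far side of the internal firewall.
HOSTS = {
    "10.2.0.10",  # social services web portal
    "10.2.0.50",  # social services file server
    "10.3.0.20",  # health records API
    "10.3.1.7",   # health department workstation
}

# Constructed policy: authorised users keep the access their job needs, but only
# over the protocol and port the policy dictates. The final rule drops every
# other flow between segments.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.10/32", "tcp", 443, "allow"),  # council -> portal
    Rule("10.2.0.0/16", "10.3.0.20/32", "tcp", 443, "allow"),  # social services -> records API
    Rule("10.0.0.0/8",  "10.0.0.0/8",   "any", 0,   "deny"),   # default deny between segments
]


def evaluate(policy, flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is also dropped."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def hosts_reachable(policy, src: str, hosts, proto: str, dport: int) -> set:
    """Hosts that src can reach on proto/dport through the internal firewall."""
    return {h for h in hosts if evaluate(policy, Flow(src, h, proto, dport)) == "allow"}


if __name__ == "__main__":
    council_user = "10.1.5.5"
    print("HTTPS from council:", hosts_reachable(POLICY, council_user, HOSTS, "tcp", 443))
    print("SMB from council:  ", hosts_reachable(POLICY, council_user, HOSTS, "tcp", 445))
```

The second call is the worm case the article returns to later: an infected council machine looking for file-sharing ports across the firewall reaches nothing, because no rule names that protocol, so the segment boundary holds even though the user behind it is legitimately allowed onto the portal.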

Also, firewalls are having to work harder. Performance is more important because the lines they are protecting now are often carrier-class multi-gigabit connections, and this means deploying bigger, meatier hardware platforms.

To keep costs down and defences up, Wright notes, many larger organisations are consolidating their firewalls. "Rather than having 50 or 100 they can consolidate into two or three chassis on which all of the licences will sit at the centre of the network," he says.

Another driver for consolidation is the worm. Blaster was a real wake-up call for a lot of organisations. "It showed that they were not doing enough to protect internal networks," adds Wright.

"While it was rare for Blaster to get through a firewall on the edge, it was still getting through via remote access or some other link, and once it was in there was no protection to stop it spreading internally and bringing networks down."

One of HarrierZeuros's customers claims to have lost about £2m as a result of Blaster. Vendors have woken up to the need for better internal protection and have started to offer products designed to put barriers in place right across the network.

But on their own firewalls offer scant protection against the mutating virus. Barnes says: "They are a little bit smarter and application-aware and will now block the top 10 viruses. But to be effective a worm has to be different to the last one, and the vendors are always chasing the game a little bit."

Firewall as VPN end-point
Another rising trend is the use of the firewall as the virtual private network (VPN) end-point. Remote access workers are given an Asymmetric Digital Subscriber Line (ADSL) connection so they can gain access to the network using encryption. "I'd say that 90 per cent of people that have got a firewall have a VPN built in, and they are using it," says Busfield.

While broadband is driving more VPN uptake, and therefore increasing the potential for integrated appliances, wireless networking has little real impact on the overall market. "Wireless is just the same as cables when you are logging on. The problem is when the data travels across the airwaves," adds Busfield.

"You can't sniff at a cable unless you can get to it, but you can sit 200 yards down the road with your laptop and pick up a wireless network. So you need to secure data by encrypting it."

Incidentally, there are wireless firewalls now, but they are simply firewalls without cables. They are not designed to protect just wireless LANs but to function as any other firewall would on the network.

Wireless and remote networking is driving some growth in firewall sales. Users can be on the network virtually wherever they are, and the devices used for remote or virtual access may be used outside the firewall much of the time.

Ian Kilpatrick, chairman of specialist security distributor Wick Hill, believes the potential in this segment of the market to be enormous. "Particularly in the SME sector, wireless is fairly endemic because it is so easy to deploy. But there is very low awareness of security issues," he says.

Given the high level of publicity that worms and break-ins now attract, you might get the impression that firewalls had become little more than an inconvenience to the determined hacker. But this is certainly not the case, according to Busfield. "If it is all set up properly you can keep everybody out," he says.

Mobile working has increased, but the key to security over the VPN is encryption, which is another story. The fact that more firewalls are being used as VPN end-points, and that the threat is now seen to be multi-faceted, is driving a trend towards integration of other functions with the firewall and the growth of appliances.

Integration of different security functions, such as intrusion detection and antivirus, is very much in vogue with vendors. Even so, the best-of-breed argument still holds water and firewalls continue to develop.

Larks says: "Firewalls are trying to move up the applications stack and looking at levels four to seven. But with areas such as intrusion detection and denial of service we are still trying to go for best-of-breed solutions.

"Vendors will always be good at one thing but not at everything. Organisations are trying to remove latency from security. If you have got a Gigabit connection you don't want your IDP (intrusion detection and prevention) to slow that down."

No shortage of choice
According to Barnes, application firewalls, such as Kavado and Teros, are moving down the stack and the network-level ones, such as Cisco and Check Point, are moving up it. "The point about network-level firewalls is they are very fast.

"At application level they are much smarter, but that tends to introduce a degree of latency," he adds.
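The fast-versus-smart trade-off Barnes draws, as an added example that is not code from the article or from any product it names. A network-level check looks only at protocol and port; an application-level check for port 80 parses the HTTP request line and refuses traffic that is not HTTP, or uses a method outside an allow-list. The addresses, the allow-lists and the sample packets are constructed, and `time_check` is a hypothetical helper added here to show the extra work the deeper inspection does.

```python
"""Network-level versus application-level filtering on the same traffic.

Added example; hosts, rules and sample packets are constructed.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # first segment of application data


# Network-level policy: a header match only, which is why it is fast.
NETWORK_ALLOW = {("tcp", 80), ("tcp", 443)}

# Application-level policy for port 80: the payload must be a well-formed
# HTTP/1.x request line using an allowed method.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048


def network_level(pkt: Packet) -> str:
    """Verdict from protocol and destination port alone."""
    return "allow" if (pkt.proto, pkt.dport) in NETWORK_ALLOW else "deny"


def parse_request_line(payload: bytes):
    """Return (method, target, version) or None if this is not an HTTP request line."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep or len(line) > MAX_REQUEST_LINE:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    try:
        return tuple(p.decode("ascii") for p in parts)
    except UnicodeDecodeError:
        return None


def application_level(pkt: Packet) -> str:
    """Verdict after looking into the payload; only port 80 is inspected here."""
    if pkt.dport != 80:
        return network_level(pkt)
    req = parse_request_line(pkt.payload)
    if req is None:
        return "deny"  # something other than HTTP on port 80 is refused, not passed
    method, target, _ = req
    if method not in ALLOWED_METHODS or not target.startswith("/"):
        return "deny"
    return "allow"


def verdicts(pkt: Packet):
    """(network-level verdict, application-level verdict) for one packet."""
    return network_level(pkt), application_level(pkt)


def time_check(check, pkt: Packet, rounds: int = 20000) -> float:
    """Hypothetical helper: seconds taken to run `check` on pkt `rounds` times."""
    start = time.perf_counter()
    for _ in range(rounds):
        check(pkt)
    return time.perf_counter() - start


# Constructed sample traffic towards a web server.
SAMPLES = {
    "web": Packet("192.0.2.10", "198.51.100.5", "tcp", 80,
                  b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    "not_http": Packet("192.0.2.10", "198.51.100.5", "tcp", 80,
                       b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    "trace": Packet("192.0.2.10", "198.51.100.5", "tcp", 80,
                    b"TRACE / HTTP/1.1\r\n\r\n"),
    "ssh": Packet("192.0.2.10", "198.51.100.5", "tcp", 22,
                  b"SSH-2.0-OpenSSH\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9} network={verdicts(pkt)[0]:5} application={verdicts(pkt)[1]}")
    web = SAMPLES["web"]
    print("network-level  :", round(time_check(network_level, web), 4), "s")
    print("application    :", round(time_check(application_level, web), 4), "s")
```

The two middle samples are the point: both sail through the port match, and only the application-aware check notices that one is not HTTP at all and the other uses a method the policy does not permit. The timing lines show the cost of that extra parsing, which is the latency the article refers to.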

While they are moving closer to each other, there are still very real differences between firewalls. Check Point, Cisco's PIX series and also NetScreen have more enterprise-management and deployment functionality and tend to be favoured by larger users.

Symantec, SonicWall, Internet Security Systems and WatchGuard are more often selected by SMEs or for their specific functionality and the type of protection they provide.

David Ellis, director of e-security at distributor Unipalm, suggests there is certainly no shortage of choice, and while the market has changed a good deal over the past year it is still developing. "Four years ago larger organisations were putting a firewall at the perimeter," he says.

"Now they are using them to segment the network and build up multiple layers of defence, rolling out personal or desktop firewalls to protect key application servers or parts of the network.

"In the mid-market there is a move towards integrating other security products onto the appliance - intrusion detection, antivirus, URL filtering, content checking and so on.

"And vendors such as Internet Security Systems and Symantec, and even Check Point to a certain extent, are introducing all-in-one appliance products that probably give you 80 per cent of the functionality at 20 per cent of the cost."

For the SME, integrated solutions provide a way to get enterprise-class security that is easy to deploy and manage. They are not that cheap, says Wright, but there has been a noticeable increase in spending on integrated appliances, even among corporate companies.

Larks says smaller firms have become more aware and discerning with regard to security. However, he adds: "At the lower end of the SME space they are still just looking at the cost. At the higher end of SMEs it's more about the ease of deployment and management."

Large numbers of customers seem to be moving towards firewall appliances that have multifunctional capability, observes Simon Hill, product director at networking and security products distributor Azlan.

"All-in-one appliances do seem to be the way many customers are going, and this is certainly a strong driver for growth in the SME and mid-market. We are seeing very strong sales in this area," he says.

Even so, selling appliances still requires some understanding and security skill, he adds. "Many users do want a simple solution but you still need expertise to identify and deploy the right one.

"We're always looking to bring on new security partners but it's important for us to maintain a high level of expertise in the products we offer, so we can provide the level of pre-sales support and training that resellers that are relatively new to security will always need," he says.

More resellers are now venturing into the security market. Vendors simply cannot ignore the issue, because it has become integral to all users, who now need to be reassured that any investment in IT will be safe.

Microsoft is trying to get all of its resellers much more security-aware with a series of road shows that talk about different aspects of security in its systems.

With most end-user organisations, especially SMEs, having no IT security skills, there is plenty of room for everyone in this market and space left over for the dedicated security experts. One area of rapid development and opportunity, for VARs that have the skills, is the provision of managed services.

The market for managed firewalls
Ben Allan, managing director of I-Sentral Security, which specialises in this area, believes customers feel they get a better level of technical service, lower costs and better overall security from a managed firewall. "Most IT teams are stretched for resource and the firewall usually receives little attention," he observes.

"Outsourcing firms will have protocols and procedures in place for systematic management, so the firewalls will receive more detailed attention, more frequent updating and patching, policy and log reviews and health checks."

The managed service provider will have an in-depth understanding of the firewall and will be able to solve problems faster. The result is a better standard of overall security, and this is especially true when the management of the firewall is taken off the network.

"The firewall policy no longer sits on the appliance, so even if the firewall is compromised the policy will still be secure, avoiding the risk of back doors being left open," Allan adds.

But you do need considerable security skills and resources to be able to offer a managed service, and while some medium-sized companies are becoming interested it is mainly the larger enterprises that are leading the way.

"Effective firewall management requires significant on-going training. An IT department needs to be very large for a dedicated firewall resource to be justified, so it makes economic sense to outsource that resource to a third party," says Allan.

This argument is considerably strengthened where an organisation feels that it will need round-the-clock monitoring of the firewall to ensure the defences are always water-tight.

Using an external provider might, in some eyes, entail taking some risk, because individuals outside the company will have intimate knowledge of its security systems.

However, stringent terms and conditions have to be met and compromising the security of a customer would spell immediate disaster for any managed service provider.

Demand for firewalls remains strong and there is no sign of any slowdown, says Kilpatrick. "There is a large unsatisfied market out there, with the continued growth of remote offices and connections and the need to secure those. And awareness is driven by the threats that are around," he says.

Kilpatrick also points to the distinct trend towards using firewalls as the cornerstone of the VPN, and to the growing popularity of multi-function devices.

Larger and medium-sized organisations that have had firewalls for two years or more are now upgrading, and more SMEs are coming into the market.

While prices have been under some pressure there is no shortage of customers, according to Busfield. "The manufacturers that have fallen by the wayside de-focused, so people are looking to upgrade to the latest technology," he says.

The opportunities for firewall sales depend very much on the type of customer you deal with, says Ellis, who believes there is still growth in all sectors.

"Corporate resellers can go to customers that have in the past deployed firewalls at the perimeter and can try to sell deeper into the organisation, and look at content checking that fits alongside.

"In the mid-market I'd look at appliances, because that's quite a good opportunity. For the dealers, as they used to be known, I'd be looking at DSL and how security can fit alongside it," he advises.

Due to the high level of concern over the current dangers, and the growth in wireless communications and remote access, Barnes believes that desktop firewalling will be the next big thing.

"If a worm gets introduced to the network it will propagate via the servers and whatever is vulnerable. Firewalling at the desktop can hinder this process significantly," he says.

This will give the market a further boost because any device that is important will need its own protection. Barnes adds: "You've got to look at firewalling everything.

"Because in the wireless world, for instance, it's no longer a case that I have to plug into the network. I can be on the network anywhere, so you have to take reasonable precautions."

CONTACTS

Azlan (01189) 897 700
www.azlan.com

Diagonal Security (01256) 868 900
www.diagonalsecurity.com

HarrierZeuros (01256) 760 081
www.harrierzeuros.co.uk

I-Sentral Security (0870) 060 9700
www.i-sentral.com

Peapod (020) 8606 7171
www.peapod.co.uk

Systems Software Solutions (0121) 453 0033
www.system-software.co.uk

Unipalm (01638) 569 644
www.unipalm.co.uk

Wick Hill (01483) 227 600
www.wickhill.com