This post is part 1 of a two-part series that addresses the rapid changes in security paradigms. The drive to satisfy new requirements and keep pace with the digital world has a large impact on the level of security. The following post introduces the history of firewalling and security paradigms.
Internet Protocol (IP) networks provide services to customers and businesses across the globe. Everything and everyone is practically connected in some form or another. As a result, the stability and security of the network, and of the services that ride on top of IP, are of paramount importance for successful service delivery. The connected world banks on IP networks, and as that reliance mushrooms, so does the volume of network and web application attacks.
Although new technologies may offer services that simplify life and help businesses function more efficiently, in certain scenarios they change the security paradigms, which introduces a great deal of complexity. Mixing complexity with security is like stirring water into oil: it will eventually result in a crash.
We operate in a world where we need multiple layers of security and updated security paradigms in order to meet the latest applications' requirements. Here, the significant questions to ponder are: can we trust the new security paradigms? Are we comfortable withdrawing from the traditional security model of well-defined component tiers? How does the security paradigm appear from a security auditor's perspective?
There are many unanswered questions, and from a security point of view, trial and error is certainly not the best approach. The security perimeters of today are completely scattered. The more scattered they are, the easier it is for a bad actor to infiltrate and directly target an organization's valuable assets, such as the revenue-generating web application.
So why do we need to change the security paradigms in the first place? For better understanding, let’s address the history of firewalls and their evolving design.
History of Firewalls
The original term firewall was coined to describe what someone from a non-technical background might think it should do: build a wall intended to protect against actual fire. In the world of security, however, the firewall is a security appliance that provides a barrier between an untrusted and a trusted network.
The trusted network is the internal network, for example where internal staff operate, whereas untrusted refers to anything suspicious or doubtful, be it a Demilitarized Zone (DMZ) or an external Wide Area Network (WAN) module.
Types of Firewalls
Initially, we started with basic packet filters working alongside an application proxy that is sitting in the middle. All sessions would terminate on the application proxy which would provide application-based security functions, while the packet filters at either end perform the basic scrubbing.
Simple packet filters only match on Layer 2 to 4 headers: the Media Access Control (MAC) address, IP addresses, and Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers. Just because a security device matches on port numbers does not mean it matches on session state. If you don't match on, for example, the TCP SYN flag, you will not know whether a session is established or not.
The next wave of firewalling could track the state of a session; these are known as second-generation firewalls. Here, things got a little better: we now have a single device that can do the basic scrubbing, combined with an application proxy. Although second-generation firewalls could track the state of a session, they couldn't delve deeper into the application. They were unable to separate the wheat from the chaff. They couldn't, for example, examine HTTP traffic for GET or POST requests to determine user activity.
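To make the difference between a first-generation packet filter and a second-generation stateful firewall concrete, here is an added example (not code from the original post): a toy stateless filter that admits inbound packets which merely look like replies (ACK or RST bit set), beside a toy connection tracker that only admits replies to sessions a trusted host actually opened with a SYN. The addresses, ports and packets are constructed for illustration.

```python
from dataclasses import dataclass

TRUSTED = {"10.0.0.5"}  # constructed "inside" host behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def stateless_allow(pkt):
    """First-generation style: judge each packet by its own L3/L4 headers.
    Outbound HTTP from trusted hosts is allowed; inbound is allowed whenever
    it looks like part of an existing session (ACK or RST bit set)."""
    if pkt.src in TRUSTED and pkt.dport == 80:
        return True
    return pkt.dst in TRUSTED and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Second-generation style: same policy, but an inbound packet must match
    a session that a trusted host opened with a SYN. (Real trackers also age
    out and tear down sessions; that is omitted here for brevity.)"""

    def __init__(self):
        self.sessions = set()  # (client, cport, server, sport) tuples

    def allow(self, pkt):
        out_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        in_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src in TRUSTED and pkt.dport == 80:
            if "SYN" in pkt.flags:
                self.sessions.add(out_key)  # trusted side opened the session
            return out_key in self.sessions
        return in_key in self.sessions  # only replies on a known session


def evaluate(packets):
    """Return (stateless decisions, stateful decisions) for a packet sequence."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]


# Constructed traffic: a legitimate outbound HTTP handshake, then an inbound
# packet to port 22 that carries an ACK bit but belongs to no session.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"})),
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"ACK"})),
    Packet("198.51.100.9", 4444, "10.0.0.5", 22, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, *evaluate(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} stateless={a} stateful={b}")
```

The last packet is the point of the post: matching on ports and a flag passes it, while the tracker rejects it because no trusted host ever opened that session.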
Fortunately, this security gap was filled by next-generation firewalls, which had all the features of the second generation combined with the benefits of Layer 7 inspection. From there we entered a wave of many new styles of firewalling. Application-aware firewalls include, to name a few, the Web Application Firewall (WAF), NIC-based firewalls, microsegmentation and VM-based firewall appliances.
Reasons behind introducing Firewalls
These firewalls were introduced to support new application types and workload mobility. The traditional physical firewalling device cannot follow workloads around the network as it’s stuck at one central place.
On the other hand, the new wave of firewalls sits closer to workloads and can follow them around the network, thereby supporting workload mobility and increasing scalability. However, many of these firewalls move the security paradigm to different network points and can surface both technical and team-ownership problems.
For example, if we have a VM based NIC firewall placed in a VM, would the hypervisor or security teams control the configuration and management? Will a hypervisor administrator perform simple day to day configuration changes while the security team members perform more advanced tasks? Do the hypervisor administrators have enough security knowledge to perform adequate security administrations?
Challenges shoot up when multiple teams, often distributed across different time zones, administer the same device. The situation sounds like a managerial bubble waiting to burst. We can't automate everything. We are human; mistakes will happen, and there will be cross-communication difficulties between two different teams. Inevitably, this will lead to configuration mistakes. A simple firewall configuration error can open the door for even a not-so-skilled attacker to penetrate the company's assets.