New firewalls defend the interior
- By Ellen Messmer
- Jun 20, 2000
The firewall, which has served as the sentry between the outside world of
the Internet and the internal agency network, may be moving inside the network
perimeter to World Wide Web servers, PCs, modems and silicon chips.
Such internal firewalls, known as distributed firewalls, are the next
line of defense against hackers who breach traditional firewalls by exploiting
open ports and e-mail servers.
Network managers tend to see distributed firewalls as added firepower against
"It's a dual protection," said Rick Shantery, senior network engineer at
Intellinetics Corp., a document management firm in Columbus, Ohio. He added
CyberWallPlus embedded firewall software, a product from Network-1 Security
Solutions Inc., to his internal servers after he realized that hackers occasionally
made it past Ramp Networks' WebRamp Internet access and firewall box Intellinetics
"I could see from the log data they were coming in," he said. "These deliberate
hack attacks happen daily, [but] if they make it through, the embedded firewall
in the server is there to stop them."
The second line of defense may also be necessary because traditional firewalls
do little to stop inside attacks, according to top firewall expert Steven
Bellovin, an AT&T Corp. Labs researcher.
"Distributed firewalls can reduce the threat of actual attacks by insiders,
simply by making it easier to set up smaller groups of users," Bellovin
wrote in the paper "Distributed Firewalls." "Thus, one can restrict access
to a file server to only those who need it, rather than letting anyone inside
the company pound on it."
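The mechanism Bellovin describes, as an added example that is not from his paper, this article, or any vendor product mentioned here: one central policy names which groups of hosts may reach which service, and each host compiles its own slice of that policy into local rules it enforces itself, so a file server drops connections from insiders who are not in the allowed group even though they sit on the same LAN. The group names, addresses and services below are constructed for the example.

```python
"""Distributed-firewall policy compiler (added example, constructed data).

One central policy is compiled into per-host rules; each host enforces
its own rules, so access control no longer depends on where a packet
crosses the perimeter. The addresses, groups and services are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Central policy: named groups of source hosts (constructed addresses).
GROUPS = {
    "finance_users": ["10.1.10.0/24"],
    "admins": ["10.1.1.5/32", "10.1.1.6/32"],
    "webmasters": ["10.1.20.0/24"],
}

# service -> host that runs it, TCP port, and the groups allowed to reach it.
# "any" means the service is public; everything else is insider-restricted.
SERVICES = {
    "fileserver": {"host": "10.1.2.10", "port": 445, "allow": ["finance_users", "admins"]},
    "web": {"host": "10.1.2.20", "port": 80, "allow": ["any"]},
    "web_admin": {"host": "10.1.2.20", "port": 22, "allow": ["admins", "webmasters"]},
}


@dataclass
class Rule:
    dport: int           # 0 matches any destination port
    src: IPv4Network     # 0.0.0.0/0 matches any source
    action: str          # "accept" or "drop"


def compile_host_policy(host):
    """Return the ordered rule list one host enforces, derived from the central policy."""
    rules = []
    for svc in SERVICES.values():
        if svc["host"] != host:
            continue
        for group in svc["allow"]:
            nets = ["0.0.0.0/0"] if group == "any" else GROUPS[group]
            for net in nets:
                rules.append(Rule(svc["port"], ip_network(net), "accept"))
    # Default deny: anything not explicitly allowed, insiders included, is dropped.
    rules.append(Rule(0, ip_network("0.0.0.0/0"), "drop"))
    return rules


def evaluate(rules, src_ip, dport):
    """First-match evaluation of an inbound TCP connection attempt at the host."""
    src = ip_address(src_ip)
    for r in rules:
        if (r.dport == 0 or r.dport == dport) and src in r.src:
            return r.action
    return "drop"


def to_iptables(host, rules):
    """Render a host's compiled rules as iptables commands (text only; not executed here)."""
    lines = [
        f"# host {host}: rules pushed from the central policy",
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        if r.action == "accept":
            lines.append(f"iptables -A INPUT -p tcp --dport {r.dport} -s {r.src} -j ACCEPT")
    return "\n".join(lines)


if __name__ == "__main__":
    for host in sorted({svc["host"] for svc in SERVICES.values()}):
        print(to_iptables(host, compile_host_policy(host)))
        print()
```

The point of the split between compile_host_policy and evaluate is that the policy lives in one place while enforcement happens on every host: an insider at 10.1.30.7 is dropped by the file server itself, which a perimeter firewall could never do for LAN-local traffic. The rendered iptables text is what a distribution agent would push to each host; it is shown here only to make the per-host result concrete.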
But some security vendors have mixed views about distributed firewalls.
Mark McArdle, a vice president in Network Associates Inc.'s managed security
services division, questioned the value of running firewall software directly
on the Web server.
"Applications on servers are usually managed by different people than the
ones who manage firewalls," McArdle said. "Application servers tend to be
changed with a little more of a cavalier attitude, which could affect the
firewall on it."
John Pescatore, research director for network security at the Gartner Group
Inc. consultancy, concurred.
"The problem is the Webmasters control the Web server," Pescatore said,
noting that when they make wholesale changes, it could destroy the efficacy
of the firewall software on it.
Rather, Pescatore is bullish on the idea of embedding firewalls in silicon,
something that Secure Computing Corp. is undertaking with 3Com Corp., and
WatchGuard is trying to do by licensing its Firechip. Hardware will support
faster packet processing than software, he said.
Story copyright 2000 Network World Inc. All rights reserved.