Recently Joel Snyder of Network World wrote an article on next-generation firewalls. In it he argues that, with next-generation firewalls, visibility into the network is a requirement rather than the nice-to-have option it is with traditional firewalls:
In a traditional firewall, visibility is a nice-to-have, because security policy dictates what ports are allowed inbound and outbound and other tools, such as Netflow analyzers, can be used to dig into traffic. In next-generation firewalls, where the emphasis is on controlling application usage, visibility is a requirement.
The key differentiator of next-generation firewalls is that they classify traffic by inspecting it, using heuristics and signatures to identify the application regardless of the port it happens to use. Proper policy enforcement therefore relies on correct application identification. Auditing a firewall with information from the firewall itself, such as its logs, inherits the same benefit and the same weakness. If an application is misidentified for any reason, the wrong policy is applied. And if reporting is based purely on the output of the same firewall, the logs will not indicate that there was an error: the mistake will not necessarily show up in the analytics, nor will it be easy to detect or understand. It is critical to know how the firewall defines each application, so that policies can be written correctly and the reporting output can be trusted.
Or, as Snyder states:
Applications may have many different names and categories, and compared to ports and IP addresses, we found tremendous variation and ambiguity. Without visibility and knowing how the firewall classifies each application it identifies, you can’t write the rules that make a next generation firewall “next-generation.”
A useful tool for understanding these next-generation firewalls, and how they classify traffic for both policy enforcement and reporting, is a separate external device that monitors the same traffic. WildPackets makes a line of network traffic recorders that continuously capture the network data flow and break it down by the traditional 5-tuple: source and destination IP address, source and destination port, and transport protocol (TCP or UDP). Viewing the traffic in vocabulary familiar to network and security engineers provides the translation needed to understand the abstracted application definitions in a next-generation firewall, and to check that a given flow really is what the firewall says it is. In short, a network traffic recorder lets you “trust, but verify.”
It is good practice to audit network traffic, much like businesses audit their accounting. Just as companies use an external auditor to track money, IT should use “external” auditing to track data. The good news is that, in networking, this external perspective is provided by the network recorder: it watches the inputs and outputs objectively without relying on the proprietary jargon of a new device. Additionally, if an anomaly is detected – like a suspected deviation from security policy – the network recorder will have a full record of the recent traffic, so a network forensic search will reveal the full details of exactly what happened.
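As an added illustration of the cross-check described above (example code, not code from the article or from WildPackets): a short Python script takes a firewall's per-flow application labels, takes the same flows as an independent recorder saw them (the 5-tuple plus the first client payload bytes), classifies each flow from the bytes alone without regard to port, and reports where the two disagree or where the recorder saw a flow the firewall never logged. The key=value log format, the flow records, the payload bytes and the classifier's signatures are all constructed for this example and follow no particular vendor's syntax; a real deployment would read the firewall's actual log export and flows derived from the recorder's captures.

```python
"""Cross-check firewall application labels against an independent packet record.

All input data below is constructed for this example; the key=value log
format is hypothetical and does not follow any specific vendor's syntax.
"""

# Constructed firewall log: one line per flow with the application label the
# firewall assigned. Hypothetical format, not a real vendor's.
FIREWALL_LOG = """\
src=10.1.1.5 sport=52100 dst=93.184.216.34 dport=443 proto=tcp app=ssl action=allow
src=10.1.1.7 sport=52344 dst=203.0.113.9 dport=443 proto=tcp app=ssl action=allow
src=10.1.1.9 sport=40001 dst=198.51.100.2 dport=53 proto=udp app=dns action=allow
src=10.1.1.12 sport=38888 dst=198.51.100.77 dport=22 proto=tcp app=ssh action=allow
"""

# Constructed flow records from an external recorder: the 5-tuple as the
# recorder saw it plus the first client payload bytes it captured.
RECORDER_FLOWS = [
    # Genuine TLS ClientHello on 443: the firewall label "ssl" is right.
    ("10.1.1.5", 52100, "93.184.216.34", 443, "tcp",
     bytes.fromhex("160301007a010000")),
    # SSH banner on port 443: the firewall still called it "ssl".
    ("10.1.1.7", 52344, "203.0.113.9", 443, "tcp",
     b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Plain DNS query on UDP/53: the label "dns" is right.
    ("10.1.1.9", 40001, "198.51.100.2", 53, "udp",
     bytes.fromhex("1a2b01000001000000000000")),
    # HTTP request on port 22: the firewall called it "ssh".
    ("10.1.1.12", 38888, "198.51.100.77", 22, "tcp",
     b"GET /index.html HTTP/1.1\r\n"),
    # TLS on 8443 that the firewall never logged at all.
    ("10.1.1.20", 51000, "192.0.2.8", 8443, "tcp",
     bytes.fromhex("160303009c010000")),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(proto, payload):
    """Name the protocol from the first payload bytes alone, ignoring the port.
    Deliberately simple signatures, constructed for the example."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # DNS header: QR bit clear (a query) and exactly one question.
    if proto == "udp" and len(payload) >= 12 and not payload[2] & 0x80 \
            and payload[4:6] == b"\x00\x01":
        return "dns"
    return "unknown"


def parse_firewall_log(text):
    """Return {5-tuple: app label} from the constructed key=value log."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        key = (kv["src"], int(kv["sport"]), kv["dst"], int(kv["dport"]), kv["proto"])
        flows[key] = kv["app"]
    return flows


def find_discrepancies(fw_flows, recorder_flows):
    """Compare the firewall's label for each recorded flow with what the payload
    bytes say. Returns a list of (5-tuple, firewall_label, observed, reason)."""
    findings = []
    for src, sport, dst, dport, proto, payload in recorder_flows:
        key = (src, sport, dst, dport, proto)
        observed = classify_payload(proto, payload)
        claimed = fw_flows.get(key)
        if claimed is None:
            findings.append((key, None, observed, "flow missing from firewall log"))
        elif observed != "unknown" and observed != claimed:
            findings.append((key, claimed, observed, "label disagrees with payload"))
    return findings


if __name__ == "__main__":
    fw = parse_firewall_log(FIREWALL_LOG)
    for key, claimed, observed, reason in find_discrepancies(fw, RECORDER_FLOWS):
        src, sport, dst, dport, proto = key
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}: firewall={claimed} "
              f"payload={observed} ({reason})")
```

Run stand-alone, the script reports three findings from the constructed data: SSH carried over port 443 that the firewall labelled "ssl", an HTTP request over port 22 that it labelled "ssh", and a TLS flow on 8443 that never appears in the firewall log. The first two are exactly the misidentifications the firewall's own reporting cannot surface; the third is a logging gap that only an independent record can reveal. The payload classifier is intentionally minimal: the point is that it works from bytes the recorder captured, not from the firewall's own verdict.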
Snyder concludes his article with this note:
Overall, we think that the visibility tools we found offer a good start into what is needed for next generation firewalls. All of the products have slightly different approaches, but it was clear that an off-box reporting engine — even if you only have a single firewall — is a minimum requirement to effectively build next-generation firewall policies.
We at WildPackets agree: in security, it is imperative to know what the firewall is doing, and the tools from the firewall vendor are indeed “a good start.” We do, however, disagree with Snyder's suggestion that more tools from the same vendor are the next step. For full visibility into policy enforcement, take the same step that businesses take when they are serious about accountability: use external verification. A network traffic recorder provides that assurance by looking at the packets themselves; whatever the variation in network applications and firewall classifications, the packets don't lie.