September 2003

Debunking the Firewall Hype

''Application intelligence'' is the latest buzz, but is it really new?

BY FRED AVOLIO

"That which has been is what will be, that which is done is what will be done, and there is nothing new under the sun." What the writer of Ecclesiastes was talking about easily applies to marketing claims about "new" technology.

A case in point is the recent marketing hype around Check Point Software Technologies' "application intelligence." Check Point claims it's a new response to new Internet threats. Is that so? No, it's marketing hype. The technology has been around and available in application gateway firewalls since the early 1990s. That being said, what may be new is implementing application intelligence in stateful inspection firewalls, such as FireWall-1 NG. To put this in perspective, let's examine how application intelligence has fit in historically with firewall technology.

In the 1980s, the few companies and organizations that had firewalls built them on routers with packet-filtering rules. Then, in 1988, the Morris worm changed everything. The worm exploited, among other things, application-layer vulnerabilities in two popular apps. Packet filtering was no longer sufficient for Internet security. Application-specific processing was required.

Coincidently, Marcus Ranum--building on the work of Brian Reid and others at DEC's Western Research Lab--created the first application gateway firewall, which examined data at the application level, and verified protocols and made other application-specific decisions. Application gateway firewalls could then--and can now--protect against e-mail content attacks (such as that used by the Morris worm), strip Java and other potentially dangerous content from HTTP application streams and block directory traversal attacks. Also, application gateway firewalls automatically keep state information.

"Application intelligence" is the latest buzz in the firewall world. What, if anything, is really new?

Check Point claims that all this is new "application intelligence" capability. Not so, but there could be real value, considering that stateful inspection and dynamic packet-filtering firewalls have lacked application intelligence. These firewalls make decisions based only on packet examination and can't tell what kind of packets are flowing through a connection. Just because a connection is made from some random port to a listener on port 25 doesn't mean it is legal SMTP. Similarly, not all connections claiming to be HTTP are HTTP traffic.

Further, firewalls that deal with one packet at a time can have "tunnel vision" when it comes to data analysis. Data is often broken across packet boundaries through normal fragmentation, so attackers have used IP fragmentation to trick firewalls into allowing unauthorized access to servers.

These firewalls can't reliably restrict FTP commands, make decisions based on file type, analyze DNS zone transfers, hide internal network information in an HTTP stream or protect against attacks that exploit vulnerable servers behind the firewall (such as attempts to cause buffer overruns in SMTP servers). They can't make application-level or data-specific decisions ("permit" or "deny"). Application gateways, on the other hand, examine application streams, not individual packets.

So the good news from Check Point--if their technology works as advertised--is that it offers the same potential for application-level awareness that application gateway firewalls have provided for years. This could be a good reason to consider upgrading.

Notice I wrote "potential." Buyers should ask questions like, "Which applications are supported with 'intelligence'?" and "What can I do to my firewall that would make this new intelligence moot?" Buyers should also ask questions of application gateway firewall vendors, too. Potentially, they can examine application data with some intelligence. But some proxy-based firewalls don't automatically do any application protocol or data analysis. They are just as capable of blindly passing packets as other firewalls. Buyers need to cut through the marketing claims for any type of firewall.

FRED AVOLIO is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.