[ISN] What Firewalls Will Look Like in the Year 2003
From: William Knowles (wk@C4I.ORG)
Date: Sat Apr 29 2000 - 18:48:30 CDT
[Forwarded by: Darek Milewski <darek.milewski@pl.pwcglobal.com>]
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=1415&id=1415
What Firewalls Will Look Like in the Year 2003
By Scott C. Sanchez, CISSP - scott@gungadin.com
Tue Apr 18 2000
Current Firewall technology and operation are quickly becoming
outdated. Here, we present guidelines and predictions to keep
companies alert to the rapidly changing face of security.
Core Topics
Network Security, Infrastructure Security and Security Management
Key Issues
How will enterprise-level Firewalls look in the year 2003 and who will
be the dominant vendors?
How should management prepare for the rapid transformation that is
taking place in the Firewall arena?
Since their inception as simple bridges with access lists, Firewalls
have become one of the most crucial components in any successful
Internet initiative. They can provide for a single "choke point" on a
network in which traffic can be filtered, monitored and analyzed.
Many organizations go further and implement Firewalls to provide user
and process authentication, traffic shaping and load balancing
services to their networks. Some have taken Firewalls to the highest
level currently possible and integrated virus and content scanning for
web pages, email and other types of Internet traffic.
Current Firewall Technologies
The majority of companies are using a software-based Firewall such as
Firewall-1 by Checkpoint Software or Gauntlet Firewall by Network
Associates. These Firewall packages run on top of a Unix or Windows
NT server, and provide a very broad range of capabilities. Network
Associates has recently integrated their entire suite of products
(PGP, VirusScan, CyberCop) into Gauntlet's capabilities. It seems
that their hope is that by leveraging off of the large customer base
that already uses these products, they can increase market share on
the Firewall stage.
The first true Firewall that was not dependent on a commercial OS was
the PIX from Cisco. The highly successful PIX Firewall was recently
(and quite silently) renamed as "CiscoSecure PIX - The Internet
Appliance". While Cisco may have been the first vendor to introduce a
Firewall that could be classified as an appliance, they certainly were
not the first to use it in their marketing.
Nokia signed a deal in 1997 with Checkpoint Software that would set
the stage for what has developed into a very successful product line
for both companies. Nokia designed and built various "boxes" of
varying sizes and capabilities running a custom operating system based
on a stripped-down version of Unix. The key was that no Unix
experience was needed to set up or maintain the box. Checkpoint then
modified their successful Firewall-1 product to run on this new box
from Nokia. Hence, the Firewall Appliance concept was born and the
marketing hype began.
Customer Pressures to Vendors
Increasingly, the level of satisfaction with Firewall technologies has
been diminishing. Customers want, need and demand more from the
capabilities presented to them by Firewall vendors. Major issues to
customers are ease of management, cost of ownership and learning
curves. Companies are pressuring vendors to create Firewalls
that are easy to install and manage, yet highly secure and versatile.
Companies require a Firewall solution that can grow and change quickly
with their organization without significant cost or effort.
End Results and Predictions
This high level of customer pressure that vendors are feeling about
Firewall technologies is going to result in a huge success of the
appliance concept. Vendors such as Nokia/Checkpoint and Cisco that
already have high market share in the appliance arena are going to
continue their success. By 2003, an estimated 80% of all enterprise
Firewalls in use will be appliance-based.
Some of the major features to look for in Firewalls going
forward are:
· Highly secure "out of the box"
· Low cost of ownership and learning curve
· Simplified management screens being used to implement
complex corporate and network security policies
· Proactive security monitoring, alerting and anomaly
detection
· High availability and redundancy
In addition, Firewall vendors will be using the appliance model to
everyone's benefit. Gone will be the days of buying a solution where
you get everything in one package. Firewall and security product
vendors will work together to create an open standard for
interoperability among their products. This trend is already showing
itself in the capabilities of products such as ISS RealSecure, or
NetPartners WebSense (see Note 1). Both products integrate rather
seamlessly with both Nokia's Checkpoint Firewalls as well as Cisco's
PIX Firewall Appliances.
This will allow customers to create highly customized solutions to
their security needs. Customers will dictate to the vendors what
features and functionality the Firewall provides, not the other way
around. Security solutions will move away from the single "border"
Firewall and more towards a zoned or layered security model. This
method of implementing security is highly effective and provides
the most opportunity for ROI.
Bottom Line
Firewall technologies will change very drastically by 2003. Security
Management and Senior Management alike must be prepared. Future
security initiatives must consider a layered approach to Security in
order to create an environment that will benefit from the new breed of
Firewalls.
Note 1:
ISS (Internet Security Systems, Inc.) RealSecure is software that
provides proactive intrusion and anomaly detection and reporting.
NetPartners, Inc. WebSense allows companies to implement web site
content filtering for their employees, to prevent unauthorized and
inappropriate Internet usage.
Glossary:
OS: Operating System (i.e. Windows 2000, Solaris)
ROI: Return On Investment
About the Author:
Scott C. Sanchez is a veteran in the field of Information Security.
Since 1994 he has been involved exclusively in the Security of
Internet, E-Commerce and Network Security projects. He has developed
and implemented comprehensive Information Security architectures for
many organizations in the Internet/E-Commerce and Financial Services
industries. In addition to holding the designation of CISSP
(Certified Information Systems Security Professional), he is a regular
contributor to publications such as SecurityFocus.Com and other
industry-related forums.
Original PDF version of this document is available at
http://infosec.gungadin.com
ISN is sponsored by SecurityFocus.com