Chapter 7 - Future Developments

There appear to be two areas that will significantly affect the future role and development of Internet Firewalls :-

  1. The IP Security (IPSec) standards (RFC1825-1829).
  2. The level of fragmentation in the firewall market.

The IP Security (IPSec) standards

In the middle ages tunnels provided a safe means of communication for besieged castles. Encryption tunnels that lead from a firewall to a firewall are analogous to this and are provided by the next generation of Internet Protocols (IPng).

The popularity of Internet firewalls for providing access control and protocol filtering services between protected sites and the Internet is due to the lack of robust security mechanisms in the TCP/IP protocol suite. The lack of robust authentication, integrity and confidentiality facilities necessitates a firewall in order for useful services such as NFS and the "r" services to be used safely.

However, a firewall is restrictive. It may be desirable to use certain vulnerable services, such as X or NFS, between remote sites, but a firewall will normally block such services. To be effective, all or most traffic must pass through the firewall, which can lead to bandwidth bottlenecks and performance problems depending on the load and type of traffic. If the firewall does prove to be a bottleneck, internal users who do not wish to use the firewall will often also be affected.

To address these and other issues associated with IPv4, the next generation of Internet Protocols (IPng), and specifically IPv6, the next version of IP, incorporate optional security headers. Because the security headers provide the basis for robust authentication, integrity, and confidentiality, services deemed insecure with IPv4 could be quite secure with IPv6 (provided the security headers option is used!).

As a result, the threat posed to a system using IPv6 should be significantly less than that posed to an IPv4-based system, depending on the extent to which the security headers are used.

IPv6's security headers correct some problems that current firewall technology cannot correct, such as session stealing, in which an attacker takes over an established connection, such as a TELNET session. A practical method for defeating session stealing in IPv6 is continuous reauthentication, in which each packet is authenticated to ensure it has originated from the legitimate user.

IPv6 security headers and related items have been defined, but how the headers will be used in conjunction with security gateways and other systems is still open to debate and experimentation. IPv6 security services could be used directly between hosts with no security gateway intervention, which would indicate that the security gateway may become involved only in those security functions that IPv6 does not handle, e.g., robust user authentication in TELNET.

Discussing firewalls, RFC1825 reads :-

"Firewalls are not uncommon in the current Internet [Ches94]. While many dislike their presence because they restrict connectivity, they are unlikely to disappear in the near future. Both of these IP mechanisms(1) can be used to increase the security provided by firewalls.

Firewalls used with IP often need to be able to parse the headers and options to determine the transport protocol (e.g., UDP or TCP) in use and the port number for that protocol. Firewalls can be used with the Authentication Header regardless of whether that firewall is party to the appropriate Security Association, but a firewall that is not party to the applicable Security Association will not normally be able to decrypt an encrypted upper-layer protocol to view the protocol or port number needed to perform per-packet filtering OR to verify that the data (e.g., source, destination, transport protocol, port number) being used for access control decisions is correct and authentic. Hence, authentication might be performed not only within an organisation or campus but also end to end with remote systems across the Internet. This use of the Authentication Header with IP provides much more assurance that the data being used for access control decisions is authentic.

Organisations with two or more sites that are interconnected using commercial IP service might wish to use a selectively encrypting firewall. If an encrypting firewall were placed between each site of a company and the commercial IP service provider, the firewall could provide an encrypted IP tunnel among all the company's sites. It could also encrypt traffic between the company and its suppliers, customers, and other affiliates. Traffic with the Network Information Centre, with public Internet archives, or some other organisations might not be encrypted because of the unavailability of a standard key management protocol or as a deliberate choice to facilitate better communications, improved network performance, and increased connectivity. Such a practice could easily protect the company's sensitive traffic from eavesdropping and modification.

Some organisations (e.g., governments) might wish to use a fully encrypting firewall to provide a protected virtual network over commercial IP service. The difference between that and a bulk IP encryption device is that a fully encrypting firewall would provide filtering of the decrypted traffic as well as providing encryption of IP packets."
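The distinction the RFC draws above, as an added example that is not part of the report or of RFC1825: a firewall filtering on destination port can read, and if it holds the Security Association key also verify, an AH-protected datagram, but under ESP it sees only an opaque payload unless it is party to the SA. HMAC-SHA256 stands in for the keyed-MD5 of RFC1828 and a keystream XOR for the DES-CBC of RFC1829; the key, SPI, addresses and the Telnet segment are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed example (not the report's code). HMAC-SHA256 stands in for RFC 1828
# keyed-MD5 and a keystream XOR for DES-CBC (RFC 1829); key, SPI, IPs are made up.
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
SA_KEY = b"constructed-shared-key"
SPI = struct.pack("!I", 0x1234)
TELNET_SEGMENT = struct.pack("!HH", 40000, 23) + bytes(16)  # src port, dst port 23

def ip_header(proto, payload_len):
    # TTL and checksum are zero: AH treats mutable fields as zero when authenticating.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 0, proto,
                       0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))

def ah_packet(segment, key=SA_KEY):
    # RFC 1826 AH: next header, auth-data length (32-bit words), reserved, SPI, auth data.
    ah = struct.pack("!BBH", PROTO_TCP, 8, 0) + SPI
    iph = ip_header(PROTO_AH, len(ah) + 32 + len(segment))
    mac = hmac.new(key, iph + ah + bytes(32) + segment, hashlib.sha256).digest()
    return iph + ah + mac + segment

def esp_packet(segment, key=SA_KEY):
    # RFC 1827 ESP: SPI in the clear, everything after it encrypted under the SA.
    stream = hashlib.sha256(key + SPI).digest()
    ct = bytes(b ^ stream[i % 32] for i, b in enumerate(segment))
    return ip_header(PROTO_ESP, 4 + len(ct)) + SPI + ct

def firewall_filter(packet, key=None, allowed_ports=(23,)):
    # Per-packet filter on destination port; key is the SA key if the firewall holds it.
    proto = packet[9]
    if proto == PROTO_AH:
        iph, ah, mac, segment = packet[:20], packet[20:28], packet[28:60], packet[60:]
        if key is None:
            auth = "unverified"  # port readable in the clear, but not trusted
        elif hmac.compare_digest(mac, hmac.new(key, iph + ah + bytes(32) + segment, hashlib.sha256).digest()):
            auth = "authentic"
        else:
            return "drop", "AH authenticator failed"
    elif proto == PROTO_ESP:
        if key is None:
            return "drop", "ESP payload opaque: port unreadable without the SA"
        stream = hashlib.sha256(key + packet[20:24]).digest()
        segment = bytes(b ^ stream[i % 32] for i, b in enumerate(packet[24:]))
        auth = "decrypted"
    else:  # plain IPv4: port readable but nothing is authenticated
        segment, auth = packet[20:], "unauthenticated"
    dst_port = struct.unpack("!H", segment[2:4])[0]
    return ("allow" if dst_port in allowed_ports else "drop"), f"port {dst_port} {auth}"
```

A gateway without the AH key still reads the port but cannot trust it, which is exactly the forged-header case the RFC's "correct and authentic" clause is about.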

Some firewall developers are deploying components of this technology already. The Secure Wide Area Network (S/WAN) Initiative was announced earlier this year and aims to provide encrypted IPv4 tunnels between different vendors' firewalls. The S/WAN Initiative is intended to promote multi-vendor virtual private networks among firewall and TCP/IP vendors. The initiative will make recommendations and additions to the underlying IPSec standard to achieve this goal. Four key management protocols are included in the S/WAN initiative: SKIP [Aziz95], Photuris [Karn96] and Oakley [Orma96]. S/WAN is promoted by a group comprising RSA Data Security (who own the RSA encryption algorithm) and eighteen partners including IBM and Checkpoint software [Andr96b]. These vendors are already testing vendor-to-vendor interoperability.

The level of fragmentation in the firewall market

As was shown in the case studies, organisations have difficulty differentiating firewall products. Understanding the differentiating factors requires significant technical knowledge, as most products are based on the same technology. Vendors increase the level of confusion by focusing on small technical details and presenting them as key differentiating features.

The firewall market is characterised by a mixture of large mainstream computer suppliers such as IBM Corp., SUN Microsystems Inc. and Digital Equipment Corp., and relatively small start-ups. The firewall market has seen phenomenal growth, with researchers estimating that it will grow 70% from 1.1 Billion USD in 1995 to 16.2 Billion USD in 2000 [CSI95b]. Commercial systems have 84% market share; however, twelve different products each had 1% share in 1995, and the largest single share belonged to non-commercial systems (16%). The market is still very fragmented, and analysts expect significant change, including a large reduction in the number of suppliers as the market develops [CSI95b]. Some analysts have suggested that large suppliers will dominate the market and that smaller companies will sell their technology and leave the market [McGa95].

However, there are indications that the familiar computer industry model of David beating Goliath may apply again. One company in particular is attracting the sort of attention Netscape received in its early days. Founded in 1993, V-ONE (Virtual Open Network Environment) is being heralded by security experts as "a shining example of Internet innovation - perhaps as much as a year ahead of the rest of the pack" [Netw96]. V-ONE announced on April 3, 1996 that they had been selected by the National Security Agency (NSA) to provide firewall protection to the United States Federal Government. They have developed software the company calls Security Middleware [Ranu96] that allows businesses to use smart cards to send and receive secure transactions on the Internet. Marcus Ranum, Chief Scientist at V-ONE and developer of Trusted Information System's Gauntlet, the first commercial firewall, claims this is pushing firewalls to the next level [Info96]. Security Middleware is a layer of security existing between an application and its remote user. It differs from browser-based security methods in that it provides strong authentication, a stronger method of encryption, and fine-grained access control. V-ONE's Smartwall product combines a dual-homed application-level gateway with strong token-based authentication and encryption, and is seen by many as the future direction for firewalls [Basc96, Moel96, Info96, Mere96, Elec96, Wing95, Rodr95].

(1) This refers to the two IP security mechanisms provided by IPSec, IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP).

The IP Authentication Header is designed to provide integrity and authentication without confidentiality to IP datagrams. The lack of confidentiality ensures that implementations of the Authentication Header will be widely available on the Internet, even in locations where the export, import, or use of encryption to provide confidentiality is regulated (RFC1827).

The IP Encapsulating Security Payload (ESP) is designed to provide integrity, authentication, and confidentiality to IP datagrams (RFC1826).