
20 December 2007

Firewalls Evolution - From Application Aware to UTM

As mentioned earlier, firewalls were very successful in segmenting the network into different zones and protecting those zones from each other by controlling who is allowed to talk to whom, using which protocol or application. But later on, applications such as FTP and SIP started to negotiate dynamic ports, and firewalls were forced to evolve and become more application aware. So firewalls were no longer limited to Layers Three and Four (the Network and Transport Layers) as they used to be; they had to decode the Application Layer as well.
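What "decoding the Application Layer" means in practice for FTP, as an added example that is not part of the original post: the control-channel parser an application-aware firewall needs in order to learn which dynamic data port to open. The message formats are those of RFC 959 (PORT command and 227 PASV reply); the function names and the sample addresses are my own.

```python
import re

# Control-channel messages an application-aware firewall must parse to learn
# the FTP data-channel endpoint (RFC 959 host/port encoding: h1,h2,h3,h4,p1,p2).
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RESP = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups, sender_ip):
    """Turn the six RFC 959 octets into (ip, port), validating them."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    ip = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    # The address inside the message must be the address of the peer that
    # sent it; otherwise the firewall would open a pinhole towards a third
    # host, which is exactly what an ALG must refuse to do.
    if ip != sender_ip:
        raise ValueError(f"address {ip} does not match sender {sender_ip}")
    if port < 1024:
        raise ValueError(f"refusing privileged data port {port}")
    return ip, port


def ftp_pinhole(line, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) the firewall must allow for the
    upcoming data connection, or None if the line is not a PORT/PASV message."""
    m = _PORT_CMD.match(line)
    if m:  # active mode: the server connects back to the client's port
        ip, port = _decode_hostport(m.groups(), client_ip)
        return server_ip, ip, port
    m = _PASV_RESP.match(line)
    if m:  # passive mode: the client connects to the server's port
        ip, port = _decode_hostport(m.groups(), server_ip)
        return client_ip, ip, port
    return None


if __name__ == "__main__":
    # Constructed sample exchange: client 192.0.2.10, server 198.51.100.5
    print(ftp_pinhole("PORT 192,0,2,10,4,1", "192.0.2.10", "198.51.100.5"))
    print(ftp_pinhole("227 Entering Passive Mode (198,51,100,5,200,10)",
                      "192.0.2.10", "198.51.100.5"))
```

A stateful firewall without this parser only sees a random high TCP port and has no way to know it belongs to the FTP session on port 21.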

On the other hand, proxy firewalls such as Microsoft ISA - I know it's a piece of crap - could see the application layer, add rules to prevent people from downloading ZIP and MP3 files, inspect SMTP for spam, etc. So firewall vendors were forced to compete with them on this, especially since such proxy firewalls are popular in SOHO (Small Office and Home Office) and SMB (Small to Medium Business) networks.

So firewall vendors decided to focus more on the Application Layer, but this time it wasn't just an evolution: a new kind of device, the UTM (Unified Threat Management appliance), was introduced to the market.

A Network Layer is a Network Layer, but when it comes to the Application Layer we have dozens of applications, and each has its own security requirements. For SMTP, spam is your enemy. For file transfer over CIFS, FTP, HTTP, SMTP and POP3, you should scan the files being transferred to make sure they do not contain viruses. IPSs and IDSs are needed to protect you from the various worms and exploits that span from Layer 2 up to Layer 7. So this is what UTMs do: a box - mainly a firewall - with many add-ons such as network-based antivirus, network-based antispam and network-based IPS.

Some people may argue that UTMs are not mature enough and that they add complexity to the network. They also believe that an all-in-one solution may not be suitable for large networks with high throughput. That's why ISPs and large data centres prefer to install separate best-of-breed devices - firewall, IPS/deep inspection, antispam - each responsible for a certain task. But in other locations an all-in-one box (UTM) can reduce cost and complexity. Also, it's sometimes hard to find a good stand-alone network-based antivirus or web filtering solution, and in such a case having those components in a UTM may be your best choice.

Finally, most firewall vendors are now moving towards the all-in-one solution, and I guess in the near future UTMs will be mature enough that stand-alone devices will be a thing of the past.
