
22 June 2010

PAN - Cloud is Overrated

I like how those Palo Alto Networks guys come out with new ideas every now and then. Many times their new ideas aren't more than marketing buzz, yet I like them. But this time I do not get their point at all.

Ok, they said that they came out with an End Point security solution where agents on the end points will not inspect the traffic there, but rather send it to the nearest PAN Firewall/UTM to inspect it!
"The Palo Alto endpoint protection takes a novel approach to overcoming this problem. Palo Alto is developing a small agent that will operate persistently on the host, detecting whenever the client connects to a public or private network. Rather than doing the traffic inspection on the client, the agent will compel all traffic to route through the closest home network. This means that all traffic will be inspected and passed through the existing network-based next-generation firewall", Channel Insider - Secure Channel Blog.
And this makes me wonder, how many Megas - if not Gigs - do we need to have on our PCs? Will it send every single executable I touch on my PC over the wire to be inspected regardless of its size, whether it is a few kilos or multiple Gigs? Why should a network device be bothered with inspecting activities that happen on hosts? I really don't get it. Maybe I am missing some points here, so would someone please help me understand their new approach.


22 September 2008

McAfee to buy Secure Computing

I used to make fun of McAfee when they presented themselves as a Network Security Vendor, especially as they didn't even have their own Firewall product. So, now it seems that the people at McAfee decided to spend about $465M to stop me from making fun of them.

Ok, let's get serious now. I think this is a good move from McAfee anyway. Secure Computing's security portfolio will surely fill some missing gaps in McAfee's product line. They have their own firewalls (Sidewinder) and Content Security (Webwasher). But on the other hand, people may argue that Secure Computing's products are not highly ranked compared to other vendors in the market. And to tell you the truth, I always believed that McAfee was going to acquire a Firewall vendor someday, and I thought that Fortinet was their best option. It's not only the best buy for McAfee, but if I were in Fortinet's guys' shoes I'd have asked McAfee to acquire us too. Fortinet has good products and they surely would have filled the missing gaps in McAfee's Network Security portfolio, and McAfee's guys would have been prouder to put their logo on Fortinet's products than on Secure Computing's. And on the other hand, Fortinet is the kind of vendor that is there to be acquired. Come on, they may have good products, but they are a small company, and it is really hard for companies of a similar size and narrow line of products nowadays to last for a long while before getting acquired or quitting the market.

Anyway, congratulations to McAfee guys, and I believe the Network Security market will benefit from one strong vendor which is getting even stronger.


12 April 2008

Network Element

During our Computer Networks course at the university, we used to study the differences between LAN Switches and Routers, and one of the main differences between them was that Switches forward traffic using the Layer-2 header (MAC Address) while Routers forward traffic based on the Layer-3 header (IP Address). Later on, in my professional life, I realized that there are also Layer-3 switches, and these Switches can do Routing, ACLs, Network Address Translation, and all the other Router functionalities.

According to Wikipedia, "The major difference between the packet switching operation of a router and that of a Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes place using a microprocessor, whereas a Layer 3 switch performs this using application-specific integrated circuit (ASIC) hardware". And maybe that's why Layer-3 switches have higher throughput and process more packets per second than routers. LAN Switches also have higher port density, and the cost of an Ethernet port on a Switch is much cheaper than that of a Router. Ok, in fact, the behaviour of the traffic in a LAN environment is different from that in an ISP, and that's why the Router's interface hardware is different from that of a Switch. The Buffers and Queues of a Router's interfaces are different from those of a Switch's interfaces, and that's why the Switch's interfaces are cheaper. But I am sure one day the Switch's interfaces will inherit those advanced features from their Router equivalents, especially with the boom of Metro Ethernet. Routers nowadays also support WAN Interfaces such as Serial Interfaces, E1s and STM-1s, while switches on the other hand do not support such kinds of interfaces. MPLS is another protocol that you cannot find in Switches; however, Foundry's NetIron for example supports it.

As you can see, in the following few years, the boundaries between LAN Switches and Routers are going to disappear.

Now, let's see what is going on in the Network Security field. We used to have Firewalls, IDSs/IPSs, Network-Based Antivirus, Antispam, Anti-X. Each one of those was a separate product. Now we just deploy a UTM, and it's a Firewall, IPS, Antivirus, all in a single box. UTMs may be suitable now for SOHO and Medium Enterprises more than ISPs and Large Data Centres due to their performance limitations and so on. But believe me, the advances in Processors and ASICs - Intel and Cavium Networks are doing a great job here - are capable of getting the UTMs into your Data Centre soon.

But wait a minute, now the Network products are getting combined, and so are the security products. What about combining the Network and Security products together as well? Ok, let's see what the two main players are doing. Cisco is adding security features to their ISR (Integrated Services Router).
"Cisco Integrated Services Routers help maximize the power of your organization’s network with unified network services, integrated security, mobility, and application intelligence", Cisco Systems.
They also decided to open their ISR to application developers to build their own applications and add-ons on top of it.
At the Cisco Partner Summit 2008 in Honolulu, the San Jose, Calif.-based networking giant unveiled the Cisco Application eXtension Platform (AXP). The AXP consists of open, Linux-based Cisco ISR hardware modules for application development and hosting to support a tighter integration of the network and applications. According to Inbar Lasser-Raab, Cisco's senior director of access routing and switching, several off-the-shelf and custom applications are already available for the ISR, along with a development and support ecosystem that includes a downloadable software development kit (SDK) and application programming interface (API) for application developers.
Lasser-Raab said opening the ISR to third-party applications, on top of the more than 30 services already available for the platform, creates a link between the network and applications and imbeds those applications directly onto the platform, instead of having them just hosted on the router. Services available for the ISR include VoIP, wireless, WAN access, unified communications and a host of security tools like NAC, IPS, content filtering and VPN.
Andrew R Hickey, ChannelWeb.
Juniper, on the other hand, introduced their SSG-Series of Firewalls/UTMs a few years ago; they can have multiple LAN as well as WAN interfaces, and they can also run all those well-known dynamic routing protocols. Later on, Juniper wrapped Security Services into JUNOS, their Routers' and Switches' Operating System.
Juniper Networks (NSDQ:JNPR) took JUNOS one step further, announcing that it is now wrapping the security services typically found in its ScreenOS operating system into JUNOS, meaning ScreenOS firewall, IPsec VPN, NAT, DOS and D-DOS capabilities will run on top of JUNOS software.
Michael Frendo, Juniper's senior vice president of high-end security systems, said integrating security services into the vendor's line of J-Series services routers, with integration with EX switches to follow, solidifies Juniper's vision of "fast, reliable and secure networking".
Andrew R Hickey, ChannelWeb
Juniper had opened their Operating System to application developers even before Cisco.
Juniper has announced a Partner Solution Development Platform (PSDP) allowing customers and partners to develop specialized applications on its JUNOS operating system.
The company claims the PSDP is the industry's first partner development platform for a carrier-class network operating system, and anticipates its customers and partners will deploy new services unique to their businesses, and improve network operations productivity.
Rodney Gedda , Computerworld.
In brief, I don't think that in the coming few years there will be dedicated Firewalls, Switches, or Routers. There will be a Network Element instead: an all-in-one product that will be capable of doing all the Networking, Security and maybe IP Telephony tasks.


20 December 2007

Firewalls Evolution - From Application Aware to UTM

As mentioned earlier, Firewalls were very successful in segmenting the Network into different Zones and protecting those zones from each other by controlling who is supposed to talk to whom using which protocol or application. But later on, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. So firewalls were no longer limited to Layers Three and Four (Network and Transport Layers) as they used to be, but were able to decode the Application Layer as well.

On the other hand, Proxy Firewalls such as Microsoft ISA - I know it's a piece of crap - were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, inspect SMTP for spam, etc. So firewall vendors were forced to compete with them on this, especially since such Proxy Firewalls are popular in SOHO (Small Office and Home Office) and SMB (Small to Medium Business) networks.

So Firewall vendors decided to focus more on the Application Layer, but this time it wasn't just an evolution. A new device was introduced to the market, which is the UTM.

A Network Layer is a Network Layer, but when it comes to the Application Layer, we have dozens of Applications and each has its own security requirements. For SMTP, Spam is your enemy. When it comes to File Sharing, CIFS, FTP, HTTP, SMTP and POP3, you should check the files being transferred to make sure they do not contain Viruses. IPSs and IDSs are needed to protect you from the different worms and exploits that span from layer 2 up to layer 7. So, this is what UTMs are doing: it's a box - mainly a firewall - with many other add-ons such as Network Based Antivirus, Network Based Antispam, and Network Based IPS.

Some people may argue that UTMs are not mature enough and that they add complexity to the network. They also believe that an all-in-one solution may not be suitable for large networks with high throughput. That's why, when it comes to ISPs and large Data Centres, they prefer to install separate best-of-breed devices - Firewall, IPS/Deep-Inspection, AntiSpam - each responsible for a certain task. But in some other locations an all-in-one box (UTM) can reduce the cost and complexity. Also, it's sometimes hard to find a good stand-alone Network Based Antivirus or Web Filtering solution, and in such a case having those components in a UTM may be your best choice.

Finally, most of the Firewall vendors are now moving towards the all-in-one solution, and I guess in the near future UTMs will be mature enough that stand-alone devices will be something from the past.


09 December 2007

Firewalls Evolution

As discussed in the previous article, a firewall simply inspects the traffic and takes the decision to permit or block the packets based on the different fields in the Layer 3 and Layer 4 headers. In fact, this task can be done by the Access Lists found on all the routers available in the market.

The Access List decides to permit or block the traffic based on the following 5 fields:
1. Source IP-Address
2. Destination IP-Address
3. Protocol (TCP, UDP, ICMP, etc.)
4. Source Port
5. Destination Port
In the late nineties the idea of Stateful Firewalls was introduced. As you know, when two hosts communicate, they keep sending and receiving packets. So in the case of an Access List, two rules have to be added, one in each direction, for those hosts to be able to communicate. Stateful Firewalls, on the other hand, are smarter than this. They keep track of the Session, and that's why in Stateful Firewalls you only have to create one rule from the Client to the Server; traffic from the Server to the Client will be treated as part of the session, so you won't need to add an extra rule in that direction.

Stateful Firewalls are also more secure than Access Lists, as packets that don't belong to an active session will be dropped. The presence of a Session Table in Stateful Firewalls also improves their performance, as they only need to check the rules on the first packet of the session.
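To make the difference concrete, here is a small simulation (added example, not code from the original post) of a 5-field access list next to a stateful firewall with a session table. The addresses and ports are constructed: user A at 10.1.1.10 opens TCP/80 to web server B at 10.2.2.80.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# The "5 fields": source IP, destination IP, protocol, source port, destination port.
FiveTuple = Tuple[str, str, str, int, int]

@dataclass(frozen=True)
class Rule:
    src: str      # "any" or an exact address
    dst: str
    proto: str
    dport: int    # 0 means any destination port
    action: str   # "permit" or "deny"

    def matches(self, pkt: FiveTuple) -> bool:
        s, d, proto, _sp, dp = pkt
        return ((self.src == "any" or self.src == s)
                and (self.dst == "any" or self.dst == d)
                and self.proto == proto
                and (self.dport == 0 or self.dport == dp))

def first_match(rules: List[Rule], pkt: FiveTuple) -> str:
    """Router-style access list: every packet is checked, first match wins, implicit deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"

class StatefulFirewall:
    """Checks the rule base only on the first packet; later packets are keyed on the session table."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Set[FiveTuple] = set()

    def handle(self, pkt: FiveTuple) -> str:
        s, d, proto, sp, dp = pkt
        if pkt in self.sessions:
            return "permit"                    # forward direction of a known session
        if (d, s, proto, dp, sp) in self.sessions:
            return "permit"                    # reply direction: no reverse rule needed
        if first_match(self.rules, pkt) == "permit":
            self.sessions.add(pkt)             # only the session opener creates state
            return "permit"
        return "deny"

def demo() -> dict:
    rules = [Rule("10.1.1.10", "10.2.2.80", "tcp", 80, "permit")]
    # An ACL would need this second rule so that replies can come back; note it
    # must allow any destination port because the client's source port is ephemeral.
    reverse_rule = Rule("10.2.2.80", "10.1.1.10", "tcp", 0, "permit")
    request = ("10.1.1.10", "10.2.2.80", "tcp", 51234, 80)
    reply = ("10.2.2.80", "10.1.1.10", "tcp", 80, 51234)
    unsolicited = ("10.2.2.80", "10.1.1.10", "tcp", 80, 40000)  # nobody opened this session
    fw = StatefulFirewall(rules)
    return {
        "acl_request": first_match(rules, request),                   # permit
        "acl_reply": first_match(rules, reply),                       # deny without reverse rule
        "acl_unsolicited": first_match(rules + [reverse_rule], unsolicited),  # permit: too wide
        "fw_request": fw.handle(request),                             # permit, session created
        "fw_reply": fw.handle(reply),                                 # permit via session table
        "fw_unsolicited": fw.handle(unsolicited),                     # deny: not in any session
    }
```

The last two ACL results show the security point of the post: the reverse rule an access list needs also lets in server-originated packets that belong to no session, while the stateful firewall drops them.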

Notes:
1. Please tell me if the subject is not clear enough, or if you feel that I have to write more details in order to clarify it.

2. You can read more about Stateful Firewalls here and here.


08 December 2007

The Firewall



The Firewall is the cornerstone of Network Security design. In today's networks, a Firewall is a device that divides the network into different Segments (Zones), and controls who is supposed to talk to whom, using which Applications (Services), across those different Zones.

Most of the time, enterprise networks have two layers of Firewalls: one at the Gateway - just behind the Gateway Router - and the other one in the Data Centre.

The Gateway firewall is also called the Perimeter firewall; its main task is to control which resources on your local LAN are to be accessed from the outside world, normally from the Internet. And in the other direction, it controls what your local users are allowed to do when going outside, normally to the Internet. The Data Centre firewall, on the other hand, is intended to protect the resources in your Data Centre - mainly Servers - from the outside as well as from the different Zones in your local network.

Notes:

Sometimes, people who have a tight budget consolidate the Gateway and the Data Centre firewalls into one firewall. Also this is suitable for remote branches and small offices.

Computers in the networking world communicate by sending and receiving packets. Besides the data (payload), these packets contain the source and destination addresses (IP Addresses) of the sender and receiver, as well as the service they are using (Protocol and Port Number). So let's say you want to define a rule in your firewall to let user A in the Users Zone connect to the Web Server B in the Data Centre: the rule will contain the address of A in the Source IP field, the address of B in the Destination IP field, and the Web Service (Protocol=TCP, Destination-Port=80) in the Service field.

It's really funny that a company like McAfee claims to be a Security Vendor while they do not have firewalls in their product portfolio. If I were in their shoes, I would have bought some firewall-only company such as Fortinet, Checkpoint, Stonesoft or even a start-up like Palo Alto Networks.


03 October 2005

Deep Inspection

Deep Inspection is the name of a technology created by NetScreen - acquired by Juniper now - in order to make Firewalls able to look into the Application Layer instead of being limited to the Layer-3 and Layer-4 fields - IP Addresses, Protocol, and Ports. The problem with normal Firewalls was that they were not able to do anything beyond blocking some traffic based on the source and destination addresses and the service used, like HTTP, Mail, Telnet, etc. Some applications like FTP and some Real Time Voice applications use two streams, one for Control and the other for Data, and the Data stream is created dynamically based on information passed in the Control stream, so traditional firewalls were not able to deal with such traffic as they were not able to parse the control stream and open the required ports for the data stream. One more problem was applications like Kazaa, ICQ, MSN, and Shareaza that use the same ports as other applications, e.g. HTTP and DNS. So the firewalls were required to look into the Application Layer in order to differentiate between these different applications and take actions based on that. That's why Deep Inspection (DI) and Application Layer Gateway (ALG) technologies were created. One of the main advantages of Deep Inspection on NetScreen firewalls is that you can add some signatures and take an action - Drop or Close the Connection - when the traffic matches them. This makes firewalls inherit some of the Intrusion Detection capabilities and adds an extra layer of security to your network perimeter.
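The FTP control/data problem described here (and in the UTM post above) is what an Application Layer Gateway solves by parsing the control stream. The following is an added illustration, not NetScreen's implementation: it reads the client's PORT command or the server's 227 passive reply, derives the dynamic data connection, and only opens a pinhole back to the endpoint that asked for it, on an unprivileged port. The addresses and FTP lines are constructed.

```python
import re
from typing import Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by the FTP PORT command and the "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the comma-separated address/port form; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(o) for o in fields[:4]), fields[4] * 256 + fields[5]

def ftp_pinhole(client_ip: str, server_ip: str, sender: str, line: str):
    """Return (src_ip, dst_ip, dst_port) the firewall should temporarily permit, or None.
    sender is 'client' for a command on the control stream, 'server' for a reply."""
    hp = None
    if sender == "client" and line.upper().startswith("PORT "):
        hp = parse_hostport(line[5:])
        owner, peer = client_ip, server_ip        # active mode: server dials the client
    elif sender == "server" and line.startswith("227 "):
        hp = parse_hostport(line)
        owner, peer = server_ip, client_ip        # passive mode: client dials the server
    if hp is None:
        return None
    addr, port = hp
    # Refuse to open a hole towards a third host or a privileged port: the advertised
    # address must be the control-session endpoint that announced it.
    if addr != owner or port < 1024:
        return None
    return (peer, addr, port)

def demo() -> dict:
    c, s = "10.0.0.10", "10.0.0.2"   # constructed client and server addresses
    return {
        "active": ftp_pinhole(c, s, "client", "PORT 10,0,0,10,200,5"),
        "passive": ftp_pinhole(c, s, "server", "227 Entering Passive Mode (10,0,0,2,195,80)"),
        "third_party": ftp_pinhole(c, s, "client", "PORT 192,168,1,1,200,5"),
        "low_port": ftp_pinhole(c, s, "client", "PORT 10,0,0,10,0,25"),
        "not_ftp_data": ftp_pinhole(c, s, "client", "USER anonymous"),
    }
```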


26 September 2005

Basic NetScreen Firewall Configuration

Juniper NetScreen firewalls are among the most popular when it comes to high-end firewalls. They are installed in major ISPs and Large Data Centers worldwide. So here is a basic intro to configuring a NetScreen firewall.

You first need a console; the default username and password are "netscreen"/"netscreen". Then you have to determine whether you are going to install it in Layer-II or Layer-III mode. We are going to consider the Layer-II (Transparent) mode configuration.

First, put all the interfaces in Layer-II zones (V1-Trust, V1-Untrust, V1-DMZ):
set interface [interface-name] zone [zone-name]
Eg. set interface e1 zone V1-Trust
Then configure an IP address on the VLAN1 interface (the management interface in the case of Transparent mode operation):
set interface vlan1 ip [ip-address]/[subnet-mask]
Eg. set interface vlan1 ip 10.0.0.1/24
Now, after adding the interfaces to the different zones, there must be policies in order to allow traffic to cross between them. Policies are how you decide who is allowed to communicate with whom, and with which TCP/UDP services:
set policy from [source-zone] to [destination-zone] [src-ip] [dst-ip] [service] {permit|deny} [log]
Eg. set policy from V1-Trust to V1-Untrust 10.0.0.10 10.0.0.2 FTP permit
Network Configuration
PC1: 10.0.0.10/24 (V1-Trust)
PC2: 10.0.0.2/24 (V1-Untrust)
VLAN1: 10.0.0.1/24

[PC1]------------[Firewall]------------[PC2]

Notes:
  1. In Transparent mode the firewall acts as a bridge in the way the traffic is forwarded, so it is normal for the hosts connected to the different interfaces to have IP addresses from the same subnet.
  2. The default behavior of the firewall is to block traffic between different zones, so you have to create policies in order to pass traffic. However, this default can be changed.