Second line of defense: Distributed firewalls

Network World Fusion

June 6, 2000
Web posted at: 10:34 a.m. EDT (1434 GMT)

(IDG) -- The firewall has traditionally served as the sentry between the outside world of the Internet and the internal corporate network. But the next generation of firewalls will be inside the corporate network's perimeter on Web servers, PCs, modems and silicon chips.

They're known as distributed firewalls, and they're the next line of defense against hackers who breach traditional firewalls guarding the edge of corporate networks by exploiting open firewall ports as well as e-mail servers.

Distributed firewalls, still in their infancy in terms of reporting, configuration and management capabilities, are gaining more attention. However, there's much debate among security vendors and analysts on their intrinsic value.

Added firepower

Network managers tend to see distributed firewalls as added firepower against an implacable foe, the hacker.

"It's a dual protection," says Rick Shantery, senior network engineer at Intellinetics, a document management firm in Columbus, Ohio. He added CyberWallPlus embedded firewall software, a product from Network-1 Security Solutions, to his internal servers after he reached the painful conclusion that hackers occasionally made it through the WebRamp Internet access and firewall box Intellinetics uses.


"I could see from the log data they were coming in," he says. "These deliberate hack attacks happen daily, along with SYN floods. If they make it through, the embedded firewall in the server is there to stop them. You don't really have to have the perimeter firewall."

However, many would argue that point.

"The perimeter firewall is a necessity," says Raphael Reich, product marketing manager at Check Point Software, which has augmented its Network-1 perimeter firewall line with two types of distributed firewall software. The first is Secure Server software, which is a distributed firewall for Windows NT or Unix; the second is Secure Client, a desktop firewall.

"The perimeter firewall doesn't protect you from the bad guys inside the network," Reich says. "But people should not be replacing perimeter firewalls with distributed ones."

Drawbacks to the conventional firewall have been given greater scrutiny of late by some of the top firewall experts.

In the paper "Distributed Firewalls," Steven Bellovin, an AT&T Labs researcher and author of the classic "Firewalls and Internet Security," casts a critical eye on the traditional DMZ-style firewall guarding the Internet zone. He calls such firewalls network chokepoints that do little to stop inside attacks.

"On the other hand, distributed firewalls can reduce the threat of actual attacks by insiders, simply by making it easier to set up smaller groups of users. Thus, one can restrict access to a file server to only those who need it, rather than letting anyone inside the company pound on it," Bellovin states in his paper.

In Bellovin's view, the distributed firewall on servers and desktops should provide a mechanism for policy control administered through systems management tools, augmented with intrusion detection and, preferably, IP Security-based encryption.
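The two-layer model the article describes, a perimeter firewall with host firewalls behind it that are driven by a centrally administered policy table, can be shown in a few dozen lines. The following toy policy evaluator is an added illustration, not code from the article, from Bellovin's paper or from any vendor mentioned; all addresses, subnets and rules in it are constructed sample data. It models both situations the article raises: an Internet host reaching an internal server through a perimeter port that was left open, where the host firewall on the target is the second line of defense, and an insider on the internal network who never crosses the perimeter at all and is stopped only by the file server's own policy.

```python
"""Toy model of a perimeter firewall plus distributed (host) firewalls.

Added illustration, not code from the article or any vendor product.
Every address, network and rule below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CORP_NET = ip_network("10.0.0.0/8")  # constructed: the internal corporate network


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; traffic matching no rule gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Edge firewall. It only ever sees traffic crossing the perimeter. Constructed
# sample: the web server 10.0.0.10 is reachable from anywhere on any port (the
# kind of "open firewall port" the article mentions); other inbound traffic is
# dropped, and anything originating inside may leave.
PERIMETER_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.0.10/32"),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0"),
]

# Central policy table, one rule list per protected host, as a management tool
# would push it to the host firewalls (Bellovin's model). Constructed sample.
HOST_POLICIES = {
    # web server: only HTTP and HTTPS, whatever the edge happens to let through
    "10.0.0.10": [
        Rule("allow", "0.0.0.0/0", "10.0.0.10/32", 80),
        Rule("allow", "0.0.0.0/0", "10.0.0.10/32", 443),
    ],
    # file server: SMB only from the small group of hosts that need it
    "10.0.0.20": [
        Rule("allow", "10.0.1.0/28", "10.0.0.20/32", 445),
    ],
}


def crosses_perimeter(pkt: Packet) -> bool:
    """True when exactly one endpoint is inside the corporate network."""
    return (ip_address(pkt.src) in CORP_NET) != (ip_address(pkt.dst) in CORP_NET)


def decide(pkt: Packet):
    """Return (verdict, layer): which firewall layer produced the verdict.

    Internal-to-internal traffic never touches the perimeter, so an insider is
    judged only by the destination host's own policy.
    """
    if crosses_perimeter(pkt) and evaluate(PERIMETER_RULES, pkt) == "deny":
        return ("deny", "perimeter")
    host_rules = HOST_POLICIES.get(pkt.dst)
    if host_rules is None:
        return ("allow", "none")  # host with no distributed firewall installed
    return (evaluate(host_rules, pkt), "host")


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.0.20", 445),  # Internet -> file server
        Packet("203.0.113.5", "10.0.0.10", 3389),  # Internet -> web server, open edge port
        Packet("10.0.2.7", "10.0.0.20", 445),      # insider outside the allowed group
        Packet("10.0.1.5", "10.0.0.20", 445),      # member of the allowed group
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, decide(p))
```

Running the script prints one verdict per constructed packet: the Internet host is stopped at the perimeter when aiming at the file server, but reaches the web server on port 3389 through the permissive edge rule and is stopped only by the web server's host policy; the insider on 10.0.2.7 never meets the perimeter and is denied by the file server's policy, while 10.0.1.5 is allowed.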

Falling short

However, the products available today fall far short of that vision. Network-1 CEO Avi Fogel acknowledges the CyberWallPlus line for server and desktop firewalls has no reporting capability. Check Point's personal desktop firewall also can't be reconfigured. "Today, it's one policy for all," says Greg Smith, Check Point's director of marketing.

Axent Technologies, which markets the Raptor perimeter firewall, has had a personal desktop firewall out for about three months. There's no central way to manage it, though that's expected to change in a future release.

Some security vendors have mixed feelings about distributed firewalls.

Network Associates bought the company Signal 9 six months ago for the firm's personal desktop firewall, and the company is now adding alerting and reporting to it so the next release will be an integrated intrusion-detection, firewall and VPN product.

But Mark McArdle, a vice president in Network Associates' managed security services division, questions the value of running firewall software directly on the Web server. The traditional method involves placing a firewall on a separate box in front of the server for departmental LANs or at the perimeter.

"Applications on servers are usually managed by different people than the ones who manage firewalls," McArdle says. "Application servers tend to be changed with a little more of a cavalier attitude, which could affect the firewall on it."

In addition, having the firewall on the server rather than in front of the box might make it harder to filter attacks.

John Pescatore, research director for network security at the Gartner Group consultancy, concurs.

"The problem is the Webmasters control the Web server," Pescatore says, noting that when they make wholesale changes, it could destroy the efficacy of the firewall software on it. "There's no chance firewall software will survive on the server. Web server firewalls won't be widely used."

Pescatore is bullish on the idea of embedding firewalls in silicon, something that Secure Computing is undertaking with 3Com in the Typhoon network processor and WatchGuard is trying to do by licensing its Firechip silicon for modems. Hardware will support faster packet processing than software, he says.

Expressing a view shared by many others, Pescatore doesn't advise ditching the perimeter firewall for host-based firewalls.

Framingham, Mass., market research firm IDC says approximately $1 billion worth of firewall gear was sold worldwide last year. The organization notes that demand for personal firewalls will increase as more corporations adopt DSL and cable modem connections for branch offices and telecommuters.

With these high-speed services always "on," end users' computers are more vulnerable to port scans and attacks. But some observers believe hardware-based firewall appliances, perhaps embedded in modems, may trump host-based software firewalls because they can be better managed at present and provide better protection.

There's one point nobody seems to debate: Corporations will likely spend more money to fortify their networks with the new generation of distributed firewalls.

"It does cost more money than just having a perimeter firewall," Intellinetics' Shantery says.

© 2001 Cable News Network. All Rights Reserved.