News

Firewall Threats Shifting Up the Stack

• By William Jackson
• 09/28/2009

Networking threats are migrating from the network perimeter to the interior and up the networking stack, often making older firewall technologies and policies inadequate. The National Institute of Standards and Technology (NIST) has updated its guidelines for firewalls to reflect these changes.

Special Publication 800-41 Revision 1 (PDF), "Guidelines on Firewalls and Firewall Policy," updates the original publication released in 2002. It provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based and personal firewalls.

"At one time, most firewalls were deployed at network perimeters," the guide says. "This provided some measure of protection for internal hosts, but it could not recognize all instances and forms of attack, and attacks sent from one internal host to another often do not pass through network firewalls."

The growing recognition of threats originating and spreading from inside the network has shifted the use of firewalls. "Because of these and other factors, network designers now often include firewall functionality at places other than the network perimeter to provide an additional layer of security, as well as to protect mobile devices that are placed directly onto external networks."

The types of threats firewalls are protecting against have changed, as well.

"Threats have gradually moved from being most prevalent in lower layers of network traffic to the application layer, which has reduced the general effectiveness of firewalls in stopping threats carried through network communications," the guidelines say.

The TCP-IP networking stack goes from the Application Layer at the top through the Transport Layer and the IP or Network Layer, to the Hardware or Data Link Layer at the bottom. Basic firewalls typically operated at the lower layers, but new firewalls now can operate at all four layers. The ability to work the application layer can provide more protection against threats at the application layer and provide services such as identification of specific users to help enforce authentication requirements and log user-specific events.

"However, firewalls are still needed to stop the significant threats that continue to work at lower layers of network traffic," the guide says.

Updated recommendations for firewall implementation include:

• Creating a firewall policy that specifies how firewalls should handle network traffic. Policies for handling inbound and outbound traffic should be based on the specific security requirements, based on risk analysis.
  
  
• Identifying all requirements that should be considered when determining which firewall to implement. Organizations need to determine which network areas will be protected by firewalls and what technology is needed. Firewalls must be matched to existing network and security infrastructures.
  
  
• Creating rule sets that implement the organization's firewall policy while supporting firewall performance. Rule sets should be as specific as possible and be based on the types of traffic needed on a particular network.
  
  
• Managing firewall architectures, policies, software and other components throughout the life of the firewall solutions. Policy rules need to be updated as the organization's requirements change and when the network and the applications it supports change. Firewall software should be patched as updates are provided.