Firewalls

Symantec and Juniper: A Tale of Two Drunks

One of my most treasured memories from college was the time my buddy Alex and I went to a fraternity rush event where they were serving Tom Collins. Lots of Tom Collins. Neither one of us could make it back to the dorm on our own, so we basically leaned on each other, took one ginger step at a time, and made it back in one piece. We were literally two drunks holding each other up and remain very close friends 20 years later. To this day I cannot drink Gin.

I get the same feeling looking at the Symantec/Juniper announcement this morning (here). I can imagine Scott Kriens of Juniper and John Thompson of Symantec meeting at one of those cocktail parties where your personal net worth needs to be in the 9 figure range to get in, and one goes to the other: "Hey, you're not Cisco! We should do something together."

I'm not sure how much wine they each had at that fateful party, but this is clearly two vendors who are not Cisco trying to prop each other up.

On the surface, I'm not as negative as Stiennon on this deal (here), but I think the impact will be largely at the product level and transparent to customers. Juniper gets to build in some of Symantec's "intelligence" into their perimeter network security gear. Symantec gets to reference sell a legitimate perimeter platform.

I do agree with Richard that this is clearly a reactive deal driven by the fact that Cisco has a better story, bigger channels, and more momentum in the security space. Neither could do an outright acquisition, so this is what they are left with. I concur that the channel stuff is going to be hard to navigate, especially for the Juniper folks, who don't really understand the enterprise and don't really understand security either (many of their Netscreen folks have left).

But adding Symantec's anti-spam, IPS signatures, and vulnerability research to Juniper's products will make them better and I think it will actually happen. Why wouldn't Juniper do this, given they are pretty much irrelevant in the IPS space and don't really have a compelling UTM platform? They've got nothing to lose.

And Symantec gets access to a legitimate perimeter security platform. After killing their own platform a few months back, this is the other piece of the puzzle they couldn't answer back then. Clearly they couldn't abandon the market, but they also didn't want to continue investing in a non-competitive platform. This solves those problems IF (and that is a huge IF) they can execute, which certainly hasn't been Symantec's forte of late.

So I would be positive on this deal if it involved money changing hands. Or an asset transfer (like SYMC bought the Netscreen business). Or anything besides a press release in a purple suit. But it doesn't, so I'm negative and skeptical.

But clearly both Kriens and Thompson now can proudly display their ABC (anyone but Cisco) membership cards. That's what this is all about.


EAC Blog: Thinking positively about security

Submitted by Mike Rothman on Tue, 2006-08-01 16:59.
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 13. Link here.
Over the past week or so, I hope you've gotten a feel that I'm not really a touchy-feely type of guy. And I need to work hard to be optimistic about things because I'm wired to find problems and try to figure out solutions. It makes my wife crazy ("Can't you ever just be happy?!?!"), but that trait also makes me well suited to being an analyst.

But this isn't about optimism or even pessimism; it's about securing your networks and critical information assets. If something goes down, the only touchy-feely you are going to get is a boot on your backside. Wishing your network is secure doesn't help either. As my father-in-law says, "If you hope, you are a dope." I tend to use the "hope is not a strategy" cliché more than I would prefer. The fact remains: you are either a hero or a goat, depending on whether the myriad of attacks you see every day are successful.

To be clear, I'm not talking about thinking positively here (though I heard it does help, maybe I should try it someday), I'm talking about acting positively. And in a security context, that means only allowing the stuff you specifically want to run on your network, and blocking everything else.

You can first start this on your perimeter. Basically, your access router shouldn't allow anything unless you specifically decide it should. This technique is called "default-deny." Depending on what you have running, that probably means SMTP and HTTP at a minimum. Maybe a few other protocols as well, but nothing else. Shut it down. If you block stuff before it even gets to your network, you are much better off.

Same deal goes for your firewall. Take a look at what is probably a panoply of firewall rules that may not even be relevant anymore. Have you compared what you are allowing and blocking to the router? Make sure every rule in there is for a VERY good reason and that the firewall and router configurations are in sync. Don't take chances by leaving your perimeter sloppy.

Unfortunately, with more and more applications looking like HTTP and coming in over port 80, this technique is not as effective as it used to be. That's why we need stuff like intrusion prevention, deep packet inspection, and anomaly detection to ensure that port 80 traffic isn't malicious. But doing this little stuff on your existing firewall and router is still effective and will make a difference.

Next, let's look at the desktops (or laptops, as it may be) that access your network. Lots of folks get compromised because their employees surf to a bad site (either through phishing or pharming). They can also contract something in a coffee shop, which they so kindly proliferate through your network upon their return.

What you are looking for here is a strong, positive endpoint security posture. Basically, malware infects a machine by running executables that compromise the machine, turn off its defenses and then spread to other devices. If you use the trusty old "default-deny" approach, specifying which applications you allow to run on your devices, the malware has a hard time spreading.

Of course, this technique can be controversial, especially if you decide that iTunes is not an authorized application. And it's not foolproof -- nothing is. But I've seen this approach be very successful in stopping the contraction and spread of malware.

So the next time someone tells you to think positive, you can say with a straight face that you always do. Maybe smile for good nature and say "Kumbaya!" It'll make everyone feel better.

Perimeter defense - Tastes like chicken!

Submitted by Mike Rothman on Tue, 2006-06-13 15:01.
I was intrigued by Alan Shimel's post this AM (link here) about the inevitable morphing of IDS/IPS into something else. The metaphor he uses is the dinosaurs evolving into birds. I thought dinosaurs were extinct, but that's why I studied engineering and not history in school. Speaking of dinosaur birds, how cool is Rodan? Alan, does your 4-year-old grok Rodan yet? Man, sometimes I'm a total tool.

Back to the point. Alan uses the post to seemingly poke at some of the vendors that are now chasing sexier terms like UTM and NAC. Sure, there are quite a few struggling IPS vendors that are trying to reposition in the NAC space. That's not news, nor is it interesting. You'll always have those ankle biters chasing the next best thing hoping to hit the Cisco, Symantec or McAfee acquisition lottery. So aside from the stupid vendor marketing tricks, there is actual technology evolution happening here, which is both predictable and inevitable. At some point pretty much every technology hits the commodity curve. That happens when volumes go up, and in the IDS/IPS space we are seeing volumes (or my contacts are at least).

Why? Because IDS/IPS is not sexy anymore. It's mature. It's stable. The channel knows how to sell it and implement it. It's low risk. We can certainly argue whether it does anything or not, but that's not the point. Customers THINK it does something, so they are buying it. I've got lots of contacts in the channel and end user community and IDS/IPS is on main street (in Geoffrey Moore's parlance). TippingPoint is keeping 3Com afloat, Sourcefire continues to grow rapidly and ISS is holding its own. It's largely because the unsophisticated masses are now buying IDS/IPS.

I don't think about markets in terms of HOW, I think in terms of WHAT. Huh? IDS/IPS, firewalls, network anomaly detection, email security and probably 10 other things are HOW's to me. How you do something. I like to examine the WHAT. You are protecting your perimeter - that's WHAT. I don't much care how you protect your perimeter, but you need to protect it. There are lots of ways to skin the cat. The right approach will have everything to do with what your environment needs, not what arbitrary category a vendor's product is placed at some point in time.

I had an Incite at the beginning of the year called "Losing the Religion" (link here) and this is further confirmation of that path. UTM is all about using the right technique to block different attacks, while hopefully giving customers some management leverage. Of course the IDS/IPS vendors are going there because customers want them to. Only the big of the big can afford to support all sorts of different functions on different boxes with different management (see No mas box). The great unwashed want the IDS/IPS built into something bigger and simpler.

We are seeing the natural order of things. Getting back to Alan's bird metaphor - you've got lots of different birds and customers want something that tastes like chicken. It could be a Cornish hen or a turkey, but it better resemble poultry.

The second part of Alan's post is about Sourcefire basically focusing on post-admission control. It seems his biggest problem is that Sourcefire's RNA doesn't do pre-admission control. Yes, Alan sells pre-admission control, so he has strong feelings about its usefulness and you know on what side of the fence he's going to end up. But customers shouldn't be playing favorites. At some point, you'll need both.

Pre-admission only solves half the problem. What happens if a machine is compromised AFTER it is admitted to the network? Likewise, post-admission doesn't prevent a compromised or foreign attacker from doing damage until it is picked up by the passive monitoring approach and quarantined. So neither solves the entirety of the problem: how do you make sure only the right devices get onto the network, and then that they do the right stuff once they are connected?

Over time the question becomes WHERE you perform these functions. My bet is that you do pre-admission control on an access gateway. Maybe an SSL VPN box on steroids to handle LAN speeds. Maybe on access points that terminate in-building wireless networks and public meeting spaces.

I think you do post-admission control in the network fabric. Initially you need to passively monitor traffic and centralize decision making, but over time (like 5-7 years) as more intelligence and capability makes its way into the wiring closet then you will actively enforce local policies in the closet and have a passive "overlord" watching everything to ensure network integrity and enterprise policy compliance.

It's a compelling vision and we are a long way off, but that's one guy's vote on how things shake out.

Policy makes migration hard

Submitted by Mike Rothman on Mon, 2006-05-22 15:17.

Following up on my NetworkWorld column (link), I want to dispel the notion that changing equipment is easy. Well, it actually can be easy, but we'll get to that. The word of the week is still evolution, not revolution. Whether you are talking about a LAN switch, a gateway firewall, content filtering, IDS/IPS, pretty much anything - your switching costs are DIRECTLY correlated to the number of policies you've deployed on the box.

Let's use a very simple example to illuminate my point. You see, I could go down to Best Buy and get another wireless AP (I've actually been eyeing a new MIMO model), and within 10 minutes I'd have it installed and ready to go in my home network. Yes, it's that easy - why? Because I don't do anything fancy. No specific policies. No special applications that I need to manually configure. No nothing. For the most part, I do out of the box stuff. So there is no switching cost. Without policies, migration is easy. But that's not most people.

Most enterprises spend years getting their content filtering rules (or anti-spam defenses) tuned enough to block the bad stuff and let through the good. There are usually hundreds of custom firewall rules implemented for a sophisticated user. Rules that make the firewall do its job without impacting the availability of key applications. Reading a recent NWW article about the topic makes it very clear.

Sure, it's cheaper in a lot of cases to buy a new box than to renew the existing firewall maintenance. But it's a lot harder. Writing a check is easy; building all of those policies again on new hardware is hard. Which one do you think wins, pretty much every time?

One of the things that did make me scratch my head in the article was the frustration that vendors have not introduced migration tools. I hadn't really thought of that too much, but as markets mature and aggressive upstarts (or bigger companies trying to gain market share) look to steal share, these kinds of migration tools become invaluable. Remember Microsoft was able to read in the Novell Directory (this was before LDAP made these tools obsolete)? It was pretty much game over soon after that. It made a huge difference to customers to ease the pain of moving to a new environment.

I can tell you when I was in the anti-spam business that we routinely ran into customers that were married to their ClearSwift (formerly MIMEsweeper) content filtering products. Sure the company was like the walking dead, the product didn't keep pace and they didn't know much about spam, but their customers had built hundreds of policies into the devices and they didn't want to have to start all over again. I don't recall ever having a discussion about building a little widget to suck ClearSwift rules into the box. That doesn't mean it didn't happen, but I wasn't involved. Maybe we should have.

Now giving the topic some thought, I think it's working out the way it's supposed to. We are benefiting because most of the vendors were just too lazy to build these tools. For security, I believe migration tools are bad. Huh? Didn't I read the article? It took one company a year to migrate all of their rules to protect their 3500 users. First, they are doing something wrong. It shouldn't take that long.

Second, your security rules are kind of like your closet. If you don't go in and throw stuff out every couple of months, it becomes a mess.

When outdated rules are kept in place, you create security exposures. A port that was opened for a two month application initiative needs to be closed when the project is done. If you just blindly pulled your firewall (or IDS or content filtering) policies into the new box, you wouldn't have the discipline to go and prune what needed to be pruned. If you go back in and check those devices, I think you'd be surprised at what policies are still in place.

So it's a pain in the ass, but going through your rule set is worth the effort. And let's be very clear that the more time you spend configuring policies, the more entrenched your security vendor becomes.
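As an added example (not the author's code and not any vendor's tool), here is a small Python audit of a constructed, vendor-neutral rule set that checks the hygiene points from this post and from the "Thinking positively about security" post above: the default action is deny, every allow rule carries a justification, rules opened for a time-boxed project have not outlived it, and the access router and firewall agree on what gets in. The rule format, port choices, rule names and dates are all constructed for the example.

```python
"""Audit a firewall policy and the access router ACL in front of it for
default-deny posture, undocumented rules, expired project rules and
router/firewall drift. Rule model and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp" or "udp"
    port: int
    reason: str = ""                 # business justification; empty means nobody remembers why
    expires: Optional[date] = None   # set when the rule was opened for a time-boxed project


@dataclass
class Policy:
    default_action: str              # fate of traffic that matches no rule
    rules: list


def audit(firewall: Policy, router: Policy, today: date) -> dict:
    """Return hygiene findings keyed by category; empty lists mean clean."""
    findings = {"not_default_deny": [], "no_reason": [], "expired": [], "out_of_sync": []}
    for label, pol in (("firewall", firewall), ("router", router)):
        if pol.default_action != "deny":
            findings["not_default_deny"].append(label)
    for r in firewall.rules:
        if r.action == "allow" and not r.reason.strip():
            findings["no_reason"].append(r.name)          # no "VERY good reason" on file
        if r.expires is not None and r.expires < today:
            findings["expired"].append(r.name)            # project is over, port still open
    # The router should pass exactly what the firewall will accept. Anything it
    # passes that the firewall drops is needless exposure at the edge; anything
    # the firewall expects but the router blocks is a broken application.
    fw_allows = {(r.proto, r.port) for r in firewall.rules if r.action == "allow"}
    rt_allows = {(r.proto, r.port) for r in router.rules if r.action == "allow"}
    for proto, port in sorted(rt_allows - fw_allows):
        findings["out_of_sync"].append(f"router passes {proto}/{port} that the firewall drops")
    for proto, port in sorted(fw_allows - rt_allows):
        findings["out_of_sync"].append(f"firewall allows {proto}/{port} that the router blocks")
    return findings


def prune(policy: Policy, today: date) -> Policy:
    """Drop expired rules and force default-deny instead of carrying the mess onto the next box."""
    kept = [r for r in policy.rules if r.expires is None or r.expires >= today]
    return Policy(default_action="deny", rules=kept)


# Constructed sample: a perimeter that started tidy and drifted.
TODAY = date(2006, 5, 22)            # date of this post, used as "now"
FIREWALL = Policy("deny", [
    Rule("inbound-smtp", "allow", "tcp", 25, reason="mail relay"),
    Rule("public-web", "allow", "tcp", 80, reason="corporate web site"),
    Rule("q1-pilot-app", "allow", "tcp", 8080, reason="Q1 pilot", expires=date(2006, 3, 31)),
    Rule("remote-admin", "allow", "tcp", 3389),             # nobody wrote down why
])
ROUTER = Policy("allow", [           # access router never got its default-deny line
    Rule("smtp", "allow", "tcp", 25, reason="mail"),
    Rule("http", "allow", "tcp", 80, reason="web"),
    Rule("rdp", "allow", "tcp", 3389, reason="admin"),
    Rule("sql", "allow", "tcp", 1433, reason="left over from a vendor demo"),
])

if __name__ == "__main__":
    for category, items in audit(FIREWALL, ROUTER, TODAY).items():
        print(f"{category}: {items or 'clean'}")
    print("firewall rules after pruning:", [r.name for r in prune(FIREWALL, TODAY).rules])
```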


Revisiting the Early Firewall Days

Submitted by Mike Rothman on Fri, 2006-04-21 11:13.
Having to jog my memory to remember the inventor of the firewall got me thinking about the early days of the network security market. As I'm writing this, I'm not exactly sure where it's going to end up. I'm thinking that providing some firewall history will help folks understand today's market dynamics a bit better.

The first thing that is abundantly apparent is that the world is far more complicated today. Way back when, customers had to worry about strong authentication and firewalls. That was about it. I guess you could count mainframe security, but that was more of the data center guys than the network guys that I dealt with daily. Nobody really thought about enterprise security, it was really focused on domains like network and host.

In terms of examining the two spaces, they couldn't be more different. Security Dynamics (now RSA) dominated the authentication space because they had built their agent into every remote access product out there. The other folks (Enigma Logic, LeeMah Datacom) couldn't compete. RSA still enjoys a huge market share position today.

The firewall market was brutal. You had DEC initially, but they couldn't get out of their own way. Then you had Trusted Information Systems, Raptor, Secure Computing, and Check Point trying to get established. So very similar to today, you had a bunch of companies that were chasing the same market, telling roughly the same story and making every deal a blood bath.

So when I say I've seen the movie about today's market dynamics, I'm not kidding. There are more moving pieces and product cycles are a lot faster, but things are roughly the same.

Now TIS was an interesting company. To my knowledge, they were the first company that offered a security product for free over the Internet (the Firewall Toolkit) and then sold a more functional and polished commercial version on top of that. I think a couple of companies have made that model work since then, eh?

Ultimately one company survived the firewall war, and it was Check Point. Why? They had better distribution and marketing. Check Point's approach was different (stateful inspection vs. application proxy) and they played that up. They vilified application proxies as slow and the wrong approach.

At the same time, Check Point nailed down a distribution deal with Sun, so an entry level version of Firewall-1 shipped on every internet server that Sun sold - and that was a lot. Check Point also got very good at getting the Sun direct reps to bundle in the upgraded version as part of the deal. The cost of sales on these deals was minimal, Sun did all the work. That's why Check Point had gross margins like Microsoft and net margins over 50%.

Interestingly enough, Raptor tried a similar deal with Compaq. That went over like a lead balloon. Basically, Compaq didn't sell much of anything - their channel did. Raptor just couldn't get Compaq's channel interested in upgrading the firewall. There were too many other things to do.

Check Point also started OPSEC, their partnership program, positioning their firewall as a platform, not a product. Once they built an ecosystem around their stuff, it was a lot harder for the other guys to compete.

But all of the firewall companies were able to go public and all benefited from the rising tide for a while. Then economic reality set in. Secure Computing used their overvalued currency to acquire a bunch of other companies and then hit the wall big time. They almost went down during the bubble, and ceased to be a firewall player. They are still in the business and even acquired what was left of TIS after the Network Associates deal, but they never regained their luster in the space.

Speaking of TIS, they sold out to Network Associates and then watched as CEO Bill Larsen's dream of a suite of security and management products turned out to be a few years premature. They tried to be big when small was still cool.

Then, of course, a little company called Netscreen started doing a firewall packaged as a secured appliance. I remember meeting with them when they were first launching the company. I couldn't believe what a dumb idea it was. Didn't they realize that Check Point owned the firewall market? Who wants it on a box anyway? Not one of my shining analytical moments.

So what? I ask that question all the time. Who cares about this ancient history? Well, I think every user needs to because history has a way of repeating itself. If you pay attention to the signs and recognize the patterns, you can save yourself a lot of heartburn. Vendors lose their edge, they don't navigate product or market transitions very effectively and many customers are left holding the bag.

Look at your current stable of "key" security vendors. Are you comfortable with their strategy? As big becomes the new small, are they poised to prosper? Are they willing to acquire the right products and partner to build a broader product set? Are they financially stable and have the resources to keep investing ahead of the next threat?

If you are not comfortable with any of the answers to those questions, it's time to start building a contingency plan. You don't need to pull the trigger too early, but you should give some thought to what you'd do if one of your key vendors is acquired or doesn't keep pace with the rate of change.

My Vote for Inventor of the Firewall

Submitted by Mike Rothman on Tue, 2006-04-18 22:03.
I mentioned in a recent Daily Incite how Network World took some editorial liberties in naming Shlomo Kramer, one of the founders of Check Point, as the "inventor of the firewall." In a subsequent TDI, I mentioned how Dave Piscitello called them out on that, mentioning a number of folks who had done research and published papers that seemed awfully "firewall-like."

But now evidently one enterprising chap has voted for Marcus Ranum and Fred Avolio as the inventors during their days at DEC. I concur since this is my recollection as well.

I'm sure you are wondering how I would remember something like that from over 12 years ago, when I can hardly remember what I had for breakfast this morning. I tend to remember pricing and I distinctly remember being appalled when one of my clients at META Group called up asking what I thought of the DEC SEAL security device and whether it was worth $50,000.

$50,000 for a what? Of course, this was when the Internet was being referred to as the "Information Superhighway." Well before Internet access was ubiquitous. That was the first time I had heard of a "firewall." I had to get smart pretty fast on what it was and what it did.

So, I'll also cast my vote for Ranum and Avolio.

That being said, if the contest was to decide the inventor of the stateful inspection firewall, then it is indeed Shlomo, Gil Shwed and Marius Nacht of Check Point. These guys would also win the award for creating personal net worth from the network security market.

Another One Bites the Dust

Submitted by Mike Rothman on Thu, 2006-01-12 18:04.

Secure Computing completes its acquisition of CyberGuard. Read the release.

This is all about consolidation of market share. Secure gains both in the firewall/VPN and web filtering markets. Secure also gets a bit more activity on low end.

It really doesn't make sense to support two lines of either firewalls or web filtering over time. Expect Secure to move to migrate CyberGuard customers to their platforms sooner rather than later. Don't believe the kumbaya press release jargon, "we're going to take the best of both product lines and integrate." Blah blah blah. Economically, it doesn't make sense. Why force ALL of the customers to migrate when only half of them would need to? Pick a platform, communicate that to customers with a strong (and economically attractive) migration plan and move on.

For CyberGuard customers, this is a good opportunity to revisit your perimeter strategy since you are likely going to need to move platforms anyway. Call your rep (or VAR) and demand to understand the roadmap and how much investment your product is going to receive moving forward. If they can't give you a definitive answer within 30 days, get very worried. At a minimum, bring a couple of vendors in to see if you can squeeze Secure on the maintenance renewal.

There is also going to be some consolidation of VARs, so CyberGuard VARs will need to figure out if they want to add Secure to the mix or not.

It also wouldn't be surprising to see some of the companies on the low end (you listening, SonicWALL and WatchGuard?) aggressively courting CyberGuard customers, since uncertainty around M&A is the best breeding ground for vendor swap-outs.