The humble firewall has come a long way since the packet-filtering days of yore. The first firewalls were developed by the Digital Equipment Corporation (DEC) back in the late 1980s.
These early firewalls operated mainly on the first four layers of the Open Systems Interconnection (OSI) model, intercepting traffic on the wire and inspecting the properties of every individual packet to determine if they matched a configured set of rules (source and destination address and port numbers, for example). These packets would then either be dropped or forwarded as appropriate.
This method of traffic inspection, while rapid, was soon found to be unnecessarily resource-intensive and led directly to the introduction of circuit-level firewalls, later known as “stateful” firewalls, pioneered by Check Point Software Technologies.
This “first” next-generation of firewalls looked deeper into the transport layer headers and maintained a table of currently active connections allowing the “state” of a connection (new, active, non-existent) to be used as a part of the rule-set. The introduction of the stateful firewall led to the packet-filtering firewall, somewhat melancholically, becoming known as stateless.
The new next-generation firewall
Firewall development did not take a breather between then and the next-generation firewall of today. In fact, the ride from there to here has been largely organic – developments in firewall technology, intrusion detection and prevention, and user or content management have all been assimilated into the unified threat management (UTM) platform of today.
Application-level firewalls took an important leap forward with the release of the first open source firewall, Firewall Toolkit (FWTK) by Trusted Information Systems in 1993, although layer 7 firewalling was again pioneered by DEC, with SEAL the first firewall “product” in 1991.
This third generation of firewall technology pushed packet inspection all the way up to the application layer (layer 7). This meant that not only the information pertaining to connection and connection state could be incorporated into a rule-set, but also information relating to the operations being carried out under an individual protocol, for example allowing a GET request over HTTP, but denying a POST.
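As an added illustration (not code from the article or any product it names), the following Python sketch runs the same constructed packets through the three firewall generations described above: a stateless filter that sees only header fields, a stateful filter that consults a connection table, and an application-level filter that also parses the HTTP method. The addresses, ports and request lines are constructed sample values.

```python
from dataclasses import dataclass

# Constructed packet model holding only the fields each generation inspects.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: the first packet of a new connection
    payload: str = ""   # application data, here a constructed HTTP request line

# Generation 1: stateless packet filter. Each packet is judged on its own
# addresses and ports; nothing is remembered between packets.
def stateless_filter(pkt: Packet) -> str:
    return "forward" if pkt.dst == "10.0.0.5" and pkt.dport == 80 else "drop"

# Generation 2: stateful filter. A table records flows opened through the
# rule-set, so later packets are judged on connection state (new / active /
# non-existent) rather than on headers alone.
class StatefulFirewall:
    def __init__(self) -> None:
        self.table: set = set()

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:                               # active flow
            return "forward"
        if pkt.syn and stateless_filter(pkt) == "forward":  # new flow
            self.table.add(key)
            return "forward"
        return "drop"                                       # non-existent

# Generation 3: application-level filter. On top of connection state it parses
# the protocol operation, e.g. allowing GET but denying POST.
class ApplicationFirewall(StatefulFirewall):
    ALLOWED_METHODS = {"GET"}

    def inspect(self, pkt: Packet) -> str:
        if super().inspect(pkt) != "forward":
            return "drop"
        if not pkt.payload:                    # handshake packet, no HTTP yet
            return "forward"
        method = pkt.payload.split(" ", 1)[0]
        return "forward" if method in self.ALLOWED_METHODS else "drop"

# Constructed sample traffic: a handshake, a GET, a POST on the same flow, and
# a "stray" GET from a host that never completed a handshake.
SYN = Packet("192.0.2.10", 40000, "10.0.0.5", 80, syn=True)
GET = Packet("192.0.2.10", 40000, "10.0.0.5", 80, payload="GET /index.html HTTP/1.1")
POST = Packet("192.0.2.10", 40000, "10.0.0.5", 80, payload="POST /upload HTTP/1.1")
STRAY = Packet("192.0.2.99", 50000, "10.0.0.5", 80, payload="GET / HTTP/1.1")

def demo() -> dict:
    fw = ApplicationFirewall()
    return {name: fw.inspect(p) for name, p in
            [("syn", SYN), ("get", GET), ("post", POST), ("stray", STRAY)]}
```

The stateless filter forwards the stray GET because it matches on destination and port alone; the stateful layer drops it for lacking an open flow, and only the application-level layer distinguishes the GET from the POST.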
TIS commercialised FWTK as Gauntlet Firewall, a product I had the pleasure of working on. Gauntlet Firewall was perhaps the first commercially available next-generation firewall, eventually incorporating user authentication, anti-malware, URL filtering and application-level firewalling with customisable application proxies – and all this more than a decade ago.
Layered security is here to stay
While many security professionals will argue that the network and perimeter firewall is simply an economic solution to poor security practice, that of ineffective host security, there is no denying that economics remain a key business driver. It is true that the advent of virtualisation and cloud has revolutionised network infrastructure, but it has not entirely negated the need for strong border controls within privileged environments. The layered security model is not going away any time soon.
For these reasons we see the continued evolution into the next-generation firewall in today’s terms. These latest offerings incorporate formerly discrete technologies, such as network intrusion prevention, deep-packet inspection, user authentication and more, into a high-performance hardware platform.
The only problem we are left with when it comes to next-generation firewalls is, what do we call the subsequent evolutions?
Rik Ferguson is director of security research and communication at Trend Micro
This was first published in July 2012