Firewalls emerged during the Internet's hypergrowth a
decade ago. At the time, corporations wanted to keep outsiders from
accessing their enterprise networks, and the easiest way to do that
was to construct a
demilitarised zone around the
perimeter of their networks. As networks have evolved, the goal
of keeping outsiders away from corporate data has remained the
same, but figuring out the best way to do that has
not.
Currently, security professionals find themselves with plenty of
configuration options, said Jon Oltsik, a senior analyst with
market research firm Enterprise Strategy Group.
"Companies know they need to deploy firewall functionality, but
where they station it and what capabilities the firewall includes
has become harder to determine," Oltsik said.
One reason for the change is a shift in the design of security
products: vendors have moved from a central to a distributed
architecture. Another factor is the blurring of the lines once
drawn among security products. The last element, the user profile,
has changed dramatically. The net result is that companies need to
spend more time and effort determining how to design and deploy
firewalls.
Traditionally, enterprises had few choices with their firewalls.
The devices had a hierarchical design, so companies positioned them
either at the network entrance or in the corporate data center. The
pluses of this approach are that it is easy to manage and provides
a uniform security posture across an enterprise. However, if every
packet the firewall handles must pass through a central location,
then throughput is limited by the speed and processing power of
that device's processor. Consequently, performance bottlenecks can
arise.
Recently, vendors added distributed processing options to their
products. They have been pushing the processing functions out to
the network edge or into the network core. This change offers
companies more design flexibility. Security professionals can
station firewall functionality at the wiring closet, the network
edge, the core, or the data center.
This approach has its advantages. Processing is done by a number
of different pieces of hardware. As firewall functions become more
distributed (and in some cases are pushed down to every port in a
switch), the overall capacity of switches and routers increases and
every port is fully secured. The downside is that these devices
become more difficult to manage, a challenge that vendors are
trying to overcome by providing more automation with their
products.
In addition to location flexibility, the new design enables
companies to configure their firewalls in a more granular manner,
said Eric Maiwald, a senior analyst at Midvale, Utah-based Burton
Group.
"Most firewalls now include features so they can examine
transmissions at the application level rather than at the network
level," Maiwald said. As a result, enterprises can guard their
human resources data, finance, or engineering applications more
closely than Microsoft PowerPoint data.
This change also helps companies cope with another networking
evolution. The demarcation line between enterprise users and
outsiders has become murkier. Initially, companies wanted to
restrict network access from all non-employees. Now, they regularly
invite customers and clients into their networks. A plus with
firewalls' newfound granularity is that companies can sequester
guest networks and make sure that these transactions do not
negatively impact corporate data.
Because firewalls now examine application level data, they are
also able to aid, or even assimilate, other security functions,
Oltsik said.
"Corporations are integrating functions, such as IDS (Intrusion
Detection System) and spam filtering traffic, into their
firewalls," he said.
Consequently, the dividing lines between discrete security
products are becoming murky – one trend behind growing interest in
Unified Threat Management systems, which bundle all security
functions in a single system.
Because of recent technical advances, companies now have more
options than ever in deploying their firewalls. But the demarcation
lines between corporate networks and outsiders, which were once
straight and easy to draw, have become jagged and difficult to
discern. As firewalls have become more flexible, their deployment
has become more time consuming.