The very first order which Netzary Infodynamics bagged about a decade back was to set up a secure network for a manufacturer, with a prime focus on ensuring that their data did not get stolen. We set up a mail server on Postfix and created a web app where you could add a bunch of rules on how the email server should work, and on who could send and receive emails (and how). We then ended up writing a Django front end to Shorewall, where you could manage Shorewall with a simple UI. At that specific point in time, no firewall was available for less than Rs 70,000 plus taxes, and we started productizing our firewall (in fact Netzary was the name of the product). The company was named after that product later.

Ours was at best a Stateless firewall. It neatly wrote the Shorewall configurations, allowed a number of rules (with permutations and combinations), recompiled IP filters and ensured the bare minimum security which the customer wanted: rules such as no Internet connection on certain desktops, Internet access on demand approved by the admin, and so on. We added a web management console to the popular web proxy Squid, then added OpenVPN, Snort and ClamAV to our arsenal. One of our resourceful friends organized a dual-Ethernet Atom processor based board and a cute little chassis, and we had a base machine for Rs 15,000. We added another Rs 15,000 and priced our product at Rs 30,000. We marketed it as a Universal Threat Management Device (UTM). We also added a complex rule based email system, which included some secret BCC mails being forwarded to the bosses. The kind of stuff which would put us and the customer into trouble with modern privacy laws.

In the next 2 or 3 years we sold a dozen-odd of these boxes and installed the base software combination for a few more customers. My design skills were very poor, the UX/UI lacked any appeal, and despite an overhaul by a professional designer we could not find any more buyers.
But the real reason was that by that time every manufacturer was shipping stateful firewalls: firewalls that do deep inspection of packets, rather than merely reading the headers, which is what IP filters do (and do pretty well).
If we had to compete with them, we would have to build strong engineering skills: move away from Python, the only language where I could claim some understanding, and do at least a portion of the coding in a low level language such as C or C++. We applied for some funding, but could not generate any interest, and in 2014 we scrapped the project. Today even the smallest vendor in this space ships stateful firewalls. All of them ship IPS/IDS detection in their firewalls. The Universal Threat Management market even has boxes cheaper than Rs 30,000 targeted at organizations with fewer than 25 users. And with the cloud becoming ubiquitous, the security needs of customers have changed. More critical data and apps have moved to the cloud. Many CIOs, using tech refresh as a reason, are scrapping on-premises infrastructure completely and moving onto public or private cloud. While the big manufacturers in this space such as Fortinet, Cisco, Palo Alto and others have long written the obituary for Stateless Firewalls, I believe they are not dead yet. We will discuss the reasons later in this post.

Let's summarize the points at this stage. Packet filters look at the technical features of all packets traveling in and out of a network and drop those that don't match a given pattern or do match a list of blacklisted characteristics. They are Stateless Firewalls. Stateful packet inspection (SPI), also known as dynamic packet filtering, also operates at the Network Layer, but it records individual packet characteristics so it can spot attacks that are split across several packets. Firewalls that do this are called Stateful Firewalls.
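As an added example (not from the original post and not Netzary's product code) of the distinction just summarized, the same policy is implemented below as a stateless packet filter and as a minimal stateful one; the LAN prefix, addresses, ports and flag strings are constructed for the demonstration.

```python
# Added illustration (not Netzary's code): one policy, "LAN hosts may open
# outbound TCP connections, inbound traffic only as replies", done both ways.
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."  # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A"

def inside(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

def stateless_filter(pkt: Packet) -> str:
    """Judges each packet alone. With no memory of earlier packets, a reply can
    only be recognised by header bits, so any inbound packet with ACK set passes."""
    if inside(pkt.src) and not inside(pkt.dst):
        return "ACCEPT"  # outbound
    if not inside(pkt.src) and inside(pkt.dst) and "A" in pkt.flags:
        return "ACCEPT"  # looks like a reply
    return "DROP"

class StatefulFilter:
    """Minimal connection tracking: inbound packets pass only if they belong to
    a connection the LAN opened (4-tuple recorded on the outbound SYN)."""
    def __init__(self) -> None:
        self.table: set = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if inside(pkt.src) and not inside(pkt.dst):
            if pkt.flags == "S":  # LAN host opens a new connection
                self.table.add(key)
            return "ACCEPT" if key in self.table else "DROP"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.table else "DROP"  # unsolicited: DROP

def demo() -> dict:
    """Constructed traffic: a real handshake, then a forged 'reply' with no prior SYN."""
    sf = StatefulFilter()
    flow = {
        "syn": Packet("10.0.0.5", 40000, "203.0.113.9", 443, "S"),
        "synack": Packet("203.0.113.9", 443, "10.0.0.5", 40000, "SA"),
        "forged_ack": Packet("198.51.100.7", 443, "10.0.0.5", 40000, "A"),
    }
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in flow.items()}
```

The forged packet is accepted by the stateless filter because its ACK bit alone looks like a reply, while the stateful filter drops it because no tracked connection matches; that memory across packets is the whole difference the post is describing.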
Emergence of Web Application Firewalls. Casual and freelance hackers have increasingly shifted their focus from attacking via network ports to attacking via the application. The vast number of applications and their security loopholes are easier to exploit than brute-forcing SSH or FTP ports. The trick is to play it safe for network access by using strong, restrictive rules and limiting access via whitelisted IP addresses or VPNs.
Traditional stateful and stateless firewalls are limited to Layer 3 and Layer 4 of the classic OSI model.
An application firewall or Web Application Firewall (WAF) is a proxy server firewall, because all traffic is directed through the WAF on its way to the server. It operates at the Application Layer (Layer 7) and substitutes the protected server's IP address with its own. Its ability to identify thousands of attack patterns makes it an attractive option. There are again three types of WAF out in the market: pure cloud based WAFs, appliance based WAFs, and the hybrid cloud and agent based model. Depending on the features, these services cost between zero and 3000 US dollars a month. Acquiring an appliance based WAF runs into hundreds of thousands of dollars depending on the model. Is the WAF the future?
Undoubtedly! Outside traditional CIOs and old school IT organizations, practically everyone is considering moving workloads on to the cloud. And even those who are betting on on-premises are building API driven applications, which are likely to be used by more people outside the corporate LAN/WAN than inside it. Network firewalls, whether stateful or stateless, are frankly overrated. Most of them do a decent job of blocking network ports and implementing fundamental IP and port combination rules. However, IP filters have evolved into a decent enough utility to deliver precisely the same. At Netzary we manage thousands of servers and virtual machines without using an enterprise firewall. We have not faced network related compromises, unless a user or customer had opted for a weak password or installed software with a major security loophole which allowed a backdoor entry into the system. However, we have been hit badly by application related issues. We have customers whose development teams range from hard core professionals to novices, and there is always some code getting slipped in with potential for SQL injection and other vulnerabilities. Since we do not own the code, there's little we can do except explore the world of web application firewalls. In the next two articles, I will explain the various web application firewalls available in the market and provide a simple buyer's guide to what to buy and why.
(The article is written by S Ramdas. He is the founder CEO of Netzary Infodynamics.)