Firewall maker NetScreen is giving its products the ability to inspect application data, in order to protect networks better. However, other vendors such as NetContinuum, say the idea is not so new.
“We look at the application data, which is where the attacks are coming from,” said Robert Ma, director of product marketing at NetScreen, of the announcement that its firewalls will include deep inspection technology that the company acquired with OneSecure last year.
However, other vendors say that Netscreen – and Check Point which also announced plans deep inspection in its firewalls – are merely following the lead of more leading edge companies: “It’s great to see the big guys finally acknowledge that traditional firewalls simply don’t cut it when it comes to securing web applications,” said Wes Wasson, chief strategy officer at NetContinuum which sells a web application firewall that spots threats within web traffic. “Seventy percent of all real-world attacks today fly right past traditional firewalls by targeting application layer vulnerabilities. While deep inspection is clearly the right approach, securing today’s complex web applications will take far more than sticking a few features onto the side of their existing products.”
The move to deep inspection will change the security industry entirely in the next few years, said Ma. “The firewall needs a technology refresh,” he said, announcing the arrival of the ScreenOS 5.0 operating system for NetScreen firewalls. Deep inspection can make firewalls more powerful and reverse the fragmentation of the security industry into different kinds of products, such as intrusion detection services, which merely find attacks which can be used to adjust the firewall, he said.
Among other things, the device will protect against buffer overflow, where applications are hit with data that does not conform to requirements. “We reassemble complete streams, normalise and take out ASCII repetitions,” said Ma. “We look at the protocol to see if it conforms.” For instance, the firewall can see if DNS requests have the right number of bits. NetScreen’s products are different from existing web application firewalls, said Ma, suggesting that many of those run in reverse proxy mode, and arguing that NetScreen’s have faster silicon that lets them go deeper into the packets while still working at wirespeed. “How quick are the other people?” he asked. “We run ASIC and processor architectures together – because the ASIC does stateful inspection that gives us headroom in the processor for deep inspection.”
NetContinuum responds that its product “was architected from the ground up as a full termination, deep inspection firewall for web applications,” according to Wasson. “NetScreen and Check Point have not re-architected their products to really deal with web applications in anywhere close to the depth necessary,” he said.
What’s the truth behind these arguments about who has the fastest, deepest firewall? Whatever the answers, it’s pretty clear that IT managers have a new feature to look for in firewalls. How this will impinge on the other security boxes such as IDS and IPS remains to be seen, however.