Following up from my post about an Idealized Firewall, let’s look at what a firewall does…
Again this isn’t novel or new…
First, a picture:
A firewall provides three kinds of security services.
1. Computationally Cheap Security
The most important service a firewall provides, and perhaps its entire raison d’être, is what I call cheap security. Not cheap in cost, but cheap computationally. The amount of state that has to be kept and tracked is relatively small. This kind of security is what we traditionally call Layer 4 security. A lot of what passes for security in this space is handled both in a firewall and by other technologies like VLANs, ACLs, etc.
This is the layer that transforms packets into flows.
Everything else a Firewall does stems from this layer, and I’ll get to why in another post.
Remove the need for this kind of security as a stand-alone box and you remove the need for firewalls.
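As an added illustration (not from the original post), here is a minimal flow table in Python showing the packet-to-flow transformation this section describes: policy is consulted only for the first packet of a flow, every later packet in either direction is matched against a small amount of per-flow state, and anything with no flow and no permission to open one is dropped. The packet trace, addresses and port numbers are constructed for the example.

```python
from typing import Dict, List, Tuple

# Flow key: (src_ip, src_port, dst_ip, dst_port, proto), the classic 5-tuple.
FlowKey = Tuple[str, int, str, int, str]

class FlowTable:
    """Minimal stateful layer-4 filter. The first packet of a flow is checked against
    a small policy; every later packet in that flow, in either direction, is matched
    against the flow table instead. Per-flow state is just the key and a counter."""

    def __init__(self, allowed_services: List[Tuple[str, int]]) -> None:
        self.allowed = set(allowed_services)   # (proto, dst_port) allowed to open a flow
        self.flows: Dict[FlowKey, int] = {}     # flow key -> packets seen

    @staticmethod
    def key(pkt: dict) -> FlowKey:
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    @staticmethod
    def reverse(k: FlowKey) -> FlowKey:
        src, sport, dst, dport, proto = k
        return (dst, dport, src, sport, proto)

    def handle(self, pkt: dict) -> str:
        k = self.key(pkt)
        if k in self.flows:                       # same direction as the flow opener
            self.flows[k] += 1
            return "established"
        rk = self.reverse(k)
        if rk in self.flows:                      # reply direction of a known flow
            self.flows[rk] += 1
            return "reply"
        if (pkt["proto"], pkt["dport"]) in self.allowed:   # policy consulted only here
            self.flows[k] = 1
            return "new"
        return "drop"                             # no flow, and not allowed to open one

def run_sample() -> List[str]:
    """Constructed trace: a client opening SSH, the server's reply, a further client
    packet, an attempt to reach RDP, and an unsolicited packet posing as a reply."""
    fw = FlowTable(allowed_services=[("tcp", 22), ("udp", 53)])
    trace = [
        {"src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 22, "proto": "tcp"},
        {"src": "192.0.2.10", "sport": 22, "dst": "10.0.0.5", "dport": 40001, "proto": "tcp"},
        {"src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 22, "proto": "tcp"},
        {"src": "10.0.0.5", "sport": 40002, "dst": "192.0.2.10", "dport": 3389, "proto": "tcp"},
        {"src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 40003, "proto": "tcp"},
    ]
    return [fw.handle(p) for p in trace]
```

Note that the only lookup on the hot path is a dictionary hit on the 5-tuple; the policy table is never touched for packets of an existing flow, which is what makes this kind of security computationally cheap.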
2. Connectivity Services
Because a firewall gets deployed at a network choke point, and because it does cheap computational security and is already inspecting traffic flows (or must inspect them), a firewall is a natural place to deploy connectivity services like NAT or IPsec. You can, and Juniper does, deploy this technology elsewhere, like on routers.
This technology only gets deployed on a firewall if the box is deployed at the network choke-point.
3. Computationally Expensive Security
As you get better at solving the cheap security problems, the bad guys have to expend more effort to break in. As the efforts to break in cost more in terms of CPU and memory, the amount of resources required to detect the bad guys increases. As in a real war, as the weapons of defense improve, the offensive strategies adapt and force the defensive strategies to get more expensive.
Firewalls are able to play in this space because they do the heavy lifting of transforming the packet flood into a flow, and this layer is really just doing deeper and deeper analysis into flows and across flows.
Many innovative startup companies are working on this space because this is where the need is most pressing and most difficult to deal with.
If another layer were to transform the packets into flows, then this layer could live outside of the firewall. And in fact, as some companies have demonstrated, it is possible to do this packet-to-flow transformation without being a firewall, by sitting behind SPAN ports.
Because of the need for rapid innovation, the resource requirements, and the lack of universality, computationally expensive security can exist for a long time outside of the firewall before collapsing into the firewall.