By Kelly Jackson Higgins
The Firewall Behind The Firewall
The next battleground for firewall vendors: control of the traffic-policy server, which aims to manage the end-to-end security and flow of traffic across a network. This is something many organizations so far have only dreamed about.
Still, with so-called personal firewalls finding their way onto desktop operating systems like SunSoft's Solaris, the multiple layers of firewalls in a network need to know specifically who can access what. That task is beyond the reach of traditional packet-filtering firewall technology, so the perimeter router is more apt to become just another piece of enterprise plumbing than to serve as the security guard for today's distributed enterprise networks.
And that's OK, says Kurt Kruger, the firewall product line manager for Cisco Systems. Why spin cycles at the perimeter firewall, Kruger points out, when desktop machines or servers that are inside the walls of the company can do the work more cost-effectively and efficiently?
VPNs Fuel Trend
Part of what's pushing this trend is the rise of VPNs (virtual private networks), which are springing up everywhere now that firewalls and other VPN products have adopted early versions of the IETF's long-awaited and long-delayed IPSec (IP Security) protocol for encrypting IP communication links.
The stage is set for managing the flow of IP traffic both into and out of the enterprise network with a next-generation policy server that sees all and knows all when it comes to firewalling, encrypting, authenticating and managing network bandwidth.
Key players include Cisco, which is working with Microsoft Corp. under the Cisco Enterprise Security Alliance, as well as Sun Microsystems, parent of SunSoft, whose new SunScreen software folds firewalling into Solaris.
Cisco's Kruger says the company's development work on Microsoft's Active Directory in Windows NT will yield an important piece of the centralized policy infrastructure. Part of the challenge is that users usually don't stay in one place--they dial into the corporate network from their notebook computers or log on from another office within the company, and a security policy needs to adjust to this type of usage. That's where a centralized policy infrastructure would come into play, according to Kruger.
Filtering Layers
Content filtering already is getting more sophisticated. You no longer have to completely block or welcome all Java applets for security reasons, for instance. Sun's SunScreen firewall software lets in only those Java applets that are digitally signed by trusted entities or vendors. That's a more sophisticated and efficient way to filter Java applets than through ordinary "on-off" switches or methods like scanning the entire applet from top to bottom. The caveat is that a valid signature establishes who vouches for the applet, not that the code is harmless; the filter is only as good as the list of signers you choose to trust.
Next enter the traffic-policy server. This centralized policy server--or, more likely, servers--would ensure that all secured nodes and devices are governed by a single, unified security policy within an organization. Without a consistent security policy, your network isn't necessarily secure, Kruger says.
The emerging trend is for vendors to place some measure of security in every network component, says Chris Tolles, director of product marketing at Sun, in much the same way that firewalls eventually will be linked to LDAP directories and network management systems. Later this year Sun will integrate its SunScreen firewall into its directory and tie SunScreen into its Solstice network management system, according to the company.
Early versions of the new breed of traffic-policy server--such as Check Point Software's FireWall-1 management console--manage router access control lists, virus scanning tools, authentication, encryption, network address translation and some content security. But the idea is for these servers to oversee the traffic policy of an entire distributed network, according to Jacqueline Ross, vice president of marketing at Check Point Software. She says it all goes back to the security manager's Holy Grail: to have a single security and traffic policy that encompasses the entire enterprise network.
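What "a single policy that encompasses the entire enterprise network" means in practice is that one rule set is written once and then rendered into the native syntax of each enforcement point: the perimeter router's access list, the host firewall on a desktop or server, and so on. The following is an added example written for this article; it is not code from Cisco, Check Point, Sun or the article's author. The Rule format, the sample policy, the Cisco IOS and iptables renderers and the shadowing check are all constructed here to illustrate the idea, and iptables stands in as a generic host-filter syntax rather than the SunScreen product the article describes. The shadowing check shows the kind of inconsistency Kruger warns about: a deny that the administrator believes is in force but that no device will ever reach.

```python
"""One traffic policy, many enforcement points (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Rule:
    """One line of the central policy: who may reach what, over which service."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str   # "tcp", "udp", or "ip" for any protocol
    port: int    # destination port; ignored when proto == "ip"
    action: str  # "permit" or "deny"


def rule(name, src, dst, proto, port, action):
    return Rule(name, IPv4Network(src), IPv4Network(dst), proto, port, action)


# Constructed sample policy. Order matters: first match wins, as on an IOS
# ACL or an iptables chain. Note that "no-guest-ssh" sits below a broader
# permit and therefore never fires; find_shadowed() catches this.
POLICY = [
    rule("admin-ssh",    "10.1.0.0/16", "10.2.0.10/32", "tcp", 22, "permit"),
    rule("no-guest-ssh", "10.1.5.0/24", "10.2.0.10/32", "tcp", 22, "deny"),
    rule("web-to-dmz",   "10.0.0.0/8",  "192.0.2.0/24", "tcp", 80, "permit"),
    rule("default-deny", "0.0.0.0/0",   "0.0.0.0/0",    "ip",  0,  "deny"),
]


def _ios_addr(net: IPv4Network) -> str:
    """Cisco IOS extended-ACL address syntax: any / host x / address wildcard."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_ios_acl(policy, number=101):
    """Render the whole policy as a numbered IOS extended ACL for the perimeter router."""
    lines = []
    for r in policy:
        line = f"access-list {number} {r.action} {r.proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.proto != "ip":
            line += f" eq {r.port}"
        lines.append(line)
    return lines


def render_host_rules(policy, host):
    """Render only the rules whose destination covers this host, as iptables INPUT rules."""
    addr = IPv4Network(f"{host}/32")
    lines = []
    for r in policy:
        if not addr.subnet_of(r.dst):
            continue  # this rule protects some other machine
        line = "iptables -A INPUT"
        if r.src.prefixlen > 0:
            line += f" -s {r.src}"
        if r.proto != "ip":
            line += f" -p {r.proto} --dport {r.port}"
        target = "ACCEPT" if r.action == "permit" else "DROP"
        lines.append(f"{line} -j {target}")
    return lines


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet inner would match is already matched by outer."""
    same_service = outer.proto == "ip" or (
        outer.proto == inner.proto and outer.port == inner.port)
    return (same_service
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def find_shadowed(policy):
    """Names of rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for i, later in enumerate(policy):
        if any(_covers(earlier, later) for earlier in policy[:i]):
            shadowed.append(later.name)
    return shadowed


if __name__ == "__main__":
    print("\n".join(render_ios_acl(POLICY)))
    print()
    print("\n".join(render_host_rules(POLICY, "10.2.0.10")))
    print()
    print("shadowed rules:", find_shadowed(POLICY))
```

Because both renderers read the same POLICY list, the router and the host cannot drift apart; the host simply receives the subset of rules that name it. Running the shadowing check before anything is pushed is what turns "one policy" into "one consistent policy".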