The team in charge of maintaining the firewalls at the National Institute of Standards and Technology — the federal agency that provides guidance on firewalls to civilian government agencies — knows that its own firewall technology must be up to par.
The firewall team upgraded the institution’s firewalls during Fiscal Year 2009, choosing modular, upgradable models that would improve the flexibility, performance, resilience and scalability of its previous generation of firewalls.
NIST’s appliance-based firewalls allow the team to add features and capabilities as they are needed, which means the agency pays only for the features it uses, says Gale Richter, firewall team leader.
One feature added at the outset was bundled intrusion detection to complement NIST’s existing independent intrusion detection system. “Networks are complicated, especially when you get into redundancy, so firewalls are a logical way to incorporate intrusion prevention for more effective control,” Richter says.
Like NIST, many organizations are replacing their firewalls with next-generation models, says Jeff Wilson, a principal analyst at Infonetics Research. Unlike earlier models, next-generation firewalls provide a much more granular level of application inspection and control — down to the individual user. In general, these firewalls also bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering, providing better manageability and flexibility. Products are available from manufacturers such as Cisco Systems, Fortinet, Juniper Networks, SonicWALL and WatchGuard, among others.
NIST chose a firewall model that comes with basic application manageability and control capabilities, which the team has tapped. For example, the organization doesn’t allow peer-to-peer activities and uses the firewalls to detect and block such activity. The team also has purchased additional application management capabilities to protect web applications and is working to deploy them now.
Although further application management and control capabilities can be added — capabilities that would examine in depth many of the applications users might access — Richter is conservative about adding that capability.
“We have to keep in mind that we have scientists here who aren’t using the standard run-of-the-mill applications, and might use some unusual applications,” she says. “We don’t want to have a negative impact on our users.”
Richter also says the team appreciates the firewalls’ ability to perform deep packet inspection down to Layer 7. “If we need to get down to that level to enforce something, such as a web exploit, we might use that Layer 7 capability to block it.”
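The peer-to-peer blocking described earlier and Richter's point about Layer 7 inspection come down to one difference: a port-based rule only sees where traffic is going, while an application-aware rule also looks at what the traffic is. The Python below is an added illustration written for this article, not code from NIST or from any of the vendors named; the packets, the allowed-port list, the blocked-application list and the three application matchers are all constructed for the example and are far simpler than a real product's signature set. It runs the same four constructed packets through a port-only policy and an application-aware policy so the two can be compared side by side.

```python
"""Port-based vs. application-aware (Layer 7) filtering on constructed packets.

Everything here is an illustration constructed for this example: the Packet
model, the port list, the application matchers and the sample traffic.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes  # leading bytes of the application-layer data


# --- Traditional (Layer 3/4) rule set: the decision depends on the port only.
ALLOWED_PORTS = {22, 80, 443}  # constructed allow-list


def port_policy(pkt: Packet) -> tuple[str, str]:
    """Return (decision, reason) using nothing but the destination port."""
    if pkt.dst_port in ALLOWED_PORTS:
        return ("allow", f"port {pkt.dst_port} is on the allow-list")
    return ("deny", f"port {pkt.dst_port} is not on the allow-list")


# --- Application-aware (Layer 7) rule set: identify the application from the
# payload first, then apply per-application rules.  These matchers are
# simplified for illustration and are not a vendor's signature set.
def is_bittorrent(p: bytes) -> bool:
    # The BitTorrent peer handshake starts with a one-byte length (19)
    # followed by the literal string "BitTorrent protocol".
    return p.startswith(b"\x13BitTorrent protocol")


def is_tls(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03


def is_http(p: bytes) -> bool:
    # A request line that begins with a common HTTP method token.
    return p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


MATCHERS = [("bittorrent", is_bittorrent), ("tls", is_tls), ("http", is_http)]
BLOCKED_APPS = {"bittorrent"}  # the peer-to-peer ban the article describes


def classify(payload: bytes) -> str:
    """Name the application carried in the payload, or 'unknown'."""
    for name, match in MATCHERS:
        if match(payload):
            return name
    return "unknown"


def http_request_path(payload: bytes) -> bytes:
    """Extract the request-target from an HTTP request line."""
    parts = payload.split(b" ", 2)
    return parts[1] if len(parts) >= 2 else b""


def app_policy(pkt: Packet) -> tuple[str, str]:
    """Return (decision, reason), inspecting the payload before the port."""
    app = classify(pkt.payload)
    if app in BLOCKED_APPS:
        return ("deny", f"application {app} is blocked regardless of port")
    if app == "http":
        # An example of a Layer 7 rule: refuse request paths that carry a
        # directory-traversal pattern, whichever port the request arrives on.
        path = http_request_path(pkt.payload)
        if b"../" in path or b"..\\" in path:
            return ("deny", "http request path contains a traversal pattern")
    return port_policy(pkt)  # otherwise fall back to the port rule


# --- Constructed sample traffic (not captured data).
SAMPLE = {
    "web": Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # A BitTorrent handshake sent to TCP 443 to look like HTTPS traffic.
    "p2p_on_443": Packet(443, b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0000-constructed!"),
    "p2p_on_6881": Packet(6881, b"\x13BitTorrent protocol" + bytes(48)),
    "traversal": Packet(80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}


def evaluate(packets: dict[str, Packet] = SAMPLE) -> dict[str, dict[str, str]]:
    """Run every packet through both policies and return the two verdicts."""
    return {
        name: {"port_policy": port_policy(p)[0], "app_policy": app_policy(p)[0]}
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:12s} port-only: {verdicts['port_policy']:5s} app-aware: {verdicts['app_policy']}")
```

The two policies agree on ordinary web traffic and on peer-to-peer traffic using its usual port; they diverge exactly where the article says next-generation firewalls earn their keep, on peer-to-peer traffic tunnelled over an allowed port and on a web request that is well-formed at the transport layer but carries a pattern worth blocking at Layer 7. Richter's caution about unusual scientific applications also shows up here: anything `classify` returns as "unknown" is handed to the port rule, so a matcher that is too broad, not too narrow, is what would disrupt users.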
App Awareness Ahead
When the Nuclear Regulatory Commission upgraded its firewalls two years ago, its security team opted for industry-standard models, relying on separate intrusion protection and other security devices to round out its protection scheme.
[Sidebar statistic; the figure itself is not reproduced] The number of security vulnerabilities documented in 2010 was a 27 percent increase over 2009.
SOURCE: IBM X-Force 2010 Trend and Risk Report (March 2011)
Like all federal agencies, the NRC continues to seek ways to expand its capabilities to keep up with new technology developments. In its next generation of firewalls, the NRC will be looking for ways to combine its threat protection into one comprehensive, full-functioning system.
“We’re always investigating what’s out there to better protect our environment, especially from Web 2.0-based applications and websites, which have potential for malicious content,” says David Offutt, the NRC’s IT operational security team leader. “We’re looking at products that are more application-aware so we can tell not only what applications are being accessed, but what’s happening at a more granular level, so we can take appropriate action.”
The goal, Offutt says, is to enhance the overall security posture of the NRC while improving manageability and features.