Dec 20, 2010

Firewalls - Dinosaurs of The Past?

It is quite interesting that the two most common security mechanisms - antivirus software and firewalls - are nowadays deemed insufficient.


Posted by: dc352

Firewalls started as port-blocking devices - fairly simple, small, fast. They were able to filter traffic very efficiently. However, firewalls have changed quite significantly since then. An article made me think (again) about what could be done with firewalls.

Large firewalls are incredibly expensive and complicated. There have been a number of attacks on firewalls' firmware - from home firewalls to big names like Cisco - mostly due to the complexity of their firmware.

The complexity of filtering rules and the high speeds of internal networks mean that users are paying a premium for firewalls, as they require very fast and very expensive processors. Can this be changed somehow?

I strongly believe that firewalls can be simplified and made smaller (and much cheaper) by moving them from racks to small groups of computers or to single user computers. You may have a gigabit network, but you can hardly get more than a few hundred kilobytes per second of traffic on a single computer.

It now sounds quite a bit like defense in depth. It would possibly make things a little more complicated from the administration point of view, but on the other hand it creates a physical system that can benefit from some new paradigms in computing, like distributed computing. It would also create an opportunity to implement new approaches to protection - profiling, comparing the traffic of particular computers and flagging suspicious behaviour.
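As an added illustration of the two ideas above (a small per-host port filter, and comparing the traffic profiles of peer computers to flag the odd one out), here is a short Python sketch. It is example code written for this page, not code from the original post; the rule fields, the flow record layout (host, protocol, destination port, direction), the workstation names and the flows themselves are all constructed for the example.

```python
"""Per-host firewall sketch: a first-match port filter plus a cross-host
traffic comparison that flags hosts doing something none of their peers do.
Constructed example; not code from the original post."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "*" (any)
    port: Optional[int]    # None matches any port
    direction: str         # "in", "out" or "*" (any)


# Constructed default policy for a workstation: outbound web and DNS only,
# everything else (including all inbound traffic) denied.
RULES = [
    Rule("allow", "tcp", 443, "out"),
    Rule("allow", "tcp", 80, "out"),
    Rule("allow", "udp", 53, "out"),
    Rule("deny", "*", None, "*"),      # explicit default deny
]


def decide(rules, proto, port, direction):
    """Classic port-blocking filter: first matching rule decides."""
    for r in rules:
        if (r.proto in ("*", proto) and r.port in (None, port)
                and r.direction in ("*", direction)):
            return r.action
    return "deny"                      # no rule matched: fail closed


# Constructed flow records: (host, proto, dst_port, direction).
# ws3 additionally talks to TCP 9999, which none of its peers do.
FLOWS = [
    ("ws1", "tcp", 443, "out"), ("ws1", "tcp", 443, "out"), ("ws1", "udp", 53, "out"),
    ("ws2", "tcp", 443, "out"), ("ws2", "udp", 53, "out"), ("ws2", "tcp", 80, "out"),
    ("ws3", "tcp", 443, "out"), ("ws3", "udp", 53, "out"),
    ("ws3", "tcp", 9999, "out"), ("ws3", "tcp", 9999, "out"),
    ("ws4", "tcp", 443, "out"), ("ws4", "udp", 53, "out"), ("ws4", "tcp", 80, "out"),
]


def enforce(rules, flows):
    """Run the per-host filter over each flow; return denied-flow count per host."""
    denied = {host: 0 for host, *_ in flows}
    for host, proto, port, direction in flows:
        if decide(rules, proto, port, direction) == "deny":
            denied[host] += 1
    return denied


def profile(flows):
    """Per-host profile: how often each (proto, port, direction) key was seen."""
    profiles = defaultdict(Counter)
    for host, proto, port, direction in flows:
        profiles[host][(proto, port, direction)] += 1
    return profiles


def flag_outliers(profiles, min_hosts=2):
    """Compare hosts with one another: flag every (host, key, count) where the
    key is used by fewer than `min_hosts` hosts in the group. This is the
    'compare traffic of particular computers' idea in its simplest form;
    a real deployment would also weigh volumes and time of day."""
    hosts_per_key = Counter()
    for counter in profiles.values():
        for key in counter:
            hosts_per_key[key] += 1
    findings = []
    for host, counter in sorted(profiles.items()):
        for key, n in sorted(counter.items()):
            if hosts_per_key[key] < min_hosts:
                findings.append((host, key, n))
    return findings


if __name__ == "__main__":
    print("denied per host:", enforce(RULES, FLOWS))
    for host, key, n in flag_outliers(profile(FLOWS)):
        print(f"suspicious: {host} used {key} {n} times; no peer does")
```

The two stages are deliberately independent: the filter is the cheap, per-packet part that could live on the endpoint, while the comparison only needs the small per-host profiles collected from several computers, which is where the distributed angle comes in.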

I can imagine a firewall integrated into an RJ45 connector of your network cable - it would make it all fairly attractive from the deployment point of view.

Is it a possible way forward? Maybe. It definitely introduces some new interesting options for new generations of firewalls.