The first generation firewalls ran on general purpose operating systems. The operating systems were not specially configured to support the firewall software, and the operating system itself depended on the firewall software to protect it. Checkpoint was one of the first and most successful of the first generation software firewall vendors. The advantage of first generation firewalls was that they could be quickly and easily updated to meet the demands of current network threats.
It became clear that first generation firewalls were not able to handle the high volume of traffic seen on enterprise networks. In addition, first generation firewalls were difficult to configure because you often had to make changes in the underlying operating system to get the firewall software to work correctly or in an optimal fashion. The second generation firewalls are hardware devices running proprietary operating systems designed to support the firewall software running on them. In order to optimize performance, the hardware firewall vendors designed ASICs (Application Specific Integrated Circuits) that ran the firewall OS and software. The ASIC implementation greatly increased the performance of these second generation firewalls but they suffered from their inability to perform sophisticated application layer inspection.
Third generation firewalls blend the advantages of the first and second generation firewalls. A third generation firewall is software based and isn’t hamstrung by the limitations of ASIC technology. Third generation firewalls can be quickly updated with add-on software that allows them to meet the demands of today’s evolving network threats and attacks.
In addition, the third generation firewall takes a page from the second generation hardware firewall and uses a general purpose operating system that has been specially configured and locked down to support the box’s role as a dedicated network firewall. Finally, the third generation firewall is installed on an open spec hardware platform that is designed to optimize the performance of the third generation firewall’s core operating system and firewall software.
The new hardware based ISA firewalls represent the cutting edge of third generation firewalls. A number of vendors have partnered with Microsoft and have designed third generation firewalls based on ISA Server 2004. These ISA firewalls provide all the power and flexibility of the ISA firewall out of the box, plus the enhanced security and performance that come from a specially hardened Windows Server 2003 operating system and from hardware that significantly increases both.
These third generation hardware firewalls are also fully supported by their vendors and some of them include add-ons such as Web filtering, spam filtering, IM filtering and support for network load balancing (which isn’t natively supported on ISA 2004 SE) and multiple ISPs. For more info on the new ISA based third generation firewalls, check out http://www.microsoft.com/isaserver/howtobuy/hardwaresolutions.asp
Editor’s Note: Last month we did a piece on how to make the ISA firewall as dumb as a conventional hardware firewall. That article generated a ton of e-mail from ISA firewall admins. Most of you expressed a sigh of relief because finally someone said what you were thinking: the hardware firewall admins are clueless regarding how to secure modern networks, and that they were depending on their knowledge of packet filtering routers to configure and manage firewalls. Several of you mentioned that these “old timer” firewall admins confused firewalls with routers and expected firewalls to have the same routing capabilities as a dedicated layer 3/4 router. Another issue several of you mentioned was that you got a lot of pushback on putting a firewall on a Windows platform, but when you put your hardware firewall friends to the wall on the specifics of why an ISA firewall on a Windows Server 2003 platform is insecure, all you got were blank looks and epithets.
Another group of respondents said that I misunderstood modern hardware firewalls and that these hardware firewalls do have some of the aspects of the ISA firewall and that I might have misrepresented the ISA firewall as the only firewall worth having. The tenor of the article might have made it sound that way, but I’m fully aware that if you have an existing firewall infrastructure, or if you have very high-speed connections to the Internet, the ISA firewall might not be the best one to put on the front line, depending on your specific environment.
In fact, the best firewall topology has the packet filter hardware firewalls in front of the ISA firewalls. This allows the high-speed packet filters to do rudimentary packet filtering (stateful packet inspection) on incoming and outbound connections and offloads a lot of processing from the ISA firewalls. The ISA firewall can then do the firewall heavy-lifting (stateful application layer inspection) on the traffic the packet filters allow through.
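To make the division of labour in this two-tier topology concrete, here is an added Python example (it is not from the newsletter and not ISA or any vendor's code). Stage 1 models the front-line packet filter: a stateful 5-tuple allowlist that admits new inbound connections only to published ports and then only packets of flows it has already seen, never looking at payload. Stage 2 models the application-layer inspection the ISA firewall would apply only to what stage 1 lets through: it checks that what arrives on the published port 80 is actually a well-formed HTTP request with an allowed method and a Host header. The class and function names, the published-port list and the sample traffic are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: a 5-tuple, a SYN flag and the TCP payload."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    payload: bytes = b""


class StatefulPacketFilter:
    """Stage 1 (front-line packet filter): admit new inbound connections only
    to published service ports, and thereafter only packets of flows it has
    already seen. It never looks at the payload."""

    def __init__(self, published_ports: tuple[int, ...]) -> None:
        self.published = set(published_ports)
        self.flows: set[tuple[str, int, str, int, str]] = set()

    def decide(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return True                      # established flow, either direction
        if pkt.syn and pkt.dport in self.published:
            self.flows.add(key)              # new connection to a published port
            return True
        return False


ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def inspect_http(payload: bytes) -> tuple[bool, str]:
    """Stage 2 (application-layer inspection): accept only well-formed HTTP
    requests that use an allowed method and carry a Host header."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII request"
    head = text.partition("\r\n\r\n")[0]      # request line plus headers
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "not an HTTP request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not target.startswith("/"):
        return False, "unexpected request target"
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return False, "missing Host header"
    return True, "ok"


def run_pipeline(packets: list[Packet],
                 published_ports: tuple[int, ...] = (80,)) -> list[tuple[str, str]]:
    """Run each packet through stage 1, then (for payload on port 80) stage 2.
    Returns (stage that decided, verdict) for every packet."""
    pf = StatefulPacketFilter(published_ports)
    verdicts: list[tuple[str, str]] = []
    for pkt in packets:
        if not pf.decide(pkt):
            verdicts.append(("packet-filter", "drop"))
        elif pkt.dport == 80 and pkt.payload:
            ok, reason = inspect_http(pkt.payload)
            verdicts.append(("app-layer", "allow" if ok else f"drop: {reason}"))
        else:
            verdicts.append(("packet-filter", "allow"))
    return verdicts


# Constructed sample traffic (documentation address ranges, not real hosts).
SERVER = "198.51.100.10"
SAMPLE = [
    Packet("203.0.113.5", 40001, SERVER, 80, syn=True),
    Packet("203.0.113.5", 40001, SERVER, 80,
           payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.5", 40002, SERVER, 3389, syn=True),            # unpublished port
    Packet("203.0.113.7", 40003, SERVER, 80,                           # no handshake seen
           payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.5", 40004, SERVER, 80, syn=True),
    Packet("203.0.113.5", 40004, SERVER, 80,                           # not HTTP at all
           payload=b"SSH-2.0-example\r\n"),
]

if __name__ == "__main__":
    for pkt, (stage, verdict) in zip(SAMPLE, run_pipeline(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> :{pkt.dport}  {stage:13s} {verdict}")
```

The last two sample packets show the point of the topology: the packet filter correctly admits a connection to the published port 80, but only the application-layer stage notices that the bytes on that connection are not HTTP. The packet filter has meanwhile discarded the unpublished-port and out-of-state traffic cheaply, so the slower inspection stage only sees what it needs to.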
I want to thank everyone who took the time to write. I really appreciate the time and effort you put into your e-mail messages to me and I hope to hear more from all of you in this and subsequent newsletters. Thanks! -Tom.