Does a packet filtering firewall really add to your security? In my last post, I wrote about UTM and NGFW devices, and in this post I will look a bit deeper into the NGFW devices and explain why I believe that a packet filtering firewall has serious limitations.
When I look into firewalls and especially the throughput figures I am quite amazed that a quite a few show the the throughput for using their NGFW (Next Generation Firewall) as a packet filtering firewall. To exemplify this, look at this particular firewall series from FortiNet, the 1000 series.
The FortiGate 1500D has a maximum throughput of 80 Gbps when being used a packet filtering firewall. If you scroll right until you find the figure for the AV (Proxy) throughput which is 4.3 Gbps. That is roughly 18 times slower, and that is something to be aware of. If you are one of those people who says that AV is not part of a NGFW, I say different as almost all of the NGFW devices on the market can be used as UTM devices. There is a choice you as a customer do when you buy your device, choosing a NGFW or UTM bundle to go along with it, or simply just use it as a packet filter.
FortiNet is not in any way unique in this aspect. A lot of companies do the same, displaying their NGFW devices and make sure the throughput figure you see first is the throughput when used in packet filtering mode.
Packet filtering has been around for around 25 years and it has served us well, but their time is perhaps coming to an end. Instead of filtering on ports, we want to filter applications. Certain applications are very hard to filter out when using a packet filter as they are designed to use any open and available port to communicate, Skype is an example. Another reason for wanting to use application filtering is easier management, it is quite simply a lot easier to understand. Instead of knowing the port, you know your applications. Also, it adds to security as it follows the user due to a new feature in many NGFW devices, identity awareness. Identity awareness adds the ability to allow the firewall to know which user who is doing what on your network, and that can be very helpful. By combining functionality, a firewall can track which user that is using which applications, and the administrator can create policies to control which user that can use which application. Where on the network the user is becomes less important, it is what the user is able to do on the network that is more important.
It is impossible to do this with a packet filtering firewall, it is not designed for this. It has no application control and no identity awareness. Another very important aspect is that virtually all modern operating systems has builtin support for at least packet filtering firewall functionality. Linux IP-Tables is a great packet filtering firewall, as is the Windows firewall which even has limited application and identity awareness support. The only reason for deploying a packet filter on your network instead of allowing the local operating system to do the filtering is to stop unwanted traffic further out in your network. This can be done using your router and switches ACL function. With a packet filtering firewall, the security on your host really becomes all the security you can rely on. Say for instance that you have a public website, so your firewall has a rule that allows all external networks to access your web server on port 80. The firewall in this instance do not add to your security posture as it does not check traffic on port 80 bound for your web server as it has no application control nor IPS. In this case, your web server does not gain any help from your firewall to fend of attacks. A NGFW with proper controls add to your web servers security posture by making sure that the traffic to your web server is actually web traffic and nothing else, and it also checks its IPS signatures to see if an attacker tries things like SQL injection.
Another thing is that I see with packet filter firewalls are those long lists of policies that states that this machine can talk to that machine using TCP over port 80, but one thing is often missing, a description that explains the reason for the firewall rule. Over time as rules gets added, the chaos emerges. NGFW can suffer from this as well, but the impact is lower. The application policy is in it self at least a bit self explanatory as you see which application it implies.
Packet firewall may or may not be dead, but if you are in the process of buying a new firewall, you should consider the facts and think about what you really want to protect and how you wish to go about it. Deploying a new fancy packet filtering firewall may not protect you as much you would like.