Jody Brazil
CEO at FireMon
This is not a primer on firewalls, nor is it meant to represent a comprehensive picture of the history of the firewall. There are plenty of good resources that outline the history of the firewall, for example Wikipedia: https://en.wikipedia.org/wiki/Firewall_(computing). There are also a significant number of people that deserve credit for the invention of the firewall that are not recognized in this series (if interested, here is a good story from Dark Reading: Who Invented the Firewall). My focus is on the commercial firewall and the market dynamics that led to adoption of these technologies.
As a practitioner in the relatively early days of the mass adoption of the Internet (mid to late 90s), I saw the rapid adoption and evolution of firewall technology. I had a limited view, and certainly have an imperfect memory, of this history. As such, over the next few posts, I welcome your comments to help me fill in the missing pieces of this story.
In the mid-90s, Check Point Technologies, released the stateful inspection firewall. The primary competition at the time included router-embedded packet filters (for example ACLs on Cisco IOS) and proxies (for example TIS Gauntlet firewall and Secure Computing Sidewinder firewall). The major battle between stateful inspection and proxies were waged on three fronts: performance, protocol support and security.
On performance, stateful inspection was significantly faster than proxies. Proxies established two TCP connections for each session, one client-side and one server side, that required significantly more processing. Bandwidth consumption and demand was growing at a dramatic pace due to increased Internet usage, as a result, performance became a primary buying criteria for the firewall. While security mattered, bottlenecks that affected access to the internet were unacceptable. On this front, stateful inspection won.
On protocol support, stateful inspection was easily adaptable and often without any source code modifications. Proxies on the other hand, often required protocol-specific stacks to support a new application. And in the late 90s, there was very little standardization. If you wrote a new application, you often created a new service (Protocol / Port combination – eg: tcp/3192). The idea of using HTTP as a common transport for all applications was not acceptable for a lot of reasons, including the performance implications and lack of synchronous communication in the early HTTP specification. This meant that new protocols were being created and deployed at a very rapid pace. As a result, customer demand for support for these new protocols outpaced proxy-based firewalls ability to add support.
In nearly every firewall proof of concept (PoC), some issue would be discovered where the firewall did not handle a customer’s network communication properly. For a proxy, it would mean submitting a ticket to the firewall vendor or implementing some less than idealworkaround. For stateful inspection, it could be as easy as defining a new service or perhaps a simple issue of dealing with a TCP timeout. Stateful inspection firewalls proved easier to handle these unexpected issues resulting in more successful PoC’s and ultimately sales. While security mattered, breaking communication of existing or new applications was an unacceptable limitation of the proxy. Once again, stateful inspection won.
Finally, security. There were heated debates about which firewall provided better security. Today, most would agree that an application-aware firewall can provide better security from protocol enforcement to behavioral control. Unfortunately for proxies, the other limitations were simply too severe for the business and “good security with negative business implications” lost out to “pretty good security with limited business impacts.”
The result was stateful inspection won the battle against the proxy. There have been many advancements of firewall technology through the years and I will discuss these in subsequent posts, but it is important to recognize that stateful inspection won this early battle and remains the industry standard for firewall technology today.