3.1 Volume
A paradigm shift is taking place: the volume of data exchanged by modern
corporations has grown exponentially in recent years and shows no sign of
slowing down. Bandwidth has also increased dramatically and is on the verge of
another technological leap with the next generation of Internet speed.
[Figure not reproduced. Labels: Faster Networks (NGI, ATM, etc.); Huge Traffic Increase (e.g. Corporate WWW servers).]
Fig. 1. High traffic volume coupled with fast networks challenges firewall audit CPU
performance
For example, Internet-II and NGI (Next Generation Internet) call for bandwidth
requirements beyond OC-48. The firewall protection architecture depends heavily on
the technology of examining each packet, header and content, for its destination. The
destination table lookup determines whether the policy allows delivery. Sometimes,
specific filtering mechanisms are devised to look further into the content of the
packet in order to prevent attacks such as email spamming or virus propagation. With this
approach, as the communication volume grows, the number of processor cycles available
on the perimeter must be increased to match it. High-speed software and hardware
solutions are assisting firewalls and routers with traditional means of monitoring, but
this will soon reach a limit. The current situation is merely a delaying tactic. It is
unlikely that this packet examination technology can be scaled to handle the new
broadband communication. In essence, the volume of transmitted data is increasing
faster than the firewall architecture can handle it.
3.2 Variety
Beyond the traditional email, ftp and remote access such as telnet, today's network
has added a plethora of new channels of communication. Devices like firewalls and
NAT (Network Address Translation) must recognize which protocol is appropriate for
which source or destination address. The protocol information is usually part of one
of the network packet headers or is deduced from the TCP port number. Although
each protocol has its benefits and weaknesses, some protocols present much greater
risks than others do. Recognizing this, firewalls and routers are often designed to
permit only a limited set of protocols, based on the interpretation of company security policy.
This restriction is largely based on information in the packet header:
port number and destination/source addresses. For example, while the corporation's
public web server would emit HTTP packets, the presence of similar packets from
machines not designated as the corporate web server could cause alarm and could be
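The two mechanisms described in sections 3.1 and 3.2, a header-based destination table lookup whose cost grows with traffic volume (and grows further when packet content is also inspected), and protocol recognition from the TCP port number that lets a firewall notice HTTP traffic coming from a host that is not the designated web server, can be illustrated with a small simulation. The following Python code is an added example and is not part of the original chapter; the rule table, the addresses (documentation ranges), the sample packets, the `SAMPLE-VIRUS-SIG` content signature and the abstract `work` counter standing in for processor cycles are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Protocol deduced from a well-known TCP port, as the chapter describes.
PORT_TO_PROTOCOL = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # None matches any address
    dst: Optional[str] = None
    protocol: Optional[str] = None # None matches any protocol


def protocol_of(pkt: Packet) -> str:
    """Deduce the protocol from the destination port, falling back to the source
    port (a server's replies carry the well-known port as their source)."""
    return PORT_TO_PROTOCOL.get(pkt.dport) or PORT_TO_PROTOCOL.get(pkt.sport) or "unknown"


@dataclass
class Firewall:
    rules: List[Rule]
    content_signatures: Tuple[bytes, ...] = ()  # patterns rejected when content inspection is on
    inspect_content: bool = False
    work: int = 0                               # abstract processor work units spent so far

    def lookup(self, pkt: Packet) -> str:
        """Header-only policy lookup: walk the rule table until a rule matches."""
        proto = protocol_of(pkt)
        self.work += 1                          # parse the header once
        for rule in self.rules:
            self.work += 1                      # one comparison per rule examined
            if (rule.src in (None, pkt.src) and rule.dst in (None, pkt.dst)
                    and rule.protocol in (None, proto)):
                return rule.action
        return "deny"                           # default deny when nothing matches

    def inspect(self, pkt: Packet) -> bool:
        """Content filtering: its cost grows with the payload, not just the header."""
        self.work += len(pkt.payload)
        return not any(sig in pkt.payload for sig in self.content_signatures)

    def process(self, pkt: Packet) -> str:
        verdict = self.lookup(pkt)
        if verdict == "allow" and self.inspect_content and not self.inspect(pkt):
            verdict = "deny"
        return verdict


# Constructed policy: one public web server, one mail relay, telnet judged too risky.
WEB_SERVER = "192.0.2.10"
RULES = [
    Rule("allow", dst=WEB_SERVER, protocol="http"),    # requests to the public web server
    Rule("allow", src=WEB_SERVER, protocol="http"),    # its replies
    Rule("deny", protocol="telnet"),                   # telnet blocked outright
    Rule("allow", dst="192.0.2.25", protocol="smtp"),  # mail to the relay
]

# Constructed sample traffic (documentation address ranges, not real hosts).
PACKETS = [
    Packet("198.51.100.7", WEB_SERVER, 40001, 80, b"GET / HTTP/1.0\r\n"),
    Packet(WEB_SERVER, "198.51.100.7", 80, 40001, b"HTTP/1.0 200 OK\r\n"),
    Packet("198.51.100.7", "192.0.2.30", 40002, 23),
    Packet("198.51.100.8", "192.0.2.25", 40003, 25, b"MAIL FROM:<a@example.com>\r\n"),
    Packet("198.51.100.8", "192.0.2.25", 40004, 25, b"SAMPLE-VIRUS-SIG attached\r\n"),
    Packet("192.0.2.30", "198.51.100.9", 80, 40005, b"HTTP/1.0 200 OK\r\n"),  # HTTP from a non-web-server host
]


def audit(packets: List[Packet], inspect_content: bool = False) -> Tuple[List[str], int]:
    """Run the packets through a fresh firewall; return verdicts and total work spent."""
    fw = Firewall(rules=RULES, content_signatures=(b"SAMPLE-VIRUS-SIG",),
                  inspect_content=inspect_content)
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.work


def unexpected_web_sources(packets: List[Packet], designated_web_servers: Set[str]) -> List[str]:
    """Hosts emitting HTTP (replies from port 80) that are not designated web servers."""
    return sorted({p.src for p in packets
                   if PORT_TO_PROTOCOL.get(p.sport) == "http" and p.src not in designated_web_servers})


if __name__ == "__main__":
    print(audit(PACKETS))                       # header-only lookup
    print(audit(PACKETS, inspect_content=True)) # adds payload-proportional cost
    print(unexpected_web_sources(PACKETS, {WEB_SERVER}))
```

Running `audit` on the traffic twice over doubles the `work` figure, which is the scaling problem of section 3.1 in miniature: per-packet examination cost is fixed, so the cycles needed on the perimeter grow linearly with volume, and switching on content inspection adds a cost proportional to every allowed payload on top of that. `unexpected_web_sources` is the port-based recognition of section 3.2: the host `192.0.2.30` is flagged because it answers from port 80 without being the designated web server.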