Software Defined Firewalls

Truly original concepts in cyber security are few and far between. Instead, our purported advances are usually just incremental improvements on existing solutions. Under normal conditions, this bumpy path to innovation might be tolerable. But with outlaw nation-state and criminal actors developing attack tools that are rotating the tires off enterprise security teams, it's high time for some new ideas in cyber.

I spent a day recently on Fulton Street in a deep dive with the principals from Canadian cyber security firm Corsa. The company's engineers have their collective DNA rooted in software defined networking (SDN), so I was with kindred spirits. Now, I hate to overstate matters, and I constantly try to filter hyperbole from my writing, but I think they might be onto something new, and I think it is something you need to understand. Here is what I learned:

Let’s start with the original concept of a firewall (which I wrote about with Ron Sharp in a book called Firewall Strategies, published by Ziff-Davis Press back in 1996): In early packet-filtering and application-level firewalls, administrators wrote rules to perform basic policy enforcement at network boundaries. The operation was simple, and pioneers such as Gil Shwed helped us accomplish this with human-readable GUIs.

More modern firewalls expanded this single function to a collection of integrated features, all under one appliance hood. So-called next generation firewalls (NGFW) were powerful devices, and you are probably protected by one today. Experts like Nir Zuk showed us that you could support these functions in a commercially-available solution that would be easy to install, maintain, and manage.

But both early and next-generation firewalls are limited to a set of embedded, pre-defined capabilities. Like conventional TV, they can add more and more . . . and even more to their line-up, but it will always be manufacturer-defined features, functions, and capabilities. Connectivity to the cloud does not change this limitation, nor do dynamic threat feeds. The boundaries of these components are defined by the box.

What I heard from Corsa was an approach that I had not previously considered: Their idea was that with the dynamic power of SDN service chaining, you could build a firewall that provisions functions virtually. The features that could be spawned (IDS, deep packet inspection (DPI), and the like) would be limited only by the creativity of the administrator and the available budget for new security appliances.

The technology that enables such dynamic firewall expansion is SDN, and virtual service chains in cloud operating systems provide the implementation mechanism. The operating system could be hosted publicly, subject to performance and compliance requirements, or it could be enabled to run on generic hardware, either adjacent to, or embedded within the firewall platform. The result is a dynamic SDN-based firewall.
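To make the service-chain idea concrete, here is a small added model of an SDN-steered firewall. It is illustrative code written for this page, not Corsa's product or anything from their platform: a priority-ordered flow table classifies packets into a named chain, each chain is an ordered list of virtual service functions, and a controller attaches or detaches functions in the live chain without touching the classifier. The chain names, rules, addresses, detection strings and sample packets are all constructed for the example.

```python
"""Toy SDN service-chained firewall (added example, not Corsa's code). A flow table
classifies packets into a named chain of virtual service functions that a controller
can attach or detach at run time. Names, rules and packets are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int
    payload: bytes = b""

Verdict = str  # "ACCEPT" passes the packet on; any other value ends the chain
ServiceFn = Callable[[Packet], Verdict]

@dataclass
class FlowRule:
    priority: int
    match: Dict[str, object]  # Packet fields that must be equal; {} matches all
    chain: str

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class ServiceChainFirewall:
    """Priority-ordered classifier (OpenFlow style) plus mutable service chains."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []
        self.chains: Dict[str, List[Tuple[str, ServiceFn]]] = {}

    def add_rule(self, priority: int, match: Dict[str, object], chain: str) -> None:
        self.rules.append(FlowRule(priority, match, chain))

    def attach(self, chain: str, fn_name: str, fn: ServiceFn, after: Optional[str] = None) -> None:
        """Provision a function into a live chain, optionally right after another one."""
        steps = self.chains.setdefault(chain, [])
        if after is None:
            steps.append((fn_name, fn))
        else:  # raises StopIteration if `after` is not in the chain
            idx = next(i for i, (name, _) in enumerate(steps) if name == after) + 1
            steps.insert(idx, (fn_name, fn))

    def detach(self, chain: str, fn_name: str) -> None:
        """Tear the function down again once it is no longer needed."""
        self.chains[chain] = [(n, f) for n, f in self.chains[chain] if n != fn_name]

    def classify(self, pkt: Packet) -> Optional[str]:
        for rule in sorted(self.rules, key=lambda r: r.priority, reverse=True):
            if rule.matches(pkt):
                return rule.chain
        return None  # no rule at all

    def process(self, pkt: Packet) -> Tuple[Verdict, List[str]]:
        """Run the packet down its chain; return the verdict and the functions traversed."""
        chain = self.classify(pkt)
        if chain is None:
            return "DROP", []  # implicit deny
        traversed: List[str] = []
        for name, fn in self.chains[chain]:
            traversed.append(name)
            verdict = fn(pkt)
            if verdict != "ACCEPT":
                return verdict, traversed
        return "ACCEPT", traversed

def l4_web_policy(pkt: Packet) -> Verdict:
    """Classic stateless packet filter: only TCP 80/443 may reach the web tier."""
    return "ACCEPT" if pkt.proto == "tcp" and pkt.dport in (80, 443) else "DROP"

SQLI_MARKERS = (b"' or 1=1", b"union select")  # constructed, deliberately crude

def dpi_block_sqli(pkt: Packet) -> Verdict:
    """Minimal DPI function: drop requests carrying obvious SQL-injection strings."""
    return "DROP" if any(m in pkt.payload.lower() for m in SQLI_MARKERS) else "ACCEPT"

def build_demo_firewall() -> ServiceChainFirewall:
    """One DMZ chain for web server 10.0.0.10 plus a catch-all deny chain (constructed)."""
    fw = ServiceChainFirewall()
    fw.attach("dmz-web", "l4-policy", l4_web_policy)
    fw.add_rule(100, {"dst": "10.0.0.10", "proto": "tcp"}, "dmz-web")
    fw.attach("default-drop", "deny-all", lambda pkt: "DROP")
    fw.add_rule(0, {}, "default-drop")
    return fw

def demo_attack_response() -> List[Tuple[Verdict, List[str]]]:
    """Same SQLi request before DPI is spawned, while it is in the chain, and after teardown."""
    fw = build_demo_firewall()
    sqli = Packet("198.51.100.7", "10.0.0.10", "tcp", 443, b"GET /login?user=' OR 1=1-- HTTP/1.1")
    before = fw.process(sqli)
    fw.attach("dmz-web", "dpi-sqli", dpi_block_sqli, after="l4-policy")  # "beef up during an attack"
    during = fw.process(sqli)
    fw.detach("dmz-web", "dpi-sqli")  # shrink back once the attack subsides
    return [before, during, fw.process(sqli)]

if __name__ == "__main__":
    for label, result in zip(("before DPI", "with DPI", "after teardown"), demo_attack_response()):
        print(f"{label:15s} {result}")
```

The point to notice is where the change happens: the flow rule that steers web traffic to the "dmz-web" chain never changes, so the classifier (the part that has to run at wire speed) is untouched while the controller inserts and removes the DPI function behind it. In a fixed-function appliance that DPI step is either built in or unavailable; in the chained model it is a provisioning decision, and a passive IDS tap or any other function could be slotted in the same way.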

The Corsa team today offers just such a hardware solution: it sits in-line on the network wire and uses SDN to spawn dynamic service chains that create virtual DMZs on demand. What’s interesting is that the hardware is efficient enough to handle up to 100 Gbps of traffic, which allows this software-defined solution to operate at service-carrier capacities. That is quite a concept: A software-defined 100 Gbps firewall.

Now, before you start making ill-advised plans to rip out your NGFW, let me offer some advice. This idea of service chaining has been in SDN for years, and only a few technology companies such as AT&T have figured out how to make it work at scale. Corsa and other solution providers will still need to work the licensing and go-to-market conditions to deliver a full-featured SDN firewall. Today, they tailor niche solutions for 100 Gbps users.

My prediction is that within five years, every new major firewall deployment will include SDN-powered, dynamically-provisioned capabilities – and this makes perfect sense. The approach allows your firewall to grow and shrink on-demand (perhaps beefing up during an attack); it drives your firewall to use more software (rather than hardware); and it lends itself nicely to cloud implementations of an enterprise architecture.

I’ve made some bold statements here. And I suspect that not all of you reading this note will agree – which I hope will drive you to share your views in the comments. Please do let me know – and let Corsa know – what you think of this concept. This ongoing progression from conventional to SDN firewalls represents an important evolution in our industry and we need to hear your views – pro and con. (Just be polite, please.)