DarkReading has an article up about next-generation firewalls with true IPS and application awareness. First, read the article.
Second, the inadequacy of firewalls that filter by port alone has been known for what, a decade now? And the trend of applications moving over port 80 is about as old. I just don’t like reading “news” about such ideas. But that’s my only real complaint about this article.
This is an interesting topic: getting firewalls more in touch with the applications and, as Hoff suggests, more in touch with the data. “Even so, giving the firewall an application protocol view still isn’t enough, security experts say. ‘The problem is that applications are merely conduits. Data is the real problem,’ Hoff says.”
Unfortunately, twenty years from now, will we be saying that this next-gen application firewall, with its signatures and traffic inspection, was yet another colander, because every application not only tunnels through port 80 and lives inside the web browser but also steers clear of the known-bad signatures? Will that be any better than blacklisting traffic, domains and ports and trying to keep up with them? Perhaps, perhaps not. But technology has shifted the emphasis onto applications (or even just one application: the browser), and so firewalls (and security) need to keep up.
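To make the port-versus-application point concrete, here is an added example (not code from the DarkReading article or from this post). It puts a port-only rule next to a small application-aware classifier that looks at the first bytes a client sends, then shows why a fixed known-bad signature on its own is the colander described above: a trivial change to the payload slips past it. The flows, the policy table and the signature are all constructed for illustration.

```python
"""Port-only versus application-aware filtering on constructed sample flows.

Added example, not code from the DarkReading article or this post.
The flows, policy table and signature below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


# --- 1. A port-only firewall: the rule knows nothing but the destination port.
PORT_ALLOWLIST = {80, 443}


def port_based_verdict(flow: Flow) -> str:
    return "allow" if flow.dst_port in PORT_ALLOWLIST else "deny"


# --- 2. Application identification from the first bytes of the payload.
_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def identify_application(payload: bytes) -> str:
    """Classify a flow by what it carries, not by the port it uses."""
    if _HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


# Policy: (port, application) pairs that are allowed; anything else, including
# an application the classifier cannot name, is denied.
APP_POLICY = {(80, "http"), (443, "tls")}


def app_aware_verdict(flow: Flow) -> str:
    app = identify_application(flow.payload)
    return "allow" if (flow.dst_port, app) in APP_POLICY else "deny"


# --- 3. A known-bad signature list, and why it is a colander on its own.
BAD_SIGNATURES = [b"User-Agent: BadTool/1.0\r\n"]  # constructed signature


def matches_bad_signature(payload: bytes) -> bool:
    return any(sig in payload for sig in BAD_SIGNATURES)


# Constructed sample flows (hypothetical hosts and tools).
HTTP_ON_80 = Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
SSH_ON_80 = Flow(80, b"SSH-2.0-OpenSSH_8.9\r\n")  # SSH tunnelled over port 80
TLS_ON_443 = Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + b"\x00" * 10)
HTTP_ON_8080 = Flow(8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
BAD_TOOL = Flow(80, b"GET /c2 HTTP/1.1\r\nHost: example.com\r\n"
                    b"User-Agent: BadTool/1.0\r\n\r\n")
# Same client, version string bumped: the fixed signature no longer matches.
BAD_TOOL_EVADED = Flow(80, b"GET /c2 HTTP/1.1\r\nHost: example.com\r\n"
                           b"User-Agent: BadTool/1.1\r\n\r\n")


def compare(flows):
    """Return (port, identified app, port-only verdict, app-aware verdict) per flow."""
    return [
        (f.dst_port, identify_application(f.payload),
         port_based_verdict(f), app_aware_verdict(f))
        for f in flows
    ]


if __name__ == "__main__":
    for row in compare([HTTP_ON_80, SSH_ON_80, TLS_ON_443, HTTP_ON_8080]):
        print("port=%d app=%-7s port-only=%-5s app-aware=%s" % row)
    print("signature hit on original:", matches_bad_signature(BAD_TOOL.payload))
    print("signature hit after trivial change:",
          matches_bad_signature(BAD_TOOL_EVADED.payload))
```

The SSH-over-80 flow is the case the port-only rule cannot see: it is allowed on the port, denied once the payload is classified. The default-deny for "unknown" is deliberate; an application-aware firewall that waves through whatever it cannot name is back to being a port filter.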
Regardless of the effectiveness or IPS-like ability of such firewalls, we still cannot replace a human analyst looking at the data they gather. And we cannot properly protect networks without being able to inspect application traffic. We can’t stop what we don’t know is happening. If nothing else, I welcome the day when firewalls can be their own IDS, with the capability and accuracy of a best-of-breed standalone IDS.