A firewall is a network security device placed between networks to logically separate and protect the privacy and integrity of business communications across these networks, and to safeguard against malicious use. Firewalls are positioned between a corporate private network (trusted network) and other public networks, and monitor and enforce corporate policies on all the communication flowing in and out of the corporate network.
Conventional firewalls performed the basic function of controlling access to communication occurring between an enterprise network and the outside world. However, next generation firewalls have significantly increased security capabilities. One very essential function is of preventing Denial-of-service (DoS) and Distributed DoS attacks. Denial-of-service is when a hacker or malicious user programmatically probes the Intranet to gain access to a private network, and then proceeds to use this information to further repeatedly scan and install disruptive tools. This leads to the network being compromised and steals considerable processing capabilities of the network, resulting in disrupting service and rendering the network unavailable to customers for large lengths of time.
A simple firewall configuration consists of a box with 3 ports—one port connecting to the network that requires the firewall, another to the Internet, and the third port to DMZ networks providing useful public utilities such as HTTP and FTP.
Firewalls can be standalone or installed as an integrated gateway solution. Standalone firewalls require significant administration effort and are a less-preferred solution, keeping in mind the increasing network complexity and rising security needs. Enterprises and small businesses increasingly prefer routers and gateways with built-in firewalls with widely acceptable technologies like Stateful Packet Inspection (SPI). Stateful Packet Inspection provides the highest level of security by extracting the state-related information required for security decisions from all application layers and maintaining this information in dynamic state tables. This information is then used for evaluating further action on packets of the same session.
Multi Tenant Units (MTUs) or commercial office buildings, campuses, hotels and multi-family apartment buildings, present a large market opportunity for service providers to gain new customers through the provision of secure connections. Existing local exchange carriers currently underserve the MTU/MDU customer base. Small businesses and home offices need cost-effective and reliable networking solutions. Moreover, the solutions need to be easy to install and use, and scalable to accommodate changes as the business grows. Effective firewalls with advanced security are essential to protect confidential information and to maintain quality of service.
Next generation firewalls will need to actively support extension of security support and collaboration for selective user communities within an enterprise. An enterprise consists of a collection of individuals with separate functions and responsibilities, requiring disparate access control. Different divisions of an enterprise may need to maintain separate networks, requiring some collaboration but limiting the access privileges across the entire enterprise.
The increasing need for enterprises and businesses to scale—to add users and user communities and separate network entities with their own governing security policies—will require the management of firewall security by duplicating indefinite numbers of firewall boxes, one for each additional network. Technology solutions that can provide an aggregation of firewalls in one box would be more practical and easy to maintain.
A Virtual Firewall System (VFS) provides multiple logical firewalls for multiple networks, on one system. That is, a service provider with numerous subscribers can provide firewalls separating and securing all the subscribers and yet, is able to manage it from one system. This is accomplished by establishing “security domains” controlled by Virtual Firewalls, with each firewall having its own defined security policy. Security domains are exclusive in that they are external to any other security domain in a given system.
Virtual Firewalls are functionally similar to a simple firewall, and are configured with their own outbound and inbound policies, and network objects. However, Virtual Firewalls enable easy management of a collection of firewalls through policies at a defined security domain. In addition, VFS (Virtual Firewall System) allows additions and removal of security domains, providing scalability with the growth of subscriber networks.