"We are all bloody lucky that something hasn't obliterated IT on earth," said Baumhardt. "Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Qaeda is riding inside."
A port-based firewall lets traffic through when it arrives on a permitted port number. For example, HTTP runs on port 80, which is often regarded as a trusted port and left open. Firewalls have traditionally worked on this basis, without inspecting the content of the traffic. But Baumhardt called for IT professionals to ensure they had better equipment.
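The distinction described above, as an added illustration that is not part of the article or of ISA Server: a Python sketch that contrasts a port-only rule with a check that the payload arriving on a permitted port really is the protocol that port is meant for. The sample flows, the port list and the two classifier functions are constructed for this example.

```python
import re

# Constructed sample flows (not captured traffic): (destination port, first client bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # genuine HTTP
    (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),             # TLS record on port 80
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),                                   # SSH banner on port 80
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),            # TLS on its usual port
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),                                   # SSH on a closed port
]

ALLOWED_PORTS = {80, 443}

def port_based_decision(port: int, payload: bytes) -> str:
    """Classic packet filter: the payload is never examined, only the port."""
    return "allow" if port in ALLOWED_PORTS else "deny"

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def looks_like_http(payload: bytes) -> bool:
    """True if the bytes start like a plaintext HTTP/1.x request carrying a Host header."""
    if not HTTP_REQUEST_LINE.match(payload):
        return False
    head = payload.split(b"\r\n\r\n", 1)[0].lower()
    return b"\r\nhost:" in head

def looks_like_tls(payload: bytes) -> bool:
    """True if the bytes start with a TLS record header (type 0x16 handshake, major version 3)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

# Which protocol we expect to see on each permitted port.
EXPECTED_PROTOCOL = {80: looks_like_http, 443: looks_like_tls}

def application_aware_decision(port: int, payload: bytes) -> str:
    """Port check first, then verify the payload is the protocol the port is meant for."""
    if port not in ALLOWED_PORTS:
        return "deny"
    if EXPECTED_PROTOCOL[port](payload):
        return "allow"
    return "deny: payload is not %s" % ("HTTP" if port == 80 else "TLS")

def compare(flows=SAMPLE_FLOWS):
    """Return (port, port-only verdict, application-aware verdict) for each flow."""
    return [(port, port_based_decision(port, p), application_aware_decision(port, p))
            for port, p in flows]

if __name__ == "__main__":
    for port, old, new in compare():
        print(f"port {port:>3}: port-based={old:<5} application-aware={new}")
```

The two non-HTTP flows on port 80 are exactly the traffic a port-only rule waves through and an application-layer check rejects or flags for inspection.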
"I don't care which vendor you get it from," he said. "I just want to see [next generation firewall] technology in front of your network."
Baumhardt was demonstrating Microsoft's Internet Security and Acceleration (ISA) Server 2004. He said that traditional firewalls were failing to scan Internet traffic deeply enough to detect malicious traffic.
"We trust traffic on ports that we think it should be on," said Baumhardt. "But when you do that you relay control to the security vendor. You need to understand the traffic you are trying to block."
Baumhardt gave the example of how many hackers use port 80 to enter a network because it is treated as trusted traffic. He added that it was also important to protect the network internally, not just at the perimeter.
"We don't place devices to protect from within the internal network. But if you don't put firewalls on chokepoints [critical areas in the network] you won't defend your internal network."
The latest version of ISA Server can handle 1.9-gigabit throughput, said Baumhardt, and can scan port traffic at the application layer, which could give better transparency into what is crossing the firewall. He said it also offers VPN and port-scanning technology.
But Baumhardt added that it was unwise to use firewalls without the support of other security technology: "Believe it or not, Microsoft is not the be-all and end-all of everything. We could be a platform for other things to run on. You buy ISA so that you can complement it with SurfControl or McAfee."
Talkback
Obliteration of IT? Al-Qaeda? Nothing like a bit of scaremongering hyperbole is there?
So firewalls aren't the be-all and end-all of security. Well done, MS, welcome to the world the rest of us have been in for years.
Perhaps if Microsoft locked their products down to start with we'd all be better off.
If Microsoft did produce a "smart firewall" like this, it would just be another excuse for the security of the end applications, like Microsoft IIS server, to suck even more than they do now. Maybe if they wrote decent apps in the first place they wouldn't have to worry so much about malicious traffic.
Use encryption (openssh, https) and his next step is gone. The idea of a firewall is not to provide absolute, but just to make it harder, rather like how even glass windows and hollow-core doors keep nearly 100% of all thieves away.
I saw this presentation - and the quotes are out of context. Microsoft is talking about having intelligence at the network level - not replacing it anywhere else. Fred made a good point when he said that it's not about companies anymore - as soon as HTTP filters come online people will switch to encryption - someone will also need a way to inspect outbound encryption to help eliminate these vectors - if you think Microsoft are insecure, wait until Linux takes off (and it will) as soon as hackers see it's now worthwhile to attack them (cuz now there aren't enough to bother with) - we will go through the same process again. Networks make a good place to filter - the body filters viruses in the bloodstream - why can't we as an industry?