Natural Selection: The Future of the Firewall




When Jody Brazil and the folks at FireMon asked me if I’d write a post for this “Future of the Firewall” series my first thought was, “if I had a nickel for every time someone told me the firewall was dead, I’d be rich.”

Yes, the good old firewall, the security technology everyone loves to hate, has been on supposed life support for years. But yet it’s a $9 billion market according to Gartner. We should all be that sick.

To be fair, today’s next generation devices bear little resemblance to those old Check Point boxes you may remember. It’s sort of like comparing a Model T Ford to a Tesla.

However, just as both cars can get you from A to B, today’s firewalls are doing the same things those old Check Point or Cisco PIX boxes did. While the speed, bandwidth, scalability and capability have increased, firewalls do the same thing now they did then: controlling ingress and egress.

Going into the future, firewalls will still perform this task.

I don’t want to leave the impression that nothing has or will change, though. Firewalls have evolved and collectively these changes have drastically shifted the model. For me, the biggest change is where the firewall lives; it’s no longer merely the drawbridge over the perimeter moat providing entrance to the castle.

Shrinking Dinosaurs

A better analogy for how firewalls have changed might be found in comparing dinosaurs to birds. Just as the dinosaurs evolved into birds and took flight, firewalls have transformed. Initially they flew inside. One significant innovation was the use of firewalls deployed inside the network to isolate segments, with highly sensitive data kept behind these internal systems.

Other firewalls evolved into big honking boxes sitting at the core of the network. Instead of perimeter devices, these firewalls performed ingress and egress monitoring/control at a critical choke point for all network traffic.

And just as some firewalls flew inside, other firewalls flew away altogether. Some flew to the cloud, where the servers were going, to protect the web servers and applications that serve as the interface for computing interactions.

Some of these firewalls became specialized for the web. The rise of the WAF has been a major addition to firewall capability. Highly specialized to protect web sites and applications, WAFs added IDS/IPS functionality (and weren’t the only firewalls to do this) as well as dynamic protection capability. I think the evolution of the WAF is far from over. As we continue to move into an app-centric world, protecting the app servers grows both more critical and more complex; WAFs will rise to the mission.

At the same time the number of WAFs will continue to expand, making WAF management as critical and sophisticated as firewall management is today. Future firewall management solutions will treat WAFs as another firewall; rules and policies will flow across both WAFs and traditional firewalls.

Another major evolution occurring up in the cloud is the advent of virtual firewalls. After growing feathers, they shed their bodies! I’ve always thought of virtual firewalls no differently than appliances, though. Box or no box, you still need to set your ingress and egress rules and policies, and I don’t think that will change in the future. While virtual firewalls may outnumber physical appliances, management won’t change. Of course virtualization introduces its own challenges; instead of dealing with hardware failures, we need to manage virtual environments.

The biggest change over the last few years has been the rise and dominance of the “next gen” firewall. Call it a UTM if you want, just don’t call it late for dinner. The next gen firewall has rejuvenated the entire space.

No longer “dumb” devices that block ports and IPs, NGFWs feature much “smarter” technology, combining IDS/IPS, anti-spam, DLP and more, offering a full spectrum of defense. They’re also “application aware” and much better suited to today’s app-centric world.

In the future, NGFWs will continue to grow smarter, with “brains” allowing them to be more effective and utilize more techniques to secure, automate and protect. We’re already starting to see the “son of next gen”, and it won’t stop there.

The fact is that this is the future of the firewall. No matter how they evolve or morph, no matter where in the network they live, or what they look like, we’ll add more intelligence and automation. They’ll become more effective.

Two things won’t change: they’ll have to be managed and they’ll continue to control the ingress and egress of bits into, and out of, our networks, servers and devices.

Industry News – Advancing Network Threat Intelligence




When FireMon re-positioned itself around the concept of Proactive Security Intelligence at the beginning of 2014, the effort was undertaken with the notion of highlighting the critical role that data produced by our solutions plays in managing enterprise security and IT risk.

Sure, if you want to start at the most foundational element of the processes we support, as many of our customers do, it can be stated as simply as firewall management – getting a clear understanding of what network security device infrastructure is doing, then improving the performance and efficiency of those defenses, continuously.

However, the truth is, “firewall management” is far too narrow a manner of communicating the overall value of what the FireMon Security Manager Platform and its supporting modules offer in terms of strategic information, thus the new messaging.

With all the intelligence that we produce regarding policy workflow, compliance validation and risk management, along with enablement of related process automation, we felt it was far more appropriate, if not completely defensible, to adopt this broader PSI mantra.

Intelligence, of course, has evolved into a very broad and encompassing industry buzzword, popular among security vendors of all breeds who feel that they provide some form of critical data to inform strategic decision making – which admittedly could be almost any company on the landscape today.

Of all the various uses of intelligence, clearly, the most widely recognized arena (perhaps beyond long-standing ties to the SIEM market) these days is that of “threat intelligence”, or the real-time aggregation and distribution of information regarding emerging attacks to help both products and practitioners respond more adeptly as threat-scape conditions evolve.

So, it’s with keen interest that we at FireMon saw the news this week that industry heavyweights Fortinet, McAfee and Palo Alto Networks, all of whom are close partners of ours, announced a new high-profile effort (along with endpoint experts Symantec) to drive threat intelligence even deeper into the domain of network protection.

Some may roll their eyeballs at the introduction of yet another pan-industry coalition, but this is a pretty influential group in our world, and as such the launch of the involved “Cyber Threat Alliance” is certainly intriguing.

The reason is simple. Of all the uses that a product maker or practitioner could find for the latest and most comprehensive information regarding emerging threats, using that intelligence to assure that network defenses are in place and assets are effectively segmented is certainly one of them – a case echoed in the accompanying research white paper launched by the new coalition.

As highlighted by McAfee EMEA and Canada President Gert-Jan Schenk in the related announcement, the unprecedented rate and severity of recent breach incidents has come at the hand of “complex and multidimensional attacks” that dictate attention far beyond installation of more effective anti-malware systems at the network gateway or on endpoint devices.

Given that we’ve long stumped for the need to use current, in-depth visibility into the real-world alignment of network defenses, in relation to underlying assets and known vulnerabilities, to address risk exposure and mitigate available attack paths, this effort on the part of our partners, industry leaders all, is definitely something FireMon would support, heartily.

As our self-appointed corner of the market – Network Security Intelligence – continues to evolve and we move to help organizations better align their defenses to account for emerging attacks it will be fascinating to see how threat intelligence continues to shape methodologies.

We’ll continue striving to be at the forefront, working with these types of thought leaders to enable more effective defense.

About Matt Hines

Matt Hines leads product marketing efforts at FireMon. Prior to joining FireMon, Hines held similar roles at TaaSERA, RedSeal Networks and Core Security Technologies, and worked for over a decade as a journalist covering the IT security space for publishers including IDG, Ziff-Davis, CNET and Dow Jones & Co.

Black Hat 2014: RSA in the Desert?




I’ve been attending the Black Hat Security Conference in Las Vegas for almost a solid decade now, and if there’s one thing that’s for sure, it’s that the conference continues to evolve.

Given, when I first started attending Black Hat those many years ago, it was not as a marketing rep for a security software vendor, but as a reporter attempting to get my head around the emerging threat/exploit landscape.

However, even if my time is no longer spent attending sessions, and trying (with varying degrees of success) to understand what is being presented, a walk across this year’s show floor clearly evidences the continued shift towards a more business-centric audience.

This is nothing new, of course, as hardcore Black Hat attendees have been decrying the show’s evolution into more of an “RSA in the desert” for years. However, it’s clear that with each passing summer this change becomes ever more the reality.

When I was working for pen testing specialists Core Security in 2008, it was clear that ethical hackers, primarily researchers, still made up a huge swath of the Black Hat audience; this no longer would appear to be the case.

Certainly it has a lot to do with spending more time in the vendor exhibition space, but with each year I see more corporations and government agencies listed on attendees’ badges, and fewer humorous attempts to dodge identification (though we do have several “ninjas” and at least one “director of rainbows and unicorns” listed among our 2014 badge scans).

As I was discussing this phenomenon with longtime industry guru Alan Shimel (currently of the CISO Group and Security Bloggers Network) we were debating the potential upsides and downsides.

First off, neither of us would debate that there’s still a wealth of extremely valuable research on the Black Hat schedule, and I can’t even make the claim in recent years of attending many of these sessions.

Another key component to consider is that there are the sister DEF CON and parallel B-Sides Las Vegas shows, which cater directly and almost exclusively to ethical hackers and focus almost solely on research, allowing Black Hat to grow more… corporate.

You also have the phenomenon of people who started out as Black Hat researchers who are now focused more on the business side of things, having built vital companies out of the expertise they used to share as conference presenters (the guys from White Hat Security are a fitting and high-profile example).

As noted above, one of the other significant changes in Black Hat attendance is the ever-increasing number of government attendees. In years past there may have been a lot of Red Team/Blue Team types – and likely still are – but today, there’s an overwhelming number of state and federal security officials in attendance – with their names and titles displayed openly on their badges (another notable shift).

My impression is that many of the people who first came to Black Hat – and now may spend more time at Def Con or B-Sides – may disparage the show’s change in interests, arguing that the event is now too focused on the business side.

However, for companies like FireMon this shift has obviously made the event even more valuable, providing us with another fantastic opportunity to connect with existing customers and new prospects to tell them more about what our solutions can do.

Is the change good? Is it bad? That’s for each individual to decide on their own, but as Alan and I eventually agreed, it’s really just a natural evolution as hacking and ethical research continue to mature and become an even bigger element of enterprise security.

No matter how you slice it, Black Hat continues to serve as an ideal venue for numerous elements of the security community to connect. No matter what changes come it’s always a pleasure to be there.


Gartner Guidance: No Farewell to Firewalls




Every so often someone suggests that network firewalls are no longer a strategic asset – typically based on the emergence of some shiny new, “gotta have it” technology, or the notion that this 20+ year old first line of defense – introduced by Marcus Ranum at DEC in 1992 – doesn’t matter as much as it used to.

However, if you listen to the experts – in this case leading industry analyst firm Gartner and their 14,000-plus clients – such claims are clearly misguided.

At the firm’s recent Gartner Security & Risk Management Summit 2014 nearly every relevant session reinforced that firewalls, and more effective management of these inherently complex devices, remain just as critical as ever, if not more so.

From the summit’s opening keynote – stressing the need for CSOs and other security officials to tie their efforts directly to business initiatives (and bridge IT silos with offerings like FireMon’s recently launched Policy Optimizer) – to breakouts dedicated specifically to corralling firewall policies, the importance of stout firewall defenses was repeatedly emphasized.

Sure, there was the point-counterpoint “Farewell to Firewalls” presentation in which Gartner’s forward-looking thought leader Dr. Joseph Feiman focused on the need for new applications-centric mechanisms, specifically embedded runtime application self-protection [RASP] capabilities.

But, as artfully submitted by Gartner network security guru Greg Young, and ultimately conceded by Feiman himself, the continued development of such emerging technologies, in addition to adoption of cloud services and SDN, will actually require continued, if not greater, reliance on firewalls.

Longtime Gartner risk expert Neil MacDonald’s session on “Continuous Advanced Threat Protection” hammered home the need for more proactive and context-aware management of network security infrastructure; MacDonald’s “Adaptive Security Architecture” posits that strategy must shift from traditional “detection” and “response” methodologies to more “predictive” and “preventative” tactics.

These observations validate FireMon’s vision that adding network security intelligence to existing cyber defenses can significantly automate manual processes and free security teams for other critical risk management efforts.

For further evidence, one needed to look no further than network security analyst Adam Hils’ overview of inquiry calls made by Gartner clients during the first half of 2014.

His hard numbers: a whopping 51 percent of the over 1,500 calls related directly to firewalls were divided between “my rule base is a mess, how can I clean-up and better manage?” and “next gen firewalls – should I migrate and how?”

The second place topic – related IPS issues – only accounted for 22 percent of all calls.

So, there’s hard evidence that any notion that firewalls are either yesterday’s news or increasingly less strategic is… highly overstated; the Gartner numbers simply don’t lie.

We update Gartner analysts regularly on customer wins, real world ROI data and FireMon’s technology roadmap – and listen closely to the “pain points” they hear from clients. These analysts understand precisely how valuable FireMon solutions can be in advancing organizations’ network security posture.

So why take our word for it? Give them a call and find out for yourself.


FireMon Security Manager 7.0 – Top 5 Additions




With any major product release there’s typically quite a bit to sound off about, but with the launch of the FireMon Security Manager 7.0 platform and the introduction of its updated Policy Planner 3.0 module there’s so much to highlight that one could potentially go on for a long time.

So, in the interest of shedding some light on the most exciting and breakthrough additions in these new releases, let’s take a classic “Late Show”-style approach citing the “Top 5 New Capabilities of Security Manager 7.0”:

1. True Continuous Assessment: The Security Manager analysis engine and supporting features are the only solution that truly provides real-time visibility across all network security device infrastructure. With even greater levels of automation including an updated library of proven assessments, proactive “what-if” change modeling, historical trend analysis to chart improving performance and the scalability to analyze enterprise infrastructure in seconds, FireMon has once again upped the ante.

2. Expanded Assessment and Controls: Striking at the lifeblood of how customers benefit from Security Manager’s automated assessment approach, the 7.0 release introduces major advancements including trending, whitelisting and an out-of-the-box library with over 100 pre-built controls and Best Practices assessments. The results? Faster analysis, greater policy and process retention and even greater ease-of-use – all with a high degree of customization – based on FireMon’s years of experience working with customers.

3. Standardized Policy Workflow: Policy Planner 3.0 delivers full support for the BPMN 2.0 workflow standard, allowing even more consistent policy design, evolution and management, and allowing direct integration with existing BPM systems and processes. More fuel to the FireMon flame of providing enterprise ready, time saving and closed-loop methodology; look here to see who else supports BPMN 2.0.

4. Added MSSP capabilities: While other vendors merely pass off their solutions to MSSPs, FireMon continues to add purpose-built capabilities for our many managed service provider customers, including support for organizational domains and LDAP authorization. Instead of handing off an existing solution and merely saying good luck, FireMon continues to make the investments that drive increased ROI for MSSPs of all kinds.

5. New Device Support: The more network security devices that Security Manager provides direct integration with, the more powerful the results. This time around additions include newly released products from leading providers including Cisco (ASA 9.1), Palo Alto Networks (Panorama) and Qualys (QualysGuard VM) as well as support for device infrastructure popular in APAC (AhnLabs, Hillstone, Huawei, SECUI) and other regions, making the FireMon platform the most truly comprehensive and globally relevant on the market.

So there you have it, and honestly that’s just a quick peek at all of the extraordinary goodness and highly differentiated capabilities delivered in the FireMon Security Manager 7.0 platform. There’s no other product available that spans the full gamut of assessment and reporting needs required by today’s enterprise organizations and large government agencies.

Am I biased? Sure, but I’ve also been around this market long enough to know who is stretching the truth and how FireMon can truly back all its claims.

If you’re unwilling to take my word for it, why not sign up for a demo of FireMon Security Manager 7.0 today and see how well it works for yourself?

