In a recent article on NETASQ, Richard Stiennon provides a brief history of firewalls and the rise of UTM. I have a couple problems with his conclusions. However, Richard does a good job describing how the firewall market has evolved over the years and gives his analysis of where it is heading. He has had a ringside seat to this history and provides a good 15+ year history in 3 paragraphs bringing us up to today with the recent appearance of Next Generation Firewalls.
My first minor disagreement with Richard’s view and definition of a UTM. I do agree the bad reputation UTM received in the early days was well received. In my view the UTM market was created by a class of firewalls attempting to disrupt the established firewall vendors by throwing more features in the same box. These solutions lacked effective management and did not scale to enterprise needs. Because of this, UTM has become synonymous with SMB firewall in my view. For this reason, I don’t consider a Check Point firewall with an IPS blade a UTM any more than I considered the Check Point firewall with VPN functionality in 1998 a UTM. And I certainly don’t consider a Palo Alto Networks firewall a UTM. The advancement of the NG firewalls was a new way to manage access (users and applications) not another commodity security product consolidated (crammed) onto the same box.
But that critique is pretty petty as it is just a name. Richard’s basic history that the firewalls of today do more than the firewalls of yesterday is true. And it is part of the reason that the demand for FireMon and firewall management solutions in general continues to increase. New security functionality does not necessarily translate into better security. It must be effectively managed.
Here is my major critique: the history of consolidating security functionality into the firewall is not necessarily the path of firewall innovation in the years ahead. The market drivers of data center consolidation, virtualization and cloud computing are changing the role of the firewall. But, unlike Richard, I don’t think this necessarily means stuffing more into the firewall. In fact, it may mean just the opposite: purpose-built firewalls for purpose-demanding situations.
Take for example, the web-hosting DMZ infrastructure. We wrote about this not long ago here. A general-purpose firewall only controlling http access between users and web servers is not doing much but slowing down access and barely tapping the capability of the firewall. However, a firewall with specific knowledge of web access embedded in a load balancer could be very interesting in this scenario (see F5’s recent announcement).
And virtualization is another fast-moving market that will stretch the bounds of firewalls. While embedding switches in firewalls has been around for a while in UTM devices and will remain a key feature of these SMB devices, it is much more likely for security to get integrated into switches in the enterprise. Last week, Nicira made public their recent work to manage virtual switches (great read: http://nicira.com/en/platform-for-innovation). One advantage of creating a software abstraction layer above the physical wires is that it allow rules to move with the virtualized network port. And they are certainly not alone. Juniper has similar visions and commented on Nicira’s work here. And Cisco has similar visions with their Nexus 1000v.
But this dynamic network of controlling access per port (and a port that moves around in the network as VM’s move) is not asking for some new type of security similar to a cramming a new feature into a UTM. The vision of the dynamic network is demanding dynamic management of security technology we already understand: control access based on application, user, port, protocol and networks. It is also demanding high-performance, not frequently associated with bloated UTM features.
In all cases, complexity is increasing. Whether it is the increase in features being added to firewalls or the demand to control access at a more granular level, the complexity of the technology is increasing. And this increase in complexity will demand new management solutions. As great as the new technology is, unless it is properly managed, it won’t provided the intended security.