When Jody Brazil and the folks at Firemon asked me if I’d write a post for this ”Future of the Firewall” series my first thought was, “if I had a nickel for every time someone told me the firewall was dead, I ‘d be rich.”
Yes, the good old firewall, the security technology everyone loves to hate, has been on supposed life support for years. But yet it’s a $9 billion market according to Gartner. We should all be that sick.
To be fair, today’s next generation devices bear little resemblance to those old Check Point boxes you may remember. It’s sort of like comparing a Model T Ford to a Tesla.
However, just as both cars can get you from A-B, today’s firewalls are doing the same things those old Check Point or Cisco Pix boxes did. While the speed, bandwidth, scalability and capability has increased, firewalls do the same thing now they did then, controlling ingress and egress.
Going into the future, firewalls will still perform this task.
I don’t want to leave the impression that nothing has or will change, though. Firewalls have evolved and collectively these changes have drastically shifted the model. For me, the biggest change is where the firewall lives; it’s no longer merely the drawbridge over the perimeter moat providing entrance to the castle.
A better analogy for how firewalls have changed might be found in comparing dinosaurs to birds. Just as the dinosaurs evolved into birds and took fight, firewalls have transformed. Initially they flew inside. One significant innovation was use of firewalls deployed inside the network to isolate segments, with highly sensitive data kept behind these internal systems.
Other firewalls evolved into big honking boxes sitting at the core of the network. Instead of perimeter devices, these firewalls performed ingress and egress monitoring/control at a critical choke point for all network traffic.
And just as some firewalls flew inside, other firewalls flew away altogether. Some flew to the cloud, where the servers were going, to protect the web servers and applications that serve as the interface for computing interactions.
Some of these firewalls became specialized for the web. The rise of the WAF has been a major addition to firewall capability. Highly specialized to protect web sites and applications, WAFs added IDS/IPS functionality (and weren’t the only firewalls to do this) as well as dynamic protection capability. I think the evolution of the WAF is far from over. As we continue to move into an app-centric world, protecting the app servers grows both more critical and more complex; WAFs will rise to the mission.
At the same time the number of WAFs will continue to expand, making WAF management as critical and sophisticated as firewall management is today. Future firewall management solutions will treat WAFs as another firewall; rules and policies will flow across both WAFs and traditional firewalls.
Another major evolution occurring up in the cloud is the advent of virtual firewalls. After growing feathers, they shed their bodies! I’ve always thought of virtual firewalls no differently than appliances, though. Box or no box, you still need to set your ingress and egress rules and policies, and I don’t that will change in the future. While virtual firewalls may outnumber physical appliances, management won’t change. Of course virtualization introduces its own challenges; instead of dealing with hardware failures, we need to manage virtual environments.
The biggest change over the last few years has been the rise and dominance of the “next gen” firewall. Call it a UTM if you want, just don’t call it late for dinner. The next gen firewall has rejuvenated the entire space.
No longer “dumb” devices that block ports and IPs, NGFWs feature much “smarter” technology, combining IDS/IPS, anti-spam, DLP and more, offering a full spectrum of defense. They’re also “application aware” and much better suited to today’s app-centric world.
In the future, NGFWs will continue to grow smarter, with “brains” allowing them to be more effective and utilize more techniques to secure, automate and protect. We’re already starting to see the “son of next gen”, and it won’t stop there.
The fact is that this is the future of the firewall. No matter how they evolve or morph, no matter where in the network they live, or what they look like, we’ll add more intelligence and automation. They’ll become more effective.
Two things won’t change: they’ll have to be managed and they’ll continue to control the ingress and egress of bits into, and out of our networks, servers and devices.
We encourage you to share your thoughts, and we look forward to reading your comments. We invite you to subscribe to our blog to keep up with the latest posts of our new series.