A Practical History of the Firewall - Part 4: The Next Generation
As hardware and software performance improved, the difference in firewall performance between the different vendors became much smaller. While performance requirements didn't lessen, the majority of firewalls could meet those requirements, and it became much less of a decision factor. The next battleground would be in capabilities beyond the traditional firewall.
The Next-Generation Firewall
For over a decade, the "traditional," stateful inspection firewall was the industry standard. While the UTM found a niche in certain environments, the stateful inspection firewall was the dominant technology in the enterprise until Palo Alto Networks defined the "next-generation firewall", which gained significant market traction in 2010 and beyond. There were several key capabilities that defined the next-generation firewall:
- Application-aware packet filtering - ability to define policies and control traffic based on layer-7 application identity regardless of port and protocol
- User-based access control regardless of IP address, location or device (through integration with user authentication platforms such as Active Directory)
- Integrated IPS filtering using the same full-stack application awareness
- Ability to accomplish all of the above at performance levels similar to those of a traditional stateful inspection firewall, using single-pass analysis
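To make the first two capabilities concrete, here is an added illustration (not vendor code from the original post) of how a policy keyed on application identity and user differs from a port-based rule. It assumes a constructed IP-to-user map standing in for a directory integration, a minimal payload classifier that recognises TLS, HTTP and SSH from the first bytes of a flow, and a hypothetical rule table where the first match wins.

```python
# Added model of NGFW policy evaluation; the classifier, policy and user map are
# constructed for this example and are not any product's implementation.
import re

# Constructed stand-in for the user mapping an Active Directory integration would supply.
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}

# Hypothetical rule table: (user or "*", application, action). First match wins; default deny.
POLICY = [
    ("*", "tls", "allow"),
    ("alice", "ssh", "allow"),
    ("*", "http", "deny"),
]


def identify_app(payload: bytes) -> str:
    """Classify the application from the first bytes of a flow, ignoring the port."""
    # TLS record type 0x16 (handshake), version 0x03xx, handshake type 1 (ClientHello)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def legacy_port_policy(dst_port: int) -> str:
    """Traditional stateful rule: decide on the port alone, so anything on 443 passes."""
    return "allow" if dst_port in (80, 443) else "deny"


def evaluate(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """NGFW-style decision: match on (user, application), regardless of port or source IP."""
    app = identify_app(payload)
    user = IP_TO_USER.get(src_ip, "unknown")
    action = "deny"
    for rule_user, rule_app, rule_action in POLICY:
        if rule_user in ("*", user) and rule_app == app:
            action = rule_action
            break
    return {"user": user, "app": app, "port": dst_port, "action": action}


if __name__ == "__main__":
    # Constructed SSH banner sent to port 443: a port rule allows it, the app-aware rule does not.
    ssh_on_443 = b"SSH-2.0-OpenSSH_8.9\r\n"
    print(legacy_port_policy(443), evaluate("10.0.0.9", 443, ssh_on_443))
```

Bob's SSH session tunnelled over port 443 is denied and Alice's is allowed, while a port-only rule passes both without distinguishing user or application.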
It is worth taking a moment to recognize that Nir Zuk, the founder of Palo Alto Networks, was also an engineer at Check Point Technologies and the principal engineer on the first stateful inspection firewall, as well as the CTO of NetScreen, the innovators of the firewall appliance. A very impressive track record. He gave an interview in 2010 detailing that history, which is worth reading.
Market Penetration of the Next-Gen Firewall
The next-generation firewall faced stiff competition from the incumbent vendors. Customers had significant investment in existing infrastructure, and migration from one firewall vendor to another was (and still is) extremely challenging. In response to this challenge, Palo Alto Networks made a smart move to highlight the advantage of their new technology to filter applications like Facebook at the perimeter of the network to control outbound user behavior. By focusing on this new capability, they were able to capture market share and customers without expecting or demanding a full firewall replacement project. As a result, many customers began to implement Palo Alto Networks firewalls in addition to their existing firewalls. After landing a customer with this strategy, Palo Alto Networks would then look to expand their footprint in the customer environment as part of a standard firewall refresh project.
A second successful market strategy was to push the integrated IPS capabilities of the Palo Alto Networks NGFW. Again, without having to displace an existing firewall vendor, Palo Alto Networks could sell their platform as an advanced IPS. After establishing a customer relationship, they could attempt to further penetrate the account with their full platform capabilities.
Palo Alto Networks significantly disrupted the firewall market. Not only did they take market share from the incumbent vendors, they changed the definition of the firewall. Ultimately, the competition had to play catch-up as the NGFW became the standard.
The evolution of the firewall has not stopped. As a network appliance, the firewall sits in a very interesting spot: it inspects traffic between segments of the network, offering a convenient location to add detection and response capabilities. IDS and IPS capabilities were introduced with UTM and next-gen firewalls, but that was only the beginning of the added capabilities. Threat response, malware detection and blocking, network-based user verification with multi-factor authentication, dynamic blacklists and more followed. The firewall has evolved from a packet filter into a security platform, and firewall vendors have evolved from single-solution providers to full-stack security vendors offering endpoint protection, SIEM capabilities, malware detection, threat profiling and more.
The Future of the Firewall
The evolution of the firewall is not complete. Networking technology is changing rapidly, and the firewall will have to adapt. Cloud, SDN and containers threaten the traditional role of the firewall. Traditional network segmentation is being replaced with very flat networks, which removes a lot of network complexity but introduces a significant challenge to the firewall.
Will the current firewall vendors adapt to this changing network environment? Will native security controls embedded in cloud or SDN suffice? Will new vendors emerge to address the new challenges and threaten the current firewall vendors? Time will tell.
It has been an interesting couple of decades to watch the evolution of the firewall. And I believe we are on the brink of an even more interesting couple of decades ahead.