No One is Pulling the Plug on Firewalls Anytime Soon

Tim Woods

The firewall is dead.

Long live the firewall!

Research firms and tech pundits have predicted the demise of the firewall for years now, chiefly because it doesn’t protect against modern-day threats and is often so mismanaged that it causes more problems than it solves. However, FireMon’s 2019 State of the Firewall report shows most organizations see the firewall as being just as critical as ever or even more so.

And given that this year’s report had more respondents than ever, from C-level executives to people in the trenches at the operations level, it’s a good bet the firewall isn’t going away anytime soon. Of the nearly 600 respondents surveyed, 95 percent indicated firewalls are as critical as always or more critical than ever, while 65 percent of respondents spend between 10 and 49 percent of their security budget on firewall technology, which is up from 56 percent in last year’s report. Only 11 percent of respondents have already deployed Firewall-as-a-Service (FWaaS) or other alternative infrastructure-as-code solutions, confirming that the firewall is here to stay.

The predicted death of the firewall was spurred by technology trends that saw traditional network perimeters disappearing. But even though those lines are blurring more than ever thanks to the emergence of multi-cloud environments, it’s still hard to argue with the value of the firewall today.

The Value of the Firewall has Changed

The firewall’s so-called demise was to be at the hands of the Bring-Your-Own-Device (BYOD) movement.

While most organizations were initially reluctant to let non-corporate devices on the network, the rise of teleworkers combined with the rapid evolution of the cellphone into a handheld computing device meant the old paradigm of digging a moat around the castle to keep the enemy out no longer worked. The traditional perimeter was gone—the people inside the castle had dispersed across a larger kingdom, but we still had to keep them secure.

Because everyone was starting to use their own devices, which may not be governed by the IT department or the security team, the idea that the firewall no longer had value began gaining traction. Border lines became completely blurred because of all the remote workers and devices. What was the real value of the firewall if there’s no longer one way in and one way out?

The answer ended up being more firewalls in more places. It’s not just protecting a single border: firewalls are out in the streets, so to speak, and on the doors, windows and houses. We now have firewalls deployed everywhere, including the cloud, the data center and the desktop. The firewall didn’t die, it just got micro-segmented into additional zones of control, while more value was added into the firewall, and even the technologies developed to supplant it are augmentations rather than replacements.

Firewall Features Have Evolved

There are technology vendors out there today that will tell you the new perimeter is not the firewall, it’s access management.

Rather than being mandated by the firewall, the perimeter is mandated by access control, according to proponents, and there are many people on that bandwagon. Their argument is that by permitting HTTP through port 443, you’re creating a highway into your environment for hackers via a service you’re allowing into your environment, and only access management can stop them.

But while there’s no doubt access management is valuable technology, it doesn’t negate the need for the firewall. The two technologies complement each other in part because additional value has been driven into the firewall: it has more embedded functionality because of its own evolution. We’ve moved from legacy firewalls to firewalls that now include malware, adware, and virus protection, as well as web application firewall functionality.

None of these technologies used to live inside the firewall—a legacy firewall rule only considered source, destination and service. You were managing where your traffic was going to, where it was coming from, and what service was being used and through which port, but that was it. In today’s firewall, now you also have application ID, content ID and user ID. Not only can you apply parameters around what you allow from a source and where it can go over a specific service, you can also stipulate application and user identification.

The value of the firewall persists because the bar has been raised. Rather than just managing three key types of information, it’s now managing six. The appeal of today’s firewall to a C-level executive is that it’s no longer necessary to spend money on yet another separate subscription and vendor because multiple functionalities can now be combined.
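The difference between matching on three fields and matching on six can be seen in a small first-match rule evaluator. This is an added example, not code from the article or from FireMon; the rule names, addresses, application labels and user names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str      # application ID assigned by traffic inspection
    user: str     # user ID mapped to the source
    content: str  # content ID verdict, e.g. "clean" or "malware"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    port: int     # service
    app: Optional[str] = None      # None = field not evaluated (legacy rule)
    user: Optional[str] = None
    content: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst) or f.port != self.port:
            return False
        return all(getattr(self, k) in (None, getattr(f, k))
                   for k in ("app", "user", "content"))

def evaluate(rules, flow):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"

ANY, WEB = "0.0.0.0/0", "203.0.113.10/32"
LEGACY = [Rule("allow-web", "allow", ANY, WEB, 443)]
NGFW = [Rule("block-malware", "deny", ANY, WEB, 443, content="malware"),
        Rule("allow-web-alice", "allow", ANY, WEB, 443,
             app="web-browsing", user="alice")]

# Constructed sample flows, all to the same server on port 443.
browse = Flow("198.51.100.7", "203.0.113.10", 443, "web-browsing", "alice", "clean")
tunnel = Flow("198.51.100.7", "203.0.113.10", 443, "ssh-tunnel", "unknown", "clean")
infected = Flow("198.51.100.7", "203.0.113.10", 443, "web-browsing", "alice", "malware")
```

Under `LEGACY` all three flows are allowed because only source, destination and service are checked; under `NGFW` only `browse` passes.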

Today’s Firewall Reduces Complexity and Contributes to Compliance Efforts

While it’s true some firewall vendors are diversifying to offer more value, such as secure access to the cloud and robust logging by leveraging data lakes to provide better intelligence for incident response, the firewall isn’t going away anytime soon. However, if organizations want to get the most value from their firewall deployments, they must apply the security management hygiene needed to tackle complexity while improving visibility.

Today’s firewalls offer a great deal more than just network traffic direction. Automating repeatable tasks such as firewall rules and application of global security controls will enable security teams to fully realize their benefits while giving the C-suite executives the compliance peace of mind they seek.