The Firewall of the Future
The “classic” stateful inspection firewall was the industry norm for nearly a decade. While the UTM found a niche in some situations, the stateful inspection firewall remained the dominant technology in the enterprise until Palo Alto Networks defined the “next-generation firewall,” which gained considerable market traction in 2010 and beyond. The next-generation firewall was defined by a number of key capabilities:
Application-aware packet filtering — the ability to establish policies and regulate traffic based on the identity of layer-7 applications, regardless of port or protocol.
Access control based on users, regardless of IP address, location, or device (through integration with user authentication platforms such as Active Directory).
IPS filtering integrated with full-stack application awareness.
Ability to achieve all of the above at the same speed as a standard stateful inspection firewall with single-pass analysis.
Nir Zuk, the founder of Palo Alto Networks, was previously an engineer at Check Point Technologies and the primary engineer on the first stateful inspection firewall, as well as the CTO of Netscreen, a developer of firewall appliances. It is a long and illustrious track record. In 2010, he gave an interview in which he detailed that background, and it is well worth reading.
The Next-Generation Firewall’s Market Penetration
The existing firewall companies faced tough competition from the next-generation firewall. Customers had made considerable investments in their existing infrastructure, which made migration from one firewall vendor to another difficult (and it still is). Palo Alto Networks made a wise move in response to this difficulty by emphasising the benefit of their new technology for filtering applications like Facebook at the network’s perimeter to manage outbound user behaviour. By focusing on this new capability rather than expecting or demanding a comprehensive firewall replacement effort, they were able to gain market share and clients. As a result, several customers started using Palo Alto Networks firewalls alongside their existing firewalls. After landing a customer with this technique, Palo Alto Networks would then look to expand their footprint in the customer environment as part of a typical firewall renewal effort.
A second effective market tactic was to promote the integrated IPS capabilities of Palo Alto Networks’ NGFW. Palo Alto Networks could market its platform as an advanced IPS without having to replace an existing firewall vendor. After building a customer relationship, they could try to penetrate the account further with their complete platform capabilities.
Palo Alto Networks has wreaked havoc on the firewall business. They not only took market share from traditional vendors, but they also redefined the firewall. As the NGFW became the standard, the competition had to play catch-up.
The Framework
The firewall’s progress hasn’t slowed down. The firewall occupies an intriguing position as a network appliance. It examines traffic between network segments and provides a handy location for adding detection and response capabilities. IDS and IPS capabilities were introduced with UTM and next-gen firewalls, but that was only the beginning of the enhanced capabilities. Threat detection and blocking, network-based user verification with multi-factor authentication, dynamic blacklists, and more are all available. The firewall has progressed from a packet filter to a security platform, and firewall companies have progressed from single-solution suppliers to full-stack security providers with endpoint protection, SIEM capabilities, malware detection, threat profiling, and other features.
Firewalls in the Future
The firewall’s progress isn’t complete. Networking technology is continually evolving, and the firewall will need to adapt as well. Cloud, SDN, and containers all pose a threat to the firewall’s conventional role. Traditional network segmentation is being phased out in favour of highly flat networks, which reduces network complexity but presents a huge difficulty for the firewall.
Will incumbent firewall suppliers be able to adapt to the evolving network landscape? Will native cloud or SDN security controls be sufficient? Will new firewall providers arise to meet the new difficulties, posing a threat to the incumbent ones? We’ll have to wait and see.
The evolution of the firewall has been fascinating over the last two decades. And I believe we are on the verge of a couple of decades that will be even more intriguing.