This is not your father's firewall: in fact, most security experts say the newest variety of the staple perimeter traffic-control box shouldn't even be called a firewall anymore.
The modern firewall, aka the next-generation firewall, application-layer firewall, or deep-packet inspection firewall, has indeed been evolving dramatically for years. And Cisco Systems, which of late arguably had been losing ground in the next-gen firewall realm, today made a big plunge into that space by adding Sourcefire's application control, IPS, and advanced threat detection to its ASA 5500 firewall.
In yet another example of the firewall's changing and expanding role, cloud application control provider Skyhigh Networks announced today that it has teamed up with next-gen firewall vendor Palo Alto Networks to blend Skyhigh's cloud-based application control service with PAN's platform, which basically adds a cloud-based application firewall to the governance and control policy management of SaaS-based applications.
"This integration makes the cloud-aware firewall, [and with] PAN integrated with Skyhigh, more than a firewall because now it is not only enhancing the ability of the firewall to prevent bad stuff from entering the enterprise or the data center, but it is also helping in analyzing and controlling what goes out based on greater cloud intelligence," says Rajiv Gupta, CEO of Skyhigh Networks. "This includes detecting insider threat and infected machines, and preventing confidential data from leaving the enterprise."
Palo Alto's Scott Gainey, who is vice president of product marketing there, says the integration allows better application of controls to SaaS applications such as employee Dropbox accounts or other tools enterprises must support today.
PAN describes the next-gen firewall as one that provides a single inspection of all traffic, including encrypted traffic, he says. "Then you build services within that" firewall, he says. Those services can include ones that block known and unknown threats, such as traffic to notorious command-and-control servers, he says.
"There's definitely been a transition in the firewall market over time, from stateful inspection, to UTM and NGFW, and now products increasingly centered on advanced threat prevention," says John Grady, program manager for security products at IDC. "I think it's in recognition of the fact that the attack landscape has become incredibly dynamic and detecting advanced attacks is top of mind for a lot of organizations. The firewall market is incredibly competitive, so this type of differentiation is very important to remain relevant. I think we'll continue to see added functionality in this vein."
Cisco's new ASA firewall helps bring the company back into more direct competition with other next-gen firewalls, security experts say.
Defending networks before, during, and after an attack or attack attempt is the goal of Cisco's new ASA with FirePower Services, with visibility into new threats, says Scott Harrell, vice president of product management at Cisco's Security Business Group. "Next-generation firewalls were focused on applications. That was useful but the real problem is about the threat. The firewall must evolve to take on the next-generation threats," he says.
The goal is to minimize the number of security boxes, he says, and to provide a "single pane of glass" to detect the threats. "In a lot of the breaches we have heard about [lately], they [the victims] got a warning" but had so many security systems running, they didn't know which events to focus on, he says.
But the underlying security dilemma exposed in recent data breaches is that some large organizations such as Target still run traditional, flat networks that leave them exposed to attacks via their third-party suppliers, according to security experts. In Target's case, the weak link was its interconnected HVAC supplier. "Target's network wasn't segmented … It's easier to penetrate if you have a flat network," says John Kindervag, vice president and principal analyst with Forrester. If the mega retailer had segmented the HVAC system access, the attackers may only have been able to make the Target facilities cooler or warmer, but they couldn't have stolen the customer data, he says.
Kindervag calls next-gen firewalls "segmentation gateways."
"Instead of at the edge, you put them at the center where they can be more effective," Kindervag says. "I'm excited to see Cisco jump into the fray with [its new] segmentation gateway."
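To make the segmentation point concrete, here is an added example (not from the article, Cisco, PAN, or Forrester): a toy policy evaluator that computes which zones a compromised host could reach hop by hop, first on a flat network and then behind a segmentation gateway with a default-deny inter-zone policy. The zone names, hosts, and rules are constructed for illustration only and do not describe Target's or any vendor's real topology.

```python
# Added example: toy segmentation-gateway reachability check.
# Zones, hosts and rules are constructed for illustration (assumptions),
# not a real topology.
from collections import deque

# Hosts grouped into network zones (constructed).
ZONES = {
    "vendor-hvac": {"hvac-vendor-vpn"},   # third-party supplier access
    "hvac": {"hvac-controller"},
    "pos": {"pos-register-01"},
    "cardholder": {"card-db"},
}

# Segmentation gateway policy: explicit allow list between zones,
# everything else is denied (default deny).
SEGMENTED_RULES = {
    ("vendor-hvac", "hvac"),   # supplier may reach only HVAC controllers
    ("pos", "cardholder"),     # registers talk to the card database
}


def zone_of(host):
    """Look up the zone a host belongs to."""
    for zone, hosts in ZONES.items():
        if host in hosts:
            return zone
    raise KeyError(host)


def allowed(src_zone, dst_zone, rules):
    """Flat network (rules=None): every zone can talk to every other zone."""
    if rules is None:
        return True
    return src_zone == dst_zone or (src_zone, dst_zone) in rules


def reachable_zones(start_host, rules):
    """Zones a compromised start_host could reach, pivoting zone by zone."""
    start = zone_of(start_host)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in ZONES:
            if nxt not in seen and allowed(cur, nxt, rules):
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    print("flat:     ", sorted(reachable_zones("hvac-vendor-vpn", None)))
    print("segmented:", sorted(reachable_zones("hvac-vendor-vpn", SEGMENTED_RULES)))
```

On the flat network the supplier's entry point reaches every zone, including the cardholder data; behind the segmentation gateway it can reach only the HVAC zone, which is the outcome Kindervag describes.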
Kindervag says the PAN-Skyhigh integration is a significant move. "You have the two sides of the security business pulling together -- the on-premises side and the cloud side," he says. "They have figured out a way to have visibility and control across both those vectors with a single pane of management."
End of a legacy?
Meanwhile, PAN's Gainey concurs that the label of "firewall" indeed has become outmoded and is more a function of its familiarity. It's now more of a platform for multiple functions, he says.
"It's a legacy term. No one has really come up with anything more creative."
Look for more next-gen firewalls -- or segmentation gateways -- to add endpoint security features. "A tremendous amount of knowledge can be gained listening to" endpoint traffic, he says. "Endpoints have the potential to see a lot of the network you won't see otherwise, especially if the endpoint is operating off-network."
Cisco's Harrell says his company's platform already supports endpoint security with "multi-vector correlation." He says the new ASA firewall comes with the same advanced malware protection features as FirePower, and also integrates with endpoint AMP technology.
The bottom line, though, is that none of the new features in today's next-gen firewalls are especially advanced, notes Adrian Sanabria, senior analyst with the Enterprise Security Practice at 451 Research. "The playing field is pretty level with these products nowadays, and if enterprises don't have products labeled 'next-gen' and 'advanced' at this point, they might not be able to defend against stuff that has become pretty normal nowadays," Sanabria says.
He sees the cloud app control market -- Skyhigh's sector -- as the next big thing. "This is truly a new market, though it builds on existing technologies. Earlier this year, I wrote that I expected acquisitions to heat up in this area, and pegged Palo Alto Networks and Cisco as potential acquirers," Sanabria says.
So is the firewall as we knew it dead? "I think this is the next evolution. And like all transitions, it can take some time, so [I'm] not ready to say it's dead. Also, different use-cases require different functionality," IDC's Grady says. "I think in the data center, a firewall closer to what we've known remains relevant -- at least until SDN really takes hold. Performance, scalability, and virtualization support are all more important in that scenario. At the edge, application visibility and advanced threat capabilities are important."
Says Forrester's Kindervag: "The traditional firewall is dead like the traditional network is dead. The traditional network falls down all the time," so it has to be rebuilt, he says.