This week Sourcefire became the latest company to enter the emerging sector of the next-generation firewall.
Like many other sectors, it really came alive with the entry of Palo Alto Networks into the European market in 2009, followed by the likes of SonicWall, Barracuda Networks and, now, Sourcefire.
According to Palo Alto Networks, the next-generation firewall redefines how network traffic is controlled: rather than classifying traffic by port number or IP address, it classifies traffic by the application in use and the user behind it.
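To make the distinction concrete, here is an added illustration (it is not code from the article or from any of the vendors quoted) of the two classification models side by side. The flows, the signatures and the rule table are all constructed assumptions for this example: a real next-generation firewall carries thousands of application signatures, decodes TLS metadata and maps flows to users, none of which is attempted here. What the example does show is why a port-based policy and an application-based policy reach different decisions on the same traffic.

```python
"""Port-based versus application-aware traffic classification (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP flow: its destination port plus the first bytes the client sent."""
    name: str
    dst_port: int
    payload: bytes


# Legacy stateful-inspection model: the destination port *is* the application.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "ssl"}


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def classify_by_payload(flow: Flow) -> str:
    """Identify the application from the stream's first bytes, ignoring the port.

    The three signatures below are deliberately simple stand-ins for a real
    application signature set (an assumption of this example, not a vendor's logic).
    """
    p = flow.payload
    if p.startswith(b"SSH-"):                       # SSH identification string
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a ClientHello (handshake type 0x01) at byte 5.
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    first_line = p.split(b"\r\n", 1)[0]
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    return "unknown"


# Policy written in terms of applications, not ports. A port set of None means
# "on any port"; rules are evaluated top to bottom, default is deny.
RULES = [
    ("ssh", {22}, "allow"),    # ssh only where it belongs
    ("ssh", None, "deny"),     # ssh on any other port, e.g. tunnelled over 443
    ("http", None, "allow"),   # web traffic regardless of port
    ("ssl", None, "allow"),
]


def decide(flow: Flow, classifier) -> str:
    app = classifier(flow)
    for rule_app, ports, action in RULES:
        if rule_app == app and (ports is None or flow.dst_port in ports):
            return action
    return "deny"


# Constructed sample flows (not captured traffic).
FLOWS = [
    Flow("intranet-web", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("ssh-over-443", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("tls-on-8443", 8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("http-on-8080", 8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
]


def compare() -> dict:
    """Return {flow name: (port-based decision, application-based decision)}."""
    return {
        f.name: (decide(f, classify_by_port), decide(f, classify_by_payload))
        for f in FLOWS
    }


if __name__ == "__main__":
    for name, (by_port, by_app) in compare().items():
        print(f"{name:14s} port-based={by_port:6s} app-based={by_app}")
```

The port-based firewall waves the SSH session through on 443 because it sees only "ssl", and blocks the legitimate web and TLS flows on 8080 and 8443 because those ports are not in its table. The application-aware policy gets all four right without any reference to port numbers, which is the point Palo Alto Networks is making about classification at the application level.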
Palo Alto Networks' Lee Klarich told SC Magazine in 2009 that modern applications go through a different port, Google's being one example, so the firewall does not understand what it is looking at and therefore does not work.
He said: “Every firewall is based on stateful inspection where each application fits into a port. Now we are using the firewall as a secure device; the challenge of it is different to the challenge facing the firewall. Any other company will cover it with new products, creating a patchwork of products to what one can do when designed and used properly.”
Nir Zuk, CTO and founder of Palo Alto Networks, later told SC Magazine that "the traditional firewall does not do anything and it does not fix but creates a problem, and you will not find a UTM that stays active more than five per cent of the time when you upload software such as anti-virus".
Leon Ward, field marketing manager EMEA at Sourcefire, said: “The next-generation firewall offers the ability to make decisions in a different way. It determines what you can access and offers more granular controls with an application and what has got access to it.
“It is the ability to say ‘I allow users to use all limited capabilities in an application’ – that is better than restricting access altogether."
So the concept of the next-generation firewall is primarily about application control. Greg Young, research vice-president at Gartner, said network security defences must evolve to become effective against advanced targeted threats.
“Enterprises should require vendors to add next-generation intrusion prevention features to network security products. Mainstream enterprises over time will refresh existing next-generation firewall deployments with future versions with next-generation network IPS capabilities,” he said.
Bob Tarzey, analyst at Quocirca, claimed that with so much data now outside the firewall, companies need to understand why they require a firewall and how it will benefit them, because the network is changing.
Jason Lamar, director of product management at Sourcefire, said the priority is knowing what you have to defend, where the data is, and acceptance that you can never be 100 per cent secure.
A report from earlier this year by TechNavio predicted that the next-generation firewall market will grow at a compound annual growth rate of 24 per cent from 2010-2014.
A statement by Palo Alto Networks said that forecast was "unsurprising". It said: “Network administrators are now coming around to the idea that their legacy security systems are inadequate for current purposes.
“How networks are used has changed dramatically and it is consumerisation that is driving this change. This is not just staff bringing personal electronic devices to the workplace, but staff using web-based applications for things like social networking and file sharing while at work.”
I turned to the original firewall creator Check Point for its perspective on the future of the appliance. Gil Shwed, founder and CEO of Check Point, told SC Magazine that the company's future growth will be in areas such as the endpoint and developments with PC software, but its priority is the core platform for the security of the network and customers.
Shwed said: “We have been here for 18 years and seen many things, and it is as strong as ever. We have a great platform with software blades and some companies have brought some nice ideas and we are all good players in the marketplace.
“It is a very competitive marketplace and I think we went through four generations of competitors so the new platform, software blades, is a much more comprehensive thing than just a firewall.”
With the next-generation firewall sector growing so fast, I asked Peter Lunk, director of product marketing of the security business unit at Juniper Networks, if this is the future of intrusion prevention.
He said: “Combining firewall functions with application level visibility and IPS in the same system is an important trend for the future of IPS. Most leading security firms now offer IPS in addition to firewalls; the differences are in how it is implemented.
“For Juniper, the key is to offer customers options for implementing this imperative but resource intensive functionality. Juniper Networks finds that the three pieces (firewall, application control and IPS) work best when they are co-ordinated and the security policies can be managed in a single place.”
Since Juniper is itself a developer of networking tools, I asked Lunk whether it was receiving customer requests for modern versions of technology such as the firewall. He said: “Customers are indeed recognising that firewall technology is now a mainstay of every internet connected device and network. We see the need for this from SMEs, branch offices, campus networks, in the virtualised data centre and in service provider networks.
“It will be increasingly important to address all of these places in the network with flexible deployment options including integrated firewall, application security and intrusion prevention devices as well as virtual machine options.”
F5's Nathan Pearce said: “Other vendors have realised what we have done for years – we have got a firewall and are adding network security to that, but now it is all about the application. You need to differentiate between your users as you cannot have a 'one size fits all' security policy any more, you have got to protect at different layers.
“You need to have multi-faceted security as having one firewall at the perimeter is not enough. You can have a network firewall and a web application firewall, but if you do web application blacklisting you only block known attacks – with a heuristic engine you can differentiate between traffic. It needs to be more intelligent.”
Chris King, director of product marketing at Palo Alto Networks, said: “We have seen momentum building in the space and we are gratified that the problem is being solved and they see us and say that they want to do what Palo Alto Networks does.
“The industry used to be bipolar with a security model and most products built on two types of traffic – business applications and threats. Now we are talking about safe enablement, not blocking.”
If this is the first technology wave of 2012, it comes a few years after the next-generation firewall was first introduced. What is likely to happen is that users will upgrade over time, as legacy firewalls become redundant and they choose something more up to date. How prepared the industry is for a lengthy sea change remains to be seen.