The firewall remains the network traffic cop, but its role is changing

Even as mobile workers connect to the network from a wide variety of devices, the network firewall remains the bedrock of network security. But the role of the firewall is evolving from perimeter defender to gatekeeper.

On a fundamental level, the firewall continues to serve as an old-fashioned "traffic cop" on enterprise networks. Its role as a perimeter defender has given way to more of a gatekeeping role, however, as more enterprises begin to use the firewall as a central point of connectivity for mobile and remote workers.

The topology of the enterprise network has changed dramatically over the past few years. The line between personal and professional devices continues to blur even as more people become part-time teleworkers.

The firewall's role in network security has adapted to the changes, and the technology is here to stay, according to Mike Chapple, an information security professional at the University of Notre Dame. In an email interview, Chapple said that firewalls continue to play a critical role in securing network perimeters, but mobile workers are forcing that role to evolve.

"Mobile users do change the role of the firewall, mostly by requiring administrators to shift their thinking about the role of the firewall in an enterprise security policy," he said. "Before the explosion of mobile computing, administrators were able to think of firewalls as a way to build a strong perimeter that blocked most, if not all, outside access. Now, our mindset must shift toward thinking of them as a point of connectivity, using their VPN capabilities to securely connect mobile users to the enterprise network."

Industry analysts agreed with Chapple's view.

"[Network lines] will blur a little bit, and you'll see a little bit of that with hotspots and the home network," said Brian Burke, an analyst with IDC. "But I think the concept [of the firewall], more so for the overall protection of the network, that's going to continue to be viable."

The security domain of the firewall is expanding at a rapid clip, however.

Forrester Research has predicted that 25% of information workers will be at least part-time teleworkers by 2011, and even more workers are logging into corporate applications through smartphones, both personal and corporate.

As a result, sensitive enterprise traffic is traversing the Internet without being analyzed or protected by the corporate network. Enterprises are responding by pushing that sensitive data back to the corporate network and through the firewall for proper vetting.

The protection helps on a variety of fronts. It allows enterprises to get a better grip on what data is being transferred. Without pulling that traffic back through the enterprise firewall, via a VPN connection or through other means, the network administrator has no visibility into what data is being passed by user devices. With that re-routing and some basic data analysis, network managers can ensure that even teleworkers and mobile workers are not infected by a virus, are not violating corporate policy, and are not improperly sending sensitive corporate data.

Routing all that traffic through a firewall also ensures that even well-meaning employees do not accidentally propagate malware on the network.

Forrester analyst John Kindervag recalled the case of a Microsoft employee who, working from home, accidentally unleashed a trojan from his laptop after the network authenticated him as safe.

"[A firewall] is helping protect your corporation from you," Kindervag said. "A firewall is a way of maintaining a really good database of what packets are doing in your network, and so that's why it's a basic technology no matter what you're doing."

Though the technology remains fundamentally the same as it's been for years, he said, firewall manufacturers ranging from giants like Cisco to pluckier players like Palo Alto Networks are racing to make firewalls smarter and more functional. In some cases, new firewall technologies complement or co-opt the roles of other security technologies.

"Every firewall vendor -- Juniper, Cisco -- is looking at various ways to augment the firewall, which some people call unified threat management. But it's a little hard to tell the direction that that's going to go right now," Kindervag said. "As machines get faster, you'll find more and more features built into the average firewall."

Cisco has built a bladed firewall that sits in the core router, while Palo Alto has developed a bridge mode that sits more centrally in the network, he said.

These devices are also peering deeper into packets, ensuring that, among other things, traffic on port 80 really is legitimate HTTP traffic and not some hacker probing for vulnerabilities.

Ambika Gadre, director of product marketing at Cisco, said her company was particularly focused on helping secure traffic for Software as a Service (SaaS) applications, no matter which device is used to connect to them.

"The secure mobility issue is very topical right now among customers," Gadre said. "If someone were using the iPhone at Starbucks and were to browse to, they are able to access their account and there isn't any corporate security on that data, they're bypassing the firewall and other IT security completely."

If firewall technology and security techniques are adapted to route all that traffic through secured channels, however, security becomes a more manageable problem.

Despite network security advances and changing traffic patterns, Kindervag said, things are fundamentally the same.

"Firewalls are today, and will always remain, a key component in network security," he said. "They're the first line of defense and the traffic cop."
