You've heard the buzz about next-generation firewalls -- intelligent firewalls that dig deeper than port number and into application visibility. Most vendors have been slow to deliver, but Gartner's Magic Quadrant says market dynamics are changing and wakening a once-sleepy market.
Incumbent firewall vendors are no longer under pressure only from an aggressive startup, Palo Alto Networks, which focuses on the intelligent firewall, according to Greg Young, research vice president at Gartner Inc., who positioned the company as a leading visionary in the 2010 Magic Quadrant for Enterprise Network Firewalls.
Vendors that have rested on their laurels are now seeing their customer base pillaged by secondary market players that specialize in intrusion prevention systems (IPS) and firewall policy management -- technologies and features that network security pros have realized they can't get from their incumbent firewall vendors, Young said.
"User requirements have been outstripping the vendor offerings for a few years now," he said. "There's been a conspiracy of laziness…. Customers have been saying, 'Hurry up! We have needs here!' and firewall vendors have been too focused on each other rather than [innovating]."
The use of Web 2.0 applications and social networking in the enterprise -- and the security threats those applications pose -- has shifted demand away from traditional firewall concepts, according to Chris King, director of product marketing at Palo Alto, which made its first Magic Quadrant appearance this year and was commended for leading a "market disruption [that is] forcing leaders to react."
"The original design behind firewalls was, 'If I controlled ports, I controlled applications,'" King said. "What has happened is any application can use any port, and now ports are basically meaningless. If you shut down port 80, you shut down your business... [so] firewalls really have to get smarter."
Expect more truly next-generation firewalls this year
Networking pros should expect to see more impressive intelligent firewall offerings this year, Young said. That means:
- No standalone IPS -- a true next-generation firewall will have "integrated, quality IPS" in addition to its basic firewall functions, as opposed to selling IPS as a separate device, he said.
- Smart decisions -- an intelligent firewall will work by "pulling information into the firewall to make better decisions," Young said. "For example, if nothing but malware has come from an IP address … why is the firewall still accepting traffic from a location that has only sent attacks?"
- More than port numbers -- firewalls of yore applied policies based on destination address, IP address and port numbers. Next-generation firewalls will analyze individual HTTP and HTTPS requests, Young said.
- Unraveling Layer 7 -- an intelligent firewall assesses traffic at the application layer, he said. "Not just proxying them, but being able to spot the application: Is that webmail? Is that peer-to-peer? Is that Salesforce.com? Policy can be applied to that, and it doesn't just have to be block/allow."
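To make the contrast in the list above concrete, here is an added toy example (not code from the article or from any vendor named in it): a port-only rule beside a policy that first consults source reputation and then the Layer 7 application label. The IP addresses, the "malware-only" history and the application labels are constructed for the demonstration.

```python
# Added example, not from the article: port-based vs application-aware
# policy decisions over constructed flow records.
from dataclasses import dataclass


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    app: str  # label assumed to come from Layer 7 inspection


# Constructed flows: a port-80 rule cannot tell the first two apart.
FLOWS = [
    Flow("198.51.100.7", 80, "webmail"),
    Flow("198.51.100.8", 80, "peer-to-peer"),
    Flow("203.0.113.9", 443, "salesforce"),
    Flow("203.0.113.9", 80, "webmail"),
]

# Constructed reputation history: sources whose past traffic was only attacks.
MALWARE_ONLY_SOURCES = {"203.0.113.9"}

# Per-application policy; actions are not limited to block/allow.
APP_POLICY = {
    "webmail": "allow-and-log",
    "salesforce": "allow",
    "peer-to-peer": "block",
}


def port_policy(flow: Flow) -> str:
    """Firewall of yore: decide on destination port alone."""
    return "allow" if flow.dst_port in (80, 443) else "block"


def app_aware_policy(flow: Flow) -> str:
    """Next-generation style: reputation first, then the Layer 7 application."""
    if flow.src_ip in MALWARE_ONLY_SOURCES:
        return "block"  # why keep accepting traffic from an attack-only source?
    return APP_POLICY.get(flow.app, "block")  # unidentified apps: default deny


def compare(flows=FLOWS):
    """Return (src, port, app, port_decision, app_aware_decision) per flow."""
    return [(f.src_ip, f.dst_port, f.app, port_policy(f), app_aware_policy(f))
            for f in flows]
```

Run `compare()` to see that the port rule allows every flow while the application-aware policy blocks the peer-to-peer session on port 80 and both flows from the attack-only source.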
"The firewall market really needed a wakeup," Young said. "When I saw these market dynamics around IPS growing to be a billion-dollar market and when I hear every day from [enterprises] not finding what they need in vendor solutions … things need to change. And now we're finally beginning to see some quality next-generation firewalls emerging."
Some speed bumps on road to intelligent firewalls
Although they can't afford to stay put, changing course may not be so simple for incumbent vendors, which have invested years and dollars in training users, support teams and channel partners. Sure enough, the firewall Magic Quadrant calls out market players of all sizes for their lackluster intelligent firewall offerings for enterprises -- including Check Point Software Technologies, Cisco Systems, Fortinet and phion.
"When you talk about the way a firewall classifies traffic, that's the key. That's the soul of the firewall," King said. "To change that out -- it's akin to doing a brain transplant."
IT shops also need to move forward, Young said. Even if their trusted firewall vendor doesn't yet have an impressive next-generation offering, it's safer to go with an incremental improvement than to wait out the market with "rusty old firewalls," he said.
Expecting to be shopping for a replacement firewall next year, Ed Garcia, IT director at Horn Group, a San Francisco-based public relations agency, has stuck by SonicWALL's "flawless" PRO series for years but looks forward to next-generation firewalls that ease management.
"I will be interested in firewalls with more intelligence built-in, but [they must] still strike a balance [among] cost, performance and usability," Garcia said. "Smaller companies don't have IT experts in every field, so we're usually generalists. We need systems that work and work by [themselves] -- with minimal management.
"This is where more intelligence comes in, and where it can help with the existing security systems that are already in place," he added. "It's really not [about] replacing other systems but getting more value out of the new ones."
Intelligent firewall offerings emerge
Juniper Networks, a longtime leader in the market, began hearing the drumbeat for next-generation firewalls about six years ago and responded with an integrated IPS, according to Don Meyer, senior product marketing manager in Juniper's high-end security systems business unit.
"Now [enterprises] are asking for a little bit more context there. Yes, we can start filtering some of the threats, but really, we want to get more intelligence at the gateway," Meyer said. "The number of applications using common ports and protocols is really skyrocketing."
In September 2008, Juniper introduced its SRX series -- a collection of eight branch office and data center gateways that offer a wide-ranging list of integrated features, running off its Junos operating system. Ditching its legacy platform, ScreenOS, was a big step in the next-generation firewall direction, Young and Magic Quadrant co-author John Pescatore pointed out.
ScreenOS was purpose-built for firewalls and wasn't designed to integrate multiple functions, Meyer said. Junos uses multithreading to toggle different native applications, such as its AppSecure services suite, released late in 2009, to attach dynamic and granular policies to different network applications, user groups, times of day and other parameters, he said.
"Certainly, not everybody needs a racecar to go to work," Young said. "You have to ask, 'How important is IT to my business?' and [the answer] is not the same for everybody. Certainly, an online casino versus a manufacturing company -- you're going to get very different answers there."
Let us know what you think about the story; email: Jessica Scarpati, News Writer