Putting the Fire Back in Firewall

In The Year of VirtSec I talked about the firewall eventually sucking in critical IPS functionality and becoming a next generation firewall. Former Gartner VP Richard Stiennon predicted this five years ago, just before McAfee absorbed my former employer, IntruVert.

When Stiennon discussed the coming consolidation at the perimeter he created a firestorm of vendor resentment; in addition to inside acknowledgement by well-connected experts that he was right, just early; perhaps 2-3 years early at best.

The IDS/IPS category crossed the billion revenue mark last year, hardly resembling an endangered species; and analyst consensus is continued growth. To Stiennon’s point, however, the firewall business still dwarf’s the IPS/IDS business at more than $2 billion. But IPS is growing at a faster rate.

Maybe the real point underlying such a bold prediction was the realization that too many perimeter appliances are not a good thing. Perhaps Stiennon saw how slow and messy perimeters were getting and recognized the wisdom of more unified, multifunctional approaches.

Two recent trends again speak to the underlying insight buried below the bombast: We’ve seen the rise of UTM (universal threat management) in the midmarket and the emergence of enterprise next generation firewalls that absorb application-layer IPS functionality.

From what I’ve seen thus far of UTMs, they’re cobbled systems that have very little multifunctional enforcement synergy, other than their ability to roll up reporting within a single-vendor ecosystem of AV, firewall and intrusion prevention, etc. The slowest element (usually AV or IPS) becomes the top speed. That is a similar dynamic to the IPS with the all-inclusive smorgasbord of features that don’t work well all at the same time. The UTM therefore doesn’t strike me as innovation, but rather a shallow midmarket response to the innovation posed by next generation firewalls.

We saw a similar dynamic take place a few years ago in the server load balancing space when vendors cobbled capabilities into various “load balancing plus” solutions. Eventually those kluge works gave way to consolidated and synergistic application front ends and/or application delivery controllers. I think the perimeter is undergoing the same kind of market transformation cycle: fragmentation, kluge, and then synergy.

This chain of logic takes me to a few comments I heard at Interop 2008 in Las Vegas following Palo Alto Networks' Best of Interop Grand Prize win. Over a drink one evening one of the CMP editors told me why they won: “They’re the classic case of genuine technology disruption in a huge, mature category.”

I’ve mentioned Palo Alto Networks before, in a grouping of netsec vendors I thought were demonstrating how increasing complexity at the perimeter (mutating exploits and new types of enterprise applications, for example) were forcing the same types of upstack innovation we’ve seen in other networking categories. The application layer becomes increasingly strategic as networks become more fluid and complex, applications proliferate and flows become more congested.

The public companies in the enterprise firewall space have either missed the boat or cobbled acquisitions into UTMs with feature fantasy checklists. That has opened up the door for the likes of Palo Alto Networks and other innovators who architect application layer detection into their products.

The lack of true application layer innovation at the perimeter is why I think the traditional standalone firewall and IPS vendors deserve a “blogslap” from time to time. A couple weeks ago I took a pot shot at Sourcefire thanks to the fishy bid from Barracuda. It was all a part of my months of rant about those caught in the crosshairs of innovation by themes like new applications, new innovative attacks and virtualization.

I think many of the established firewall and IPS vendors have focused too much attention on incremental add-ons and upgrades versus true innovation. In their defense, maybe there isn’t a business case for innovation when you get to a certain size, and status quo interests weigh more heavily on day-to-day decisions. That could be one driver behind the high level of cynicism and low level of innovation when it comes to network security.  

Look out Cisco (CSCO), Juniper (JNPR), Checkpoint (CKP) and others; while you work on UTM and slow path decoding of subsets of protocols and services, Palo Alto Networks may be disrupting your plans with unprecedented speed, accuracy and protection. I think they’re dead serious about fulfilling Stiennon’s prediction, just a few years late.