The role of next-gen firewalls in an evolving security architecture

Understanding the current state of enterprise firewall technology requires first debunking two broadly held misconceptions:

• First, many believe the firewall has become less relevant in contemporary enterprise network security architectures, for a variety of reasons: the ubiquitous use of mobile devices and cloud computing have expanded the traditional network perimeter; trendy concepts like “zero trust” networking have deemphasized the firewall in favor of access control and data protection mechanisms; and the increasing virtualization of networking has abstracted firewall functions like segmentation and packet filtering.
• Second, because of its origins as a packet-filtering device, many perceive the firewall as a limited-purpose construct, with little relevance beyond enterprise security. While close consultation with network and application operations teams have long been commonplace, firewall architecture planning, purchasing decisions, and often deployment and management have typically been overseen or at least directed by an enterprise’s chief information security officer (CISO) and those on his or her team. In turn, it didn’t matter much whether a buyer selected a firewall from Vendor A or Vendor B; they weren’t that different.

The reality is that the firewall is rapidly evolving, not only in what it can do, but also in its business value to the enterprise. It is becoming the cornerstone of hybrid cloud network security, offering integration enablement, consistent controls and comprehensive monitoring and alerting across multiple cloud and on-premises environments. Simultaneously, the firewall’s feature set is expanding beyond the realm of traditional network security to include a fascinating variety of features not necessarily limited to security. Looking forward, key technological developments, including encryption, artificial intelligence/machine learning (AI/ML) and the internet of things (IoT), will arguably make the enterprise firewall more important than it has ever been.

While many of the common features long associated with enterprise firewalls have become commoditized and should have decreasing impact on purchasing decisions, major enterprise firewall vendors now seek to differentiate with a surprisingly wide variety of emerging capabilities, many of which highlight the strategic direction of their product portfolios. This report will discuss the specifics the “new” next-generation firewall for the enterprise, how it is evolving, where it is going next, and what decision makers must know when approaching the product-selection process.

 [ Related IDG article: What are next generation firewalls? How the cloud and complexity affect them ] 

Enterprise firewalls: Yesterday to today

As the commercial enterprise firewall approaches its 30^th birthday, it is hard to overstate how dramatically the product has evolved. Following its humble beginnings as a packet-filtering mechanism to interrupt unwanted inbound network traffic, the firewall quickly evolved to add capabilities such as stateful inspection (awareness of open connections), network address translation, VPN and many others.

A major shift in the market occurred with the debut of application-aware firewalls, which added the ability to identify and control TCP/IP network traffic between certain types of internet-enabled applications such as web browsers and email clients that enterprises needed control over. The addition of security-driven capabilities beginning in the late-2000s such as intrusion prevention, port/protocol-independent inspection and increased throughput and reliability soon led vendors to redefine these multifunction, application-aware firewalls as “next-generation firewalls.”

The segment shifted again with the popularization of server virtualization a decade ago. The need to identify and control “east-west” network traffic traversing between virtual servers – often residing on the same physical server – led to the creation of virtual firewalls, software-based firewall instances that get inserted as needed to inspect traffic, segment virtual local area networks (VLANs), and bridge physical and virtual networks, among other functions. Demand skyrocketed as virtual servers found their way into hosted and emerging cloud computing environments, and enterprises demanded firewall solution sets offering integrated physical-virtual firewalling.

Today, despite vendor claims to the contrary, many traditional firewall features have become commoditized; in other words, there is little meaningful differentiation among top-tier competitors in regard to these longstanding features. This is the result of a maturing market segment – many vendors’ core firewall technology has been in use for well over a decade – and robust competition among at least five top-tier enterprise-caliber competitors.

[ Related IDG article: What you should know about Next Generation Firewalls ]

For organizations beginning their enterprise firewall purchasing cycles, the effect of this feature commoditization should be to reconsider the importance of overvaluing what have become commoditized features during the product-evaluation process. Below are some specific examples:

• Metrics such as throughput, new and concurrent sessions, and port capacity are no longer as important as they once were. Among leading vendors, the average new security appliance is capable of multi-gigabit throughput; basic UDP-based firewall throughput among 2 rack unit (2RU) firewall models now commonly ranges between 40-80 Gbps, reaching as high as 160 Gbps. Considering many enterprise firewall deployments are clustered for availability or are intended to serve specific network branches or segments with lesser requirements, “speeds and feeds” requirements, for most enterprises, should be deprioritized to varying degrees.
• VPNs, similarly, are now a standard feature on nearly all enterprise-caliber firewalls. IPsec VPNs are universal, with connection speeds typically well in excess of 10 Gbps with support for hundreds of thousands of simultaneous connections. Again, what was once a top-tier consideration, typically only special VPN needs require prioritization during product evaluation.
• Application support, once a hit-or-miss prospect with even leading enterprise firewalls, is now widespread. It is common for most firewalls to support traffic detection and application control for hundreds if not thousands of unique applications, including both enterprise and consumer-oriented as well as social media apps. Custom application support remains challenging, but basing purchasing requirements on application support should no longer be a priority.

Next, organizations should understand features and functions that are both relatively new and of increasing importance. See the following examples.

• Cloud network security support, specifically synchronicity with cloud-specific security capabilities as well as cloud network traffic visibility, has become critically important. Firewalls must be able to understand data from and enact policy-based enforcement on findings provided by cloud infrastructure security tools, cloud workload security solutions, dynamic malware analysis solutions, cloud application security brokers, and others. Similarly, the pending emergence of cloud network security monitoring technology, which employs cloud-native network metadata standardization and analysis identify suspicious network events in the cloud, will become a standard capability in the coming years, and firewall deployments must be able to interoperate with these solutions.
• In the increasingly multicloud-driven IT landscape, the network security perimeter may no longer actually be provided by the network. Instead, it will be driven by identity. For years, network access control (NAC) systems have governed the process of identifying, assessing and authenticating enterprise network users and devices. However, with the emergence of cloud computing, traditional NAC solutions are not capable of supporting identity services provisioning to cloud-based network devices and resources. A new breed of cloud-based multifactor authentication and authorization solutions are emerging, and enterprise firewalls must offer compatibility if not native integration with these offerings.
• In the clearest sign to date that the enterprise firewall will become increasingly important beyond the context of security, a number of top-tier enterprise firewall vendors have integrated software-defined networking (SD-WAN) capabilities into their solutions. As enterprises consolidate their network infrastructure, particularly in branch offices, firewall vendors have sought to avoid being displaced by a growing breed of security-centric SD-WAN products. Firewall vendors may ultimately have an advantage because of their expertise in security and hardware acceleration, both of which compliment SD-WAN well. Enterprises should be prepared to evaluate whether SD-WAN-enabled firewalls can outperform network switches and provide superior native security capabilities.

Every organization’s requirements are unique, and exceptions to general product-selection guidelines are common. That said, organizations must be actively adjusting the weighting of their firewall-selection criteria to reflect the firewall market’s changing dynamics.

Understanding firewall vendor strengths and weaknesses

As noted, the commoditization of many enterprise firewall features has created a fiercely competitive vendor landscape. Conversely, each of the five top-tier enterprise firewall vendors has a unique set of strengths and weaknesses that should be considered when preparing for a product-selection process.

Competitive snapshots of the five leading enterprise firewall vendors

Check Point: The Israel-based vendor has long been known for excellent firewall scalability and reliability. Its firewall management features are remarkably fine-grained, its support for public cloud platforms is unsurpassed, and its expertise in enterprise network perimeter security is well-established. However, the vendor has been slow to evolve with the market; its hardware performance hasn’t kept pace with rivals, it has done little to invest in emerging technologies such as cloud network traffic analysis, and its move to subscription-based pricing across its portfolio has obfuscated component cost.

Perhaps what’s most telling about its fortunes is that Check Point once boasted more than 180,000 security appliance customers, but due largely to the above-mentioned issues, it has lost nearly half of those customers in the past several years.

Cisco: The networking equipment giant has created a multibillion-dollar security business, and few rivals can match the breadth, integration options and efficacy of Cisco’s network security solution set. Its Firepower next-generation firewall combines IP from its venerable ASA firewall and Sourcefire IPS in a single code base. Growing integration with its Stealthwatch advanced threat detection and Encrypted Traffic Analytics solutions position Cisco with a sizable advantage in detecting advanced threats and identifying malicious packets in encrypted flows. However, customer feedback on Cisco’s unified Firepower Threat Defense firewall management system has been dicey, and its eventual transition from on-premises NAC to cloud-based NAC is expected to be complex and disruptive to customers.   

Forcepoint next-gen firewalls: A relatively new brand representing elements of the former Websense and Raytheon, Forcepoint has rebranded the Stonesoft firewall it acquired from McAfee. The renamed Forcepoint NGFW offers optional IPS functionality, lauded high-availability clustering and the industry’s most established built-in SD-WAN capabilities. Its vision involves using the firewall as the centerpiece of an adaptive network security paradigm that involves constantly reassessing network risk and enabling automation-driven threat response.

The vendor’s greatest challenges are a lack of brand awareness, a fair number of integration and technical debt following numerous acquisitions and complimentary solutions  ̶  malware sandboxing (OEM via Lastline), endpoint visibility and threat intelligence – that fall short of best-of-breed. 

Fortinet: Synonymous with speed and performance, Fortinet’s flagship FortiGate next-generation firewall appliances employ custom-built security processors to accelerate traffic decryption and flow inspection. Most of its appliances offer across-the-board throughput numbers that easily beat other top-tier vendors, often at highly competitive price points.

While Fortinet has been working to bolster its network security ecosystem and now also offers built-in hardware-accelerated SD-WAN support, it is perceived to lack some of the bells and whistles of competing solutions, and its integrated management vision falls short of the “single pane of glass” buyers increasingly demand.

Palo Alto Networks next-gen firewalls: Its PA-Series next-generation firewalls aren’t the fastest, or the cheapest, or the most advanced. But its simple deployment, configuration and management along with intuitive application-aware traffic management has created a large and growing customer base that raves over its ease of use. Its tightly integrated WildFire cloud-based dynamic file-analysis technology has proved to be nearly as popular. It aims to compliment these offerings with best-of-breed endpoint, CASB, threat intelligence and third-party integration enablement. However, Palo Alto Networks is perceived to be increasingly expensive, and its growth and acquisitions have come so fast that its ability to execute has been increasingly strained.

These snapshots only scratch the surface on the strategic and technical strengths and weaknesses of leading firewall vendors and their solution sets. That said, it is necessary to understand that despite a standard set of largely commoditized firewall features, enterprises must understand not only each solution’s unique capabilities, but also its vendor’s strategic priorities, in order to ensure alignment with both the vendor’s product(s) and its future direction.

[ Related IDG article: Are next-generation firewalls legacy technology? ]

Looking forward: Additional firewall considerations

While a firewall evaluation process should prioritize an organization’s current network security needs, it is necessary to also look forward to consider the changes and new concerns likely to emerge during a firewall’s lifespan, which is often in excess of 5 years. Specifically, enterprises must also consider three issues that will grow in significance over time.

Encrypted traffic: Widespread use of encrypted data transmission – now as much as 70 percent or more of inbound network traffic for the average enterprise – for all its benefits has created a number of network security challenges. First and foremost, firewalls cannot inspect encrypted traffic; it must first be decrypted, either using a firewall’s onboard decryption capabilities (which slow throughput as much as 90 percent) or using separate encrypted traffic inspection solutions (which add cost and complexity). But ignoring encrypted traffic means being unable to identify and mitigate threats in the majority of inbound traffic, as well as risking that an attacker already inside the network may be able to use encryption exfiltrate stolen data without being detected.

Encryption-related threats facing enterprise networks are expected to grow. Given that most enterprises aren’t prepared to address the security ramifications related to encryption, it is believed that attackers will not only increasingly use encryption to obfuscate malcode and data theft, but also to conduct other adversarial operations such network entry through flawed encryption protocols and SSL-specific denial-of-service attacks.

For these reasons, when evaluating firewalls organizations must consider their current inbound and outbound encrypted traffic volumes, the types of traffic being encrypted and the likely threat that traffic poses, as well as how encrypted traffic is projected to grow in the years to follow. Vendors must be able to explain how their firewalls fit into an organization’s larger approach for reducing encrypted traffic risk.

IoT: Forecasts project that the number of internet-connected devices may exceed 20 billion by the end of the decade, with much of that rapid growth occurring in the enterprise. A wide variety of new devices constantly make their way onto enterprise networks, posing an unclear level of risk, and the impending arrival of 5G mobile networks will further accelerate IoT deployments. The capability to identify, categorize, assess, and if necessary, mitigate the risk of IoT devices will in the coming years be as important as securing traditional network devices like end-user clients and servers. However, the wide variety of firmware, operating systems and network protocols used make traditional client-level security nearly impossible for non-Android-based IoT devices.

As part of the firewall evaluation process, organizations should assess the IoT-specific controls firewalls offer today, including protocol support, device detection and identification and the specific means of doing so, and the various controls used to implement IoT device security and mitigate risks, such as authentication, microsegmentation and bandwidth management. Enterprises should also understand how a firewall integrates with other security solutions needed to address IoT security, including NAC, vulnerability assessment and data protection.

AI/ML: Cybersecurity-related data science technology has developed somewhat unevenly in recent years; a few vendors have made notable progress advancing ML on the path toward developing AI-like capabilities, but frankly most vendors have simply adopted these terms for marketing purposes.

That said, these capabilities will continue to advance in the coming years and will have a major impact on enterprise security, particularly networking security as it related to security operations and incident management. What this means for potential firewall buyers is understanding the ramifications of AI/ML on firewall technology. For instance, vendors should be well underway in evolving their detection methods beyond signatures toward broader classes of anomalies based on sets of characteristics defined by AI/ML algorithms, and they should be able to articulate how their network security appliances are evolving to support these emerging capabilities.

Similarly, from an operational standpoint, vendors should be able to explain how they are applying AI/ML to automate some of the repetitive, time-consuming multistep tasks necessary for day-to-day configuration, management and incident-handling involving enterprise firewalls.  

Without question, the evolution of the enterprise firewall should be more aptly described as a transformation, evolving from its packet-filtering origins to the Swiss Army Knife of enterprise network security that it is today. But that transformation may pale in comparison to what’s to come, as the firewall evolves further to support new business use cases driven by hybrid cloud, virtual and containerized environments, as well as emerging technologies like IoT and AI/ML. Organizations cannot ignore the importance of adjusting their firewall-evaluation criteria to account for where the firewall has come, and laying the groundwork for where the firewall is going in the years ahead.