Network firewalls aren't dead yet

After 20-plus years of service, the technology remains a core part of the IT security stack despite its long predicted demise

1 2 Page 2
Page 2 of 2

The products natively integrate firewall, intrusion detection, intrusion prevention and URL filtering functions and enable visibility and control over everything flowing into and out of a corporate network.

"Newer firewalls have more identity and application functionality built in," says Pete Lindstrom, principal at Spire Security.

Along with permit/deny functions for connections on different network ports, the latest firewall technologies also include functions for monitoring applications running on Internet ports 80 and 443, he said. That's a big deal at a time when a lot of Web applications and malware use the same entryways into the corporate network.

"It allows administrators to know what is going in and out the front door," Cummings says. "And because you know what is going on, you can assess the risk and control it."

The key is that next-generation firewalls can enforce contextual access controls based upon users, applications, locations, time-of-day and other factors, said Jon Oltsik, an analyst at Enterprise Security Group. Think of new firewalls as network security services, he says.

"These services won't go away but may morph into different physical and virtual form factors. What enterprise organizations really want is central control and distributed policy enforcement across all network security services -- physical, virtual and cloud-based. Think single pane-of-glass control," Oltsik said.

Several other firewall vendors, including Check Point, Fortinet and Juniper, have taken a cue from Palo Alto and are rushing to market with newfangled firewalls that offer a set of integrated capabilities.

Each of the companies are moving along at a different pace, but they already have the full attention of enterprises and of investors, if their market capitalizations are any indication.

"The modern firewall must be flexible in deployment and serve as a platform for security services," said Michael Callahan, vice president of product marketing at Juniper Networks. In the next few years expect to see firewalls incorporating diverse sets of threat intelligence information from the cloud and within a network. Such data will be used to actively defend against attacks in real-time, he said.

Callahan says pointing to new "intrusion deception" technology built into the Juniper's latest firewalls. The technology, gained from its $80 million acquisition of Mykonos in 2012, is designed to identity and stop malware attacks both early in the process and after a network is penetrated.

"By leveraging visibility into endpoints, internal network traffic and the network edge, the technology can detect malware in places where other [products] cannot," Callahan said.

Over the next few years, new generation firewall technologies are likely to be integrated even further into the enterprises. Even advances like software defined networking are unlikely to diminish the need for firewalls, argues Jody Brazil, founder and CTO of security vendor FireMon.

"Nowhere have I seen anyone say that this increased move toward automation will eliminate the need for firewalls," says Brazil. "In fact, just as we've seen with virtualized networks, there will be an increased demand for firewall technologies to support both existing processes and some of these newly emerging models."

Trends like SDNs will not lead to the demise of the firewall but will reemphasize the need for them, he predicts. "Firewalls may not be sexy but they [are] the underlying backbone of all IT security infrastructure. And that's not changing anytime soon, if ever," Brazil said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Shop Tech Products at Amazon