The Perimeter Won’t Be Rebuilt Overnight
By Mike Rothman
It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office.
Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW.
The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year.
But are they totally displacing traditional firewalls? Not yet – many organizations start by deploying NGFW (and NGIPS, for that matter) in a monitoring role right next to the existing firewalls, to gain visibility into application usage before they enforce anything. This visibility-then-control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago.
…application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers.
But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often.
That’s a good thing – port and protocol policies don’t provide much protection against current attacks, which mostly ride over ports the legacy rule set already has to allow.
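As an added example that is not part of the original post, here is a small Python sketch of why a port/protocol rule and an application-aware rule disagree, and of what the visibility-then-control rollout described above does with that disagreement: in monitor mode the application verdict is only recorded and the legacy port rule still decides; in enforce mode the application verdict takes over. The flows, the tiny payload classifier and both rule sets are constructed for illustration; none of it is any vendor's app-ID engine or policy syntax.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow; only the first client bytes are kept (constructed)."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes   # first bytes the client sent


# Legacy port/protocol rule set (constructed): web out, everything else dropped.
PORT_ALLOW = {("tcp", 80), ("tcp", 443)}
# Application-aware rule set (constructed): only web and TLS, on any port.
APP_ALLOW = {"http", "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_app(flow: Flow) -> str:
    """Toy stand-in for NGFW app identification: look at the payload, ignore the port."""
    p = flow.payload
    if flow.proto == "tcp":
        # TLS record header: 0x16 (handshake), version 0x03 0x0X, then ClientHello (0x01)
        if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
            return "tls"
        if p.startswith(b"SSH-"):
            return "ssh"
        if p.startswith(HTTP_METHODS):
            return "http"
    return "unknown"   # unidentified traffic is treated as its own "app"


def port_verdict(flow: Flow) -> str:
    return "allow" if (flow.proto, flow.dport) in PORT_ALLOW else "deny"


def app_verdict(flow: Flow) -> str:
    # Default-deny for anything the classifier cannot name (a policy choice, constructed here)
    return "allow" if identify_app(flow) in APP_ALLOW else "deny"


def evaluate(flow: Flow, mode: str) -> dict:
    """mode="monitor": the NGFW sits beside the legacy firewall and only records its
    verdict, so the legacy port rule still decides.  mode="enforce": the app rule decides."""
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    pv, av = port_verdict(flow), app_verdict(flow)
    return {
        "flow": f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto}",
        "app": identify_app(flow),
        "port_rule": pv,
        "app_rule": av,
        "action": pv if mode == "monitor" else av,
        "mismatch": pv != av,   # the rows worth reviewing before flipping to enforce
    }


# Constructed sample flows; payloads are just the opening bytes a client would send.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, b"\x16\x03\x01\x00\xf0\x01\x00\x00\xec\x03\x03"),
    Flow("10.0.0.5", "203.0.113.20", "tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),   # SSH hiding on 443
    Flow("10.0.0.5", "203.0.113.20", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "203.0.113.30", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.30", "tcp", 8080, b"GET /api HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.40", "tcp", 443, b"\x00\x00\x00\x2a\x13\x37\xde\xad"),   # unknown binary on 443
]


def run(mode: str, flows=SAMPLE_FLOWS) -> list:
    return [evaluate(f, mode) for f in flows]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(f"--- {mode} ---")
        for r in run(mode):
            flag = "  <-- rules disagree" if r["mismatch"] else ""
            print(f'{r["flow"]:<28} app={r["app"]:<8} port={r["port_rule"]:<5} '
                  f'app_rule={r["app_rule"]:<5} action={r["action"]}{flag}')
```

Run it and the three "rules disagree" rows are the whole argument: SSH and an unidentified binary protocol both sail through the legacy rule because they sit on tcp/443, while HTTP on 8080 is dropped by the legacy rule for no security reason at all. In monitor mode those rows change nothing on the wire, which is why organizations can run the device beside the old firewall for months; reviewing exactly that mismatch list is the work that has to happen before the enforce switch is flipped.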
Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds
Mike – It’s good to see movement on the perimeter, but these devices do nothing for traffic coming INTO a datacenter. In fact, they are more suspect when it comes to connection limits and loads. Sure it’s great for controlling users, but protecting a data center?? I’m not so sure this is what should be advocated.
I would love to see folks stop jumping on bandwagons and start thinking about what they need to protect in which direction and then apply a control (device in this case) to that. Look at NGFW features and you can instantly see it’s focused on your users, not the users who consume your services.