Are next-generation firewalls legacy technology?

Posted by Chubb (Administrator) « Reply #1 on: May 05, 2017, 11:16:06 PM »

Are next-generation firewalls legacy technology?
5 May 2017, 9:13 pm

A few years ago, next-generation firewalls (NGFWs) came out of nowhere to become a network security staple. These devices combined traditional L3/L4 packet filtering with deep packet inspection, IPS, and other network security services along with knowledge about users and applications. This broad functionality packaging changed the network security paradigm—everyone needed, or at least wanted, an NGFW at the perimeter or within the internal network.

Fast forward to 2017, and the bloom is coming off the NGFW rose for several reasons:

Requirements have changed. NGFWs followed in the footsteps of earlier firewalls—physical appliances installed inline to protect private networks from the public Internet. Back then, mobile and remote office workers VPNed into the corporate network and traffic was backhauled for Internet ingress/egress. This model is changing rapidly, however. As cloud computing, SaaS, mobility and broadband networks evolved, mobile and remote worker connections are often dual-homed, offering direct connections to the public Internet. Once this happens, NGFWs lose their usefulness, offering no visibility or control of network traffic.

Software is eating the world. Remember Marc Andreessen’s famous essay about the rise of software? Ironically, his publication doesn’t dedicate a single word to cybersecurity, but make no mistake, software is eating the cybersecurity world as well. Rather than deploy physical network devices, data center firewalling of east-west traffic is rapidly moving toward software-based micro-segmentation tools (i.e. Cisco ACI, CloudPassage, Illumio, Unisys, vArmour, VMware NSX, etc.). In fact, many large enterprises are not only embracing micro-segmentation to protect cloud, container and VM workloads, but they are also using it to replace, you guessed it, physical data center firewalls. I expect the same type of displacement at network perimeters over the next few years as software-defined perimeter (SDP) technologies (i.e. Cryptzone, Google BeyondTrust, Vidder, etc.) become de facto brokers between users/devices and network services regardless of location.

Hybrid “god boxes” are always a compromise. One of the most compelling benefits of NGFWs has always been around consolidation. The thought was that you could replace a bunch of security gateway appliances (i.e. IDS/IPS, web security gateways, SSL decryption gateways, network proxies, etc.) with a single tightly integrated NGFW, thus eliminating network complexity and operations overhead. Unfortunately, consolidation comes at a price. To cram everything into a single box, NGFWs tend to sacrifice network security service functionality, cutting out features that remain important to large organizations. NGFWs also fail to deliver “line speed” performance when multiple filters are activated. This is a deal breaker in the enterprise market—I’m seeing lots of large organizations going back to fixed-function boxes because their NGFWs had too many limitations. 

NGFWs cross the line between networking and security teams. For the most part, NGFWs are treated as networking devices, owned and maintained by network operations. Since networking teams don’t want security personnel mucking around with their equipment, security teams often find other tools for their needs. This is one reason why many large organizations continue to deploy standalone IDS/IPS devices behind NGFWs or use IPS boxes for network segmentation within distribution and core network layers.

Cloud services are spoiling the NGFW party. Let’s face it, just about anything you can do with a NGFW—application controls, access controls, even layer 3 and 4 packet filtering—can be done by a SaaS provider in the cloud. ZScaler comes to mind, but so do Blue Coat (Symantec), Proofpoint and all the CASB service providers. This trend doesn’t necessarily turn NGFWs into a legacy technology, but it does throw a wrench into the firewall appliance market—especially with mid-market and small enterprise customers.     

Some of the issues and use cases cited here are fairly limited to advanced organizations (which represent somewhere between 15 and 20 percent of the overall enterprise market), so there is still a massive opportunity for NGFW players with mid-market organizations and most enterprises who lack the maturity and experience of more advanced cybersecurity firms. Nevertheless, these trends will persist, squeezing the NGFW market over time.

Source: Network World Security
