A few years ago, next-generation firewalls (NGFWs) came out of nowhere to become a network security staple. These devices combined traditional L3/L4 packet filtering with deep packet inspection, IPS, and other network security services along with knowledge about users and applications. This broad functionality packaging changed the network security paradigm – everyone needed, or at least wanted, an NGFW at the perimeter or within the internal network.
Fast forward to 2017 and the bloom is coming off the NGFW rose for several reasons:
- Requirements have changed. NGFWs followed in the footsteps of earlier firewalls – physical appliances installed inline to protect private networks from the public Internet. Back then, mobile and remote office workers VPNed into the corporate network and traffic was backhauled for Internet ingress/egress. This model is changing rapidly, however. As cloud computing, SaaS, mobility, and broadband networks evolved, mobile and remote worker connection are often dual homed, offering direct connections to the public Internet. Once this happens, NGFWs lose their usefulness, offering no visibility or control of network traffic.
- Software is eating the world. Remember Marc Andreessen’s famous essay about the rise of software? Ironically, this publication doesn’t dedicate a single word to cybersecurity, but make no mistake, software is eating the cybersecurity world as well. Rather than deploy physical network devices, data center firewalling of east-west traffic is rapidly moving toward software-based micro-segmentation tools (i.e., Cisco ACI, CloudPassage, Illumio, Unisys, vArmour, VMware NSX, etc.). In fact, many large enterprises are not only embracing micro-segmentation to protect cloud, container, and VM workloads, they are also using it to replace, you guessed it, physical data center firewalls. I expect the same type of displacement at network perimeters over the next few years as software-defined perimeter (SDP) technology (i.e., Cryptzone, Google BeyondTrust, Vidder, etc.) becomes a de facto broker between users/devices and network services regardless of location.
- Hybrid “god boxes” are always a compromise. One of the most compelling benefits of NGFWs has always been around consolidation. The thought was that you could replace a bunch of security gateway appliances (i.e., IDS/IPS, web security gateways, SSL decryption gateways, network proxies, etc.) with a single tightly-integrated NGFW, thus eliminating network complexity and operations overhead. Unfortunately, consolidation comes at a price. To cram everything into a single box, NGFWs tend to sacrifice network security service functionality, cutting out features that remain important to large organizations. NGFWs also fail to deliver “line speed” performance when multiple filters are activated. This is a deal breaker in the enterprise market – I’m seeing lots of large organizations going back to fixed-function boxes because their NGFWs had too many limitations.
- NGFWs cross the line between networking and security teams. For the most part, NGFWs are treated as networking devices, owned and maintained by network operations. Since networking teams don’t want security personnel mucking around with their equipment, security teams often find other tools for their needs. This is one reason why many large organizations continue to deploy standalone IDS/IPS devices behind NGFWs, or use IPS boxes for network segmentation within distribution and core network layers.
- Cloud services are spoiling the NGFW party. Let’s face it, just about anything you can do with an NGFW – application controls, access controls, even layer 3 and 4 packet filtering -- can be done by a SaaS provider in the cloud. ZScaler comes to mind but so do Blue Coat (Symantec), Proofpoint, and all the CASB service providers. This trend doesn’t necessarily turn NGFWs into a legacy technology but it does throw a wrench into the firewall appliance market – especially with midmarket and small enterprise customers.
Some of the issues and use cases cited here are fairly limited to advanced organizations (which represent somewhere between 15% and 20% of the overall enterprise market), so there is still a massive opportunity for NGFW players with midmarket organizations and most enterprises who lack the maturity and experience of more advanced cybersecurity firms. Nevertheless, these trends will persist, squeezing the NGFW market overtime.
I’m not suggesting that NGFW vendors like Check Point, Cisco, Forcepoint, Fortinet, or Palo Alto Networks are in any imminent danger. As I mentioned, the market is in an early stage of transition so bountiful opportunities remain. Over time, however, these organizations must alter their portfolio to offer software- and cloud-based network security alternatives to traditional firewall hardware. Many are already doing so today. Cisco, Check Point, and Fortinet have introduced network security architectures where services can live anywhere on the network – sort of a modern-day network operating system (NOS) for network security. And of course, a network security architecture should plug seamlessly into a security operations and analytics platform architecture (SOAPA).
The services that make up NGFWs are still necessary and central management and operations is always worthwhile, but the thought of forcing all these things into some perimeter-based god box is looking more and more like a legacy solution. As Bob Dylan might say, ‘the times, they are a changin.’