Firewall obsolescence

For too long I have been gagged by my position as head of marketing for a vendor*.  My fellow bloggers had a tendency to call “marketing foul!” when I used my blog to propound my beliefs.  Now that I am once more a free agent there is some ground to be covered.  

Let me reminisce for a minute on the history of the firewall industry through the eyes of well, me.

1994-2000. First generation firewall. With all due respect to the inventors of various proxies, I date the beginning of the firewall industry to the invention of stateful inspection by Check Point Software. Check Point dominated the industry with its software-only solution.

2000-2004. Second generation firewall. Netscreen gets credit for recognizing that network gear is specialized and that firewalls should be sold as a hardware appliance with specialized chips for network acceleration. They quickly took the lead in performance while taking market share from Check Point.

2004-2008. Third generation firewall. Content inspection firewalls. IDC gets credit for developing the ideas around this. The terminology can be confusing, because complete content inspection means that multiple security functions can be performed in one device, which is commonly referred to as Unified Threat Management (UTM).

Why is content inspection a paradigm shift? Because it requires that you think differently about it. The debate between "suites" and "best of breed" is valid when you contemplate mashing a bunch of applications onto the same box. But it is wrong thinking to apply those arguments to new technology. In other words, it is reasonable to debate the merits of a combined Cisco PIX firewall with Trend Micro AV running on it versus a PIX with a stand-alone AV solution from Symantec or Sophos. On the one hand you would argue simpler management and simpler vendor relations. On the other hand you would argue for best solutions. But what if there were new technology? One application that was aware of source and destination IP addresses and ports as well as able to inspect email, HTTP, and IM for viruses? That is a new paradigm and merits its own discussion.
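To make the difference between the two generations concrete, here is an added toy example (my own, not code from the post or from any vendor named in it). It contrasts a first-generation decision, which looks only at addresses and ports, with a third-generation decision that also reassembles the TCP stream and matches a signature on the payload; the policy rule, the 192.0.2.x/10.0.0.x addresses and the flow are constructed, and the only signature is the standard EICAR anti-virus test string.

```python
from collections import namedtuple

# Constructed sample type: one TCP segment of a flow (not a real capture).
Segment = namedtuple("Segment", "src sport dst dport payload")

# Constructed signature table: the EICAR anti-virus test string (68 bytes).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"eicar-test": EICAR}
WINDOW = max(len(s) for s in SIGNATURES.values()) - 1  # bytes kept across segments

RULES = [{"dst": "10.0.0.5", "dport": 80, "action": "allow"}]  # hypothetical policy

def allow_by_tuple(seg, rules):
    """First-generation decision: IP/port fields only, payload never examined."""
    return any(seg.dst == r["dst"] and seg.dport == r["dport"] and r["action"] == "allow"
               for r in rules)

def scan_packet(seg):
    """Naive per-packet scan: misses a signature that straddles two segments."""
    return any(sig in seg.payload for sig in SIGNATURES.values())

class ContentInspector:
    """Third-generation decision: tuple policy plus signature matching on the reassembled stream."""
    def __init__(self, rules):
        self.rules = rules
        self.streams = {}  # flow key -> tail of the reassembled payload

    def process(self, seg):
        if not allow_by_tuple(seg, self.rules):
            return "deny:policy"
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        buf = self.streams.get(key, b"") + seg.payload
        self.streams[key] = buf[-WINDOW:]  # keep only what a later match could still need
        for name, sig in SIGNATURES.items():
            if sig in buf:
                return f"deny:{name}"
        return "allow"

# Constructed flow: an HTTP upload carrying EICAR split across two segments, then an SSH attempt.
SEGMENTS = [
    Segment("192.0.2.10", 40000, "10.0.0.5", 80, b"POST /upload HTTP/1.1\r\n\r\n" + EICAR[:30]),
    Segment("192.0.2.10", 40000, "10.0.0.5", 80, EICAR[30:]),
    Segment("192.0.2.10", 40001, "10.0.0.5", 22, b"SSH-2.0-client\r\n"),
]

def demo():
    """Run the flow through the third-generation inspector and return its verdicts."""
    insp = ContentInspector(RULES)
    return [insp.process(s) for s in SEGMENTS]
```

The tuple-only check passes both HTTP segments, and even a per-packet payload scan passes them because the signature is split; only the stream-aware inspector blocks the second segment.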

iPolicy, Fortinet, possibly Palo Alto Networks, and a few other start-ups represent the third generation of gateway security appliances. They are a real change. Cisco, Juniper and Check Point will not be able to catch up because their technology was not built to do content inspection. Without change, their firewall products will soon be as obsolete as analog televisions.

Tomorrow: Who is going to lead in third generation security appliances?

*Full disclosure: While I continue to evangelize Fortinet's products at various events in Canada, Australia, and Colombia, I am *not* a stakeholder in Fortinet in any way. That's right, no stock, no promise of stock, no options, no promise of options. For that matter, I own no securities in public security companies at all.
