Network World
Friday, July 4, 2008

Stiennon on Security

Firewall obsolescence
For too long I have been gagged by my position as head of marketing for a vendor*. My fellow bloggers had a tendency to call "marketing foul!" when I used my blog to propound my beliefs. Now that I am once more a free agent, there is some ground to be covered.

Let me reminisce for a minute on the history of the firewall industry through the eyes of, well, me.

1994-2000. First generation firewall. With all due respect to the inventors of various proxies, I date the beginning of the firewall industry to the invention of stateful inspection by Check Point Software. Check Point dominated the industry with its software-only solution.

2000-2004. Second generation firewall. Netscreen gets credit for recognizing that network gear is specialized and that firewalls should be sold as a hardware appliance with specialized chips for network acceleration. They quickly took the lead in performance while taking market share from Check Point.

2004-2008. Third generation firewall. Content inspection firewalls. IDC gets credit for developing the ideas around this. The terminology can be confusing, because complete content inspection means that multiple security functions can be performed in one device, which is commonly referred to as Unified Threat Management (UTM).

Why is content inspection a paradigm shift? Because it requires that you think differently about it. The debate between "suites" and "best of breed" is valid when you contemplate mashing a bunch of applications onto the same box, but it is wrong thinking to apply those arguments to new technology. In other words, it is reasonable to debate the merits of a combined Cisco PIX firewall with Trend Micro AV running on it versus a PIX with a stand-alone AV solution from Symantec or Sophos. On the one hand you would argue for simpler management and simpler vendor relations; on the other hand you would argue for the best solutions. But what if there were new technology: one application that was aware of source and destination IP addresses and ports and was also able to inspect email, HTTP, and IM for viruses? That is a new paradigm and merits its own discussion.
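To make the distinction concrete, here is an added toy policy engine (example code written for this page, not code from the post or from any vendor it names). It contrasts a stateful firewall that decides on the 5-tuple and session state alone with a content-inspecting gateway that applies the same 5-tuple policy and then, in the same pass, hands allowed HTTP and mail traffic to an application-layer inspector. The rules, addresses, packets, `inspect_http`/`inspect_smtp` functions and the `TEST_SIGNATURE` byte string are all constructed for illustration; the signature stands in for an AV pattern and is not real malware.

```python
"""Toy gateway: stateful 5-tuple filtering versus content inspection.

All traffic, rules and the test signature below are constructed for this
example and do not come from any real product or malware family.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src: str            # dotted-prefix match ("10.0.0.") or "any"
    dst: str
    dport: Optional[int]  # None matches every port
    action: str         # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "any" or pkt.src.startswith(self.src))
                and (self.dst == "any" or pkt.dst.startswith(self.dst))
                and (self.dport is None or pkt.dport == self.dport))


Verdict = Tuple[str, str]  # (action, reason)
SessionKey = Tuple[str, int, str, int, str]


def _keys(pkt: Packet) -> Tuple[SessionKey, SessionKey]:
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
    return fwd, rev


class StatefulFirewall:
    """First/second generation behaviour: addresses, ports and session state only."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sessions: Set[SessionKey] = set()

    def decide(self, pkt: Packet) -> Verdict:
        fwd, rev = _keys(pkt)
        if fwd in self.sessions or rev in self.sessions:
            return ("allow", "established session")
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add(fwd)
                return (rule.action, f"rule {i}")
        return ("deny", "implicit deny")


# Constructed test pattern standing in for an AV signature (NOT real malware).
TEST_SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE"


def inspect_http(payload: bytes) -> Optional[str]:
    # Skip the header block; a downloaded file would sit in the body.
    _head, _sep, body = payload.partition(b"\r\n\r\n")
    return "http body matches test signature" if TEST_SIGNATURE in body else None


def inspect_smtp(payload: bytes) -> Optional[str]:
    return "mail message matches test signature" if TEST_SIGNATURE in payload else None


INSPECTORS: Dict[int, Callable[[bytes], Optional[str]]] = {80: inspect_http, 25: inspect_smtp}


class ContentInspectingGateway(StatefulFirewall):
    """Third generation behaviour: one engine does the 5-tuple decision and
    then inspects the application data of sessions it allowed."""

    def decide(self, pkt: Packet) -> Verdict:
        action, reason = super().decide(pkt)
        if action != "allow" or not pkt.payload:
            return (action, reason)
        # Pick the inspector by the server-side port in either direction, so a
        # response from port 80 is scanned as HTTP just like the request was.
        inspector = INSPECTORS.get(pkt.dport) or INSPECTORS.get(pkt.sport)
        if inspector is None:
            return (action, reason)
        hit = inspector(pkt.payload)
        if hit:
            fwd, rev = _keys(pkt)
            self.sessions.discard(fwd)   # tear the session down on a hit
            self.sessions.discard(rev)
            return ("block", hit)
        return (action, reason)


RULES = [
    Rule("10.0.0.", "any", 80, "allow"),
    Rule("10.0.0.", "any", 25, "allow"),
    Rule("any", "any", None, "deny"),
]

# Constructed traffic: clean HTTP request, its response carrying the test
# signature, an outbound mail carrying it, and a telnet attempt.
TRAFFIC = [
    Packet("10.0.0.5", "198.51.100.7", 40000, 80, "tcp",
           b"GET /file.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.5", 80, 40000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + TEST_SIGNATURE),
    Packet("10.0.0.5", "203.0.113.9", 40001, 25, "tcp",
           b"From: a@example.test\r\n\r\n" + TEST_SIGNATURE),
    Packet("10.0.0.5", "203.0.113.9", 40002, 23, "tcp", b"login"),
]


def run(gateway: StatefulFirewall) -> List[str]:
    """Feed the constructed traffic through a gateway and return its actions."""
    return [gateway.decide(p)[0] for p in TRAFFIC]


if __name__ == "__main__":
    print("stateful:", run(StatefulFirewall(RULES)))
    print("content :", run(ContentInspectingGateway(RULES)))
```

The point the toy makes is the one in the paragraph: the stateful engine allows the infected response because it belongs to an established session, and the infected mail because port 25 is permitted, while the content-aware engine reaches the same 5-tuple verdicts and then blocks both on the payload. The two decisions live in one policy object rather than in a firewall plus a bolted-on scanner.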

iPolicy, Fortinet, possibly Palo Alto Networks, and a few other start-ups represent the third generation of gateway security appliances. They are a real change. Cisco, Juniper and Check Point will not be able to catch up because their technology was not built to do content inspection. Without change, their firewall products will soon be as obsolete as analog televisions.

Tomorrow: Who is going to lead in third generation security appliances?


*Full disclosure: While I continue to evangelize Fortinet's products at various events in Canada, Australia, and Colombia, I am *not* a stakeholder in Fortinet in any way. That's right, no stock, no promise of stock, no options, no promise of options. For that matter, I own no securities in public security companies at all.


What is status or expectation of Fortinet going public?


I'm not sure what you mean by "content inspection." Check Point has had this built into their products for a half decade or so.

Could you expand on your definition, please?


Excellent point... presuming you mean "content inspection" = application layer inspection, then it is worth noting that WatchGuard and a few others have had this technology for some time, too.


Actually, application level filtering has dominated the security market. Now customers want a web security appliance more than a firewall. Web filtering for protocols like HTTP/HTTPS and IM is at the top. DLP (data leakage protection) will also be as big as the IDP feature.
Firewall days are gone...

Where is the obsolescence?


I'm not sure I understand your argument about obsolescence of the older companies' offerings. I guess you are saying that since Cisco and others are adding on the application layer technology that it is less "pure" or something? The application layer deep packet inspection is there as well as the layer three. The customer gets what they need from the big guys with a more mature product than the small start-ups. This "article" is more like a blog than a truly researched and developed thought process based on facts.

Why bother....


This was almost as helpful as his Open Letter to Gil Schwed. As usual no research to back up his claims, just ramblings from a guy who is obviously out of touch with the industry. RSA is coming up so maybe Rich can stop by some of the vendor booths. I think he will be surprised to find out that companies have been doing degrees of content inspection for quite some time. I mean really, someone tell me what year this is...1998 or 2008? Is this article meant to be a flashback from a decade ago?

Can't imagine why he is no longer the Marketing guy at a firewall company.


About Stiennon

Richard Stiennon is a security industry innovator. He is currently consulting, speaking and writing on all manner of security topics and has just announced the launch of Seccom Global, a Managed Security Service Provider focused on UTM. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Netrex, the world's first managed security service provider.
