For too long I have been gagged by my position as head of marketing for a vendor*. My fellow bloggers had a tendency to call “marketing foul!” when I used my blog to propound my beliefs. Now that I am once more a free agent there is some ground to be covered.
Let me reminisce for a minute on the history of the firewall industry through the eyes of well, me.
1994-2000. First generation firewall. With all due respect to the inventors of various proxies, I date the beginning of the firewall industry to the invention of stateful inspection by Check Point Software. Check Point dominated the industry with its software-only solution.
2000-2004. Second generation firewall. Netscreen gets credit for recognizing that network gear is specialized and that firewalls should be sold as a hardware appliance with specialized chips for network acceleration. They quickly took the lead in performance while taking market share from Check Point.
2004-2008. Third generation firewall. Content inspection firewalls. IDC gets credit for developing the ideas around this. The terminology can be confusing because complete content inspection means that multiple security functions can be performed in one device which is commonly referred to as Unified Threat Management (UTM).
Why is content inspection a paradigm shift? Because it requires that you think differently about it. The debate between “suites” and “best of breed” is valid when you contemplate mashing a bunch of applications onto the same box. But it is wrong thinking to apply those arguments to new technology. In other words, it is reasonable to debate the merits of a combined Cisco Pix firewall with Trendmicro AV running on it versus a Pix with a stand-alone AV solution from Symantec or Sophos. On the one hand you would argue simpler management and simpler vendor relations. On the other hand you would argue for best solutions. But, what if there were new technology? One application that was aware of source and destination IP addresses and ports as well as able to inspect email, HTTP, and IM for viruses? That is a new paradigm and merits its own discussion.
iPolicy, Fortinet, possibly Palo Alto Networks, and a few other start-ups represent the third generation of gateway security appliances. They are a real change. Cisco, Juniper and Check Point will not be able to catch up because their technology was not built to do content inspection. Without change, their firewall products will soon be as obsolete as analog televisions.
Tomorrow: Who is going to lead in third generation security appliances?
*Full disclosure: While I continue to evangelize Fortinet's products at various events in Canada, Australia, and Columbia, I am *not* a stakeholder in Fortinet in any way. That's right, no stock, no promise of stock, no options, no promise of options. For that matter I own no securities in public security companies at all.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
What is the status or expectation of Fortinet going public?
I'm not sure what you mean by "content inspection." Check Point has had this built into their products for a half decade or so.
Could you expand on your definition, please?
Excellent point... presuming you mean "content inspection" = application layer inspection, then it is worth noting that WatchGuard and a few others have had this technology for some time, too.
Actually, application level filtering has dominated the security market. Now customers want a web security appliance more than a firewall. Web filtering for protocols like HTTP/HTTPS and IM is at the top. DLP (data leakage protection) will also be as big as the IDP feature.
Firewall days are gone...
Where is the obsolescence?
I'm not sure I understand your argument about the obsolescence of the older companies' offerings. I guess you are saying that since Cisco and others are adding on the application layer technology that it is less "pure" or something? The application layer deep packet inspection is there as well as the layer three. The customer gets what they need from the big guys with a more mature product than the small start-ups. This "article" is more like a blog than a truly researched and developed thought process based on facts.
Why bother....
This was almost as helpful as his Open Letter to Gil Schwed. As usual no research to back up his claims, just ramblings from a guy who is obviously out of touch with the industry. RSA is coming up so maybe Rich can stop by some of the vendor booths. I think he will be surprised to find out that companies have been doing degrees of content inspection for quite some time. I mean really, someone tell me what year this is...1998 or 2008? Is this article meant to be a flashback from a decade ago?
Can't imagine why he is no longer the Marketing guy at a firewall company.
Helpful?
Thanks for the totally random comment. FYI, that column to Gil generated the most emails and responses I have ever received. All took the tone: right on, you are so right, that is why I left Check Point and joined X company, that is why we do not sell Check Point anymore.
So, two years later Check Point buys Nokia. While it was what I advised, they do not appear to have taken the idea of supporting a hardware platform to heart. It sounds like they did it as a defensive move to protect their installed base. Stay tuned. CHKP conference call is early on January 27th.
Content inspection
1st generation proxy firewalls did "content inspection" (e.g. Raptor Eagle, Secure Computing Sidewinder). I find it amusing that Richard sees this as huge innovation when it's from the late 1980s!
What's new (or, rather, 10 years old) is that it's all in one box, now. That's just a packaging question and cost for the customer.
I remember Richard got this same thing wrong 10 years ago when he thought "intrusion prevention" was something new above and beyond marrying firewalls + IDS into the same box. It's just data processing. The techniques used to discriminate are _everything_ that is critical. Either it's static rules (firewall style) on IP address groups, or it's content-centric (URL filtering, IDS signature matching, 'IDP' rules) and that's just a question of speeds and feeds when it comes to dealing with layer 7 data.
Like a ghost!
Wow, is that really Marcus Ranum arising from the grave to haunt me?
First off, if you married IDS to a firewall you would have a separate SNORT-like engine with administrative access to the firewall, applying new rules based on alerts. That is so stupid that no one does it, even though Check Point introduced that capability years ago.
You, Marcus (or whoever), and everyone else who checked out of the industry should just take a moment to think how you would do "firewalling" today. A user is going to visit CNN.com through a firewall. They happen to encounter a page hosting an iFrames-enabled malicious drive-by download. How do you capture that downloadable, unpack it, decide it is malicious, and throw it out while still allowing access to the daily sports scores?
That level of content inspection is what is represented by the latest breed of firewalls: iPolicy (sadly not really a viable vendor), Fortinet, Palo Alto Networks. You are not going to get it from CiscoJuniperCheckPoint.
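As an added example (not part of the original post or this thread) of the distinction the two sides are arguing over: a stateful rule sees only addresses and ports, while a content-inspection step has to unpack each fetched object and scan it before deciding what to drop. Python, with the harmless EICAR test string standing in for a real signature, all traffic constructed inline, and `layer4_allows`, `unpack`, `scan` and `decide` as hypothetical names.

```python
import gzip
import io
import zipfile

# Constructed signature table: the harmless EICAR test string stands in for a real signature.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File"}

def layer4_allows(src_ip, dst_port, allowed_ports=(80, 443)):
    # First-generation check: only addresses and ports are visible.
    return src_ip.startswith("10.") and dst_port in allowed_ports

def unpack(body, content_encoding=None, depth=0, max_depth=3):
    """Yield the payload and everything nested in it: gzip-decoded data and
    each member of a zip archive, recursing only to a bounded depth."""
    if depth > max_depth:  # refuse pathological nesting (zip bombs)
        return
    if content_encoding == "gzip":
        body = gzip.decompress(body)
    yield body
    if zipfile.is_zipfile(io.BytesIO(body)):
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            for name in zf.namelist():
                yield from unpack(zf.read(name), None, depth + 1, max_depth)

def scan(body, content_encoding=None):
    """Return the name of the first signature found in any unpacked object."""
    for obj in unpack(body, content_encoding):
        for pattern, name in SIGNATURES.items():
            if pattern in obj:
                return name
    return None

def decide(src_ip, dst_port, body, content_encoding=None):
    """Third-generation decision: port rule first, then per-object scan."""
    if not layer4_allows(src_ip, dst_port):
        return "drop: port policy"
    verdict = scan(body, content_encoding)
    return f"block: {verdict}" if verdict else "allow"

# Constructed traffic: the news page, and the object its hidden iframe fetches (gzip'd zip).
HTML_PAGE = b"<html>Scores: 3-1<iframe src='/x.zip' width=0></iframe></html>"
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("x.exe", EICAR)
IFRAME_OBJECT = gzip.compress(_buf.getvalue())

if __name__ == "__main__":
    print(decide("10.1.2.3", 80, HTML_PAGE))              # allow
    print(decide("10.1.2.3", 80, IFRAME_OBJECT, "gzip"))  # block: EICAR-Test-File
```

The page with the scores is allowed through untouched; only the object the iframe fetches is blocked, which is the per-object granularity a pure 5-tuple rule cannot express.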