Skip Links

How will cloud, virtualization and SDN complicate future firewall security?

The firewall is the IT security gold standard but will the traffic of the future going to go through it?

By , Network World
June 27, 2013 11:30 AM ET

Page 2 of 5

Finding such a broad mix of vendor firewalls in one organization may be the exception, not the rule. Gartner analyst Greg Young, speaking at the Gartner Security and Risk Management Summit in June, said Gartner sees most organizations stay with a single vendor. And when it comes to next-generation firewalls (NGFW), for which Gartner has been a strong advocate, it’s estimated that less than 8% of organizations use NGFW today, though that number is expected to climb well above 30% within five years.

Young also noted that it’s apparent that SSL VPN is moving completely into the firewall and is fading out as separate standalone SSL VPN boxes.

Firewalls and IPS, in fact, seem to be able to live almost anywhere. One example is the Fortinet Secure Wireless LAN, which is basically a wireless-access point and switch integrated into a unified threat management device supporting firewall and IPS capability. According to Fortinet Vice President of Marketing John Maddison, it’s popular in retailing in store chains where it’s a cost-effective way to get wireless coverage and security combined.

Restaurant chain Jack-in-the-Box recently deployed 650 of the FortiWiFi-60CS devices that combine wireless access and firewall/IPS in hundreds of its restaurant chain locations. Jim Antoshak, director of IT there, says the older wireless points in the Jack-in-the-Box restaurants can now be retired, and the Fortinet gear will be a compact combination of wireless and security.

An argument?

One debate centers around two main questions: Is a multi-purpose firewall/IPS as effective as a standalone appliance? What about a security module in a switch or router?

HP, like Cisco and Juniper, offer security modules for firewalling and intrusion-prevention that can work in the vendor’s switches and routers. But Rob Greer, vice president and general manager for enterprise security products at HP TippingPoint, says when it comes to intrusion-prevention, the main deployments HP sees are as dedicated, standalone appliances. And this is generally considered the best approach for the HP next-generation application-aware IPS in terms of performance and granular controls, he notes.

Mike Nielsen, senior director, network security and product marketing at Cisco, says the vast majority of what Cisco sells in firewalls and IPS are “dedicated security appliances.” The ASA 5585-X Series in its Adaptive Security Appliance line is described as having 40Gbps firewall throughput which Nielsen says can be pushed to 80Gbps for IPS, which includes an application-controls feature. This is the main element that lets it be called a “next-generation firewall,” according to the Gartner definition.

Jason Brvenik, vice president of security strategy in the technology research group, at Sourcefire, argues that “dedicated devices give you freedom as an organization to respond to the latest evolving threat.”

Fred Kost, Check Point’s head of product marketing, says customers that require high throughput and low latency typically decide on dedicated functionality. But he points out that the small-to-midsized business customers often find multi-purpose firewall gateways and the unified threat management devices adequate. Check Point, also jockeying for the “next-generation” title, recently added a “threat emulation blade” as a firewall module. It can safely “explode” files in a sandbox to try and uncover zero-day attacks. It tackles a similar problem that Palo Alto takes on with its Wildfire threat-detection in its next-generation firewall.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News