The Firewall: Questions abound about its future role in cloud, mobile and SDN environments
- 14 July, 2014 22:59
It's been 20 years since Check Point Software Technologies shipped its first enterprise network firewall, marking the beginning of a mass market for firewalls that has protected millions of networks across the world.
Check Point's FireWall-1, unveiled at NetWorld+Interop in 1994, wasn't the first network firewall, of course. The firewall had begun taking shape with the rise of the Internet. Companies and universities throughout the 1980s and 90s saw the need to block unwanted IP traffic by creating a perimeter gateway barrier however they could. In that era, they sometimes "rolled their own" based on routers or other gear until vendors eventually came to their rescue with firewall products that spared them this unwanted labor.
Marcus Ranum, now chief security officer at Tenable Network Security, is considered the most prominent of the early commercial firewall innovators because he designed the DEC SEAL firewall in 1990, and worked on the Gauntlet firewall and TIS toolkit at Trusted Information Systems. TIS, founded in 1983 by a former NSA employee Steve Walker, focused on high-security government customers; the company was sold to Network Associates (which later became McAfee) in 1998. Other early efforts, such as the Raptor firewall, also existed. But it was the launch of Check Point's FireWall-1 that ended up creating the kind of mass market soon joined not just by the big network providers such as Cisco and Juniper, but a host of other players, such as WatchGuard.
It was Check Point that gained steam while TIS didn't. Ranum mulls why that may have been so: "The proxy firewalls that ruled the technology at the time required some analysis of the application protocol, and the design of a gateway system to parse, process and filter the layer-7 traffic going through them," Ranum points out. "This took time -- development time to produce a proxy, and processor time in the firewall's CPU to do the analysis. When the Internet bubble began, Check Point really took off because they didn't do any layer-7 analysis and it was easy to write a rule to let traffic through. New applications were popping up all over the place and Check Point's ability to respond (and their performance story -- it's easy to be fast if you don't do much!) made them a much easier sell. They also had Sun and the Sun reseller channel behind them -- so they crushed everyone with a combination of being in the right spot and having technology that was fast and offered basic, adequate security."
"Stateful inspection was fast and easy," says Scott Montgomery, CTO at Intel Security, who remembers those days, saying the Gauntlet firewall was relegated to only the most high-security networks.
In its early years, the TIS Toolkit proxy firewall didn't gain widespread adoption because "it was so hard to maintain a proxy firewall," says Matt Howard, now at Norwest Venture Partners, who helped develop Network Translation's PIX firewall, later acquired by Cisco.
Back then, "everyone thought the firewall would be killed -- the router would subsume the firewall," says Howard. But that didn't happen. Infrastructure providers Cisco and Juniper certainly sell firewalls in routers and switches.
But Gartner reckons that enterprises tend not to depend on that approach for their core firewall purchases. Though it faces tough competitors, Check Point continues to hold the top spot at 22% of the market for firewall equipment, by Gartner's reckoning. By consultancy IDC's account, Cisco may be slightly ahead with 24.3% share.
Check Point is "one of the stalwarts of the firewall group" and the two have been rivals for a long time, says Scott Harrell, vice president of product management for security at Cisco. "They're a formidable competitor and we see them in many accounts."
Gil Shwed is co-founder and CEO of Check Point, which began with help from Israeli tech investor Shlomo Kramer and vice chair Marius Nacht. Shwed says he agrees with many of Ranum's points about that era. Shwed notes that Check Point's strong suit was its stateful inspection engine and simple graphical interface. Check Point FireWall-1 ushered in a "turning point" that turned a "niche" into "a mainstream," he notes. He adds that he holds Ranum, a recognized pioneer in the field, in high regard.
Shwed said his own ideas for the firewall began coming together long before the founding of Check Point while he served in the Israeli military and was busy connecting networks.
Corey Nachreiner, director of research and strategy at WatchGuard, agrees that Check Point's FireWall-1 can be considered the "first real commercial run" at a firewall. He notes that Check Point early on was software-based while WatchGuard differentiated its early Firebox as a hardware appliance. (In a back to the future kind of way, WatchGuard is reviving the Firebox brand name it had earlier dropped.)
Today what's called the firewall typically does far more than simple port-based filtering and control. It might also include an intrusion prevention system (IPS), antivirus or URL filtering, act as a data-loss prevention device, and much more, including sandbox-style zero-day threat detection. Security analysts at tech consultancies have left their mark by criticizing whatever the security vendors were doing over the years, and urging them to reach for more, such as higher throughput speeds or better management.
At research firm IDC, security products research director Charles Kolodgy coined the term "unified threat management" for a class of firewall-capable devices, often seen as suitable for small to mid-sized businesses. And at Gartner, analysts Greg Young and Neil MacDonald in recent years began urging network-firewall providers to produce the kind of "application-aware" gear that would be able to establish access and user identity controls through granular knowledge of the applications, plus capabilities such as IPS.
Palo Alto Networks, founded in 2005 by its CTO Nir Zuk, set the pace with its Next Generation Firewall (NGFW) that shipped in 2007. This compelled vendors that include Cisco, Check Point, Intel Security division McAfee, Barracuda Networks, and recently HP, to join the charge to NGFW.
Along the way, Zuk, who had been at Check Point developing the early firewalls, has stepped upon the stage as a clear -- but controversial -- leader and innovator. After a falling out early on with Check Point management, he started OneSecure in 1999, which was acquired by NetScreen in 2002, later acquired by Juniper for $4 billion in 2004.
After Zuk left Juniper to establish Palo Alto, Juniper launched firewall-related patent-infringement lawsuits. The two sides dueled over firewall patents until, in May of this year, they settled with a cross-licensing arrangement that included Palo Alto agreeing to pay $175 million in cash and equity.
While some of his former employers tend to wince at his name, Zuk nonetheless gets the nod from others.
"Nir's the brains," comments Ranum. "He did the design of a lot of Check Point, Netscreen (now Juniper) and Palo Alto -- he takes a team of programmers around with him, who -- by now -- can code firewalls in their sleep."
The world has moved far beyond what was possible in the early '90s, Ranum adds. "Now that you can buy programmable 'switch on a chip' processors like the Cavium Octeon, it's possible to do the layer-7 analysis at packet speed, which we could never do in 1991. I see the trend as a sort of vindication of the idea the game was always at layer-7 to begin with and 'stateful inspection' was a 15-year-long digression."
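The distinction Ranum draws, shown as an added example that is not from the article or any vendor's product: a toy stateful filter that admits traffic by destination port and connection state beside the layer-7 check a proxy firewall performs on the same bytes. The packet structure, addresses and payloads are constructed for the demonstration.

```python
# Added example, not from the article or any vendor: a toy stateful port
# filter next to a layer-7 (proxy-style) HTTP check, on constructed packets.
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str           # "out" = inside to Internet, "in" = from Internet
    src: str                 # "ip:port"
    dst: str
    syn: bool = False
    payload: bytes = b""

class StatefulFilter:
    """Stateful inspection: record new outbound TCP to a permitted port, admit
    replies to recorded flows; the payload is never read."""
    def __init__(self, allowed_ports):
        self.allowed_ports, self.flows = set(allowed_ports), set()
    def check(self, p):
        if p.direction == "out":
            if p.syn and int(p.dst.rsplit(":", 1)[1]) in self.allowed_ports:
                self.flows.add((p.src, p.dst))
            return (p.src, p.dst) in self.flows
        return (p.dst, p.src) in self.flows  # unsolicited inbound is dropped

def http_request_ok(payload, methods=("GET", "POST")):
    """Layer-7 check: payload must parse as an HTTP/1.x request with an allowed method, a path and a Host."""
    try:
        lines = payload.partition(b"\r\n\r\n")[0].decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False
    return (method in methods and target.startswith("/") and version.startswith("HTTP/1.")
            and any(l.lower().startswith("host:") for l in lines[1:]))

def verdicts(packets):
    """Per packet: (stateful verdict, stateful-plus-layer-7 verdict)."""
    sf, out = StatefulFilter([80, 443]), []
    for p in packets:
        ok = sf.check(p)
        l7 = ok and (p.direction == "in" or not p.payload or http_request_ok(p.payload))
        out.append((ok, l7))
    return out

SAMPLE = [  # constructed traffic from inside host 10.0.0.5
    Packet("out", "10.0.0.5:40000", "203.0.113.10:80", syn=True),
    Packet("out", "10.0.0.5:40000", "203.0.113.10:80", payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("in", "203.0.113.10:80", "10.0.0.5:40000", payload=b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("out", "10.0.0.5:40001", "203.0.113.10:80", syn=True),
    Packet("out", "10.0.0.5:40001", "203.0.113.10:80", payload=b"NOTHTTP 1.0\r\n\r\n"),
    Packet("in", "198.51.100.7:5555", "10.0.0.5:22", syn=True),
]
```

The fifth packet is the point: port 80 and an established flow satisfy the stateful filter, but the bytes are not HTTP, so only the layer-7 check refuses them.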
In all this time, the firewall market has mushroomed into what Gartner thinks will be more than a $9 billion market this year. Firewalls have long since been used not just at the perimeter but also inside enterprise networks to cordon off segments. But despite all this, the irony is that the role of the network firewall is more in doubt than ever before because of the rising use of cloud-based services and mobile devices.
IT and security managers have always had their doubts about firewalls, especially when web traffic had to be let through. Those doubts reached a crescendo from around 2005 on, when a group of security professionals from several large global enterprises gathered under the banner of the "Jericho Forum" to voice their displeasure with firewalls.
Their complaints centered on the idea that the growth of cloud services, e-commerce and mobile were all acting to eliminate the discernible network "perimeter" they had once enjoyed. The Jericho Forum, led by security pros such as Paul Simmonds, who worked at paint and chemicals firm ICI and later AstraZeneca, spoke out passionately about the perceived limits of firewalls and a deep desire for new approaches that were data-centric.
Under the auspices of the Open Group, the Jericho Forum began issuing position papers, notably the Jericho Forum's "Commandments" for good security to "deliver a de-perimeterized vision." It fired more than a few shots at the firewall. "Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves," the group stated. Other guidelines were, "In general, it is easier to protect an asset the closer protection is provided."
In the ongoing debate, which enlivened many tech conferences, Gartner, among others, tended to push back on the notion that the perimeter firewall should go away. Companies kept buying more firewalls. But the Jericho Forum's basic point, that use of cloud services and mobile devices, especially employee-owned "Bring Your Own Device" situations, was causing difficulties for perimeter firewalls, hit home for many companies. And the rise of virtualized networks and the looming terrain of future Software-Defined Networks for switching is challenging firewall vendors to adapt.
Some vendors, including Check Point, have designed software-based firewalls to work in the Amazon Web Services EC2 cloud service, for example, though Amazon itself offers a firewall service. Cisco doesn't yet, but Harrell says that's in the works along with other cloud services. He acknowledges one issue is that each one represents a platform needing a specific firewall build and a way to charge for a firewall in the "pay as you go" model of cloud services. He adds Cisco also has firewall hosting services for the enterprise that are going to be expanded in the future.
Adoption of virtual firewalls has been fairly slow, Gartner believes, predicting that fewer than 5% of enterprises will deploy all-virtualized firewalls in their data centers by 2016. Check Point's Shwed acknowledges that from what he sees, adoption of virtual firewalls hasn't seemed to take off.
But firewalls are hardly dead as Gartner analyst Greg Young pointed out in his recent presentation at the Gartner Security and Risk Management Summit. He noted that the enterprise firewall market at $8.7 billion remains the single largest segment of the overall IT security market. And that's expected to rise to $9.4 billion by year-end. But there are discontents around specific things.
Web A/V filtering, in particular, causes a significant performance hit on a firewall, he pointed out, and this functionality is likely better deployed on a secure gateway. The firewall contenders out there have yet to leave their marks in virtualization, the data center and SDN, "the next battle to be fought," Young said.
Cisco's Harrell contends Cisco is positioning itself to engage in that battle effectively with its application-centric infrastructure and controller with a way to configure firewalls and load balancers in simple English-language rules. However, it all remains very new.
Some Gartner analysts are looking beyond the network firewall for help in the future. One Gartner analyst, Joseph Feiman, even argues that a 2-year-old technology called "Runtime Application Self-Protection" (RASP) could take over most of the duties of the network firewall.
In a debate between Young and Feiman at the conference, Feiman argued ardently that RASP -- described as an instrumentation of the runtime in servers or clients to protect applications against a variety of attacks -- is basically a better approach than traditional firewalls because the perimeter is dissolving due to cloud services and mobile. "We're failing with our perimeter security," he said, "I'm asking us to change our view."
Feiman said vendors with RASP products include HP, Prevoty, Shape Security, Waratek, Bluebox and Lacoon Mobile Security. Young, however, scoffed at the notion that RASP would be the next big thing to edge out perimeter firewalls, noting that RASP products need to be added to each OS or handset they might want to protect.
And how does Check Point's Shwed feel about RASP? He acknowledges he's really not familiar with it, and it's not something that troubles him. What does concern him is how the modern firewall needs to evolve to gain information about ever-more stealthy threats to block them. He thinks information-sharing among security vendors of many kinds is the way forward, and that's what Check Point is pursuing.