Network firewalls aren't dead yet

After 20-plus years of service, the technology remains a core part of the IT security stack despite its long predicted demise

Phil Cummings says network firewalls will continue to be a critical piece of the Health Information Technology Services -- Nova Scotia security portfolio for one simple reason: nothing has come along to replace them.

For the past 15 years, Cummings, a security administrator at HITS-NS, has been responsible for managing the enterprise firewalls that are used to protect the 20,000-user network the company manages for the Nova Scotia government.

Over that time, Cummings has seen firewalls evolve from relatively rudimentary tools for blocking threats at the network edge to sophisticated, policy-based, traffic filtering and intrusion prevention systems.

"We see firewalls becoming more than just a block" on the network, Cummings says. "We see a lot of perimeter firewalls taking more of an enforcement role in protecting the desktop" and mobile devices.

Network firewalls are seen by some observers as an anachronism in an industry obsessed with the latest and shiniest security tools. Network firewalls aren't sexy. They've been around for more than 20 years, plugging away as the threat landscape changes beyond recognition.

But rather than fading away like respectable mature technologies should, firewalls have stubbornly remained a vital part of enterprise security stacks.

For one thing, they still offer a reasonably strong first line of defense against an array of threats. Despite talk by some experts that perimeter technologies have become useless against modern malware, firewalls do block a lot of junk that would otherwise inundate enterprise networks. The technology continues to be critical in enabling network segmentation and in ensuring critical business and corporate systems are separated.

For most companies, a firewall is the only device that is designed and deployed inline as part of the network infrastructure. It remains in the best position to filter and regulate traffic flowing into the corporate network.

Firewalls have also evolved over the years to become a 'Swiss-army knife' of security technologies. A growing number of firewalls now integrate capabilities previously found in separate, standalone security devices.

Gartner says such emerging firewall technologies will eventually "subsume" mainstream deployments of new intrusion prevention system (IPS) appliance technology.

Not bad for a technology that some had predicted would have faded away by now.

Vendors such as Palo Alto Technologies -- whose products are used at HITS-NS -- embody next generation firewall technology.

Founded in 2005 by a former Check Point Software Technologies engineer, Palo Alto is now one of the hottest security companies. Palo Alto is bankrolled by some of Silicon Valley's most influential venture capitalists and has 65 of the Fortune 100 companies on its list of 16,000 customers.

Palo Alto's firewall products are considerably different from the stateful inspection firewalls of the past that basically gave companies a choice of blocking something entirely at the perimeter, or letting it all through.

Palo Alto firewalls are application aware, said Lee Klarich, senior vice president of product management.

Instead of blocking Skype or Facebook entirely, companies can use Palo Alto's firewall products to control what users can do with these applications. Want to enable Webex, but only for a select set of users? Palo Alto has an app for that, Klarich says.

"What we would say first and foremost is our platform is designed to safely enable applications" instead of blocking them due to security concerns, Klarich said. "We go way beyond a traditional firewall."

The products natively integrate firewall, intrusion detection, intrusion prevention and URL filtering functions and enable visibility and control over everything flowing into and out of a corporate network.

"Newer firewalls have more identity and application functionality built in," says Pete Lindstrom, principal at Spire Security.

Along with permit/deny functions for connections on different network ports, the latest firewall technologies also include functions for monitoring applications running on Internet ports 80 and 443, he said. That's a big deal at a time when a lot of Web applications and malware use the same entryways into the corporate network.

"It allows administrators to know what is going in and out the front door," Cummings says. "And because you know what is going on, you can assess the risk and control it."

The key is that next-generation firewalls can enforce contextual access controls based upon users, applications, locations, time-of-day and other factors, said Jon Oltsik, an analyst at Enterprise Security Group. Think of new firewalls as network security services, he says.

"These services won't go away but may morph into different physical and virtual form factors. What enterprise organizations really want is central control and distributed policy enforcement across all network security services -- physical, virtual and cloud-based. Think single pane-of-glass control," Oltsik said.
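The two passages above describe the shift from permit/deny decisions keyed on port numbers to contextual policies keyed on user, application, location and time of day. The following is an added example, not code from the article or from any vendor named in it: a toy first-match policy engine that evaluates the same constructed connection attempts against a port-only rule set and against a contextual one. The `app_id` and `user_group` fields on each flow are assumed to come from application identification and a directory lookup respectively; the rule names, group names and business-hours window are all hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it (constructed sample data)."""
    user_group: str            # assumed to come from a directory lookup; "unknown" if unmapped
    dst_port: int
    app_id: str                # assumed output of application identification; "unknown-tls" if opaque
    location: str              # "corp", "vpn" or "guest"
    at: time                   # local time of day


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    port: Optional[int] = None
    app: Optional[str] = None
    group: Optional[str] = None
    location: Optional[str] = None
    hours: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, f: Flow) -> bool:
        """A rule matches only if every condition it sets is satisfied; unset conditions are wildcards."""
        return (
            (self.port is None or f.dst_port == self.port)
            and (self.app is None or f.app_id == self.app)
            and (self.group is None or f.user_group == self.group)
            and (self.location is None or f.location == self.location)
            and (self.hours is None or self.hours[0] <= f.at <= self.hours[1])
        )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match-wins evaluation with an implicit deny when nothing matches."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "deny", "implicit-deny"


BUSINESS_HOURS = (time(8, 0), time(18, 0))   # hypothetical window

# Legacy port-based policy: the only question it can ask is "which port?"
LEGACY_RULES = [
    Rule("allow-http", "allow", port=80),
    Rule("allow-https", "allow", port=443),
]

# Contextual policy: decisions keyed on application, user group, location and time
CONTEXTUAL_RULES = [
    Rule("sales-webex", "allow", app="webex", group="sales",
         location="corp", hours=BUSINESS_HOURS),
    Rule("anyone-web", "allow", app="web-browsing"),
    Rule("block-opaque-tls", "deny", app="unknown-tls"),
]

# Constructed sample flows; note that four of the five arrive on port 443
SAMPLE_FLOWS: Dict[str, Flow] = {
    "sales_webex_daytime": Flow("sales", 443, "webex", "corp", time(10, 30)),
    "eng_webex_daytime": Flow("engineering", 443, "webex", "corp", time(10, 30)),
    "sales_webex_night": Flow("sales", 443, "webex", "corp", time(23, 15)),
    "opaque_tls_443": Flow("unknown", 443, "unknown-tls", "corp", time(14, 0)),
    "web_on_8080": Flow("sales", 8080, "web-browsing", "corp", time(14, 0)),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the action the given policy takes on it."""
    return {name: evaluate(rules, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    legacy, contextual = decisions(LEGACY_RULES), decisions(CONTEXTUAL_RULES)
    for name in SAMPLE_FLOWS:
        print(f"{name:22} legacy={legacy[name]:5} contextual={contextual[name]}")
```

Running the block shows the point the article makes about port 443: the port-only policy allows the engineering user's Webex session, the after-hours session and the opaque TLS flow alike, because all three look identical at the port level, while the contextual policy permits only the sales user's daytime session and denies the rest. It also shows the reverse case: legitimate web browsing on a non-standard port is dropped by the port-only policy and allowed by the application-aware one.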

Several other firewall vendors, including Check Point, Fortinet and Juniper, have taken a cue from Palo Alto and are rushing to market with newfangled firewalls that offer a set of integrated capabilities.

Each of the companies is moving along at a different pace, but they already have the full attention of enterprises and of investors, if their market capitalizations are any indication.

"The modern firewall must be flexible in deployment and serve as a platform for security services," said Michael Callahan, vice president of product marketing at Juniper Networks. In the next few years expect to see firewalls incorporating diverse sets of threat intelligence information from the cloud and within a network. Such data will be used to actively defend against attacks in real-time, he said.

Callahan says this while pointing to new "intrusion deception" technology built into Juniper's latest firewalls. The technology, gained from its $80 million acquisition of Mykonos in 2012, is designed to identify and stop malware attacks both early in the process and after a network is penetrated.

"By leveraging visibility into endpoints, internal network traffic and the network edge, the technology can detect malware in places where other [products] cannot," Callahan said.

Over the next few years, new-generation firewall technologies are likely to be integrated even further into the enterprise. Even advances like software-defined networking are unlikely to diminish the need for firewalls, argues Jody Brazil, founder and CTO of security vendor FireMon.

"Nowhere have I seen anyone say that this increased move toward automation will eliminate the need for firewalls," says Brazil. "In fact, just as we've seen with virtualized networks, there will be an increased demand for firewall technologies to support both existing processes and some of these newly emerging models."

Trends like SDNs will not lead to the demise of the firewall but will reemphasize the need for them, he predicts. "Firewalls may not be sexy but they [are] the underlying backbone of all IT security infrastructure. And that's not changing anytime soon, if ever," Brazil said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is
