Firewall revolution or evolution?

by Anthony James
April 19, 2010 at 9:47 am

The following article originally appeared in SC Magazine

Firewalls are again becoming the talk of the town. There is an enormous number of opinions, including claims of a recent firewall "revolution" that has supposedly changed the firewall landscape completely. I will be the first to admit that the features and capabilities offered in today’s firewall products are not the same as those offered in their original incarnation. But then again, traffic patterns and applications are not the same as they were when firewalls first hit the market.

If we look at some of the original firewall products (bypassing the whole proxy versus stateful debate), most products focused on a simple yet powerful proposition: allow or deny specific protocols (applications), and most often the policy was to deny all and allow a few exceptions. The general intent was to insert a barrier at the network border, fending off unnecessary and potentially dangerous application traffic. These firewall policies were based on a common way to identify the application: the layer 4 protocol identifier, i.e. the port number.

Today, applications have taken a dramatically different approach in terms of user interface and communication methods. It should not be a surprise that the majority of applications have moved from a proprietary, client-based executable user interface and unique communication protocol to a web-based interface / communication method. This “webification” of applications is due in part to the innovations in web technology and the ability to deliver rich user experiences that parallel previous “heavy” client-based GUI applications in a web-based environment.

Given this change in application delivery, it is natural for firewalls to evolve and address the new challenge of application security. Obviously the same principles apply as with the original firewall concept: allow or deny applications based on a corporate security policy. However, if every application uses a common web communication method such as HTTP on port 80, how would the traditional firewall implement appropriate controls? If port 80 is “allowed” through the firewall, it opens access to a plethora of applications, some of which could be contrary to the overall security policy.

This is where things get interesting regarding the so-called “firewall revolution” being claimed today, whereby applications are identified based on their content, distinguishing, for example, between peer-to-peer (P2P) applications and hosted business applications. While this is a new way to identify applications, I don’t agree that it is a “revolution”, because other security technologies have been doing this type of detection for quite a while, including intrusion prevention/detection systems (IPS/IDS). With IPS/IDS technologies, the ability to distinguish between multiple applications on a common protocol employs exactly the same principle as the proposed new firewall “revolution”. The new “revolution” isn’t a revolution at all. It is nothing new, just a new way to use existing capabilities.
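To make the port-80 problem and the content-based answer concrete, here is an added illustration (not code from the article or from any vendor product): a toy policy engine that decides each flow twice, once by the layer-4 port alone and once by identifying the application from the payload. The BitTorrent peer-wire handshake prefix and the HTTP tracker `GET /announce?...info_hash=` request are real protocol signatures; the `.corp.example` host suffix used to recognise business web applications and the sample flows are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream


# Traditional firewall: the layer-4 port *is* the application identifier.
PORT_POLICY = {80: "allow", 443: "allow"}  # deny all, allow a few exceptions


def port_based_decision(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dst_port, "deny")


# Content-based identification: classify by what is actually in the stream,
# exactly as an IPS/IDS signature would, regardless of the port in use.
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # BitTorrent peer-wire handshake prefix
TRACKER_RE = re.compile(rb"^GET /announce\?[^ ]*info_hash=")  # tracker request over HTTP
HTTP_REQ_RE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n")
HOST_RE = re.compile(rb"\r\nHost: ([^\r\n]+)")
BUSINESS_SUFFIX = ".corp.example"  # assumed naming convention for hosted business apps


def identify_application(flow: Flow) -> str:
    p = flow.payload
    if p.startswith(BT_HANDSHAKE) or TRACKER_RE.match(p):
        return "bittorrent"  # P2P, whether native on 6881 or tunnelled over HTTP/80
    if HTTP_REQ_RE.match(p):
        m = HOST_RE.search(p)
        host = m.group(1).decode(errors="replace") if m else ""
        return "business-web" if host.endswith(BUSINESS_SUFFIX) else "generic-web"
    return "unknown"


# Policy expressed in terms of applications rather than ports.
APP_POLICY = {"business-web": "allow", "generic-web": "allow",
              "bittorrent": "deny", "unknown": "deny"}


def content_based_decision(flow: Flow) -> str:
    return APP_POLICY[identify_application(flow)]


def compare(flows):
    """Return (application, port-based verdict, content-based verdict) per flow."""
    return [(identify_application(f), port_based_decision(f), content_based_decision(f))
            for f in flows]


# Constructed sample flows: two P2P flows hiding on port 80, one real business app.
SAMPLE_FLOWS = [
    Flow(80, b"GET /announce?info_hash=%AA%BB&peer_id=x HTTP/1.1\r\nHost: t.example.net\r\n\r\n"),
    Flow(80, BT_HANDSHAKE + b"\x00" * 8 + b"\xaa" * 20 + b"-XX0001-" + b"\x00" * 12),
    Flow(80, b"POST /api/orders HTTP/1.1\r\nHost: crm.corp.example\r\nContent-Length: 0\r\n\r\n"),
    Flow(6881, BT_HANDSHAKE + b"\x00" * 8 + b"\xbb" * 20 + b"-XX0001-" + b"\x00" * 12),
]
```

Running `compare(SAMPLE_FLOWS)` shows the first two flows allowed by the port rule but denied once the application is identified from content, while the business application is allowed under both.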

It seems disingenuous, and just plain marketing hype, to say that extending application identification technology into a firewall policy is revolutionary. What is really happening is the evolution of firewalls to meet the evolution of applications.

If there is anything revolutionary about firewalls today, it is the incorporation of content-based security technologies being integrated into the firewall, something that was previously thought to be impossible. The true revolution is in identifying threats within the application content, irrespective of the application, not just a new way to identify an application and allow or deny it.

A security solution that harnesses the power of application control together with content-based security enforcement is the true state of firewall technology innovation, especially if you agree that firewalls should be deployed as defense mechanisms to eliminate threats rather than merely as an “allow-or-deny” paradigm for application access.

Author bio: Anthony James is Fortinet's vice president of products.

Does religion blind our technology decisions?

by Anthony James
October 21, 2009 at 11:00 am

It seems that we keep getting caught up in what can be referred to as “religious” discussions when it comes to technology and the choices in front of us. Consider the UTM debate and the proposition by influencers of the industry that enterprises have no business investing in this technology. I am not going to focus on the debate between UTM and the alternatives available within the market today; instead I want to ask why there needs to be a line drawn in the sand. Is there value in telling enterprises “thou shalt not adopt UTM,” or is there more value in giving an impartial opinion on how each approach has its own respective merits for ANYONE, enterprise or not? Never before (at least not that I can recall) have there been such adamant drives to tell customers what technology simply has NO PLACE for them.

This casts our memories back to a time when firewalls and VPNs were “supposed to be” separated for many reasons (performance, security, etc.), but with technology innovation and advances the naysayers were silenced. Yes, it makes sense to merge these perimeter technologies: the technology exists, it makes sense and it benefits customers.

Can we not draw a parallel between this example and new security products and solutions? Yes, I don’t doubt that there are some customers that are not ready for the convergence of an integrated security solution (aka UTM), but there are many customers who are ready, and a UTM solution is right for them. “Evangelists” are merely doing the industry a disservice by saying “NO! You might like the idea, heck you might even like the product and can derive significant benefit from it…but you are an ENTERPRISE! Send that box packing on that Unicorn-riding Pixie it rode in on.”

We can all quote factual data supporting any side of the story, but at the end of the day what counts is that we are all developing products and technologies to stop the spread of cybercrime and protect customers and their infrastructures. The packaging is just the wrapping: do yourself a favor, evaluate and purchase the technology that solves your problem, and if you are an enterprise evaluating UTM, don’t fret. We are here to support you.

Author bio: Anthony James is Fortinet's vice president of products.

Enterprise UTM is not a myth

by Anthony James
September 28, 2009 at 8:53 am

In July, Gartner published its Magic Quadrant for SMB Multifunction Firewalls report, which we view positively as it is the firm’s official validation of multifunction security consolidation appliances. Gartner defines multifunction firewalls as all-in-one security appliances, and multifunction firewall is the firm’s term for what has been more widely known as unified threat management, or UTM, coined by IDC in 2004.

Fortinet pioneered and built its business on the vision that unified solutions bring security, cost, and operational benefits to customers of all sizes. While we are pleased to be the best-positioned vendor in Gartner’s report, we disagree with various statements the firm makes — namely that multifunction firewalls (or UTM solutions) only belong in small to medium business environments. We see evidence to the contrary every single day.

It is true that SMBs and larger enterprises use multifunction firewalls differently; SMBs typically deploy more of the integrated security functions than large enterprises do. However, we believe, and the data supports, that numerous enterprises, telecommunication carriers and service providers have adopted UTM solutions for the benefit of being able to turn the functions on one at a time as needed, without having to deploy additional appliances. This is a clear trend among our enterprise customers. But perhaps the strongest evidence for UTM’s rightful place in enterprise environments is quantitative data from IDC.

According to the IDC Worldwide Security Appliance Tracker, more than $500 million was spent on enterprise and high-end UTM appliances in 2008, compared with $280 million in 2006*. So, if UTM is not an enterprise or high-end play, where are all of these units going?

Further supporting IDC’s quantitative data is research from Frost & Sullivan, which reported in its World Unified Threat Management 2008 end-user study that “UTM has started to appear in enterprise and data-center class networks.” We are observing the same trends that IDC and Frost & Sullivan are seeing. Here is some data to support this:

  • Fortinet has shipped more than 450,000 UTM appliances.
  • More than 75,000 global customers, including the majority of the Global 100, have purchased our UTM appliances.
  • Some notable customers include Polycom, CKE Restaurants, Sylvania and many branches of the U.S. Federal Government, including the Marine Corps, Army, Navy, Air Force, civilian agencies and the intelligence community.

Gartner is certainly entitled to its opinion, but there are hard facts to support the notion that UTM appliances are not an SMB-only solution. Data from numerous analyst firms, vendors, and end-users themselves give credence to the fact that enterprises are adopting UTM solutions at an accelerating pace. For a firm like Gartner to continue to ignore or refute this market shift is difficult to fully understand and seems a disservice to those who rely on its research and analysis.

* Data based on price bands above $6K

Author bio: Anthony James is Fortinet's vice president of products.