Thursday, March 26, 2015

Firewalls, Firewalls and More Firewalls

CIO: Jimmy, I was at a conference last week and the common theme at the conference was that firewalls are a thing of the past.  Trends are suggesting that we should start looking at a Next-Gen Firewall to replace what we have.

Engineer: Sir, we just added a UTM solution to our network a month ago???

CIO: I understand, Jimmy.  However, the threat landscape is getting serious and I need to make sure that our network is as secure as possible.  I need some recommendations for a Next-Gen Firewall by the end of the week.

The exchange above reflects a situation that seems all too common in the IT workplace these days.  As IT engineers, we tend to speak our own jargon of acronyms and catchy phrases.  We’ve become so accustomed to it that at times we forget our audience and simply assume that everyone knows what we’re talking about.  It even happens amongst ourselves from time to time.  The business side of the house, however, usually has its own set of definitions for things, most of them fueled by third-party organizations like Gartner.  The misunderstanding between the CIO and the Engineer in the firewall discussion above presents an opportunity to clear up some of these misunderstandings about the firewall.  Since a vast amount of upper management in organizations tends to lend significant weight to Gartner’s Magic Quadrant, we’ll use Gartner’s definitions to compare and contrast what a Firewall, a Next-Gen Firewall, and Unified Threat Management really are.

“A firewall is an application or an entire computer (e.g., an Internet gateway server) that controls access to the network and monitors the flow of network traffic. A firewall can screen and keep out unwanted network traffic and ward off outside intrusion into a private network. This is particularly important when a local network connects to the Internet. Firewalls have become critical applications as use of the Internet has increased.” -Gartner 2013

According to Gartner, a firewall is just an application or an entire computer that controls access to the network.  While technically correct, this lacks a good amount of clarity.  When most IT engineers think of a firewall on a network, they don’t typically think of a software application or a desktop PC/server as the device that is going to control access in and out of their network.  What comes to mind (at least for me) is a dedicated appliance with a number of ASICs (Application Specific Integrated Circuits) designed to process network traffic while comparing it against a definitive set of rules at Layers 3 and 4 of the OSI model, track stateful sessions, and provide some sort of NAT (Network Address Translation).  Sure, there are other services that are common on a lot of firewalls, such as the various types of VPN (Virtual Private Networking) technologies, but the truth of the matter is that not every firewall supports VPN.  Similarly, IPS/IDS (Intrusion Prevention/Intrusion Detection Systems) are common services found on a number of firewalls, and, like VPN, there are a number of firewalls that do not support them.  So the question becomes: if these services aren’t standard on a firewall, and when added they enhance the level of security that a firewall can provide, couldn’t that make firewalls that do provide these services a “Next-Generation” firewall?  After all, the definition of the term “Next-Generation” according to is “pertaining to the next generation in a family; also, pertaining to the next stage of development or version of a product, service, or technology” (, 2014), so one could easily deduce that having VPN and integrated IPS/IDS as part of a firewall would be the next stage of development in the firewall product family and thereby should make a “Next-Generation Firewall”.  Or so one would think, but alas, we would be wrong in our assumption, because Gartner has coined the Next-Generation Firewall phrase with a different meaning.

Next-Generation Firewall
“Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall. An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or nonenterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.”  -Gartner 2013

To me, this definition sounds a lot like what was just discussed.  However, there are a couple of key requirements in this definition in order for a firewall to be coined “Next-Generation”.  Application-level inspection is the first, and bringing intelligence from outside the firewall is the second; these are the two additional requirements that Gartner has added in order for one to coin their box a “Next-Generation Firewall”.  So what is application-level inspection?  Simply put, it’s the firewall’s ability to classify traffic such as Facebook, Outlook, Adobe Flash, etc. at the firewall level and to write policies based on these classifications.  The next requirement is quite vague, because “bringing intelligence from outside the firewall” could technically be any sort of service not originating from inside the firewall.  One could argue that a firewall downloading IPS/IDS signatures could be considered “bringing intelligence from outside the firewall”.  What I find troubling about this is that some time ago there was a situation in which a particular vendor met all of Gartner’s requirements as per the definition but wasn’t allowed to compete in the Magic Quadrant because the product was already a leader in the UTM (Unified Threat Management) category and exceeded the requirements of the Gartner definition (Tam, et al., 2012).  There are, however, a number of other products that exceed the required capabilities as per the definition, and these products still appear in the Magic Quadrant.  For example, the definition stated above makes no mention of offering VPN services, and yet there is a plethora of devices in the quadrant that do.
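To make the distinction between the two definitions concrete, here is an added example, not code from the original post: a toy policy engine that decides the same flows first with port/protocol rules (the classic firewall of the earlier paragraph) and then with the application labels Gartner’s definition calls for.  The Flow fields, both rule sets, and the SNI-to-application table are constructed for illustration; a real NGFW classifier uses far richer signatures than a server-name match.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it; all sample flows are constructed."""
    src_ip: str
    dst_ip: str
    proto: str                     # "tcp" or "udp"
    dst_port: int
    tls_sni: Optional[str] = None  # server name from the TLS ClientHello, if seen

# Classic firewall: protocol and destination port only, first match wins,
# trailing (None, None) entry is the default deny.
L4_RULES = [("tcp", 443, "allow"), ("tcp", 80, "allow"),
            ("udp", 53, "allow"), (None, None, "deny")]

# Constructed classifier table: SNI suffix -> application label.
APP_BY_SNI = {"facebook.com": "facebook", "fbcdn.net": "facebook",
              "outlook.office365.com": "outlook"}

# NGFW-style policy written against application labels, not ports;
# "ssl" is TLS to a host the classifier does not know, None is default deny.
APP_RULES = [("facebook", "deny"), ("outlook", "allow"), ("ssl", "allow"),
             ("web-browsing", "allow"), ("dns", "allow"), (None, "deny")]

def l4_decision(flow: Flow) -> str:
    """Port/protocol firewall: cannot tell facebook.com from any other HTTPS site."""
    for proto, port, action in L4_RULES:
        if proto in (None, flow.proto) and port in (None, flow.dst_port):
            return action
    return "deny"

def classify_app(flow: Flow) -> str:
    """Label the flow from its TLS SNI first, then fall back to port-based labels."""
    if flow.tls_sni:
        for suffix, app in APP_BY_SNI.items():
            if flow.tls_sni == suffix or flow.tls_sni.endswith("." + suffix):
                return app
        return "ssl"
    port_labels = {("tcp", 80): "web-browsing", ("udp", 53): "dns"}
    return port_labels.get((flow.proto, flow.dst_port), "unknown")

def app_decision(flow: Flow) -> str:
    """Application-aware firewall: same flow, decided on what it is, not where it goes."""
    app = classify_app(flow)
    for rule_app, action in APP_RULES:
        if rule_app in (None, app):
            return action
    return "deny"
```

Running it shows the point the post makes: a TLS session to facebook.com is indistinguishable from any other HTTPS traffic to the port rule set and is allowed, while the application-aware rule set identifies it and denies it.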

Unified Threat Management
“Unified threat management (UTM) is a converged platform of point security products, particularly suited to small and midsize businesses (SMBs). Typical feature sets fall into three main subsets, all within the UTM: firewall/intrusion prevention system (IPS)/virtual private network, secure Web gateway security (URL filtering, Web antivirus [AV]) and messaging security (anti-spam, mail AV).” -Gartner 2013

When we look at this definition provided by Gartner for Unified Threat Management, there are a few additional features that a UTM provides.  In addition to the requirements laid out for the Next-Generation Firewall, a UTM provides VPN technologies, Web filtering, Web antivirus, anti-spam, and e-mail AV.  Let’s not forget that these services have to be offered on the same box.  However, you will note that there isn’t any mention of the UTM having to bring intelligence into the platform from an outside source.

The waters have been tremendously muddied thanks to third parties such as Gartner making up their own definitions for these platforms.  At the end of the day, they’re all just firewalls with enhanced feature sets.  Unfortunately, the reality is that because many key people follow Gartner quite religiously, it becomes necessary to understand Gartner’s definitions, as well as how a manufacturer views its own product, in order to ensure that there isn’t a communication breakdown.

References

(2014). next-generation. Retrieved from
Gartner. (2013). IT Glossary. Retrieved from
Tam, K., Salvador, M. H., McAlpine, K., Basile, R., Matsugu, B., & More, J. (2012). UTM Security with Fortinet. Waltham, MA: Syngress.