Industry Insights with Andrew Ossipov

We Need a 'New Normal' Firewall

Firewall Technology Remains Relevant But Must Continue to Evolve Past Next-Gen
The firewall has been the cornerstone of enterprise network security since the dawn of the internet age.

A lot has changed over the decades since hardware firewalls first entered the market. We've seen the rise of application virtualization, the movement to the public cloud, the dissipation of a clearly defined network perimeter, the emergence of pervasive encryption, and the proliferation of cloud-native microservices. In light of all that, some might view the firewall as a legacy technology, but that's not an accurate assessment.

In 2021, the firewall’s capabilities still represent a core element of IT security, and they will remain so for years to come. But they need to continue to evolve.

The Evolution of the Firewall

The firewall is the tool you use to protect your applications and data.

Twenty years ago, everything was connected to a physical network with big application servers within an organization's on-premises data center. Firewall appliances were inserted at the boundary of those physical networks to thwart threats coming from outside the organization.

With the emergence of lateral threat propagation within data centers, firewalls were increasingly inserted inside the network to provide additional segmentation points. As virtualization took hold, software-based firewalls were used to provide a control point in the virtualized environments.

With the rush toward public cloud and microservice-based applications, there remains a need for an inline control point, though it's different from a traditional physical or even a virtual network perimeter. Cloud-native environments are exposed to the very same lateral threats, but it's tricky to insert inline enforcement points there, and the lack of traffic visibility adds further complexity to the evolving IT landscape.

The Next-Gen Firewall

In the early years of network firewalls, most of the traffic was sent in the clear, with very little encryption. That has changed, and now everything is encrypted. Because traditional firewalls rely on deep packet inspection, decrypting transit traffic is unavoidable. Physical firewalls might have an inherent advantage here, thanks to their purpose-built crypto components. The processing power required to gain visibility into encrypted traffic is high, and it would slow a software-based firewall to a crawl. To add insult to injury, many modern application flows can no longer be decrypted at all, even if this function could somehow be accelerated.

Over the last decade there has been a trend in the industry to refer to the evolved version of the network firewall as a next-generation firewall, or NGFW. The NGFW relies on deep packet inspection to identify applications and block threats, but this capability is no longer universally applicable due to the aforementioned visibility and insertion challenges.

The 'New Normal' Firewall

In 2021, we need a "new normal" firewall. It won't be just one device, physical or virtual, but rather a set of detection and enforcement tools that natively integrates in different environments, from the network to applications. These enforcement points will join forces to implement threat protection and enable compliance under a unified, intent-driven policy. The new normal firewall will fit into the evolving cloud-delivered Secure Access Service Edge, or SASE, model, and it will play an enforcement role for Zero Trust, from posture validation to TLS fingerprinting and behavioral API security.

Most security professionals understand the role of the firewall as an all-in-one visibility and enforcement point. With connected devices everywhere, the visibility function becomes distributed. When a user laptop talks to a SaaS productivity application, the new normal firewall will leverage the corresponding endpoint agents or APIs to understand what's going on with the network traffic.

The new normal firewall will be a collection of enforcement points that could be privately hosted, cloud-hosted or even cloud-delivered. They will constantly gather information on whether or not an entity is compliant with the policy. With the complexity of distributed enforcement, there is also a clear need for organizations to have a unified policy layer as part of a modern firewall architecture.

In the New Normal

The firewall will continue to be a core enforcement point in the network - a way of allowing or blocking flows going from point A to point B - and physical and virtual firewall appliances will continue to live on the edge of hybrid data centers. Many organizations will continue to have a network demarcation point, and the expanded feature set inside a firewall, in cooperation with endpoint security components, is very relevant for that particular point of insertion. Inside cloud-native environments, where applications talk to other applications, workload agents and service meshes will create an insertion point for API security capabilities that extend the reach of the traditional firewall.

The new normal for the firewall isn't about abandoning hardware or the firewall itself, but rather about offering the right capabilities, which can be inserted in the right place to enable visibility and control.

About the Author

Andrew Ossipov

Engineer with Cisco Security Business Group

Andrew Ossipov, CCIE No. 18483 and CISSP No. 344324, is a Distinguished Engineer with Cisco Security Business Group. As an executive-level technical member of the leadership team, he serves in the role of a CTO for the Network and Workload Security product management organization. Andrew owns the technical vision and architecture of Cisco's $1B+ security portfolio, including Secure Firewall ASA and Threat Defense software, multi-service appliances, Secure Workload platform, and their application to cloud native and public cloud environments. Andrew is a well-recognized trusted technical advisor to the largest Cisco Security customers and partners at all levels.
