A recent issue of Network Computing magazine featured an excellent set of firewall reviews. I thought Greg Shipley's Analyzing the Threat-Management Market cover piece to be very insightful. Here are a few excerpts:
"Our testing uncovered overhyped features, signs of innovation, emerging challenges and useful new capabilities. But what struck us most was what isn't being said -- that market demands are shifting the ground under legacy firewall vendors, and some will have a hard time holding on. Network access control is no longer a perimeter-only game, and the need for protection mechanisms is deeper than the address-and-service restrictions we're used to. More important, network security is no longer viewed as a product to be tacked on, but rather a core requirement. This is a fundamental shift in thinking."
Security as a "core requirement" is great news. It's only taken a decade of constant Internet attack to get vendors to understand this point, but at least we're getting there now.
"We know enterprises building a cohesive network-protection strategy need these questions answered: Will next-generation routers and switches come bundled with application-level policy enforcement? Will silicon-based network-access-control devices finally overtake their PC-based rivals? Will today's NIPS (network intrusion-prevention systems) become tomorrow's firewalls, or vice versa? Will network infrastructure heavyweights like Cisco Systems and Juniper Networks finally put the squeeze on companies like Check Point Software Technologies and Internet Security Systems?"
Here are my answers. Yes, yes, NIPS and "firewalls" will be the same device, and Cisco and Juniper will buy their competition.
"There's been much talk about the demise of NIDS (network-based intrusion-detection system) technology. The thinking goes that IDS will perish in favor of the seemingly more proactive IPS. This misses the bigger point: So-called network intrusion prevention is another policy-enforcement capability that's closer in purpose to today's firewalls than it is to detection and monitoring efforts... the enterprise market won't continue to see NIPSs and firewalls as different technology areas, with good reason. Shouldn't our firewalls protect us from the network-based attacks that NIPS claims to deflect? Why buy and maintain two devices for essentially the same task?
NIPS is a feature, not a product; it's just taking the industry some time to figure this out. Assuming we're right, does that convergence end with NIPS and conventional firewalls? Or do advanced network access control and pattern recognition eventually make their way into conventional routers and switches? We think it's inevitable."
Wow, I'm not sure how much of this clear thinking I can take in one day. Richard Clarke's comments were enough, but I surely appreciate Greg Shipley's insights. If you read Cisco IOS Router Firewall Security, you'll see that your Cisco router can already perform classic firewall and now so-called "NIPS" functions. If you consider ACLs a firewalling function, they've been in IOS since 1993, and more advanced features like dynamic ACLs (aka lock-and-key) have been around since IOS 11.1.
The difference between the features of a router and an appliance like TippingPoint is power and number of signatures. Cisco is already building new products that compete with the pure-play NIPS vendors -- check out their Cisco ASA 5500 Series Adaptive Security Appliances. It's only a matter of time before all access control and packet passing at the edge is done on a single box.
In fact, you can visit the IPolicy Networks site to learn about their Intrusion Prevention Firewall. This is ridiculous but it shows where the vendors are heading. If you want to read Gartner's take on this, iPolicy is hosting a recent Magic Quadrant for Network Firewalls (.pdf) report.