There’s no denying the fact that firewalls are a necessary part of modern perimeter security. NAT isn’t a security construct. Attackers with access to so many DDoS networks have the equivalent of a megaton nuclear arsenal. Security admins have to do everything they can to prevent these problems from happening. But one look at the firewall market tells you something is terribly wrong.
Who’s Protecting First?
Take a look at this recent magic polygon from everyone’s favorite analyst firm:

FW Magic Polygon. Thanks to @EtherealMind.
I won’t deny that Check Point is on top. That’s mostly due to the fact that they have the biggest install base in enterprises. But I disagree with the rest of this mystical tesseract. How is Palo Alto a leader in the firewall market? I thought their devices were mostly designed around mitigating internal threats? And how is everyone not named Check Point, Cisco, Palo Alto, or Fortinet relegated to the Niche Players corral?
The issue comes down to purpose. Most firewalls today aren’t just packet filters. They aren’t designed solely to keep the bad guys out of your networks. They are unified threat management (UTM) systems. That’s a fancy way of saying they have a whole bunch of software built on top of the packet filter to inspect outbound and internal connections as well.
Insider threats are a huge security issue. People on the inside of your network have access. They sometimes have motive. And their power goes largely unchecked. They do need to be monitored by something, whether it be an IDS/IPS system or a data loss prevention (DLP) system that keeps sensitive data from leaking out. But how did all of those devices get lumped together?
Deploying security monitoring tools is as much art as it is science. IPS sensors can be placed in strategic points of your network to monitor traffic flows and take action on them. If you build it correctly you can secure a huge enterprise with relatively few systems.
But more is better, right? If three IPS units make you secure, six would make you twice as secure, right? No. What you end up with is twice as many notifications, many of them the same event reported by more than one sensor. Those start getting ignored quickly. That means the real problems slip through the cracks because no one pays attention any more. So rather than deploying multiple smaller units throughout the network, the new mantra is to put an IPS in the firewall at the front of the whole network.
The firewall is the best place for those sensors, right? All the traffic in the network goes through there after all. Well, except for the user-to-server traffic. Or traffic that is internally routed without traversing the Internet firewall. Crafty insiders can wreak havoc without ever touching an edge IPS sensor.
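To make those two points concrete (internal flows that never cross the edge sensor, and overlapping sensors that report the same flow more than once), here is an added Python model. It is not part of the original post; the segments, sensor placements and flow records are constructed for the example. It assumes a sensor sees exactly the flows whose endpoints sit on opposite sides of it, and that every flow trips one signature per sensor it crosses, so the numbers are a coverage and duplication check, not a measurement of any real product.

```python
import ipaddress
from collections import Counter

# Constructed topology (an assumption for this example, not from the post):
# three internal segments; any other address is treated as "internet".
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# A sensor is modelled as the list of segment pairs it sits between.
# A flow passes a sensor only if its two endpoints are in one of those pairs.
EDGE_ONLY = {
    "edge-ips": [("users", "internet"), ("servers", "internet"), ("dmz", "internet")],
}
EDGE_PLUS_DC = {
    **EDGE_ONLY,
    "dc-ips": [("users", "servers"), ("dmz", "servers")],
}
# "Twice as many sensors": a second sensor on every boundary already covered.
DOUBLED = {name + "-b": pairs for name, pairs in EDGE_PLUS_DC.items()}
DOUBLED.update(EDGE_PLUS_DC)

# Constructed flow records: (src, dst, proto, dport).
FLOWS = [
    ("10.10.5.5", "203.0.113.7", "tcp", 443),   # user -> Internet
    ("10.10.5.5", "10.20.1.10", "tcp", 445),    # user -> internal file server
    ("10.20.1.10", "10.20.1.11", "tcp", 3389),  # server -> server, same segment
    ("198.51.100.9", "192.0.2.10", "tcp", 80),  # Internet -> DMZ web server
    ("192.0.2.10", "10.20.1.10", "tcp", 1433),  # DMZ -> database in server segment
]


def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def sensors_on_path(flow, sensors):
    """Names of the sensors a flow crosses under the placement model above."""
    ends = frozenset((segment_of(flow[0]), segment_of(flow[1])))
    return [name for name, pairs in sensors.items()
            if any(frozenset(pair) == ends for pair in pairs)]


def coverage(flows, sensors):
    """Report which flows no sensor ever sees and how many events each sensor
    raises when every flow trips one signature per sensor it crosses."""
    uninspected = []
    alerts = Counter()
    for flow in flows:
        seen = sensors_on_path(flow, sensors)
        if not seen:
            uninspected.append(flow)
        for name in seen:
            alerts[name] += 1
    inspected = len(flows) - len(uninspected)
    total = sum(alerts.values())
    return {
        "uninspected": uninspected,
        "alerts": dict(alerts),
        "inspected_flows": inspected,
        "total_alerts": total,
        # anything beyond one event per inspected flow is pure duplication
        "duplicate_alerts": total - inspected,
    }


if __name__ == "__main__":
    for label, placement in (("edge only", EDGE_ONLY),
                             ("edge + data center", EDGE_PLUS_DC),
                             ("doubled", DOUBLED)):
        r = coverage(FLOWS, placement)
        print(f"{label}: {r['inspected_flows']}/{len(FLOWS)} flows inspected, "
              f"{r['total_alerts']} events, {r['duplicate_alerts']} duplicates")
        for f in r["uninspected"]:
            print("  never inspected:", f)
```

With the edge-only placement the user-to-server SMB flow, the server-to-server RDP flow and the DMZ-to-database flow are never inspected; adding a data center sensor closes all but the intra-segment flow, while doubling every sensor adds no coverage and doubles the event count. Replacing FLOWS with a NetFlow or firewall log export gives the same two numbers for a real network: the flows the edge box can never see, and the lower bound on events a correlation rule has to collapse.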
And that doesn’t even begin to describe the processing burden placed on the edge device by loading it down with more and more CPU-intensive software. Consider the following conversation:
Me: What is the throughput on your firewall?
Them: It’s 1 Gbps!
Me: What’s the throughput with all the features turned on?
Them: Much less than 1 Gbps…
When a selling point of your UTM firewall is that the numbers are “real”, you’ve got a real problem.
What’s Protecting Second?
There’s an answer out there to fix this issue: disaggregation. We now have the capability to break out the various parts of a UTM device and run them all as virtual software constructs thanks to Network Function Virtualization (NFV). Each function can then be scaled on its own instead of competing for one appliance’s CPU. Add in the ability to use SDN service chaining to steer each flow through only the functions it actually needs and you have a perfect solution. For almost everyone.
Who’s not going to like it? The big UTM vendors. The people that love selling oversize boxes to customers to meet throughput goals. Vendors that emphasize that their solution is the best because there’s one dashboard to see every alert and issue, even if those alerts don’t have anything to do with each other.
UTM firewalls that can reliably scan traffic at 1 Gbps with every feature enabled are rare. Firewalls that can scan 10 Gbps traffic streams are practically non-existent. And what is out there costs a not-so-small fortune. And if you want to protect your data center you’re going to need a few of them. That’s a mighty big check to write.
Tom’s Take
There’s a reason why we call it Network Function Virtualization. The days of cramming every feature you can think of onto a single piece of hardware are over. We don’t need complicated all-in-one boxes that have insanely large CPUs. We have software constructs that can take care of all of that now.
While the engineers will like this brave new world, there are those that won’t. Vendors of the single box solutions will still tell you that their solution runs better. Analyst firms with a significant interest in the status quo will tell you NFV solutions are too far out or don’t address all the necessary features. It’s up to you to sort out the smoke from the flame.
I’m actually seeing more and more conversations around “zero trust” networking, as well as microsegmentation in the data center. These designs cause more than just the internet perimeter traffic to be forced to flow through a firewall; either big iron protects the data center (you know, where the important stuff lives), and/or a firewall is incorporated into an overlay technology such as VMWare NSX.
Also, your thoughts on Palo Alto are partially accurate/a bit dated. While PANW did start out as an outbound firewalling play, keeping users from utilizing bad applications, they have grown significantly into the data center space, identifying and protecting traffic such as MSAD, SQL, SMB, etc.
Finally, I think the UTM idea is still well embraced by the market. If it wasn’t, why would a company like Cisco go and buy SourceFire, to integrate FirePOWER technologies into its ASA line? As companies continue to tighten their belts when it comes to IT staffing levels, simplicity of management sometimes outweighs the security posture a multi-platform solution could provide.
I feel this could be the start of a lively discussion (over bourbon) in San Diego in June…
Just a question around the sprinkling of security solutions all over the DC. What will happen to these fancy security solutions when the likes of HTTP2 and QUIC with encryption starts rolling out big time. Won’t they essentially go blind and become something you put in a museum?
However, I’m a bit sceptical of the whole idea of virtualizing network services. Wouldn’t it be better to use container technologies (i.e. lxc and docker) than to pay the hypervisor tax on these IO-heavy workloads?