Some of the first steps in IT technology took place in the 1970s with the creation of the first personal home computer. Functionality and “what we could do with computing power” took centre stage, and the next few decades really got the ball rolling for IT technology. Throughout history we have seen a pattern where computing technology advances well ahead of security, and by the mid-90s threats began to emerge. To counter these threats, Check Point Technologies released the stateful inspection firewall.
That’s not to say it was the only security platform available. The primary competition at the time came from router-embedded packet filters and proxies. Although proxies offered good security, they faced limitations too severe for the business to trust them – simply put, they offered “good security with negative business implications”, which lost to competition offering “pretty good security with limited business impacts”. This paved the way for the advances in firewall technology that have made the firewall a household name within the security industry.
The Value of Management
The reason many championed stateful inspection firewalls in the 90s was their ease of management at a time when technology was changing and evolving rapidly. Ethernet had become an option; connecting to the internet was not assumed but discussed; and dial-up was still prominent, with AOL dominating that sector. Network technology was moving fast.
Therefore, the manageability of a firewall could not be overlooked as a key market driver for the eventual winner in this market. User experience and usability were key components then and still are today, and the three layers that mattered to customers became security, performance and usability. At the time, the Check Point GUI dominated overall, and the reason for its supremacy came down to some key management capabilities.
The graphical rule editor meant it was no longer necessary to know CLI syntax to create a rule; instead, a few clicks of the mouse created the change. What was revolutionary about this was that it offered multiple objects per column, which made each rule more powerful and allowed existing rules to be edited instead of new ones having to be created. Before this, access control lists supported only a single source, a single destination and a single service in their respective columns. Many of the policy editor's features were built on another advancement: the central object repository.
With a central object repository, when a host changed its IP address only the object needed to be updated; the policy automatically reflected the change because it held a reference to the stored object rather than the address itself. Additionally, it was now possible to create groups of these objects so that common sets of objects could be reused throughout the policy. This was a significant step forward for more effective policy management.
Despite these manageability functions, firewalls were far from perfect and had their fair share of obstacles to overcome. Blocking the wrong traffic was an extremely common problem, especially when a firewall was placed between two networks that had not previously been segmented, which was the case for almost every new firewall deployed in the 90s. With central logging of all firewall events, diagnosing policy errors became simpler: an issue could be reported with the source IP and an administrator could locate the fault. Because users commonly misreported faults, easy troubleshooting became a key addition to modern firewall platforms.
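The following toy policy engine is added here as an illustration; it is not code from the article or from any vendor's product. It shows what the object repository and multi-object columns described above buy an administrator: rules reference object names, a group expands to its members, re-addressing one host changes the policy outcome without touching a rule, and acl_lines counts how many single-entry ACL lines one rule replaces. All object names, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Repository:
    """Central object repository: rules reference names, never literal addresses."""
    hosts: dict[str, str] = field(default_factory=dict)         # object name -> IP
    groups: dict[str, list[str]] = field(default_factory=dict)  # group name -> members
    services: dict[str, int] = field(default_factory=dict)      # service name -> TCP port

    def resolve(self, name: str) -> set[str]:
        """Expand a host or (possibly nested) group name into the IPs it covers."""
        if name in self.hosts:
            return {self.hosts[name]}
        return set().union(*(self.resolve(m) for m in self.groups[name]))

@dataclass
class Rule:
    sources: list[str]       # several objects per column; "any" is a wildcard
    destinations: list[str]
    services: list[str]
    action: str              # "accept" or "drop"

def covers(repo: Repository, column: list[str], ip: str) -> bool:
    """True if any object in the column is 'any' or resolves to this IP."""
    return any(n == "any" or ip in repo.resolve(n) for n in column)

def first_match(repo: Repository, rules: list[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation: the first rule covering the flow decides; otherwise drop."""
    for r in rules:
        if (covers(repo, r.sources, src) and covers(repo, r.destinations, dst)
                and any(s == "any" or repo.services[s] == port for s in r.services)):
            return r.action
    return "drop"

def acl_lines(repo: Repository, rule: Rule) -> int:
    """How many single-source/destination/service ACL entries this one rule replaces."""
    width = lambda col: sum(1 if n == "any" else len(repo.resolve(n)) for n in col)
    return width(rule.sources) * width(rule.destinations) * len(rule.services)

# Constructed sample objects and policy (not from any real deployment).
repo = Repository(hosts={"web1": "10.0.1.10", "web2": "10.0.1.11", "admin_pc": "10.0.9.5"},
                  groups={"web_servers": ["web1", "web2"]},
                  services={"http": 80, "https": 443, "ssh": 22})
policy = [Rule(["admin_pc"], ["web_servers"], ["ssh"], "accept"),
          Rule(["any"], ["web_servers"], ["http", "https"], "accept")]
if __name__ == "__main__":
    print(first_match(repo, policy, "198.51.100.7", "10.0.1.11", 443))  # accept
    repo.hosts["web2"] = "10.0.1.12"  # re-address the host: only the object changes
    print(first_match(repo, policy, "198.51.100.7", "10.0.1.11", 443))  # drop
    print(first_match(repo, policy, "198.51.100.7", "10.0.1.12", 443))  # accept
    print(acl_lines(repo, policy[1]))  # 4: 1 source x 2 hosts x 2 services
```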
A new dawn
The turn of the century saw a new approach to firewall implementation. With increased Internet speeds and wider firewall adoption within enterprises, overall performance was now the driving force behind firewall purchases. This paved the way for Netscreen and its purpose-built firewall “appliance”.
The Netscreen firewall appliance became the preferred choice for many because of its faster inspection rate, which delivered lower latency and higher throughput at a lower cost. With performance now high on the list of requirements, Netscreen had a significant advantage over its competitors thanks to its ease of use, despite not offering a central management platform in its early stages.
Performance and management became the focal selling points during the mid-2000s, and all firewall vendors thrived as security moved into the mainstream. A string of high-profile attacks revolutionised the way security was perceived: it was no longer seen as a separate entity but was incorporated within the business model. In fact, approximately 70% of organisations spent between 10% and 50% of their entire security budget on firewalls.
Firewalls acted as a first line of defence for organisations, limiting risk to only the access defined. Because of their stand-alone functionality, a security engineer could deploy a firewall without needing external hardware or operating system support to manage the system. The firewall was at the forefront of security technology and became one of the most commercially successful security products on the market. But it wasn’t going to stop there. The “traditional” stateful inspection firewall was the industry standard for over a decade. However, as time progressed, so did hardware and software performance across vendors and their firewalls; the strategy changed, and a race began to see which vendors could push the boundaries beyond the traditional firewall.
Next Gen Firewall
By 2010, the firewall had once again evolved, thanks largely to Palo Alto Networks, which introduced the “next-generation firewall”. The following capabilities had not been seen before on the market and gained significant traction:
- Application-aware packet filtering - ability to define policies and control traffic based on layer-7 application identity regardless of port and protocol
- User-based access control regardless of IP address, location or device (through integration with user authentication platforms such as Active Directory)
- Integrated IPS filtering using the same full-stack application awareness
- Ability to accomplish all of the above at performance levels similar to a traditional stateful inspection firewall, using single-pass analysis
Palo Alto Networks positioned its new technology, which could identify and filter applications such as Facebook at the network perimeter to control outbound user behaviour, as an essential security addition to existing systems. It then expanded its footprint before integrating IPS with the next-generation firewall, which had become the industry standard. This strategy allowed Palo Alto Networks to take a considerable amount of market share, leaving competitors to play catch-up.
The cat-and-mouse game between vendors escalated firewall development from a packet filter with limited functionality to a robust suite of security functions that has become indispensable to the IT security industry. That is not to say the evolution of the firewall is complete. As networks evolve, the firewall will have to adapt. With the introduction of cloud and SDN environments, the role of the firewall is expanding, adding extra layers of complexity. This has become the number one concern for today’s organisations, which are now investing further in security management to monitor these faster, more diverse environments. Nevertheless, the firewall is not going anywhere any time soon and will remain critical to organisations and society for years to come.
Jody Brazil, Co-Founder & Chief Product Strategist, FireMon