Channel: Security Boulevard
RSA Conference 2012 Guide: Network Security

Yesterday, we posted our views on the key themes that you’ll see at the upcoming RSA Conference. Now we’ll start digging into our main coverage areas. Today, we’ll start with network security.

Firewalls are (still) dead! Long live the Perimeter Security Gateway!

Shockingly enough, similar to the past three years at RSAC, you’ll hear a lot about next generation firewalls (NGFW). And you should, as ports and protocol-based firewall rules will soon go the way of the dodo bird. If by soon, we mean 5+ years anyway, but corporate inertia remains a hard game to predict. The reality is you need to start moving towards a deeper inspection of both ingress and egress traffic through your network, and the NGFW is the way to do that.

The good news is that every (and we mean EVERY) vendor in the network security space will be showing a NGFW at the show. Some are less NG than a bolted-on IPS to do the application layer inspection, but at the end of the day they can all claim to meet the NGFW market requirements, as defined by the name-brand analysts anyway. Which basically means these devices are less firewalls and more perimeter security gateways. That means you’ll see two general positioning perspectives from the vendors in the space:

  1. Firewall-centric vendors: These folks will be pulling a full-frontal assault on the IPS business. They’ll talk about how there is no reason to have a stand-alone IPS anymore and that the NGFW does everything the IPS does and more. The real question for you is whether you are ready for the forklift that moving to a consolidated perimeter security platform entails.
  2. IPS vendors: IPS vendors have to protect their existing revenue streams, so they will be talking about how the NGFW is the ultimate goal, but it’s more about how you get there. They’ll be talking about migration and co-existence and all of those other good things that make customers feel good about dropping a million bucks on an IPS 18 months ago.

But to be clear, no one will be talking about how the IPS or yesterday’s ports/protocols firewall remain the cornerstone of the perimeter security strategy. That sacred cow is slain, so now it’s more about how you get there. Which means you’ll be hearing a different tune from many of the UTM vendors. Those same brand-name analysts always dictated that UTM only met small company needs and didn’t have a place in an enterprise network. Of course, that wasn’t exactly true, but the UTM vendors have stopped fighting it.

Now they just magically call their UTM a NGFW. It actually makes sense (from their perspective) as they realized an application-aware FW is just a traditional firewall with an IPS bolted on for application classification. Is that a “NGFW?” No, because it still translates firewall blocking rules using ports and protocols (as opposed to applications), but it’s not like RSA attendees (or most mid-market customers) are going to really know the difference.

Control (or lack thereof)

Another point of hyperbole that you’ll hear at the conference is about control. This actually plays into a deep-seated desire on the part of all security professionals, who don’t really control much of anything on a daily basis. So you want to buy devices that provide control over your environment. But in reality, this is just a different way of pushing you towards the NGFW, to gain “control” over the applications your dimwit end users run.

The reality is control tends to put the cart ahead of the horse. The greatest impact of the NGFW to you is not in setting application-aware policies. Not at first. The first huge value of a NGFW to you is gaining visibility over what is going on in your environment. Basically, you probably have no idea what apps are being used by whom and when. The NGFW will show you that and then (only then) are you in a position to start trying to control your environment through application-centric policies.

When you are checking out the show floor, keep in mind the process of embracing application-awareness on your perimeter is about more than just controlling the traffic. It all starts with figuring out what is really happening on your network.

Network-based Malware Detection gains momentum

Traditional endpoint AV doesn’t work. That public service message brought to you by your friend Captain Obvious. The reality is that even though black-lists and signatures don’t work anymore, there are certain indicators of malware that can be tracked. But that requires you to actually execute the malware to see what it does. Basically it’s a sandbox. It’s not really efficient to put a sandbox on every endpoint (though the endpoint protection vendors will try), so this capability is moving to the perimeter.

Thus a hot category you’ll see at the RSA show is “network-based malware detection” gear. These devices sit on the perimeter and watch all the files passing through and figure out which of them look bad and either alert or block. They also track command and control traffic on the egress link to see which of the devices have already been compromised and allow your incident response process to kick in. Like everything else, the devices aren’t a panacea to catch all malware entering your network, but you can get the low-hanging fruit before it makes its way onto your network.

There are two main approaches to NBMD, which are described ad nauseam in our recently published paper, so we won’t get into that here. But suffice it to say, we believe this technology is important and until it gets fully integrated into the perimeter security gateway, it’s a class of device you should be checking out while you are at the show.

Big Security flexes its Muscle

Another major theme related to network security we expect to see at the show is Big Security flexing their muscles. Given the need to have highly specialized chips to do application-aware traffic inspection, and the need to see a ton of traffic to do this network-based malware detection and reputation analysis, network security is no longer really a place for start-ups (and no, Palo Alto is no longer a start-up, per se). You’ll hear the big vendors make that point over and over and over and over at the show. It’s viability FUD, pure and simple. But they’ll be flinging it like toddlers that just learned to remove their diapers.

Consolidation has resulted in only a few players that truly focus only on network security, and most are smaller companies waiting to be acquired by a big security player. Again, this is the natural order of things. It’s not to say we won’t see innovation and we won’t see more start-ups doing very cool things to address issues with the big vendors, who don’t excel at innovation. We will, but this year we think the focus from the big vendors is going to be how they can meet all the needs for your network security.

- Mike Rothman


