One of the buzzwords that became quite popular during the last few years is “next-generation firewall”. Some startup vendors position themselves in that market segment and established firewall vendors are trying to catch up. But when looking at what next generation firewalls are, I doubt that this term really applies, for two reasons:
One is the question of which role firewalls will play in the future. There is no doubt that we will need some sort of firewalls as part of a multi-layered security concept. However, the firewall as the leading security device at the perimeter isn’t the future. Decentralized firewalls are a logical consequence of the fact that there isn’t a single perimeter anymore. There are perimeters you can define around some network segments or devices, but not for the enterprise. So the role of firewalls is changing, and there most likely won’t be many more generations of classical firewalls; instead there will be firewall functionality as an integrated feature in other types of devices – and only one function among many. By the way: UTM (Unified Threat Management), which is frequently used to describe such devices, is inadequate as well, because they always tackle only some threats. But that’s another topic.
The second and more important reason: the most prominent features, like “enhancing the 5-tuple”, adding support for user identities, integration capabilities with other context information, and application awareness, are not what should describe a next-generation firewall. These features should have been there at least ten years ago. Something that merely adds overdue features is not a next-generation thing. I tend to call these last-generation firewalls because, measured against the target, they are not innovative at all. They are only innovative compared to ancient technology.
By the way: Enhancing the 5-tuple means that these firewalls have more complex policies, going beyond Source IP, Target IP, Source Port, Target Port, and Protocol. It’s about adding things like application, “user identity” (which commonly is only an Active Directory group or something like that – my understanding of a user identity is somewhat broader), and maybe other attributes.
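To make concrete what “enhancing the 5-tuple” changes in a policy, here is a small, constructed example (added here, not from the original post or any vendor product): a first-match rule evaluator that matches on the classic five fields, next to one whose rules additionally require an identified application and a directory group. The rule names, addresses, application label `crm-web` and group `sales` are all made-up sample values; where the application identity and user groups come from (an app-identification engine, a directory lookup) is assumed, not shown.

```python
"""Constructed example: a classic 5-tuple policy next to one that adds
application and user-group attributes. All names and addresses are made up."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt: the classic 5-tuple plus optional context."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    app: Optional[str] = None                  # assumed: from an app-identification engine
    user_groups: FrozenSet[str] = frozenset()  # assumed: from a directory lookup


@dataclass(frozen=True)
class Rule:
    """A policy rule; None in an optional field means 'any'."""
    name: str
    action: str                        # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    app: Optional[str] = None          # only used by "enhanced 5-tuple" rules
    user_group: Optional[str] = None   # only used by "enhanced 5-tuple" rules

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        # The two attributes beyond the classic 5-tuple:
        if self.app is not None and flow.app != self.app:
            return False
        if self.user_group is not None and self.user_group not in flow.user_groups:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation with an implicit final deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Classic rule: anything on tcp/443 from the client segment to the CRM host passes.
CLASSIC_RULES = [
    Rule("crm-https", "allow", src_net="10.1.0.0/16", dst_net="10.0.0.5/32",
         dst_port=443, proto="tcp"),
]

# Enhanced rule: same 5-tuple, but only for the expected application and group.
CONTEXT_RULES = [
    Rule("crm-https-sales", "allow", src_net="10.1.0.0/16", dst_net="10.0.0.5/32",
         dst_port=443, proto="tcp", app="crm-web", user_group="sales"),
]


def demo() -> dict:
    """Three constructed flows that look identical at the 5-tuple level."""
    expected = Flow("10.1.2.3", "10.0.0.5", 51000, 443, "tcp",
                    app="crm-web", user_groups=frozenset({"sales"}))
    other_app = Flow("10.1.2.3", "10.0.0.5", 51001, 443, "tcp",
                     app="file-sync", user_groups=frozenset({"sales"}))
    other_user = Flow("10.1.2.3", "10.0.0.5", 51002, 443, "tcp",
                      app="crm-web", user_groups=frozenset({"guests"}))
    flows = (expected, other_app, other_user)
    return {
        "classic": [evaluate(CLASSIC_RULES, f)[0] for f in flows],
        "context": [evaluate(CONTEXT_RULES, f)[0] for f in flows],
    }


if __name__ == "__main__":
    print(demo())
```

The classic policy allows all three flows, because at the 5-tuple level they are indistinguishable; the context-aware policy allows only the one carrying the expected application and group. Note that both policies are still static attribute matches: neither knows which business process the connection belongs to, which is the gap the post goes on to describe.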
Back to the topic: I remember having talked about that many years ago. My complaint against classical “1st generation firewalls” (by the way: was there that little innovation in the firewall market that there hasn’t been a second generation before the “next-generation firewalls”?) always has been that it is not about deciding whether a packet is allowed to pass or not but about deciding which packet in the context of which business process and which user is allowed to pass. Notably, even next-generation firewalls only think about applications and are process-agnostic.
So adding these features makes sense, given that firewalls are still an important element in security and will remain important, even while they most likely will become more distributed. But this is not about “next-generation”. It is about adding missing features, nothing else. And there are still a lot of things missing even in the next-generation firewalls: knowledge about business processes, integration with risk analytics (understanding the risks of a specific network communication and taking this into account when deciding), optimized and centralized management of hundreds, thousands, or tens of thousands of distributed systems, optimizing the rule sets (that’s where specialized vendors like Tufin come into play), hardware and software solutions to support the needs of distributed next-gen firewall environments, and many more.
So before jumping on technology which claims to be next-generation - and isn’t really - it is time to rethink the approaches on security you are following. And if the argument is that “the network security organization has neither the responsibility nor the authority for enforcing that or that or that” (which I found as a statement in a next-generation firewall report of another analyst company with respect to more advanced user-based access control policies) the answer is not that next-generation firewalls are so good because you wouldn’t be able to manage anything better. The answer is that you should rethink your information security strategy and organization so that you can deal with security the way you need. If the organization doesn’t fit your security needs, change the organization.
This topic shows once again that it is not mainly about technology. It is about understanding security risks, and it is about the security organization. Then you can decide about the tools you really need. And then you will easily be able to identify whether something is really next-generation for you, i.e. enabling you to reach the next level in security. It doesn’t help you if something is next-generation for the vendors, but far too late for your needs.