John Pescatore

A member of the Gartner Blog Network

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Back to the Future: The Next Generation Firewall

by John Pescatore  |  September 30, 2009  |  8 Comments

Back in the mid-1990s I worked at Trusted Information Systems in the early days of the firewall industry. TIS Gauntlet, like most of the first commercial firewall products, was proxy-based: it broke the connection from the outside world to the internal trusted network and used protocol-specific proxies to provide very thorough inspection of the traffic passing between the two.

Back then, Checkpoint came along with a simpler approach (stateful protocol inspection), a much better GUI and a very smart technology partnership program (OPSEC), and essentially killed the proxy firewall vendors. One key thing: back then, the types of attacks were pretty much just as effectively stopped by stateful firewalls as by proxy firewalls.

Flash forward to recent years and it is a different story. One protocol, HTTP, carries the bulk of the attack traffic because so many applications (both legitimate and malicious) tunnel over HTTP. Just verifying protocol state doesn't stop vulnerability-seeking or malware-based attacks. This led stateful firewall vendors to add some proxy-like capability, but it really led to the rapid growth of the intrusion prevention market: do deep packet inspection of the traffic the firewall allows through in order to detect inbound attacks. When done right, it worked pretty well, but as usual the world keeps changing.

The most recent problem is the proliferation of HTTP-based applications that the good guys (or the business side of organizations, anyway) want to use, not just the bad guys. This includes consumer-grade applications like Skype or GoToMyPC and various web conferencing services, but also web services and all kinds of enterprise applications that tunnel over HTTP. The firewall says "nice HTTP usage," the IPS says "no attacks looking to exploit missing patches," and bot clients come flying in and sensitive business data goes flying out.
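The gap described in the two paragraphs above is easiest to see side by side: a port-and-state rule admits anything aimed at port 80 or 443, while a firewall that identifies the application from the first client payload can permit the web conferencing service the business asked for and still refuse an HTTP tunnel, a non-HTTP protocol riding on a web port, or a POST to a bare IP address. The block below is an added illustration written for this page, not Gartner's research or any vendor's product code. The five flows are constructed byte strings standing in for the first packet of a TCP connection, the host-suffix signature table and the per-application policy are assumptions, and the "IP literal host" and "CONNECT to an unknown host" rules are placeholder heuristics chosen to make the contrast visible, not a claim about how any real NGFW classifies traffic.

```python
"""Port/state-based rule versus application-aware rule on constructed flows.

Added example, not from the original post or any firewall vendor. All
payloads are constructed; signatures, policy and heuristics are assumptions.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed first-packet payloads for five TCP connections: (id, dst port, bytes).
FLOWS = [
    ("browser", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("webconf", 443,                      # the service the business wants allowed
     b"CONNECT meet.example-conf.net:443 HTTP/1.1\r\n"
     b"Host: meet.example-conf.net:443\r\n\r\n"),
    ("checkin", 80,                       # well-formed HTTP, but to a bare IP address
     b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
     b"User-Agent: Mozilla/4.0\r\nContent-Length: 9\r\n\r\nid=abc123"),
    ("tunnel", 80,                        # TLS-like bytes on port 80: not HTTP at all
     b"\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01" + b"\x00" * 32),
    ("ssh", 22, b"SSH-2.0-OpenSSH_7.9\r\n"),
]

WEB_PORTS = {80, 443}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
IP_LITERAL = re.compile(rb"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

# Assumed application signatures: Host suffix -> application name.
KNOWN_HOSTS = {b"example-conf.net": "web-conferencing"}

# Assumed per-application policy; anything not listed is denied.
APP_POLICY = {
    "web-browsing": True,
    "web-conferencing": True,
    "http-connect-tunnel": False,
    "http-to-ip-literal": False,
    "unknown-tcp-on-web-port": False,
    "ssh": False,
}


def port_policy(port: int) -> bool:
    """Stateful/port-based rule: permit any connection to a web port."""
    return port in WEB_PORTS


def parse_http(payload: bytes) -> Optional[Tuple[str, bytes, Dict[bytes, bytes]]]:
    """Return (method, target, headers) if the payload starts an HTTP request, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), m.group(2), headers


def identify_app(port: int, payload: bytes) -> str:
    """Application identification from the first client payload (assumed rules)."""
    req = parse_http(payload)
    if req is None:
        if port in WEB_PORTS:
            return "unknown-tcp-on-web-port"     # something non-HTTP riding on 80/443
        return "ssh" if payload.startswith(b"SSH-") else "unknown-tcp"
    method, _target, headers = req
    host = headers.get(b"host", b"")
    for suffix, app in KNOWN_HOSTS.items():       # signature match beats the generic rules
        if host.split(b":")[0].endswith(suffix):
            return app
    if method == "CONNECT":
        return "http-connect-tunnel"
    if IP_LITERAL.match(host):
        return "http-to-ip-literal"
    return "web-browsing"


def app_policy(app: str) -> bool:
    return APP_POLICY.get(app, False)


def evaluate(flows=FLOWS) -> Dict[str, Tuple[bool, str, bool]]:
    """Per flow: (port-rule verdict, identified application, app-rule verdict)."""
    out: Dict[str, Tuple[bool, str, bool]] = {}
    for fid, port, payload in flows:
        app = identify_app(port, payload)
        out[fid] = (port_policy(port), app, app_policy(app))
    return out


if __name__ == "__main__":
    for fid, (by_port, app, by_app) in evaluate().items():
        print(f"{fid:8} port-rule={'allow' if by_port else 'deny':5} "
              f"app={app:24} app-rule={'allow' if by_app else 'deny'}")
```

Run as a script it prints one verdict line per flow: the port rule allows four of the five (everything on 80 or 443), while the application rule allows only the browser and the conferencing service. The point is the decision key, not these particular heuristics: once policy is expressed per application instead of per port, the Skype-style case can be allowed explicitly rather than by letting all of port 443 through.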

At Gartner we've long talked about the need for the "Next Generation Firewall" to deal with the new threats and the new business/IT demands. Greg Young and I are in the final stages of a note on "Defining the Next Generation Firewall" which should be available to Gartner clients next week. Today Greg opines about UTM, which isn't NGFW; we go through the differences in the research note coming out.

There is a bit of deja vu all over again – back at TIS in 1995, I thought by now firewalls would have proxies for every application and Moore’s law would have enabled firewalls to do deeper and broader inspection at wire speeds across all of them. As usual, what should happen always takes a back seat to what can happen, which is then further limited by what actually will happen.


8 responses so far

  • 1 Tweets that mention Back to the Future: The Next Generation Firewall -- Topsy.com   October 1, 2009 at 2:46 pm

    [...] This post was mentioned on Twitter by Greg Young and Jim St. Leger. Jim St. Leger said: RT @Gartnergreg: "Back to the Future: The Next Generation Firewall" Gartner Blog post http://bit.ly/16rWMi HTTP, CheckPoint, UTM, OPSEC NGFW [...]

  • 2 Stiennon   October 3, 2009 at 7:23 pm

    While you are reviewing history take a look at your Research Note on security platforms. An important document!

  • 3 Chris   November 12, 2009 at 10:52 am

    I am wondering. Why now is this a big "Gartner says" deal?

    This is not new technology, it's been around for 2 years, and not just by Palo Alto. So why has Gartner suddenly grabbed on to this?

    From what I can tell, the other offerings I have read actually look MUCH better than the one offered by Palo Alto, so why them? ($)

  • 4 John Pescatore   November 12, 2009 at 11:03 am

    Palo Alto is just one example of NGFW – we specifically didn’t mention any single vendor in the Gartner Research note on NGFW because several have the capabilities. Same thing in the blog post – we didn’t single out Palo Alto here for the same reason – there are others to choose from.

    The reason we came out with the NGFW Research Note now is that it is really part of a lot of Research Notes we’ve been doing on dealing with new threats and the new challenges of the “consumerization of IT” – like I said in the blog post, way more Gartner clients being forced to allow Skype and the like and needing a way to enforce policy vs. just play port-blocking Whack-a-mole.

    Agree the technology has been around for 2 years, actually more – we had nominated Palo Alto as a “Cool Vendor” in early 2008, based on looking at things that were out there in 2H07.

  • 5 Marko   November 15, 2009 at 6:20 pm

    John, can you tell me if Palo Alto is not the only one doing this, why are they the only ones pushing it? From what I can tell, the term NGFW is something they have been harping on since 2007, and only recently the likes of McAfee and others have started to incorporate it into their literature. Who else is out there?

    Thanks,

  • 6 John Pescatore   November 16, 2009 at 8:48 am

    Long history here – Gartner has been using the term “Next Generation Firewall” since 2003 – we first defined both in the firewall magic quadrant that year and in a note called “Intrusion Detection Should Be a Function, Not a Product.” We have been consistently saying firewalls need to evolve to protect against new threats vs. think businesses were going to continue daisy chaining new boxes next to their firewalls.

    We differentiate UTM from NGFW – NGFW is the evolution of the enterprise firewall market, where UTM is aimed at SMB/branch office.

    Every firewall vendor back then and since then *hated* the term NGFW, because they all wanted to make up new names, like UTM. (Actually, some hated it early on because Checkpoint had called an update to its firewall line FW-1 NG.) Or, they really did want to keep revenue up by selling IPS and firewalls separately. There was also a feeling that you couldn’t dislodge Cisco/Checkpoint/Juniper if you were selling a firewall – and Wall Street firms didn’t want to hear about something as boring as selling a “firewall.”

    When Palo Alto first came along, even it didn’t want to be called a firewall but a couple of years ago they realized they were seeing what we had predicted in 2003 – there was an opportunity to dislodge firewall vendors with a NGFW that dealt with new threats effectively and old threats efficiently. That’s why they have jumped on the term.

    The key is not using the term, the key is delivering the functionality. I think the firewall market is at a similar point to around 2001, when Checkpoint and Cisco were dominant and Wall Street and many IT trade rags were declaring the firewall market over. Then a little company called Netscreen did things a bit better and captured a lot of market share while the big guys milked their installed base.

  • 7 The Future of the Firewall – Hint: The Perimeter Hasn’t and Isn’t Going Away, But It Has Moved   April 30, 2010 at 8:18 am

    [...] blogged here about what since 2003 Gartner has been calling the Next Generation Firewall, and then Greg Young and I published a Gartner research note “Defining the Next Generation [...]

  • 8 Palo Alto – Next Generation Firewalls | ipExpert   May 21, 2010 at 5:11 pm

    [...] Palo Alto firewall is not a UTM. Gartner calls a device of this design a ‘Next Generation Firewall’. Although it operates as a [...]
