In my research on Adaptive Security Infrastructure and Context Aware Security, I have concluded that future information security policy enforcement points must move security policy enforcement “up the stack”. As we move to virtualize our data centers and adopt cloud-based computing platforms, security policy can no longer be bound solely to physical attributes such as IP address or device.
Firewalls are evolving to become adaptive and adding context awareness beyond their traditional dependency on physical attributes (whitelisting of IP addresses, and port/protocol combinations) and adding application, identity and, in some cases, content awareness. This requires deeper inspection of the incoming network traffic stream to map these to logical identities, applications and understand the content they carry.
So far so good.
At some point, shouldn’t we stop calling them “firewalls”? The term “next-generation firewall” is better, but that’s kind of like calling an automobile a “ a next-generation (or horseless) carriage” – defining something new in terms rooted in the past. At some point, people understood that automobiles were something quite different and warranted a new word to describe them.
Lacking a better word, the term firewall is being applied to anything that implements security policy at any layer. For example, Web Application Firewalls, Application firewalls, XML firewalls, Database firewalls, SOA firewalls, Memory Firewalls (remember Determina?) and so on. I’m not sure that adds clarity either except the word firewall becomes shorthand for pretty much anything that implements a security policy.
At some point, aren’t the capabilities of emerging context-aware and adaptive security policy enforcement points different enough that we use another term that more accurately describes what they are?
Category: Next-generation Security Infrastructure Virtualization Security Tags: Adaptive Security Infrastucture, Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security