In my research on Adaptive Security Infrastructure and Context Aware Security, I have concluded that future information security policy enforcement points must move security policy enforcement “up the stack”. As we move to virtualize our data centers and adopt cloud-based computing platforms, security policy can no longer be bound solely to physical attributes such as IP address or device.
Firewalls are evolving to become adaptive and context-aware, moving beyond their traditional dependency on physical attributes (whitelisting of IP addresses and port/protocol combinations) to add application, identity and, in some cases, content awareness. This requires deeper inspection of the incoming network traffic stream to map flows to logical identities and applications and to understand the content they carry.
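To make the difference between address-bound and context-aware policy concrete, here is a small added example (my own illustration, not code from the author or any product). It models a rulebase of each kind and runs three constructed flows through both: a workload talking to its database, the same workload after a migration to a new subnet, and an unrelated workload that later inherits the original IP address. The attribute names (`identity`, `application`, `content_labels`) and the service names are hypothetical labels standing in for what a deeper-inspection engine would derive.

```python
"""Toy comparison of address-bound vs. context-aware policy enforcement.

Constructed example: attribute names and the service identities below are
hypothetical, not a real product's schema or a real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection as seen by an enforcement point."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    # Logical attributes a context-aware enforcement point derives from
    # deeper inspection (hypothetical labels).
    identity: Optional[str] = None       # authenticated user or service
    application: Optional[str] = None    # e.g. "postgres", identified from traffic
    content_labels: frozenset = frozenset()  # e.g. {"pii"}


@dataclass(frozen=True)
class Rule:
    """A rule matches when every attribute it specifies matches the flow."""
    action: str  # "allow" or "deny"
    src_cidr: Optional[str] = None
    dst_cidr: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    identity: Optional[str] = None
    application: Optional[str] = None
    content_labels: frozenset = frozenset()  # rule matches if flow carries all of these

    def matches(self, flow: Flow) -> bool:
        if self.src_cidr and ip_address(flow.src_ip) not in ip_network(self.src_cidr):
            return False
        if self.dst_cidr and ip_address(flow.dst_ip) not in ip_network(self.dst_cidr):
            return False
        if self.dst_port is not None and flow.dst_port != self.dst_port:
            return False
        if self.protocol and flow.protocol != self.protocol:
            return False
        if self.identity and flow.identity != self.identity:
            return False
        if self.application and flow.application != self.application:
            return False
        if not self.content_labels <= flow.content_labels:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Traditional rulebase: permission is bound to where the workload happens to live.
ADDRESS_RULES = [
    Rule("allow", src_cidr="10.1.0.0/24", dst_cidr="10.2.0.10/32", dst_port=5432, protocol="tcp"),
]

# Context-aware rulebase: permission is bound to who is talking and what they do.
CONTEXT_RULES = [
    # Anything carrying PII to the database port from an unidentified caller is refused.
    Rule("deny", dst_port=5432, content_labels=frozenset({"pii"}), identity=None),
    Rule("allow", identity="svc-erp-web", application="postgres", dst_port=5432, protocol="tcp"),
]


def compare(flow: Flow) -> Dict[str, str]:
    """Decision from each rulebase for the same flow."""
    return {
        "address": evaluate(ADDRESS_RULES, flow),
        "context": evaluate(CONTEXT_RULES, flow),
    }


if __name__ == "__main__":
    before = Flow("10.1.0.5", "10.2.0.10", 5432, "tcp", identity="svc-erp-web", application="postgres")
    migrated = Flow("10.3.0.7", "10.2.0.10", 5432, "tcp", identity="svc-erp-web", application="postgres")
    recycled = Flow("10.1.0.5", "10.2.0.10", 5432, "tcp", identity="svc-build-agent", application="postgres")
    for name, f in [("before", before), ("migrated", migrated), ("recycled_ip", recycled)]:
        print(name, compare(f))
```

The migrated flow is the case the post argues about: the address-bound rule stops matching the moment the workload moves, so the operator either suffers an outage or widens the source range, while the identity-bound rule is unaffected. The recycled-address flow shows the mirror image: an unrelated workload that inherits the old IP silently inherits the old permission under address-bound policy, but gets nothing under context-aware policy because its identity is different. Note that the first context rule has `identity=None`, which in this toy engine means "no identity constraint", so it applies to any flow carrying a PII label on that port regardless of caller.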
So far so good.
At some point, shouldn’t we stop calling them “firewalls”? The term “next-generation firewall” is better, but that’s kind of like calling an automobile a “next-generation (or horseless) carriage” – defining something new in terms rooted in the past. At some point, people understood that automobiles were something quite different and warranted a new word to describe them.
Lacking a better word, the term firewall is being applied to anything that implements security policy at any layer: for example, Web Application Firewalls, Application firewalls, XML firewalls, Database firewalls, SOA firewalls, Memory Firewalls (remember Determina?) and so on. I’m not sure that adds clarity either, except that the word firewall becomes shorthand for pretty much anything that implements a security policy.
At some point, aren’t the capabilities of emerging context-aware and adaptive security policy enforcement points different enough that we should use another term that more accurately describes what they are?
Category: Next-generation Security Infrastructure, Virtualization Security
Tags: Adaptive Security Infrastructure, Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security

Neil MacDonald

1 response so far
1 Andrew Saucci May 21, 2010 at 10:05 pm
The term “firewall” was always a misnomer lifted from construction. In a real firewall, NOTHING is allowed to pass. You can’t even poke a hole in a firewall for a sensible thing such as a fire alarm wire or a sprinkler system pipe. The idea of using the term for something that is more like a customs check at the US/Canadian border has long annoyed me. It also makes it sound much more secure than it usually is configured to be – many so-called “firewalls” are more like traffic agents furiously waving vehicles past just to keep things moving. I am all for a new term.