Neil MacDonald
VP & Gartner Fellow, 15 years at Gartner, 25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

It’s Time to Retire the Term Firewalls

by Neil MacDonald  |  May 18, 2010

In my research on Adaptive Security Infrastructure and Context Aware Security, I have concluded that future information security policy enforcement points must move policy enforcement “up the stack”. As we virtualize our data centers and adopt cloud-based computing platforms, security policy can no longer be bound solely to physical attributes such as IP address or device.

Firewalls are evolving to become adaptive, adding context awareness beyond their traditional dependency on physical attributes (whitelisting of IP addresses and port/protocol combinations) in the form of application, identity and, in some cases, content awareness. This requires deeper inspection of the incoming network traffic stream to map flows to logical identities and applications and to understand the content they carry.
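To make that shift concrete, here is a small added example (my own illustration, not the author's or Gartner's code) of a policy enforcement point that evaluates the same three flows under an IP/port-only rule set and under a context-aware one. The subnet, users, groups, application labels, content tags and rule names are all constructed for the example; in a real product the identity, application and content fields would be filled in by directory integration and traffic inspection, which this toy takes as given.

```python
"""Toy policy enforcement point: physical-attribute rules vs. context-aware rules.

Added example, not the author's or Gartner's code. All users, groups,
applications, addresses and rule names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as the enforcement point sees it after inspection."""
    src_ip: str
    dst_port: int
    proto: str
    user: Optional[str] = None               # identity mapped from authentication (assumed input)
    app: Optional[str] = None                # application identified by deeper inspection (assumed input)
    content: FrozenSet[str] = frozenset()    # content classification tags (assumed input)


@dataclass(frozen=True)
class Rule:
    """A policy rule. Every field left as None is a wildcard."""
    name: str
    action: str                              # "allow" or "deny"
    src: Optional[str] = None                # source CIDR: the traditional physical attribute
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    group: Optional[str] = None              # identity awareness: user must belong to this group
    app: Optional[str] = None                # application awareness
    content: Optional[str] = None            # content awareness: matches if this tag is present


Groups = Dict[str, FrozenSet[str]]


def matches(rule: Rule, flow: Flow, groups: Groups) -> bool:
    """True when every constrained field of the rule agrees with the flow."""
    if rule.src is not None and ip_address(flow.src_ip) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.group is not None and flow.user not in groups.get(rule.group, frozenset()):
        return False
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.content is not None and rule.content not in flow.content:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, groups: Groups) -> Tuple[str, str]:
    """First matching rule wins; an implicit default deny closes the list."""
    for rule in rules:
        if matches(rule, flow, groups):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed directory data: which users belong to which groups.
GROUPS: Groups = {"sales": frozenset({"alice"}), "finance": frozenset({"bob"})}

# Traditional rule set: trusts a subnet plus a port/protocol pair and nothing else.
LEGACY_RULES = [
    Rule("allow-https-from-desktops", "allow", src="10.0.0.0/24", dst_port=443, proto="tcp"),
]

# Context-aware rule set: identity, application and content decide. The deny
# for sensitive content is listed first so it takes precedence over any allow.
CONTEXT_RULES = [
    Rule("block-pii-leaving", "deny", content="pii"),
    Rule("sales-to-crm", "allow", src="10.0.0.0/24", dst_port=443, proto="tcp",
         group="sales", app="crm-saas"),
    Rule("finance-to-erp", "allow", dst_port=443, proto="tcp",
         group="finance", app="erp-saas"),
]

# Constructed flows. All three share one source address and port, as they would
# behind a shared desktop host or NAT, so only context can tell them apart.
ALICE_CRM = Flow("10.0.0.5", 443, "tcp", user="alice", app="crm-saas")
UNKNOWN_APP = Flow("10.0.0.5", 443, "tcp", user="mallory", app="unclassified")
ALICE_PII = Flow("10.0.0.5", 443, "tcp", user="alice", app="crm-saas",
                 content=frozenset({"pii"}))


def compare(flow: Flow) -> Dict[str, Tuple[str, str]]:
    """Decision of each rule set for one flow, keyed by rule-set name."""
    return {
        "legacy": evaluate(LEGACY_RULES, flow, GROUPS),
        "context": evaluate(CONTEXT_RULES, flow, GROUPS),
    }


if __name__ == "__main__":
    for label, flow in [("alice->crm", ALICE_CRM), ("mallory->unclassified", UNKNOWN_APP),
                        ("alice->crm carrying PII", ALICE_PII)]:
        print(label, compare(flow))
```

The legacy rule set allows all three flows because they are indistinguishable at the IP/port level; the context-aware set allows only the sales user's CRM session and refuses both the unclassified application and the session carrying tagged content. Two design choices carry the weight: evaluation is first-match with an implicit default deny, so an unlisted combination is never allowed by accident, and the content-based deny is ordered ahead of the allows so that an allow rule cannot shadow it.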

So far so good.

At some point, shouldn’t we stop calling them “firewalls”? The term “next-generation firewall” is better, but that’s kind of like calling an automobile a “next-generation (or horseless) carriage” – defining something new in terms rooted in the past. At some point, people understood that automobiles were something quite different and warranted a new word to describe them.

Lacking a better word, the term firewall is being applied to anything that implements security policy at any layer: for example, Web Application Firewalls, Application firewalls, XML firewalls, Database firewalls, SOA firewalls, Memory Firewalls (remember Determina?) and so on. I’m not sure that adds clarity either, except that the word firewall becomes shorthand for pretty much anything that implements a security policy.

At some point, aren’t the capabilities of emerging context-aware and adaptive security policy enforcement points different enough that we should use another term that more accurately describes what they are?


Category: Next-generation Security Infrastructure, Virtualization Security


  • Andrew Saucci, May 21, 2010 at 10:05 pm

    The term “firewall” was always a misnomer lifted from construction. In a real firewall, NOTHING is allowed to pass. You can’t even poke a hole in a firewall for a sensible thing such as a fire alarm wire or a sprinkler system pipe. The idea of using the term for something that is more like a customs check at the US/Canadian border has long annoyed me. It also makes it sound much more secure than it usually is configured to be – many so-called “firewalls” are more like traffic agents furiously waving vehicles past just to keep things moving. I am all for a new term.