In my previous post, I talked about how the term “firewall” (and the term next-generation [horseless] firewall) really doesn’t capture the fundamental transformation taking place as these network security platforms become context aware and adaptive. My colleague, Bob Walder, argues that the term is just fine – kinda like tiles for the house.
If everything is called a “firewall” (SOA firewall, application firewall, database firewall, memory firewall, web application firewall and so on) then the term stops being useful.
Take Web Application Firewalls (WAFs) – the danger in calling them “firewalls”, as early adopters found out, is that they are quite different from a traditional network firewall. Running at the application layer, they require knowledge of the application and its business logic in order to program them correctly. Organizations that put responsibility for WAFs in the network security group (well, they are called ‘firewalls’, aren’t they?) often found that the group didn’t have the skillset necessary to program them correctly. And once programmed, unlike perimeter firewall rules, the applications behind them change frequently, so the WAF rules need to be updated to reflect those changes. Without a linkage between the development team and the WAF team (something traditional firewall managers didn’t have to worry much about), rules fell out of date, creating a good chance of false positives from rules that no longer matched the application. Life was not good. Applications broke, finger pointing ensued. WAF rules were loosened and their potential protection weakened. WAFs struggled and several vendors went under until PCI came in and resurrected the market. These weren’t “firewalls” (certainly not in the traditional sense of the word) and they shouldn’t have been treated as such. Names do matter.
Interestingly, what’s taking place in the network is paralleling the evolution of desktop security. On desktops, the core technology used to be called antivirus and personal firewalls, but now it’s something much more. Sure, AV and firewalls are still in there, but these are only two protection styles of the many we use at an endpoint. We could have called it “next-generation AV”, but that didn’t really capture the transformational nature of the change. In 2007, we settled on the term “Endpoint Protection Platform” (EPP) to describe the convergence of antivirus, personal firewall, host intrusion prevention, antispyware, application control, device control, network access control, security configuration management and so on at the endpoint.
Sometimes, the changes are so significant that a new name is needed. Like the transition from the horseless carriage to the automobile.