Neil MacDonald

A member of the Gartner Blog Network

Web Application “Firewalls” Make My Point

by Neil MacDonald  |  May 19, 2010  |  1 Comment

In my previous post, I talked about how the term “firewall” (and the term next-generation [horseless] firewall) really doesn’t capture the fundamental transformation taking place as these network security platforms become context aware and adaptive. My colleague, Bob Walder, argues that the term is just fine – kinda like tiles for the house.

If everything is called a “firewall” (SOA firewall, application firewall, database firewall, memory firewall, web application firewall and so on) then the term stops being useful.

Take Web Application Firewalls (WAFs). The danger in calling them “firewalls”, and what early adopters found out, is that they are quite different from a traditional network firewall. Running at the application layer, they require knowledge of the application and its business logic in order to be programmed correctly. Organizations that put responsibility for WAFs in the network security group (well, they are called ‘firewalls’, aren’t they?) often found that the group lacked the skills needed to program them correctly. And unlike perimeter firewall rules, the job isn’t done once the rules are programmed: applications change frequently, and the WAF rules need to be updated to reflect those changes. Without a linkage between the development team and the WAF team (something traditional firewall managers didn’t have to worry much about), rules fell out of date, creating a good chance of a false positive from a rule that no longer matched the application. Life was not good. Applications broke, finger pointing ensued. WAF rules were loosened and their potential protection weakened. WAFs struggled and several vendors went under until PCI came along and resurrected the market. These weren’t “firewalls” (certainly not in the traditional sense of the word) and they shouldn’t have been treated as such. Names do matter.
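The failure mode described above, a positive-security WAF rule set drifting out of step with the application it protects so that a legitimate request trips a rule, can be shown with a small model. This is an added example, not code from the post or from any WAF product; the endpoint, the parameter patterns and the two release schemas are constructed, and the drift check stands in for the dev-to-WAF-team linkage the post calls for.

```python
import re

# Constructed positive-security policy: for each endpoint, the parameters the
# WAF team programmed when the app shipped, and the pattern each value must match.
WAF_POLICY = {
    "/checkout": {"item_id": r"^\d{1,8}$", "qty": r"^\d{1,3}$"},
}

# Constructed: the parameter schema the development team ships with each release.
APP_SCHEMA_V1 = {"/checkout": {"item_id", "qty"}}
APP_SCHEMA_V2 = {"/checkout": {"item_id", "qty", "coupon"}}  # v2 added a coupon field


def inspect_request(policy, path, params):
    """Return the violations for one request under the positive model.
    Any parameter the policy does not list, or a value failing its pattern,
    is reported; a non-empty list means the request would be blocked."""
    allowed = policy.get(path)
    if allowed is None:
        return ["unknown endpoint %s" % path]
    violations = []
    for name, value in params.items():
        pattern = allowed.get(name)
        if pattern is None:
            violations.append("unexpected parameter %s" % name)
        elif not re.fullmatch(pattern, value):
            violations.append("parameter %s fails pattern %s" % (name, pattern))
    return violations


def policy_drift(policy, schema):
    """Compare the WAF policy against the application's current schema.
    'missing' parameters are ones the app now accepts but the policy lacks
    (these produce false positives); 'stale' ones are listed in the policy
    but no longer exist in the app (dead coverage)."""
    drift = {}
    for path, fields in schema.items():
        covered = set(policy.get(path, {}))
        missing = fields - covered
        stale = covered - fields
        if missing or stale:
            drift[path] = {"missing": sorted(missing), "stale": sorted(stale)}
    return drift


if __name__ == "__main__":
    legit_v2 = {"item_id": "42", "qty": "2", "coupon": "SPRING10"}
    print(inspect_request(WAF_POLICY, "/checkout", legit_v2))  # blocked: coupon unknown
    print(policy_drift(WAF_POLICY, APP_SCHEMA_V2))  # flags coupon before users hit it
```

Running the drift check against each release's schema, before the release goes live, surfaces the rule that would break the application instead of discovering it through finger pointing.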

Interestingly, what’s taking place in the network is paralleling the evolution of desktop security. On desktops, the core technology used to be called antivirus and personal firewalls, but now it’s something much more. Sure, AV and firewalls are still in there, but these are only two protection styles of the many we use at an endpoint. We could have called it “next-generation AV”, but that didn’t really capture the transformational nature of the change. In 2007, we settled on the term “Endpoint Protection Platform” (EPP) to describe the convergence of antivirus, personal firewall, host intrusion prevention, antispyware, application control, device control, network access control, security configuration management and so on at the endpoint.

Sometimes, the changes are so significant that a new name is needed. Like the transition from the horseless carriage to the automobile.


Category: Beyond Anti-Virus, Endpoint Protection Platform, Information Security, Next-generation Security Infrastructure

1 response so far

1. Bob Walder, May 20, 2010 at 12:39 am

    Great point regarding WAF. I still like the term “firewall” for now, but I have updated my post :)