Gartner Blog Network


For 2016, Should We Retire the “Next Generation Firewall”?

by Adam Hils  |  December 29, 2015  |  2 Comments

Okay, network security industry – I have a question for you: What does NGFW mean today?

First, a history lesson:

  • When Gartner initially coined the “next-generation firewall in 2003/2004, it had a limited view of which features comprised a NGFW. In “Predicts 2005: Security Focuses on Protection” (archived for Gartner subscribers), we made the following strategic planning assumption: “The majority of leading firewall vendors will offer next-generation firewalls (that is, IPS features) in 2006 (0.8 probability).”
  • By 2009, Gartner had refined its definition of NGFW to include the following aspects:
      • Standard first-generation firewall capabilities
      • Integrated rather than merely colocated network intrusion prevention
      • Application awareness and full stack visibility
      • Extrafirewall intelligence

So, entering 2016, can you name an enterprise firewall which does not have (at least on their data sheets) stateful firewall + intrusion prevention + application and user control + the ability to consume other context/intelligence? And if almost every enterprise firewall vendor can check all these boxes, we must ask ourselves – when does “next-generation” cease to be meaningful to anyone (aside from emotionally-invested vendor firewall marketing teams)?

What new features are required to bolster the relevance of “NGFW”?

  • Cloud-based network sandbox? Maybe, but almost all firewall platforms have them. It is an extra security feature for the platform, however, so probably becomes part of the definition as a necessary table stake for perimeter firewall deployments.
  • Extensions into the public cloud? Perhaps, but many vendors offer virtual versions for AWS, and some already do for Microsoft Azure. And there is nothing extra in security functionality – form factor just changes.
  • East/west microsegmentation in SDN? Again, just a different form factor, not differentiated security.
  • Having endpoint agents from the same vendor? Just no.

In the end, I guess, the term of art really doesn’t matter.

Whether we as an industry retire the term or not, it’s important for firewall customers to understand that many vendors can call themselves “next-generation” legitimately. Customers must do the hard work of determining which features of the NGFW are most important to them, and which vendors deliver those capabilities most effectively.

We firewall analysts have started working on the 2016 update of the “Magic Quadrant for Enterprise Network Firewalls“, where we will attempt to help Gartner clients look beyond (and behind) vendor “next-generation” marketing.

 

 

Category: information-security  network-security  security  trends-predictions  

Tags: atd  ips  ngfw  

Adam Hils
Research Director
9 years at Gartner
22 years IT Industry

Adam Hils is a Research Director with Gartner Research. He covers network security, including intrusion prevention systems (IPS), enterprise firewalls and UTMs. In addition, Mr. Hils provides advice to budget-constrained midsize enterprises about prioritizing security investments. Read Full Bio


Thoughts on For 2016, Should We Retire the “Next Generation Firewall”?


  1. John says:

    Hi Adam

    I think the term NGFW has served its purpose in making companies add more security at the edge, which was much needed. There are now so many different features and functions that we cannot possibly come up with a name for each. So its time to call it what it is – “Enterprise Firewall” but then guide customers as to the different deployment modes and Associated policy/security functions – Edge Firewall (NGFW), Data Center Firewall (DCFW), Internal Segmentation Firewall (ISFW), Carrier Class Firewall (CCF), Virtual Firewall (VFW). The only area that is confusing – Distributed Enterprise who will use the functionality of a SMB UTM Appliances but require Enterprise Scale Management.

    John Maddison
    SVP Products
    Fortinet

  2. Andrew Plato says:

    NGFW has always been a misleading word. It was just a new way to say UTM when UTM was no longer cool. Firewalls have been evolving and consuming features for 15+ years. So what does a firewall with endpoint control become? A Next Next Generation Firewall II, Electric Boogaloo?

    A BMW and a Kia are both cars, just because a BMW as more features or a better engine does not mean it becomes something other than a car. Its a car. Maybe a better car. But BMW does not get to unilaterally decide “oh, we’re not a caaaaar, we’re a next-generation automotive conveyance machine.” Likewise, firewall vendors do not get to just change the words they use and become a whole new market. They have to actually invent something new.

    The problem here, which we at Anitian have called out for years, is that creating a new word is not the same as creating a new technology. Anybody can invent words. But new technologies are much more hard won.

    I think its time to collapse this market back to what it always was – firewalls.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.