Okay, network security industry – I have a question for you: What does NGFW mean today?
First, a history lesson:
- When Gartner first coined the term “next-generation firewall” in 2003/2004, it had a limited view of which features comprised an NGFW. In “Predicts 2005: Security Focuses on Protection” (archived for Gartner subscribers), we made the following strategic planning assumption: “The majority of leading firewall vendors will offer next-generation firewalls (that is, IPS features) in 2006 (0.8 probability).”
- By 2009, Gartner had refined its definition of NGFW to include the following aspects:
  - Standard first-generation firewall capabilities
  - Integrated rather than merely colocated network intrusion prevention
  - Application awareness and full-stack visibility
  - Extrafirewall intelligence
So, entering 2016, can you name an enterprise firewall which does not have (at least on its data sheet) stateful firewall + intrusion prevention + application and user control + the ability to consume other context/intelligence? And if almost every enterprise firewall vendor can check all these boxes, we must ask ourselves: when does “next-generation” cease to be meaningful to anyone (aside from emotionally invested vendor firewall marketing teams)?
What new features are required to bolster the relevance of “NGFW”?
- Cloud-based network sandbox? Maybe, but almost all firewall platforms already have one. It does add security functionality to the platform, however, so it probably becomes part of the definition as table stakes for perimeter firewall deployments.
- Extensions into the public cloud? Perhaps, but many vendors already offer virtual versions for AWS, and some already do for Microsoft Azure. And it adds no security functionality; only the form factor changes.
- East/west microsegmentation in SDN? Again, just a different form factor, not differentiated security.
- Having endpoint agents from the same vendor? Just no.
In the end, I guess, the term of art really doesn’t matter.
Whether we as an industry retire the term or not, it’s important for firewall customers to understand that many vendors can call themselves “next-generation” legitimately. Customers must do the hard work of determining which features of the NGFW are most important to them, and which vendors deliver those capabilities most effectively.
We firewall analysts have started working on the 2016 update of the “Magic Quadrant for Enterprise Network Firewalls”, where we will attempt to help Gartner clients look beyond (and behind) vendor “next-generation” marketing.