Gartner Blog Network

The Future of the Firewall – Hint: The Perimeter Hasn’t and Isn’t Going Away, But It Has Moved

by John Pescatore  |  April 30, 2010  |  2 Comments

I blogged here about what Gartner has, since 2003, been calling the Next Generation Firewall, and then Greg Young and I published a Gartner research note, “Defining the Next Generation Firewall.” Simplifying a bit, the winners in the firewall market will be those who have added application identification and policy enforcement, along with deep-packet-inspection intrusion prevention, to their firewall products – as integral features, not as separately priced options or bolt-on capabilities. It is all about the firewall evolving into a platform that deals with the next generation of threats.

Then, last month Greg and I published the 2010 “Enterprise Firewall Magic Quadrant,” and currently Bob Walder and I are in the process of updating the “Magic Quadrant for SMB Multifunction Firewalls” while Greg Young and I kick off the update for the “Magic Quadrant for Network Intrusion Prevention System Appliances.”

OK, I think I have fulfilled my quota of links to Gartner research notes, but my real point is that we are spending a lot of time and energy on perimeter network security products (I won’t even mention the “Magic Quadrant for Web Security Gateway” recently published by Peter Firstbrook and Lawrence Orans – hey, I just exceeded my quota!).

Why are we spending all this time if there is no more perimeter? Mainly because there is still a perimeter, and there will always be a perimeter. Back in the late 1990s, when laptop use and remote-access VPNs took off, the perimeter was declared dead. When SSL VPNs opened it up to non-corporate PCs in the early 2000s, more declarations of death. When smartphones came along, ditto. And now cloud computing: death knells for the perimeter. Oh, yeah – back when we called cloud “Application Service Providers,” and before that when we called ASPs “Outsourcers,” same death knells.

Of course, it turns out that for some odd reason most businesses still have data centers and some tower PCs, and they still don’t send paychecks to customers or deliver products to their employees – there is still an inside and still an outside. Even under the most overhyped predictions of cloud adoption, there will still be an inside and an outside.

The real issue is that as IT changes delivery mechanisms, it augments rather than completely replaces the previous model (still a few mainframes out there, no?), and security needs to do the same thing. That’s why email security is often delivered as a service, injecting email security policy between the users and their email regardless of where the enforcement is physically performed. Web security is going the same way – enforcement on a server at the HQ Internet connection, plus web security as a service enforcing the same policy between mobile employees and their Internet access.

The Next Generation Firewall will follow the same pattern – extending to NGFW as a service (or what we used to call “In the Cloud Firewalling” before the cloud term got ripped away from the Internet carriers) to inject the same firewall policy between the users and the Internet, and between users and the cloud-based services we consume that used to live inside the data center.
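To make the two ideas above concrete, namely application identification plus DPI-based intrusion prevention as integral firewall features, and one firewall policy enforced wherever the traffic happens to be seen, here is a small Python sketch added to this post. It is not Gartner's code and not any vendor's product logic. The three protocol fingerprints, the jump-host address, the two IPS signatures and the sample flows are all constructed for illustration; a real NGFW classifies thousands of applications and carries a far richer signature set.

```python
"""Toy next-generation firewall policy engine (constructed example, not a real product).

Compares a legacy port-based rule with an application-aware policy that also runs
a deep-packet-inspection check, and shows that the application-aware policy gives
the same answer at the HQ gateway and at a cloud enforcement point.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst: str          # destination IP (RFC 5737 documentation ranges below)
    dport: int        # destination TCP port
    payload: bytes    # first client bytes of the connection
    seen_at: str      # enforcement point: "hq-gateway" or "cloud-service"


def identify_app(payload: bytes) -> str:
    """Classify by content rather than port. Constructed heuristics for three protocols."""
    if payload.startswith(b"SSH-2.0-"):                      # SSH version banner
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                                         # TLS handshake record header
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE"):
        return "http"                                        # HTTP request line
    return "unknown"


def legacy_port_policy(flow: Flow) -> str:
    """Stateful-inspection era rule: web ports out, everything else blocked."""
    return "allow" if flow.dport in (80, 443) else "deny"


JUMP_HOST = "192.0.2.5"  # constructed: the only host SSH is permitted to reach

# (application, destination or None for any, action); first match wins.
APP_RULES: Tuple[Tuple[str, Optional[str], str], ...] = (
    ("ssh", JUMP_HOST, "allow"),
    ("http", None, "allow"),
    ("tls", None, "allow"),
)

# Constructed DPI/IPS signatures; a real IPS engine has thousands.
IPS_SIGNATURES = (b"../../", b"/etc/passwd")


def ngfw_policy(flow: Flow) -> str:
    """Application-aware policy with an integral IPS pass.

    Deliberately never looks at flow.seen_at: the same policy object is what an
    HQ appliance or an NGFW-as-a-service enforcement point would evaluate.
    """
    for sig in IPS_SIGNATURES:
        if sig in flow.payload:
            return "deny:ips"
    app = identify_app(flow.payload)
    for rule_app, rule_dst, action in APP_RULES:
        if rule_app == app and rule_dst in (None, flow.dst):
            return action
    return "deny:app"


def evaluate(flows: List[Flow]) -> List[Tuple[str, int, str, str, str]]:
    """Return (seen_at, dport, identified app, legacy verdict, ngfw verdict) per flow."""
    return [(f.seen_at, f.dport, identify_app(f.payload),
             legacy_port_policy(f), ngfw_policy(f)) for f in flows]


# Constructed sample flows.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 80, HTTP_GET, "hq-gateway"),
    Flow("203.0.113.10", 80, HTTP_GET, "cloud-service"),       # same traffic, other enforcement point
    Flow("203.0.113.7", 443, SSH_BANNER, "cloud-service"),     # SSH hidden on the HTTPS port
    Flow(JUMP_HOST, 22, SSH_BANNER, "hq-gateway"),             # legitimate SSH to the jump host
    Flow("198.51.100.20", 80, b"GET /../../etc/passwd HTTP/1.1\r\n", "hq-gateway"),
    Flow("198.51.100.20", 443, TLS_HELLO, "cloud-service"),
]


def main() -> None:
    for seen_at, dport, app, legacy, ngfw in evaluate(SAMPLE_FLOWS):
        print(f"{seen_at:14} dport={dport:<4} app={app:8} port-rule={legacy:6} ngfw={ngfw}")


if __name__ == "__main__":
    main()
```

The SSH-on-443 flow is the case the port-based rule cannot handle: the port says "web", the payload says "remote shell", and only the application-aware policy denies it, while the same policy allows SSH to the one host it is meant for. Because ngfw_policy never consults seen_at, the HTTP flow gets an identical verdict from the HQ gateway and from the cloud enforcement point, which is the "same policy, moved enforcement point" argument of the paragraph above in code.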

It is really just border control – we don’t declare countries “deperimeterized” because airplanes were invented, we extend border control into the airport terminals.


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on The Future of the Firewall – Hint: The Perimeter Hasn’t and Isn’t Going Away, But It Has Moved

  1. Naithan says:

    Very interesting post, John. With the increased reliance on web services, on-demand, cloud, and other shared-service environments, we are seeing the threats move accordingly. IMO I think we are seeing a shift from a point-and-click-based security model to a more competency-based model.

    This model relies heavily on shifting the goal posts of security and compliance away from the security team and moving them to two places:

    1. The app development team and their ability to maintain a secure process throughout the SDLC and to document and enforce accountability. This would seem to be a three-pronged mix of well-configured tools (WAFs, collaboration platforms for remediation, scanners, and third-party manual testing services), a well-oiled development risk culture, and a development community that owns security with pride and policy.

    2. Vendor management for outsourced code or outsourced services being consumed, with this management being staked by Security, PMO, outsourcing, and business-side stakeholders.

    Even in this new era there will always be a perimeter; it just isn’t as two-dimensional as it once was.

    Great post John.

  2. Tim Zonca says:

    Thanks for the post, John. The references to previous research are useful, but in particular I like the simplicity of the summary: “It is really just border control – we don’t declare countries ‘deperimeterized’ because airplanes were invented, we extend border control into the airport terminals.” Good stuff.
