Gartner Blog Network

Web Application “Firewalls” Make My Point

by Neil MacDonald  |  May 19, 2010  |  1 Comment

In my previous post, I talked about how the term “firewall” (and the term next-generation [horseless] firewall) really doesn’t capture the fundamental transformation taking place as these network security platforms become context aware and adaptive. My colleague, Bob Walder, argues that the term is just fine – kinda like tiles for the house.

If everything is called a “firewall” (SOA firewall, application firewall, database firewall, memory firewall, web application firewall and so on) then the term stops being useful.

Take Web Application Firewalls (WAFs) – the danger in calling them “firewalls” and what early adopters found out is that these are quite different than a traditional network firewall. Running at the application layer, they require knowledge of the application and business logic in order to program them correctly. Organizations that put responsibility for WAFs in the network security group (well, they are called ‘firewalls’ aren’t they?) often found that they didn’t have the skillset in that group necessary to program them correctly. Once programmed (and unlike perimeter firewall rules) applications change frequently and the WAF rules needed to be updated to reflect these changes. Without a linkage between the development and the WAF team (something traditional firewall managers didn’t have to worry much about), rules fell out of date creating a good chance of a false positive from a rule that wasn’t kept up to date with the application. Life was not good. Applications broke, finger pointing ensued. WAF rules were loosened and their potential protection weakened. WAFs struggled and several vendors went under until PCI came in and resurrected the market. These weren’t “firewalls” (certainly not in the traditional sense of the word) and they shouldn’t have been treated as such. Names do matter.

Interestingly, what’s taking place in the network is paralleling the evolution of desktop security. On desktops, the core technology used to be called antivirus and personal firewalls, but now it’s something much more. Sure, AV and firewalls are still in there, but these are only twp protection styles of many we use at an endpoint. We could have called it “next-generation AV”, but that didn’t really capture the transformational nature of the change. In 2007, we settled on the term “Endpoint Protection Platform” (EPP) to describe the convergence of antivirus, personal firewall, host intrusion prevention, antispyware, application control, device control, network access control, security configuration management and so on at the endpoint.

Sometimes, the changes are so significant that a new name is needed. Like the transition from the horseless carriage to the automobile.

Additional Resources

Evaluating the Security Risks to Blockchain Ecosystems

Blockchain is early in its development, and long-term investments can be risky. Security and risk management leaders must temper the hype with effective risk-mitigation techniques.

Read Free Gartner Research

Category: beyond-anti-virus  endpoint-protection-platform  next-generation-security-infrastructure  security-of-applications-and-data  

Tags: adaptive-security-infrastucture  next-generation-security-infrastructure  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Web Application “Firewalls” Make My Point

  1. Bob Walder says:

    Great point regarding WAF. I still like the term “firewall” for now, but I have updated my post 🙂

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.