I just finished reading a guest blog post by my friend Richard Stiennon over at NETASQ Community blog. Richard’s blog is called “A brief history of firewalls and the rise of UTM”. If I am reading this correctly Richard believes we are going to see or have already seen the demise of the standalone stateful packet inspection firewall and the mundane switch and routers which power most of our networks. Reading this prophesy I was reminded of that guy from Gartner a while back who proclaimed the death of IDS. Wait a second, that was Richard too!
To be fair, I don’t disagree with Richard as he describes the evolution of combining more and more functionality on one box. It is hard to argue against the rise of both next gen firewalls and UTMs. However, I am not sure that they are one and the same as Richard seems to claim. In Richard’s world view (which hasn’t seemed to change since he was at Fortinet) a UTM is what you make it. You can add anything to your firewall, put it anywhere and just keep piling on features. Eventually you wind up with what I call the GodBox. Richard would call it the ultimate UTM. No matter what you call it, it doesn’t work.
I think if Richard is playing Hawking in his brief history of firewalls, I will play Leonard Susskind and postulate my own theory. Shimel’s theorem is that the more features and functions you add to one box, the more difficult it becomes to manage and actually use all of them. Eventually the GodBox sinks under the weight of its complexity.
Security vendors haven’t even mastered a good firewall management interface, let alone one that handles all that Richard would pile on the box. That is why vendors like Firemon have been so successful. What would wind up happening is people may buy GodBoxes for all that they can offer, but in practice would only use a small fraction of what is advertised as being possible using the device.
This is much the same as in the move from IDS to IPS. While people were buying boxes labeled IPS, the overwhelming majority were using them primarily as IDS. They might have a rule or two turned on, but by and large they use these boxes as IDS still.
I would also add a caveat to Richard’s view that switching and routing will be added to security devices so that deep packet inspection will take place at every network intersection. While doing so would be great, there is a price to be paid for all of that inspection, as well as a certain amount of redundancy in doing so. Most of all though, I think Richard underestimates how hard it is to do switching/routing right.
Rather than security vendors matter-of-factly adding networking, it is more likely that vendors like Cisco, Juniper and Brocade add security to their existing network gear. Again though, Shimel’s Theorem applies: the more you pile on the box, the more complex and difficult it is to manage, and the less likely it is that a meaningful percentage of the features will actually be used.
So while Richard has captured one path that firewalls have taken, I think to paraphrase Carl Sagan when it comes to the flavors and potential ways that firewall technology will be used in our networks, “there are billions and billions” of them. UTM is just one path in the Multiverse.
(PS- I tried to post a comment on Richard’s blog, but I don’t think it is allowing comments. It’s been a long time since I wrote a blog post disagreeing with Richard Stiennon. It feels like old times!)
PPS- my comment on Richard’s original post is now posted.