Enterprise Network Firewall trends

The 2013 Gartner Magic Quadrant for Enterprise Network Firewalls gives a view of the current firewall market:

Gartner states, “Advances in threats have driven mainstream firewall demand for next-generation firewall capabilities. Buyers should focus on the quality, not quantity, of the features and the R&D behind them. This market includes mature vendors and new entrants.” The Palo Alto Networks web page 2013 Gartner Magic Quadrant for Enterprise Network Firewalls lets you view the Gartner report after you give them your contact information.

The Virtual Firewalls or Physical? Wrong Question. article says that people are getting bogged down in rather meaningless arguments as to whether or not firewalls will be virtualized. They will (and, in fact, already are). The bigger trend is the shift from proprietary hardware to software running on commodity hardware (in almost all cases, x86). That’s the big shift.

My comment is that the shift in this direction, toward commodity x86 hardware, has been going on for a long time. Many firewall products have long been based on pretty normal PC hardware (for example, several Nokia IPSO firewalls used x86 CPUs) packaged in a custom rack-mount box.

Virtual Firewalls or Physical? Wrong Question. article says that whether or not a given security control is packaged as a virtual machine is a matter of requirements (and to some extent preference). Some information security people prefer to see a separate box because they like the sense of “strong” separation of duties. The mistake here is equating physical separation with logical separation of duties or an outdated belief that “infrastructure can’t protect infrastructure”.

Keep in mind that many Linux systems have pretty powerful firewall functionality built in (netfilter/iptables) that can be used to firewall a Linux server without extra hardware, or as an addition to extra hardware. Those same tools are also used in commercial firewall appliances that run on Linux (with or without manufacturer-specific additions). So there are technologies where the firewall functionality is built into the Linux device infrastructure itself. Depending on the case, the user might rely on that alone (for example in many embedded applications) or use it together with an external firewall device (corporate server setups behind a main firewall).

Modern Windows systems also have some built-in firewall functionality (and there is plenty of third-party software for this) to provide some security, but I would not feel safe relying only on it on Internet-connected servers.

2012 Gartner survey showed that there is a preference for virtualized security controls over external security controls run outside the VM environment for virtualization/private cloud projects.

When reading those predictions, keep in mind that Gartner, which has a long track record of spectacularly wrong predictions (like the 2012 Hype Cycle for Emerging Technologies and PC sales data), gets more than its fair share of attention in the IT industry every day (and even on this blog). Predicting the future is hard, and keep in mind that while some predictions are right, very many predictions, even from big-name sources, often go wrong.

Pointers to more firewall information:
Comparison of firewalls
Choosing a next-generation firewall: Vendor comparison
Best Enterprise Firewall 2011
How-To: Build your own network firewall


  1. Tomi Engdahl says:

    Report: Standalone security market fades amid growing demand for integrated security

    Infonetics Research has released its 2nd quarter (2Q13) Network Security Appliances and Software market share and forecast report. “There’s never been a time when the world was more tuned-in to broad privacy and security issues, and with the recent revelations about the NSA’s PRISM surveillance program, consumers and businesses around the globe are re-evaluating their security posture, preferred vendors, and deployment strategies,” notes Jeff Wilson, principal analyst for security at Infonetics Research.

    According to the study, worldwide network security appliance and software revenue totaled $1.6 billion in 2Q13, an increase of 4% sequentially.

    In terms of market share, Cisco, Check Point, Fortinet, HP, and Palo Alto Networks all posted strong revenue results in the network security market in 2Q13.

    “While it’s too early to say if the NSA debacle will have an impact on security spending, one trend in the security sector is clear: buyers are looking to consolidate security platforms wherever they can,”

  2. Tomi Engdahl says:

    Linux Kernel News – November 2013


    The 3.13 release adds a new network packet filtering framework. This new nftables framework is slated to replace IP-tables and provides a backward compatibility layer that allows continued use of IP-tables/IP6-tables with no changes to syntax over the nftables framework.

    The nftables is designed to leverage the existing Netfilter infrastructure hooks, the connection tracking system, the user space queuing component and the logging subsystem. It consists of a kernel component, a set of libraries, and a user space utility.

    The nftables kernel component runs a pseudo-state machine bytecode compiled from the rule-set provided by the user. The nftables user space utility generates the bytecode and transfers it to the kernel, using the nftables Netlink API. With this approach, the user space is the brain that interprets the user-specified rule-set and translates it into executable steps for the kernel to run. As a result, it is easier to add support for new protocols without needing to change the kernel. Furthermore, the ability to track connections is very useful in supporting features that depend on taking actions based on flow and connection information.

    It is always desirable to reduce kernel complexity and maintain backwards compatibility with the existing IPtables feature. All in all, a very nice feature. Unix veterans will see the similarity between the nftables design and Berkeley Packet Filters (BPF).

    nftables is something that will impact and benefit various products and solutions that use IPtables. As an example, the DroidWall (Android Firewall) solution is based on IPtables at the moment, both the kernel and user space components. As nftables replaces IPtables, this will change. As I mentioned earlier, the nftables kernel implementation is backwards compatible and IPtables syntax can still be used; however, over time IPtables-based solutions will evolve to take advantage of nftables.

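The built-in Linux host firewall mentioned in the post body (netfilter/iptables protecting a server without extra hardware) and the nftables framework with its iptables-compatible syntax discussed in the comment above, as an added example that is not part of the original post or the comments: a minimal default-deny policy for an Internet-connected server, written once as an nftables ruleset and once as the equivalent legacy iptables commands, so the two renderings can be compared side by side. The table name `host_fw`, the open ports 22/80/443 and the log prefix are constructed assumptions. The functions only print the rules; nothing is loaded into the kernel unless the script is run explicitly with `apply`, and the `nft -c` syntax check runs only where nft is installed.

```shell
#!/bin/sh
# Added example (not from the original page): the same default-deny host
# firewall expressed as an nftables ruleset and as legacy iptables commands.
# Table name "host_fw" and the open ports 22/80/443 are constructed assumptions.

# nftables ruleset: one "inet" table covers both IPv4 and IPv6 in a single place.
nft_ruleset() {
    cat <<'EOF'
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport { 22, 80, 443 } ct state new accept
        limit rate 5/minute log prefix "host_fw drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Equivalent legacy iptables rules (IPv4 only; ip6tables would need a
# parallel set, which is exactly the duplication the inet table avoids).
iptables_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "host_fw drop: "
EOF
}

# Extract the TCP ports the nftables policy opens, for review or audit scripts.
nft_open_ports() {
    nft_ruleset | sed -n 's/.*tcp dport { \([^}]*\) }.*/\1/p'
}

# Count explicit accept rules in each rendering. The nftables table carries
# one more (ICMPv6) than the IPv4-only iptables list; that is the expected gap.
nft_accept_count() {
    nft_ruleset | grep -c ' accept$'
}

iptables_accept_count() {
    iptables_rules | grep -c -- '-j ACCEPT$'
}

# Syntax-check the nftables ruleset without loading it; needs nft installed.
nft_check() {
    if command -v nft >/dev/null 2>&1; then
        nft_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

case "${1:-}" in
    check)  nft_check ;;
    apply)  nft_ruleset | nft -f - ;;            # requires root
    show)   nft_ruleset; echo; iptables_rules ;;
    *)      ;;
esac
```

Run with `show` to print both renderings, `check` to validate the nftables syntax without touching the running kernel, and `apply` (as root) to load it. The policy follows the usual order for a host firewall: established and related traffic first, invalid state dropped, loopback and ICMP allowed, then only the service ports for new connections, with everything else logged at a limited rate and dropped by the chain policy.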
  3. Tomi Engdahl says:

    Datacenters Drive Switch, ODM Growth

    In the third quarter of 2013, the enterprise firewall market grew just 2% from a year earlier. Application-aware firewalls, a.k.a. next-generation firewalls, drove much of this growth. Before these firewalls, such devices were typically deployed at the perimeter of the network, where they monitored ingress and egress traffic to look for threats. With application-aware firewalls, a device can be placed virtually anywhere within a network.

    The new systems can monitor all traffic, not just ingress and egress, so companies can make security decisions based on parameters such as applications, users, and content, in addition to traffic type. One of the pioneers in next-generation firewalls, Palo Alto Networks, has gained share over the past several quarters in part due to next-gen firewall demand.

    In addition to application-aware firewalls, many network security appliance vendors are introducing unified threat management platforms. These upgraded platforms allow single network elements to perform more security functions than merely firewall threat detection.

    There are numerous advantages to this approach, because the network complexity is reduced. However, there is still pushback from some enterprises. Network administrators may prefer distinct elements for legacy and debugging purposes.

  4. Tomi Engdahl says:

    Firewall-floggers in FLAMING MESS: Where’d our mystery margin go?
    Endpoints: The world has moved on… and become a lot more complex

    If you work in the fields of technology distribution, services and resale, you’ll surely hear about cloud, mobile, social and virtual more than anything else. However, it is the changing patterns in security spending that are perhaps most dramatically re-shaping our businesses.

    Gone are the good old days of pushing traditional endpoint security licences for homogenous Wintel environments – resellers and distributors now need to adapt to a vastly more complex demand from customers if they’re to survive and thrive.

    For distributors especially, the stats aren’t looking particularly good at the moment. Taken as a whole, the enterprise distribution market across Europe declined by 3.5 per cent in the third quarter from Q3 2012.

    Security in particular was badly hit, showing a decline of 18.1 per cent. If we look more closely at this segment, we can see why. Firstly, PC spend is down while mobile device shipments are up. On these new smartphones, tablets and convertibles, users often don’t consider endpoint security – their main assumption being that data is mainly stored in the cloud anyway with little saved to the actual device. Even those who buy security do so through mobile apps or mobile device management solutions.

    Security vendors realised this shift some time ago and have been refocusing their portfolios accordingly

    It’s no surprise then that according to CONTEXT data, total revenue in the UK endpoint security market fell 34 per cent in Q3 year-on-year, while the number of licences dropped 41 per cent. Yet when we look at just endpoint mobile security, revenue went up 237 per cent over the same period. Kaspersky has been one of the most successful vendors in the UK in anticipating these changing buyer patterns.

    Distributors are seeing their traditional endpoint security channel shrinking due to these factors but also because more retail customers are buying directly from vendors online.

    As for the resellers, they too have to arm themselves with skills in this new era in security. They need to offer their customers hosted services and cloud apps with the security piece built in to the deal. This isn’t easy, with the multiplicity of operating systems, device types and form factors, and data access requirements of modern computing environments – not to mention the growing volume and sophistication of threats.

    It’s no easy task and finding the right talent in the industry to support this changing business model could be tricky.

  5. bottle service says:

    Hi there, I check your blog daily. Your humoristic style is awesome, keep up the good work!

