Firewalls and Firewall Management: Here to Stay
By Ericka Chickowski | Posted 2012-01-17
The death of the corporate firewall has been greatly exaggerated. Contrary to the proclamations of some security experts, the firewall is here to stay, and so is the need for someone to manage it. Here's why.
Contrary to some security experts’ proclamations over the past few years, the demise of the corporate firewall has been seriously oversold. While depending on the firewall and antivirus (AV) alone would be considered foolish in today's time of sophisticated cyberattacks designed to elude these signature- and rule-based blacklist technologies, the truth is that the firewall isn't going away. And neither is the responsibility for managing it.
"We went away from the traditional perimeter firewall for a number of years thinking that we could invest primarily in point solutions such as IPS and data leak protection and other types of systems that were designed as additional security layers and that's all great but then there's also been a huge push to consolidate those services back into the firewall," said Peter Bybee, CEO of hybrid cloud security and compliance solutions provider Security-On-Demand. "So the UTM firewalls and the next generation firewalls--Palo Alto was the first of a whole series, Sourcefire has come out with their next-gen firewall, and Checkpoint's got theirs--so we've got all this functionality back into the firewall."
All this has just upped the burden of firewall management, especially given the added stress of the continuing fragmentation of the workplace through mobile and telecommuting, and the rising tide of web apps and devices that need exclusions for network access.
"It turns out it's just made the firewall more complex than it previously was," Bybee said. "There's more confusion around how to manage the firewall. The problem is getting worse rather than better."
Combine that with the ramifications of screwing things up--permitting a big-time breach by insecurely configuring the firewall or shutting down a mission-critical application through some mix-up--and firewall management rises over the horizon as a huge opportunity for channel partners who can bring the right set of tools and skills to the table.
"There's more risk today than ever that someone's going to screw something up. A misconfigured rule, some kind of backdoor that is put in there, or a temporary rule that gets forgotten and stays in place. These are all the classic blunders that allow compromises," Bybee said. "It's interesting that a lot of the compromises that still occur are not really. People think that there's all this sophistication going on with hacking, and to some degree, maybe there is, but there are a lot of open firewalls out there."
In fact, according to Gartner, 95 percent of firewall breaches are a result of misconfigured firewalls rather than flaws in the firewall.
"In that case, complexity is still our worst enemy as we make mistakes that hackers exploit and not so much finding some very sophisticated way to hack into our system," said Nimrod Reichenberg, vice president of marketing and business development for firewall management vendor Algosec.
Born out of this complication, the firewall management market is booming. Security-On-Demand is one of many IT solution providers starting to realize the upside of offering firewall management solutions and services around these tools. In his case, Bybee is using Algosec to help customers stabilize security postures and streamline network throughput and operations through better management of firewall rule sets.
And there's still a lot of room for growth, because as Mark Jones, CEO of SOS Security, puts it, most companies are lagging with their firewall rule sets.
"I'd say 85 percent of the firewall rules today that most enterprise companies are utilizing are written very poorly. The majority of it stems from writing them in haste and not being able to go back and audit or analyze what they've done," Jones said. "What's nice about this space is that we're starting to see not just firewalls but also other devices that are starting to play into this mix of automation and things of that nature."
According to Jones, in 2011 his firm saw growth of 92 percent in net new clients, and increased bottom-line revenue by 70 percent in firewall management.
"It is one of the fastest, rapidly-growing segments within our portfolio," said Jones, who partners with firewall management vendor Tufin Technologies for his technology suite. "I can tell you over the last year the space has really changed. Customers are actually calling us now to come in and do POCs around these kinds of tools."
While it is difficult to track market numbers down for this specialized segment, Tufin for its part has seen wild success in recent years. Growth has exploded by over 6000 percent in the last five years and in 2011 it was named number one in the Deloitte Israel Technology Fast 50. All of that success has come through its channel and the firm brought in 40 more partners last year to top out at 200 by fourth quarter.
According to Jones, much of the success he's seen through his association with the firm comes around understanding the right pain points to highlight and finding ways to show customers that it is not a 'nice to have' product.
"I think in the past where the firewall optimization was looked at as 'a really nice tool and it organizes my rules.' But it's not a rule organizer--it is very much something that companies need to look at to make sure that firewall rules are written properly and it actually is a cost saving tool," Jones said. "Because when we go into clients and their firewall utilization is at 90 percent and they're looking at the next flavor of hardware, we can go in and say, let's first start with the firewall rule optimization and see how many rules are duplicates, how many shadow rules and let's clean this up. And when we do this, we can see almost a 40 to 50 percent reduction in throughput. Which actually helps them. They don't have to upgrade. The ROI built around the tool almost pays for itself."