What has happened to network security innovation?

August 27th, 2008

Does anyone out there share my feeling that innovation in network security has become quite scarce? I mean, look at it – the core of network security, the almighty firewall, hasn’t changed in almost 15 years. It is still using the same good old Stateful Inspection to inspect and control traffic, which means that it can only control port-specific applications, while most applications today do not use an assigned port number. Its functionality hasn’t changed that much either. Now that I think about it, the most recent attempts at innovating with network security functionality have failed as well – virtually all NAC companies are struggling, ILP or DLP, or whatever leakage prevention is called today, hasn’t taken off, and point technologies such as IM control, worm mitigation and botnet elimination are not doing any better.
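To make the port-versus-application point concrete, here is an added example (not code from the original post) that runs a port-keyed stateful-style policy and a simple payload-based application identifier over a few constructed flows; the signatures and sample payloads are simplified assumptions for illustration.

```python
# Added example: port-based policy vs. application identification.
# Flows, signatures and policies below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sends (constructed sample)


# Classic stateful-inspection style policy: decision keyed on destination port only.
PORT_POLICY = {80: "allow", 443: "allow", 22: "deny", 6881: "deny"}


def port_based_decision(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dst_port, "deny")


# Application identification from the first payload bytes (simplified signatures).
def identify_app(payload: bytes) -> str:
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):  # pstrlen=19 + pstr
        return "bittorrent"
    if payload.startswith(b"\x16\x03"):  # TLS handshake record header
        return "tls"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    return "unknown"


# Application-aware policy: decision keyed on what the traffic actually is.
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "deny",
              "bittorrent": "deny", "unknown": "deny"}


def app_based_decision(flow: Flow) -> str:
    return APP_POLICY[identify_app(flow.payload)]


# Constructed flows: two of them hop onto "web" ports to slip past a port rule.
SAMPLE_FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow(443, b"SSH-2.0-OpenSSH_7.4\r\n"),              # SSH on the HTTPS port
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8),  # P2P client on port 80
    Flow(22, b"SSH-2.0-OpenSSH_7.4\r\n"),               # SSH where expected
]


def compare(flows):
    """Return (port, identified app, port decision, app decision) per flow."""
    return [(f.dst_port, identify_app(f.payload),
             port_based_decision(f), app_based_decision(f)) for f in flows]
```

Running `compare(SAMPLE_FLOWS)` shows the port policy allowing the SSH and BitTorrent flows that moved onto ports 443 and 80, while the application policy denies them.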

So I am asking myself, how come we are still spending so much money – estimated to be $5B/year – on 15-year-old firewalls? What makes us avoid innovative technologies? And why is it that we do not demand innovation from our firewall vendors?

Actually, these questions are somewhat easy to answer. Why are we still buying firewalls? Because everybody knows they need a firewall and there is no better alternative – or is there? Why are we avoiding innovative technologies? Because we are tired of the appliance fatigue caused by the number of appliances we need to buy, install, manage and support to achieve our network security goals. And why aren’t we demanding more innovation from our firewall vendors? Because we know they cannot innovate – they are big and slow and they haven’t read The Innovator’s Dilemma, which basically means that they believe that if they pump R&D money into innovating, their stock price will be punished…

So what do we do? As we all need firewalls and none of us want to purchase additional security appliances, my conclusion is: network security innovation must be in the firewall. And The Innovator’s Dilemma leads me to conclude that a new firewall will come from small and innovative companies, not from our existing firewall vendors…

More on that later…

Nir.


Firewall

  1. Chris
    September 4th, 2008 at 16:24 | #1

    Agreed…

    If we saw anything from the innovations at Netscreen (good work by the way, I was a user for many years), it’s that the innovators take the market lead.

    Get the features that so many desire at the gateway into one piece of metal, and you will take the market by storm!!

    It is my belief that the term firewall needs to be put to rest, and replaced with something like “intelligent gateway guardian”.

    Why people don’t demand innovation is beyond me. But many other market spaces are in the same stagnant state, from Automobile manufacturing, to Zoological gardens. Keep it in the “box” and people will buy – Give them something new and innovative and they will buy in droves!!!

  2. September 4th, 2008 at 19:59 | #2

    I am with you that we don’t see many new innovations in the network security field, but I don’t think it’s as dull as you describe here.

    After stateful firewalls, some minor innovations came to life, such as Application or Deep Inspection, and later on the UTMs.
    Ok, people may argue that the UTM isn’t a new technology as it is a mix and match of many legacy technologies. But the point is that it offered solutions to many problems that legacy firewalls failed to solve, such as identifying port-hopping applications (IMs and P2P) as well as stopping some application layer attacks such as viruses and spam.

    Back to your point, I don’t think this lack of innovation will last for long. The point is that computer processors are getting cheaper and more powerful, and new open source Linux-based firewalls and security software are now more mature. And that’s why we are going to see zillions of cheap PC-based firewalls in the coming few days, so the major network security vendors will be forced to offer new technologies in order not to lose the small to medium size enterprise market.

    Also in the service providers market they have to focus more on SaaS, where S here stands for Security, as these guys are desperate to find new revenue sources. They shall focus now on how to fulfill their MSSP needs (something beyond the Virtual Systems and VDOMs). Also they shall start to build tools that can give the ISPs the ability not just to identify P2P traffic, but also to integrate the network security devices with their billing and quota-management systems.

  3. September 16th, 2008 at 20:27 | #3

    Interesting post, Nir. I agree that there is a lack of innovation and existing vendors are stuck in a rut. I started blogging on it at http://www.napera.com/blog/?p=16

    The major innovation IMHO right now is moving a lot of functionality into the cloud in the SaaS model that Tarek mentioned above. Apart from my own company, Perimeter eSecurity is a good example of SaaS solutions for the SME market.

    I think the entire UTM space is overdone. Vendors put a lot of effort into piling UTM features on the edge of the network with a big heavy appliance, and it turns out a lot of the functionality they thought they were protecting (email, Web apps) is moving into the cloud. The UTM model was a good idea ten years ago, but it seems fewer customers are actually buying many of the UTM options these days.

  4. Kanwal Sohal
    December 24th, 2008 at 12:20 | #4

    Innovation is a result of market demand and personal vision. Firewalls have delivered and continue to deliver today an important first line of defence and last line of defence. What has changed is the question of what else can be done. Protecting users and assets from harm does rely on defence in depth and cannot be centrally protected from a single appliance deployment. Application visibility/control is a good next step for Lan-2-Cloud security. You may end up addressing one concern but at the same time raising another concern. Web2 and real-time communication will continue to dominate and challenge our views on security. The question is how do we create “a ring of steel” around our corporate assets without over-burdening the networks/operations team with complex policies and controls?

  5. April 15th, 2009 at 00:58 | #5

    Excellent site, it was pleasant to me.

  6. Anoop
    April 19th, 2009 at 08:10 | #6

    Tarek,

    That’s true… But I believe SaaS is still a lot more hype than what is really around. Security, SLAs and Data Protection Agreements around SaaS still need to mature a lot. Every week, you get to hear of new data breaches. You can afford to press F8 and skip reading the licensing and terms & conditions while getting your biz app installed in-house… But you can’t afford to do that while signing up for SaaS (both S for Security & Software). One may argue that SaaS gives you the same level of security as in an internal data center. But it will never be such a target for attackers when it’s in the cloud.

    Chris,

    You have a great point here, which I too have experienced while talking to customers. It’s really hard to change the 15-year-old perception that ‘today’s Firewalls are doing what they are supposed to do’ – though the security landscape has taken a 360 degree change. It would be wiser to approach the industry with a different punch line, ‘We need something different’, and give some better names like what you said, ‘intelligent gateway guardian’ or ‘Business Protection Gateway’ etc.!

    Even then, the moment we say this new product ‘still’ supports NAT and port blocking, you are putting them back to square one on their perception… :)
