Information Security
Tiero/stock.adobe.com
Weighing the future of firewalls in a zero-trust world
Cybersecurity pros have been predicting the firewall's demise for years, yet the device is still with us. But does it have a place in zero-trust networks? One analyst says yes.
In a classic, darkly comedic scene from Monty Python and the Holy Grail, a cart passes through a small medieval village collecting plague victims for burial. "I'm not dead," insists an elderly gentleman in a nightshirt, as a younger man loads him on the cart. "I feel fine! I'm getting better!"
The moment has arguably become less funny in light of the COVID-19 pandemic, but it neatly illustrates the longstanding plight of the firewall. Cybersecurity experts have been announcing its imminent demise for at least a decade, but the device is still with us. And according to John Burke, CIO and principal analyst at Nemertes Research, based in Mokena, Ill., the firewall actually will keep "getting better" in its role as a key player within zero-trust networks.
Information Security magazine spoke with Burke to discuss how he imagines the future of firewalls unfolding in tomorrow's zero-trust, software-defined world.
Editor's note: This interview has been lightly edited for length and clarity.
How do you view the future of firewalls as more and more organizations abandon the perimeter-oriented security model? Are firewalls and zero trust mutually exclusive?
John Burke: In a software-defined perimeter or zero-trust infrastructure, the firewall becomes a policy enforcement point. It's just another place in the network where traffic can be filtered, but the decisions about what gets filtered are all made in the context of zero trust.
So, are we actually talking about more firewalls throughout the network rather than just at the perimeter?
Burke: I think of firewalls in zero-trust environments as having tiered filtration, with coarse-grained filters that vastly reduce the amount of traffic the next layer in has to deal with and make decisions about. I don't get my raw drinking water from the reservoir outside of town. It goes through filtration at the water plant. When I bought my house, I found out it has a whole-house filter in place on the connection from the street, and I also have a filter in my refrigerator. So when I get water out of the fridge, it's been filtered at least three times since it left the reservoir. Network security is going to be more like that, whether you want to call those filters network-embedded policy enforcement points, firewalls or something else.
Many experts say the rise of zero trust means the death of firewalls. But you argue that in zero-trust environments, their role will evolve. Does the difference come down to semantics?
Burke: I think it does. In zero trust, is the firewall gone, or have you just distributed the firewall's functions? And if you've distributed its functions, is it really gone? People will say, 'There's no firewall in the network anymore,' but they're not relying on the naked endpoints in their data center or in their cloud infrastructure to filter every packet the internet might possibly send them.
John BurkeCIO and analyst, Nemertes Research
So, do you think the future of firewalls includes the term firewalls?
I think linguistically we'll hold onto the word firewall, even as our understanding of what it does and is changes. It's a handy two-syllable term to describe a traffic-filtering device. Our understanding of the firewall's context will change enormously, but it's much [easier to say] than policy-enforcement point, traffic-filtering device, microsegmentation appliance or anything else.
Do you anticipate organizations will buy firewalls as part of broader security architectures or as standalone products?
I think it's going to go through waves, and in the first wave, organizations will buy firewalls in an integrated context. One vendor will provide lots of the pieces; Palo Alto Networks is probably a good example. But over time, you'll see standards development and cross-vendor integration. In that scenario, Palo Alto might be at the center of your security infrastructure, but Dell or another vendor could make the firewall hardware or software that you're sticking at different pinch points in the network.
How does the future of firewall vendors look?
I think any vendor who just focuses on firewalls is going to be in trouble. We're seeing the leaders, such as Fortinet and Palo Alto, leave behind pure-play firewall thinking and expand their focus to include things like SD-WAN and the secure cloud access layer. I think anyone who doesn't broaden their range of functions is going to fall off the map.