Word Notes 6.22.21
Ep 55 | 6.22.21

next generation firewall (noun)

Rick Howard: The word is: next generation firewall.

Rick Howard: Spelled: next as in forthcoming, generation as in version, and firewall as in barrier.

Rick Howard: Definition: A layer seven security orchestration platform deployed at the boundary between internal workload slash data storage and untrusted sources that blocks incoming and outgoing network traffic with rules that tie applications to the authenticated user and provides most of the traditional security stack functions in one device or software application.

Rick Howard: Example sentence: As either hardware devices or as software applications, next generation firewalls allow the security practitioner to logically segment the network and orchestrate the security policy across all data islands: data centers, office space, SaaS applications, and hybrid cloud deployments.

Rick Howard: Origin and context: Who gets credit for inventing the firewall is one of the great internet spats between some of our founding fathers in the security community. As with most technological advancements, though, the origination of the idea hardly ever comes from the work of one person working in the garage by themselves. As Walter Isaacson describes in his book, "The Innovators," published in 2014, most times, these lone geniuses sample the previous work of other researchers, devise the next step, and then work with other collaborators who can do the things they can't do to bring the creation to life. This is also true for the invention and evolution of the firewall.

Rick Howard: As an idea, the firewall began in the 1980s at the Digital Equipment Corporation, or DEC for short, with their Screen D technology. By 1992, Marcus Ranum led the effort at DEC to launch the DEC SEAL commercial product based on the open-source Gauntlet firewall.

Rick Howard: Soon after, AT&T Bell Labs' Bill Cheswick and Steve Bellovin, in an effort not to prevent bad guys from getting in but to prevent data from getting out, flipped the firewall rule structure from allowing everything in and denying by exception, to denying everything and allowing only by exception. In 1994, Marcus Ranum, along with Wei Xu and Peter Churchyard, released the first proxy firewall, the first firewall to block traffic based on applications.

Rick Howard: But by the mid-1990s, Check Point had become the dominant firewall vendor with their version of a stateful inspection firewall, a relatively easy-to-configure device compared to the competition, that allowed blocking rules based on IP addresses, ports, and protocols. A young Nir Zuk was the lead developer of that new product. In 1999, Zuk left Check Point to start his own company in the United States, OneSecure, and to develop a deep packet inspection firewall, the harbinger of the next generation firewall. Juniper bought OneSecure in 2004, and Zuk left the next year, in 2005, to found Palo Alto Networks. By 2007, Palo Alto Networks had released the first next generation firewall, and their competitors followed their lead soon after.

Rick Howard: By 2010, firewall vendors started releasing security stack subscription services, delivered from the firewall, designed to replace the traditional serialized hardware security stack like intrusion prevention and malware analysis. This innovation turned the next generation firewall into a security orchestration platform and a hybrid SaaS product that could do stateful inspection, application layer blocking, and a range of other traditional security stack functionality.

Rick Howard: As of 2020, the Gartner Magic Quadrant lists next generation firewall leaders as Palo Alto Networks, Fortinet, and Check Point; challengers as Cisco, Juniper, and Huawei; and visionaries as Forcepoint and Sophos. All of them are application firewalls that sell security stack subscriptions.

Rick Howard: Nerd reference: In an interview with Katie Teitler at TAG Cyber in February 2021, Marcus Ranum, the lead developer of the Gauntlet firewall in 1992 and one of the creative forces behind DEC's proxy firewall in 1994, gave his typical tertiary response to the question of whether or not he should be considered the grandfather of the firewall idea.

Katie Teitler: Probably everybody who's watching at least knows of you. They should; you're probably most well-known for being an inventor of the firewall. I know you grimace a little bit at being called the grandfather of the firewall, but a lot of people think of you that way.

Marcus Ranum: Well, it had a lot of grandparents. But yeah, I was one of them.

Rick Howard: Spoken like a man who is totally over one of the early internet spats in our cybersecurity history.

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.