Sunday, April 14, 2013

The Emperor Would Like His Clothes Back Please!

There has been some discussion over on LinkedIn about the difference between NGFW and UTM and whether or not those terms are interchangeable. It seems the opinions vary depending on whether you are a) a confused customer, b) a vendor, or c) an analyst firm with a vested interest in perpetuating a distinction that no longer exists – if indeed it ever did. 
Well you know what they say about opinions… so here is mine: NGFW was always nothing more than UTM for the enterprise.
There, I said it! Yet even that distinction is being muddied as vendors geared up to sell and support SMB customers try to reposition themselves upmarket. The distinguishing factor here is not the technology, but the sales and support channels behind it.
Some vendors that have, historically, been focused on the SMB market, have now produced UTM technology that performs well enough to sit in front of a data center. And some of them have actually built effective enterprise sales and support channels to service their new customers. However, just because these things are now powerful enough to protect a data center doesn't mean they should.
Thing is, UTM/NGFW is really only for protecting users, not servers, and that is the main technological distinction. 

Our enterprise clients are firm in their belief that the NGFW/UTM can be deployed at the network perimeter to protect desktops, but in front of their servers in the data center they are still deploying separate boxes for firewall, IPS, SWG, etc.

You can, of course, disable one or more security features in a UTM/NGFW to make it into an IPS, SWG, and so on, and that is how many of these devices are being used.
One thing you cannot do with most of these devices, however, is turn off everything but the firewall and expect to have the equivalent of your legacy firewall. Too many of them rely on other security modules to beef up the firewall functionality, and generally they don't have the performance capabilities of a dedicated "legacy" device. We see that time and again in our tests at NSS. The dependency of the firewall on other security modules is the scariest feature of these devices, and the main reason why they will not (and should not) replace dedicated firewalls in the data center for the foreseeable future.

Because of these limitations, the “next generation” part of NGFW is not being bought into as much as vendors would have us believe, since many purchasers are actually disabling most of the features. In the networks belonging to most of the clients to whom we speak, even the much-vaunted application awareness capability is typically being used in passive mode to gain visibility, rather than in block mode to prevent attacks. 

Despite the limitations, these devices do have their place in the network, but please can we give the Emperor his clothes back now and call it like it is? NGFW = UTM. Period.
Then maybe we can get on with selecting the most appropriate technology/device to provide the protection we need at different points in our network and stop arguing over marketing terminology.
If you would like to read more about this, NSS subscribers can download the latest research by Andrew Braunberg and myself entitled “Next Generation Firewall: The Enterprise Story”. Follow me on Twitter (@bwalder) to keep informed as new research is released.