Sunday, April 14, 2013

The Emperor Would Like His Clothes Back Please!

There has been some discussion over on LinkedIn about the difference between NGFW and UTM and whether or not those terms are interchangeable. It seems the opinions vary depending on whether you are a) a confused customer, b) a vendor, or c) an analyst firm with a vested interest in perpetuating a distinction that no longer exists – if indeed it ever did. 
Well you know what they say about opinions… so here is mine: NGFW was always nothing more than UTM for the enterprise.
There, I said it! Yet even that distinction is being muddied as vendors geared up to sell and support SMB customers try to reposition themselves upmarket. The distinguishing factor here is not the technology, but the sales and support channels behind it.
Some vendors that have, historically, been focused on the SMB market have now produced UTM technology that performs well enough to sit in front of a data center. And some of them have actually built effective enterprise sales and support channels to service their new customers. However, just because these things are now powerful enough to protect a data center doesn't mean they should.
Thing is, UTM/NGFW is really only for protecting users, not servers, and that is the main technological distinction. 

Our enterprise clients are firm in their belief that the NGFW/UTM can be deployed at the network perimeter to protect desktops, but in front of their servers in the data center they are still deploying separate boxes for firewall, IPS, SWG, etc.

You can, of course, disable one or more security features in a UTM/NGFW to make it into an IPS, SWG, and so on, and that is how many of these devices are being used.
One thing you cannot do with most of these devices, however, is turn off everything but the firewall and expect to have the equivalent of your legacy firewall - too many of them rely on other security modules to beef up the firewall functionality, and generally they don't have the performance capabilities of a dedicated "legacy" device. We see that time and again in our tests at NSS, and the dependency of the firewall on other security modules is the scariest feature of these devices, and the main reason why they will not (and should not) replace dedicated firewalls in the data center for the foreseeable future. 

Because of these limitations, the “next generation” part of NGFW is not being bought into as much as vendors would have us believe, since many purchasers are actually disabling most of the features. In the networks belonging to most of the clients to whom we speak, even the much-vaunted application awareness capability is typically being used in passive mode to gain visibility, rather than in block mode to prevent attacks. 

Despite the limitations, these devices do have their place in the network, but please can we give the Emperor his clothes back now and call it like it is? NGFW = UTM. Period.
Then maybe we can get on with selecting the most appropriate technology/device to provide the protection we need at different points in our network and stop arguing over marketing terminology.
If you would like to read more about this, NSS subscribers can download the latest research by Andrew Braunberg and myself entitled “Next Generation Firewall: The Enterprise Story”. Follow me on Twitter (@bwalder) to keep informed as new research is released.

Tuesday, March 12, 2013

Artistic Interpretation Discouraged

It seems my recent blog post caused quite a stir. This came as something of a surprise to me, given that our Marketing Police spend a lot of time slapping vendors on the wrist over their various marketing exuberances, and our budget for cease and desist letters from our legal counsel is approaching the size of our testing budget!
So I was somewhat amused to observe the extent to which it was picked up by the press and the Twittersphere, including the ludicrous comments made by a certain vendor to try and explain away its poor performance in the test. It is always disturbing when a vendor chooses a PR offensive over protecting its customers by fixing security failings discovered in our tests.
After all, there is nothing remotely subjective about the SVM – it is based entirely on the test results. If you fail any of the tests it affects your position on the final graphic – simple as that. The only way to improve your position is to a) improve performance of the device, b) reduce the cost of the device (including management, updates, maintenance, etc.) thus improving the TCO, or c) FIX THE SECURITY PROBLEMS IN YOUR DEVICE!
Anyhow, I digress. Back to the original subject of the blog which, as you undoubtedly all know by now, was Check Point's alteration of the SVM graphic to remove some of its competitors. Was this a dumb thing to do? Undoubtedly. Was it against all of the terms and conditions under which we grant marketing rights? Absolutely. Did it affect the integrity of the underlying research? Categorically not.
Just to clarify. Check Point erased a couple of data points on the final graphic, and states this was due to an error made by an outside contractor in the rush to get things ready for RSA. However, it did not alter the data. It did not alter the position of its device, nor of any of the other devices alongside it. It did not (indeed, it cannot) alter the Product Analysis Report (PAR) nor any of the Comparative Analysis Reports (CARs) that serve up the data that is used to generate the final SVM.
While creativity and artistic interpretation are often very useful in the creation of a masterpiece of fiction, never forget that the original subject always remains unchanged by the ministrations of the artist :o)
Follow me on Twitter (@bwalder) to keep informed as new research is released or to gain insight into any new important works of fiction I may come across!

Thursday, February 28, 2013

Bending The Rules And The Truth

It is very important to us at NSS to ensure that we are scrupulously fair and impartial when it comes to running our public group tests and presenting the results. We take great pains to ensure that the test data is accurate and is reflected correctly in the finished reports on our Web site - reports that go through countless levels of peer review before they are published.
There are also some very strict guidelines all vendors must follow when reusing our reports and results in their own marketing efforts. For example, they are not allowed to alter our words, put words in our mouth, or change our graphics or the way we present results. And they are not allowed to say things like “NSS Labs says the AwesomeSauce 2000 is way better than the Craptastic 8 when it comes to blocking bad stuff in your network,” or “NSS Labs Ranks The Balloonicorn 8180X3cV1.23 Build 33 Number 1 In The Entire Universe.”
Because, when all is said and done, we didn’t! Did we?
Which is why it pains us greatly when vendors take liberties with our stuff. Like, say, reproducing the latest SVM graphic from our NGFW report and…. wait for it… removing the data points of its competitors. Surely no one would do that, would they?
Well, just in case they did, here is what the graphic should look like in all its unadulterated, unmodified glory. Just in case, you know, you should happen to come across another (unauthorized and unapproved!) version out there on the Interwebs.
So here you go….
Follow me on Twitter (@bwalder) to keep informed as new research is released or to see pictures of errant marketing folks getting caught red-handed altering stuff they shouldn’t!