Gartner's John Pescatore blogged about his view on the future of firewalls today. Many pundits have opined about enterprise deperimeterization. Not so, says Pescatore, although the functionality of the firewall is changing to respond to the changes in technology and the threat landscape. Gartner calls this new technology "next-generation firewalls."
It is really just border control – we don’t declare countries “deperimeterized” because airplanes were invented, we extend border control into the airport terminals.
Unfortunately every firewall vendor in the industry has jumped on the term. So in order to help you separate marketing fluff from reality, whenever you are speaking to a firewall vendor, be ready with these questions:
- How have you adapted your stateful inspection engine in your next-generation firewall?
- When in the firewall's packet/session analysis is the application detected?
- Is all packet analysis performed in a single pass?
- How does your appliance hardware support your analysis approach?
- Is there a single user interface for all aspects of policy definition?
- What is the degradation in performance as functionality is turned on?
If you like the answers, ask for one more thing: show me.