The Next Step in Enterprise Firewall Evolution

By Bill McGee | May 02, 2016

Networks are evolving rapidly. The proliferation of devices, users, applications, and services has made the network edge more porous, while at the same time expanding the attack surface. And these remote devices and applications are now commonly accessing data center resources in a way unimaginable just a few years ago. Add IoT and Cloud to a highly mobile and distributed network, and you have created the perfect storm for disaster.

Security has evolved organically as well. But not in a way that complements the evolution of the network. Instead, it is not uncommon for organizations to have security solutions from dozens of different vendors installed inside their distributed infrastructure. These siloed security devices use different management tools, different sources for threat intelligence, and have no ability to share critical information. It’s something often referred to as the accidental security architecture. And when combined with the growing security skills shortage, it’s a complex and expensive recipe for human error and unseen security gaps where advanced threats often pass unnoticed.

Unfortunately, the attack technology used by cybercriminals is organized, responsive, and designed to share information, while the security installed in most networks is not. That attack technology is designed to circumvent and exploit the weaknesses inherent in your accidental security architecture.

What’s needed is a way to integrate your security technologies together to close the security gaps. They need to share threat intelligence, management, and orchestration. They need to intelligently collaborate to respond to threats. And they need to operate using open standards for enhanced interoperability with your existing and future security investments. And central to a cohesive, integrated security strategy is the Enterprise Firewall.

The Evolution of Firewalls

Firewalls have undergone significant change since Digital Equipment Corporation engineers wrote the first paper on packet filtering in 1988. Here is a brief breakdown of the evolution:

Packet Filters and Network Address Translation

Packet filtering and NAT are used to monitor and control packets moving across a network interface, apply predetermined security rules, and obscure the internal network from the public Internet.

Proxy Firewalling

A proxy firewall is an intermediary device that terminates connection requests on one side of the proxy and builds a new network connection on the other. Because no packets actually pass through the proxy firewall, it is able to filter out unauthorized or infected traffic, and completely obscure the internal network by removing any identifiable source information. This level of security comes with significant performance challenges.

Stateful Inspection

Stateful firewalling, also known as dynamic packet filtering, monitors the state of connections and makes determinations on what sorts of data packets belonging to a known active connection are allowed to pass through the firewall.
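
The difference between the packet filter described under "Packet Filters and Network Address Translation" and stateful inspection is easiest to see side by side. The following is an added example, not code from the original article or from Fortinet: a toy stateless filter and a toy stateful filter, both enforcing the same policy (LAN hosts may open TCP connections outbound, the Internet may never initiate inbound), run over a constructed sequence of packets. The `Packet` type, the filter classes and the RFC 5737 documentation addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "R"
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


def stateless_allow(pkt: Packet) -> bool:
    """Packet-filter decision that sees each packet in isolation.

    To let replies to outbound connections back in, a stateless filter has
    to permit inbound TCP with the ACK bit set (the classic 'established'
    rule). That bit is set by the sender, so any unsolicited inbound packet
    that carries ACK satisfies the rule."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Dynamic packet filter: records outbound connections in a state table
    and admits inbound packets only if they belong to a tracked connection."""

    def __init__(self) -> None:
        # key: (lan_ip, lan_port, remote_ip, remote_port)
        self.connections: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.connections.add(key)    # SYN from the LAN: new connection
                return True
            if key not in self.connections:  # other outbound must match a known flow
                return False
        else:
            # inbound: allowed only as the reverse direction of a tracked flow
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return False
        if "R" in pkt.flags:
            self.connections.discard(key)    # RST tears the connection down
        return True


def compare(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Run one packet sequence through both filters; returns
    (stateless_decision, stateful_decision) per packet."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]


# Constructed traffic using RFC 5737 documentation addresses (not captured data).
LAN_HOST, WEB_SERVER, REMOTE_PROBE = "192.0.2.10", "203.0.113.20", "198.51.100.7"
SCENARIO = [
    Packet(LAN_HOST, 40000, WEB_SERVER, 443, "S", "out"),    # LAN host opens HTTPS
    Packet(WEB_SERVER, 443, LAN_HOST, 40000, "SA", "in"),    # server's SYN/ACK reply
    Packet(LAN_HOST, 40000, WEB_SERVER, 443, "A", "out"),    # handshake completes
    Packet(REMOTE_PROBE, 4444, LAN_HOST, 22, "S", "in"),     # unsolicited SYN to SSH
    Packet(REMOTE_PROBE, 4444, LAN_HOST, 22, "A", "in"),     # unsolicited ACK-only packet
    Packet(WEB_SERVER, 443, LAN_HOST, 40001, "SA", "in"),    # known peer, untracked port
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SCENARIO, compare(SCENARIO)):
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags:2}] stateless={verdict(stateless):5} stateful={verdict(stateful)}")
```

Both filters agree on the legitimate handshake and on the unsolicited SYN. They part ways on the last two packets: the stateless rule admits an unsolicited ACK-only packet and a reply aimed at a port the LAN host never used, because the only evidence it can consult is bits the remote sender controls; the stateful filter denies both because neither matches a connection the LAN initiated. Real implementations also time out idle entries and track sequence-number windows, which this toy omits.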

Unified Threat Management (or UTMs)

As security solutions began to multiply, many organizations did not have the IT staff necessary to install, manage, and monitor the growing array of specialized security technologies. UTM devices combined many of the most critical security functions – firewall, IPS, VPN, gateway antivirus, content filtering, load balancing, etc. – into a single device, usually with a unified management console. While this is still a powerful solution for many smaller organizations, the challenges for growing enterprises include limited performance, a single point of failure, and deploying security across an increasingly distributed network environment.

Next-Generation Firewall (NGFW)

This term was coined by Gartner in late 2000 to describe a new sort of all-in-one security appliance based on the UTM model, but combined with enterprise-class scalability and performance, and a focus on granular inspection of Layer 7 application traffic.

The Next Firewall Evolution – The Fortinet Security Fabric

In spite of these advances in firewall technology, firewalls are still isolated security devices inspecting traffic passing through a single network chokepoint. This model grows less effective as networks become more distributed and borderless. Firewalls are still the basic building block of any security strategy, but now they need to be part of a tightly integrated, highly collaborative, and widely distributed security fabric.

  • Firewalls need to be deployed everywhere: At the Internet edge, in remote and branch offices, in the enterprise core for infrastructure segmentation and to secure the convergence of distributed networks, at the data center edge, inside the data center core (including traditional, virtual and SDN environments), and out in the cloud.
  • They need to leverage common global and local intelligence, share centralized management and orchestration, and consistently enforce policy anywhere across highly mobile, distributed, and virtualized network environments.
  • Because they can be deployed in a variety of architectures, Enterprise Firewalls need to be able to provide coordinated and seamless monitoring and response to threats from the network access layer up to the application layer.
  • They need to collaborate intelligently with other security technologies, such as web and email security, web application firewalls, sandboxes, anti-malware solutions, IPS and IDS, encryption and VPN, access control, DDoS, endpoint security, whether they are an integral part of the firewall, or specialized security devices, applications, or services distributed across the network.
  • And they need to interoperate with critical network technologies, such as switches, routers, load balancers, wireless access points, and server controllers, to collect and coordinate distributed network intelligence, broadly assess the scope and scale of any detected threat, and enforce policy as close to the detected problem as possible.

These new Enterprise Firewalls become the foundation on which organizations can build an intelligent and highly interactive security architecture. Fortinet has just announced such an architecture, called the Fortinet Security Fabric. It is a tightly integrated set of security technologies that can be woven into the network, designed to share threat intelligence, collaborate to provide coordinated threat response, and adapt dynamically to the changing threat landscape.

The Fortinet Enterprise Firewall plays a pivotal role in this new Security Fabric. Utilizing FortiGate’s common management and unified operating system, available in a wide variety of form factors, organizations can distribute consistent firewall security across the network. And its flexible API design allows it to interoperate across Fortinet’s entire portfolio of security solutions as well as its rich ecosystem of third-party alliance partners, without ever sacrificing performance or business functionality.

The answer to an increasingly complex network environment and sophisticated threat landscape cannot be compounding the accidental security architecture we already have in place. The best answer to complexity is simplicity, which is exactly what the new Fortinet Security Fabric is designed to deliver: evolved security designed for the next generation of digital business networks.

For more information on the Fortinet Security Fabric and the next generation of intelligent and collaborative Enterprise Firewalls, download Fortinet’s new white paper here.