Is the firewall dead?

Not according to two of the top four selling vendors in the market. Both Juniper Networks and Palo Alto Networks have presented their vision for the evolution of the Firewall with their partners in early 2016 and their plans share some remarkable similarities!


Lets face it…. Even with the addition of so-called next generation features, firewalls are still only permitter protection devices that play the role of traffic cop between the network and the Internet or between network segments. They are limited to applying security policies against the visible packets that travel through them.

While this limits the firewall to a bit player in the total security of the network and its connected devices, firewalls have one feature that differentiates them from almost every other security appliance or solution: they are designed to block and reject attack traffic, rather than simply reporting on it. It is this unique feature that Juniper Networks and Palo Alto plan to extend both into the network and the cloud.


Lets take a closer look at how Juniper and Palo Alto see the future of firewalling.


Picture your firewall having access to all of your switching ports, routers or end devices, regardless of whether they are physical or virtual, or whether they are located on premise or in the cloud. Imagine them having the ability to isolate devices or applications that show signs of infection in the device or at the edge switching port.

Juniper’s vision leverages JunOS, Juniper’s operating system, which is common to its range of switching, and both their physical and virtual routing and security products. It envisions the SRX firewall extending its roles to include that of a security policy server, collecting data from the switching and routing appliances in the network and then applying policy on these devices.


Similarly, Palo Alto has the PA range of physical and virtual security devices being more closely integrated into their excellent Traps advanced endpoint security product. Again, this extends policy throughout the network.


Historically, firewall vendors have integrated the best of breed point solutions into their gateway appliances – think IDP, Network-based Anti-Virus, Proxy and SSL Decryption. These solutions have traditionally been run on the appliance, competing for resources and generally requiring some very careful resource planning to ensure that throughput targets are met. Additionally, updates to protect the business from new attacks were slow to be delivered, requiring the vendor to recognise that a new threat existed, template the attack and disseminate the appropriate defence to their client’s firewalls. To address these issues, both Juniper and Palo Alto are taking a three-pronged approach:


Firstly, by utilising cloud-based and on-premise VM CPU’s to provide services, load on the appliance is significantly reduced, while smart coding ensures that packets continue to be processed at an acceptable speed.


Secondly, although taking two very different approaches, both Juniper and Palo Alto are giving their appliances the ability to identify an attack and attackers prior to a serious breach by recognising attack vectors and identifying malware that is communicating with command and control servers.


Lastly, they are using the cloud to instantly and anonymously share attack data between client devices. Think of this as a herd-based defence strategy. While a Zero Day attack may successfully breach one appliance, all other devices attached to the cloud will be aware of the attack and block it. This approach has the ability to significantly reduce the impact of any given attack, increasing the bad actors cost vs. return.


ICT Networks is a partner of both Juniper Networks and Palo Alto Networks. If you want to know how these extended capabilities can assist you and protect your business assets, while also reducing operational expense, ask us how.