The Home of the Security Bloggers Network
When enterprise firewalls were introduced in the mid-1990s, they served a critical function. By enforcing network connection policies, they made it possible for organizations to connect their still-evolving corporate networks to the internet. As threats expanded, more and more functionality was added to those devices. Encrypted connections were one of the first advanced capabilities to be incorporated in the firewall. IPSec was introduced to allow gateways, and eventually end users, to connect via VPNs.
Eventually, firewalls also incorporated IPS and web content filtering. Firewalls became multipurpose devices often bolstered with hardware acceleration to make all of those functions work effectively at higher throughputs.
When I published Secure Cloud Transformation in 2019, it was evident that the cloud was having a dramatic impact on network architectures. I interviewed fifteen IT security leaders who moved their application hosting to the cloud while also extending protection to end users by moving to a secure access service edge (SASE) model. In effect, the cloud displaced the data center as the internet displaced the corporate network.
I started watching the revenue numbers for the major firewall appliance vendors. If this new architecture were to become a global trend, then the SASE vendors would start to displace the hardware appliance vendors, and that would be reflected in disappointing revenue reports.
Palo Alto Networks and Fortinet are the two major pure-play appliance vendors that are easiest to track as they report revenue each quarter. Their revenue gains have remained healthy at around 24% a year. But the other giant hardware appliance vendor, Cisco, may be showing the first signs of weakness in their hardware sales.
Reporting from SDxCentral indicates that Cisco’s security business has fallen off a cliff.
“[T]he rate of revenue growth in Cisco’s security business has shrunk over the past few years while its competitors continue growing by double digits. That revenue dropped from 12% growth in 2020 to 7% growth in 2021, and now Cisco’s security business is at a 4% growth rate.”
Palo Alto Networks and Fortinet see what is happening and are rushing to introduce products that can fill the gap for SASE in their portfolios. Acquisition is one way to do that. Making your firewalls available as software-only running on a VM is definitely not the way to go.
Hardware appliance vendors have massive install bases they still support. The majority of those are going to be late adopters. Instead of rearchitecting for cloud transformation, these customers will continue to buy upgraded appliances. But cracks are starting to show in the security of those devices.
In early November, researchers at Randori, an attack surface management vendor, disclosed a vulnerability in PAN firewalls using the GlobalProtect Portal VPN. They claimed they found 70,000 such devices exposed on the internet using Shodan, but Palo Alto said that number is “only” 10,000.
The vulnerability allowed remote code execution, which Randori demonstrated; pretty much game over for a defender if an attacker can establish a beachhead on your firewall.
Hardware appliances are a single point of failure in older hub-and-spoke architectures. Vulnerabilities in VPN services are serious because the VPN choke point is what controls outside access to the corporate network.
Earlier in 2021, Pulse Secure, the spinoff of Juniper’s VPN business, experienced its own vulnerability that allowed remote code execution.
The Pulse Secure vulnerabilities caused CISA to issue warnings to government agencies and defense contractors:
“CISA is aware of at least five federal civilian agencies who have run the Pulse Secure Integrity Tool and have identified indications of potential unauthorized access.”
The CEO of Colonial Pipeline attributed their disruptive ransomware attack to compromised credentials in a “legacy VPN account,” which highlighted the fact that even without an exploit, VPNs are subject to attack with stolen credentials. Once a user (or attacker) is granted access via VPN, they are generally trusted.
There are solutions to these problems with VPNs. They require a new way of thinking. Zero-trust is the term applied to this new architecture. Instead of a single VPN gateway that grants trust as soon as a user complies with a policy, zero-trust takes the network out of the equation. It applies policies to users and applications. Watch the demos of zero-trust solutions at The Demo Forum here (register for free). It is no surprise that the Executive Order on Improving the Nation’s Cybersecurity from the Biden administration called on federal agencies to adopt zero-trust.
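To make the contrast between the two trust models concrete, here is an added illustration that is not part of the original post and does not describe any vendor's product. The users, passwords, applications, device states and the entitlement table are all constructed for the example. It models the VPN gateway as a single check at tunnel setup that then exposes every internal application, and the zero-trust evaluator as a per-request decision over identity, second factor, device posture and a per-application entitlement, with network location deliberately absent from its inputs.

```python
"""Added illustration of a perimeter (VPN) trust decision versus a
per-request zero-trust decision.

Everything here is constructed for the example: the users, credentials,
applications, device states and policy table are hypothetical.
"""
from dataclasses import dataclass

# Internal applications behind the hypothetical perimeter.
INTERNAL_APPS = frozenset({"payroll", "wiki", "build-server"})

# Per-user application entitlements used by the zero-trust evaluator
# (hypothetical policy table).
APP_POLICY = {
    "alice": frozenset({"payroll", "wiki"}),
    "bob": frozenset({"wiki"}),
}

# Credentials the gateway accepts. Plain strings only because this
# illustrates policy evaluation, not credential storage.
VALID_PASSWORDS = {"alice": "example-pass-1", "bob": "example-pass-2"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    password: str
    app: str
    mfa_passed: bool
    device_compliant: bool


def vpn_model(req: AccessRequest) -> frozenset:
    """Perimeter model: one check when the tunnel comes up.

    If the password matches, the session is on the network and every
    internal application is reachable, regardless of which app was
    requested or what device the session comes from.
    """
    if VALID_PASSWORDS.get(req.user) == req.password:
        return INTERNAL_APPS
    return frozenset()


def zero_trust_model(req: AccessRequest) -> str:
    """Zero-trust model: each request is evaluated on its own.

    Network location is not an input. The decision combines identity,
    a second factor, device posture and a per-app entitlement, and it
    returns a reason string so that denials are auditable.
    """
    if VALID_PASSWORDS.get(req.user) != req.password:
        return "deny:credentials"
    if not req.mfa_passed:
        return "deny:mfa"
    if not req.device_compliant:
        return "deny:device-posture"
    if req.app not in APP_POLICY.get(req.user, frozenset()):
        return "deny:not-entitled"
    return "allow"


def evaluate_both(req: AccessRequest) -> dict:
    """Run one request through both models for side-by-side comparison."""
    return {
        "vpn_reachable_apps": vpn_model(req),
        "zero_trust_decision": zero_trust_model(req),
    }


def stolen_credential_scenario() -> dict:
    """A valid password replayed from an unmanaged device without MFA."""
    return evaluate_both(AccessRequest("alice", "example-pass-1", "build-server",
                                       mfa_passed=False, device_compliant=False))


def lateral_move_scenario() -> dict:
    """The real user, fully verified, asking for an app she is not entitled to."""
    return evaluate_both(AccessRequest("alice", "example-pass-1", "build-server",
                                       mfa_passed=True, device_compliant=True))


def legitimate_scenario() -> dict:
    """The real user, fully verified, asking for an entitled app."""
    return evaluate_both(AccessRequest("alice", "example-pass-1", "payroll",
                                       mfa_passed=True, device_compliant=True))


if __name__ == "__main__":
    print("stolen credential:", stolen_credential_scenario())
    print("lateral move:     ", lateral_move_scenario())
    print("legitimate user:  ", legitimate_scenario())
```

In the stolen-credential case the VPN model returns every internal application, which is exactly the "generally trusted" behaviour described above, while the zero-trust evaluator stops at the missing second factor before the requested application is even considered. The lateral-move case shows the second difference: even a fully verified user is limited to the applications in her policy rather than to whatever is reachable on the network.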
The other side of the cloud transformation coin is providing next-gen protections for end users that hardware gateways used to provide. That is SASE. Think of SASE as a distributed (edge) secure web gateway where content filtering and access controls are applied.
Even though a new network architecture holds promise for a more secure future, it will be decades before the hardware appliance industry goes the way of the antivirus industry. In the meantime, look for continued high growth rates for zero-trust and SASE vendors while traditional network security suffers.
Richard Stiennon is the author of Security Yearbook 2021: A History and Directory of the IT Security Industry. He has held leadership roles at PwC, Webroot Software, Fortinet, and Blancco Technology Group. He was a Research VP at Gartner. He researches and reports on 2,615 IT security vendors. His clients are vendors, investment firms, and CISOs at large enterprises.