- Despite talk about the death of the firewall, the technology remains strategic to large security vendors, prompting both significant internal development and big acquisitions.
- However, IBM remains out of that loop, and that could hurt its ability to compete as next-generation firewalls subsume standalone IPS products.
Despite talk of the demise of the firewall in recent years, there has been considerable movement in that market of late, and considerable resources have gone into it. Last month, HP launched its first firewall, opting to develop its own next-generation firewall using technology borrowed from its TippingPoint IPS and Digital Vaccine modules for application visibility and control. Earlier this year, McAfee plunked down $389 million in cash to acquire Stonesoft, giving McAfee its first stateful firewall to supplement its existing proxy-based firewall. Beyond that, Fortinet most recently raised the bar on firewall performance in the data center, where it sees significant growth opportunities owing to the large-scale data center network refresh going on across the globe.
IBM’s assertion is that customers should keep their existing firewalls, using them as they always have, and concentrate next-generation capabilities such as application visibility and control in a next-generation IPS (NGIPS). IBM shipped its first NGIPS, the IBM Security Network Protection XGS 5000, in the fall of 2012. At this point, all the leading IPS vendors have already integrated next-generation functions into their platforms.
With industry predictions that next-generation firewalls will subsume the standalone IPS market in coming years, will IBM’s strategy work? Early this year, at least one quant house suggested that the standalone IPS market has already begun to shrink. Moreover, in its group testing of IPS functionality within next-generation firewalls versus standalone IPS products, NSS Labs found little difference in the effectiveness of the two.
Still, there is another factor that could influence the direction that the market takes, and that’s politics. In many IT shops, the buying centers for firewalls and IPSs are separate entities, with the network operations team responsible for firewall buying decisions and the information security team responsible for the IPS. The question is: which group should or will end up taking on the responsibility for integrated application visibility and control and contextual threat awareness?
Should it prove out that there is no real tradeoff in effectiveness, performance, manageability, stability or resistance to evasion, then I think the economics of the equation could trump politics. Good integration of functions could allow a single view into network threats, eliminating the need for multiple consoles and the infrastructure required to deploy and operate separate products. That has the potential to reduce the cost of protecting the network and streamline security operations to allow quicker response to new and ever-changing threats.
What do you think? Has IBM painted itself into a corner with its strategy?