Since the idea behind this post is to look at the evolution of the firewall from Palo Alto Networks' point of view, I wish to introduce you to Nir Zuk, the founder and CTO of Palo Alto Networks, and how he looked at the need for firewalls at various points in time...
What is a Firewall?
A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone and a trusted zone.
Nir Zuk mentions that his entire career in security has required a constant EVOLUTION to keep up with changes in technology and to secure users, applications and data.
The Early Generations
Nearly 25 years ago, I was the principal developer of the industry’s first stateful inspection firewall. Those were the early days of the internet, and back then the prominent firewall technology was stateless access control lists (ACLs).
Firewalls date back to the early days of the internet as a means of controlling outside access to an enterprise's internal resources, as well as controlling communication from the on-premises network to the outside. The earliest form of firewall was indeed the 'Stateless Firewall'.
What were Stateless Firewalls?
It was the early 1990s when the first firewalls appeared on the horizon. These firewalls offered a basic set of simple RULES designed to control outside access to companies' internal resources. From a technology point of view, these firewalls were only packet-filtering systems: they inspected the information in each packet's header, simply by looking at the destination IP address, the protocol, and the port number used.
If the traffic did not match the packet filter's rules, the firewall would either drop the packet without any response, or reject the packet with a notification to the sender. That's all there was...
(Since) ACLs were not able to deal with the emergence of stateful applications, such as internet audio and video applications (or even good old FTP), so a new approach was clearly necessary. An attempt at using proxy technology proved futile, as proxies were too slow and had the tendency to break many of these applications. Stateful inspection proved to be both useful and secure, which is why it has since dominated the network security market.
What were Stateful Firewalls?
As you must have noticed, in those times internet radio and video applications emerged, and these applications required a constant communication session.
In response, the first-gen firewall quickly evolved into the stateful firewall and started to use 'stateful' filters, which kept track of connections between computers. These firewalls were capable of retaining data packets until enough information was available to make a judgment about their state. They also added a 'connection state' rule that made filtering easier, since the firewall could determine whether a packet was part of a new or an existing connection. It worked perfectly, and it still works very well.
These early generations of firewall are collectively called 'First-Generation' firewalls.
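To make the difference between the two first-generation designs concrete, here is an added example (not code from the original post or from any vendor): a toy stateless packet filter next to a toy stateful filter with a connection table. The rules, the addresses 198.51.100.7 and 10.0.0.5, and the packets are all constructed for illustration. The stateless ACL permits the client's request to the web server but has no rule for the server's reply, so it drops the second half of a session it has just allowed; the stateful filter's 'connection state' check passes that reply while still dropping an unsolicited packet from the same server.

```python
# Added example (not from the original post): a toy first-generation packet
# filter beside a toy stateful filter. Rules, addresses and packets are all
# constructed for illustration; the logic shows why a stateless ACL cannot
# pass the reply half of a session it has just permitted.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag: the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    dst_ip: Optional[str]      # None acts as a wildcard for that field
    proto: Optional[str]
    dst_port: Optional[int]
    action: str                # "allow", "drop" (silent) or "reject" (notify sender)

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst_ip is None or self.dst_ip == pkt.dst_ip)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


# Constructed rule set: allow web traffic to one internal host, explicitly
# reject telnet to it, and drop everything else (the implicit default).
RULES: List[Rule] = [
    Rule("10.0.0.5", "tcp", 80, "allow"),
    Rule("10.0.0.5", "tcp", 23, "reject"),
]

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


def stateless_filter(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Stateless ACL: every packet is judged on its own header, first match wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


class StatefulFilter:
    """Adds a connection table so replies to permitted connections are passed."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.connections: Set[Flow] = set()

    @staticmethod
    def _flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> str:
        # Connection-state rule: anything belonging to an established flow,
        # in either direction, is passed without consulting the ACL again.
        if self._flow(pkt) in self.connections or self._reverse(pkt) in self.connections:
            return "allow"
        # A TCP flow may only be opened by a SYN; any other unsolicited packet is dropped.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        action = stateless_filter(pkt, self.rules)
        if action == "allow":
            self.connections.add(self._flow(pkt))
        return action


def demo() -> dict:
    """Run one web session through both filters; returns the verdicts per packet."""
    client, server = "198.51.100.7", "10.0.0.5"          # constructed addresses
    request = Packet(client, server, "tcp", 40000, 80, syn=True)
    reply = Packet(server, client, "tcp", 80, 40000)     # the server's answer
    stray = Packet(server, client, "tcp", 80, 40001)     # unsolicited packet
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (request, reply)],
        "stateful": [stateful.filter(p) for p in (request, reply, stray)],
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the stateless verdicts as allow then drop, and the stateful verdicts as allow, allow, drop. The practical consequence is the one the post describes: with a pure ACL, an administrator has to open a second rule for return traffic to high client ports, which is exactly the kind of broad hole the connection table makes unnecessary.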
Almost 15 years ago, it became apparent that the explosion in the number of internet applications was challenging stateful inspection, so taking a new approach was again necessary. Early attempts at responding to the challenge with proxy technology emerged (for the second time!)...(continued)
The Second Generation: Unified Threat Management
You have noticed that there was an explosion in the number of internet applications, so much so that it challenged even stateful inspection. Right?
In response, new solution approaches were conceived. Since there was a great need to recognize all sorts of 'new applications' in the early 2000s, many vendors added an 'Application Visibility' feature, along with an enhanced set of security features, to their existing 'stateful' firewalls. These products were called UTM devices.
UTM firewalls generally combined stateful firewall, gateway antivirus, and intrusion detection and prevention capabilities into a single platform.
So many disparate network-security technologies were brought together into a single appliance for ease of deployment and lower cost. But there was no built-in (native) integration between these different modules, and that led to many gaps in security. They also resulted in low performance and complex policy management.
Nir Zuk elaborates further--
.....However, they failed once more due to the proxy’s inherent poor performance and its inability to inspect all types of network traffic. I felt I had to fix the firewall again, which led me to start Palo Alto Networks and build a replacement for stateful inspection – the 'App-ID-based' Next-Generation Firewall – which today is, by far, the leading firewall in the market.
The Third Generation: Next-Generation Firewalls
In 2008, Palo Alto Networks delivered the industry’s first next-generation firewall (NGFW).
These next-generation firewalls were radically different from the last generation of UTMs. True NGFWs came with built-in (natively integrated) capabilities. These NGFWs were, and are, aware of content, applications and users, and provide IPS, web security and more, in addition to the fundamental 'stateful' firewall capabilities.
Most importantly, NGFWs offered user identity awareness and protection. This is still highly significant since, according to the 2020 Verizon Data Breach Investigations Report (DBIR), 80% of hacking breaches involved brute-force or the use of lost or stolen credentials.
Given the current context, modern NGFWs provide deep visibility and control based on application, user, and content. They also offer support for secure, encrypted traffic via SSL/TLS decryption technology, ensuring that sensitive data is readable only between trusted entities.
Plus, NGFWs are able to detect and prevent advanced attacks by identifying evasive techniques and automatically counteracting them. Antivirus and malware protection is updated automatically as new threats are discovered, helping to keep networks safer than ever. Finally, NGFWs also offer deployment flexibility, being available in both physical and virtual form factors to fit a variety of deployment scenarios and performance needs.
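The shift from port-based rules to rules expressed in terms of application and user is the core of what the post calls App-ID. The following added example (not code from the original post, and not Palo Alto Networks' own App-ID implementation) contrasts a port-based policy with a toy application-aware one. The payload signatures, the users alice and bob, their groups, and the rule base are all constructed assumptions; real products identify applications with far richer signatures and decoders than the three checks shown here.

```python
# Added example (not from the original post, and not Palo Alto Networks' App-ID
# implementation): a toy application-aware policy beside a port-based one.
# The payload signatures, users, groups and rules are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    user: str          # identity the firewall has mapped to the source address
    dst_port: int
    payload: bytes     # first bytes the client sent on the connection


def identify_app(payload: bytes) -> str:
    """Classify the application from content, ignoring the port it rides on."""
    if payload.startswith(b"SSH-"):                    # SSH version banner
        return "ssh"
    if payload[:2] == b"\x16\x03":                     # TLS handshake record
        return "ssl"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):  # plain HTTP
        return "web-browsing"
    return "unknown-tcp"


def port_based_policy(session: Session) -> str:
    """Stateful/UTM-era rule: ports 80 and 443 are 'web', so they are allowed."""
    return "allow" if session.dst_port in (80, 443) else "drop"


# Constructed directory mapping and NGFW-style rule base.
GROUPS: Dict[str, str] = {"alice": "finance", "bob": "engineering"}
# (user group, application, action); first match wins, default deny.
APP_RULES: List[Tuple[str, str, str]] = [
    ("finance", "web-browsing", "allow"),
    ("finance", "ssl", "allow"),
    ("engineering", "web-browsing", "allow"),
    ("engineering", "ssl", "allow"),
    ("engineering", "ssh", "allow"),
]


def app_aware_policy(session: Session) -> str:
    """NGFW-style rule: decide on (who, which application), not on the port."""
    group = GROUPS.get(session.user, "unknown")
    app = identify_app(session.payload)
    for rule_group, rule_app, action in APP_RULES:
        if rule_group == group and rule_app == app:
            return action
    return "drop"


def compare(session: Session) -> Tuple[str, str, str]:
    """Returns (identified app, port-based verdict, application-aware verdict)."""
    return identify_app(session.payload), port_based_policy(session), app_aware_policy(session)


# Constructed sample: an SSH client talking on TCP/443 from a finance user.
SSH_ON_443 = Session("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n")
# Constructed sample: a genuine TLS ClientHello on 443 from the same user.
TLS_ON_443 = Session("alice", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03")

if __name__ == "__main__":
    for s in (SSH_ON_443, TLS_ON_443):
        print(s.user, s.dst_port, compare(s))
```

The port-based policy cannot tell the two sessions on port 443 apart and allows both; the application-aware policy identifies the first as SSH and, because the finance group has no rule permitting SSH, drops it, while an engineering user running the same thing would be allowed. The same session table is also what gives the user-identity awareness mentioned above: the verdict depends on who is behind the source address, not only on where the packet is going.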
ML-Powered NGFWs
In 2020, Palo Alto Networks introduced (perhaps the industry's first) ML-powered NGFW. It leverages machine learning to deliver proactive, real-time, inline zero-day protection.
This NGFW does not take a reactive approach to security like earlier generations of firewalls; it takes a totally PROACTIVE approach. This firewall uses machine learning models to identify variants of known attacks as well as many unknown cyberthreats, so organizations can prevent the majority of zero-day malware inline.
It provides complete device visibility, behavioral anomaly detection, and native enforcement to secure IoT devices without the need for additional sensors or infrastructure. As it collects a wide variety of telemetry from the network, the ML-Powered NGFW recommends appropriate security policies to you.
For example, your organization can view and adopt the IoT security policy 'recommendations' for safe device behavior. This helps you save time, reduce the chance of human error, and better secure IoT devices.
In essence, the ML-Powered NGFW uses machine learning and analytics to continuously learn and proactively improve your enterprise’s security posture across multiple fronts.
But I would refrain from calling it a fourth-gen...
Is there anything YET TO COME?
Today we are witnessing yet another change in applications that is driving yet another change to network security. This time, applications are moving from corporate data centers to the cloud – both SaaS and public cloud. Cloud adoption is challenging firewall architecture again and requires me to respond. And yes, early attempts at solving the challenge are happening with a proxy, which are failing for the same reasons they did before.
It’s time to fix network security. Again.
Over the last few years, most companies have assembled a mixture of security infrastructures. For example:
You have security implementations to secure the data to and from your branch offices. You do this by backhauling all traffic from all branches to your corporate datacenter(s) via MPLS, and all internet traffic is then routed from there THROUGH your company's deployed security stack (read: all security arrangements).
Then your network security infrastructure is also expected to allow remote access into the corporate data center. Right?
As more and more applications move to the cloud, your old method of forcing all branch, user and partner TRAFFIC back through your corporate headquarters or data centers no longer makes sense. Don't you think it would make much more sense if you could deliver the same network security stack from the cloud, so that traffic already destined for the cloud does not have to hit your corporate network at all? No doubt, far less traffic would then need to go to your corporate datacenters.
Thus the point is that by delivering the same network security from the cloud, you can protect users, applications and data regardless of where they are.
This model was proposed by Gartner itself in the form of 'SASE', and it made perfect sense to the security industry. In fact, many good SASE offerings are already in the market.
SASE = Secure Access Service Edge
"The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises....SASE is able to meet the demands of cloud and mobile environments, addressing the challenges with traditional network and security architectures."
Nir Zuk shares his opinion very frankly:
I agree with this concept, and in my mind, it’s relatively simple. SASE is the convergence of different access and network security methods into one cohesive platform. Perhaps most importantly, however, this cohesive platform must ensure a seamless user experience. It must be built on a high-performance global network, which is beyond the capability of most smaller vendors. SASE demands a level of integration that’s unprecedented in the security industry. It’s unlike other approaches in the fragmented security industry, which has extremely low barriers to entry.
Hello guys, I am finishing this post here, without adding any closing remarks from my side. It is up to you to contemplate all this. Thanks.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here helps you in some manner.
Life is short, so make the most of it!
Also take care of yourself and your beloved ones…
___________
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts there.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM