The Firewall: Questions abound about its future role in cloud, mobile and SDN environments

It’s been 20 years since Check Point FireWall-1 made firewalls mainstream.

It’s been 20 years since Check Point Software Technologies shipped its first enterprise network firewall, marking the beginning of a mass market for firewalls that has since protected millions of networks across the world.

Check Point’s FireWall-1, which debuted at NetWorld+Interop in 1994, wasn’t the first network firewall, of course. Firewalls had begun to take shape with the rise of the Internet. Throughout the ’80s and ’90s, companies and universities saw a need to block unwanted IP traffic with perimeter gateway barriers they could build themselves. In that era they sometimes “rolled their own” on routers or other gear, until vendors eventually came to their rescue with firewall products that spared them that labor.


Marcus Ranum, now chief security officer at Tenable Network Security, is regarded as the most prominent of the early commercial firewall innovators, for his 1990 design of the DEC SEAL firewall and his work at Trusted Information Systems on the Gauntlet firewall and the TIS Firewall Toolkit. TIS, founded in 1983 by former National Security Agency employee Steve Walker and focused on high-security government customers, was sold to Network Associates (later McAfee) in 1998. Other early efforts, such as the Raptor firewall, existed as well. But it was the launch of Check Point’s FireWall-1 that ended up creating a mass market, soon joined not only by the big network vendors such as Cisco and Juniper but by a host of other players, such as WatchGuard.

It was Check Point that gained steam while TIS didn’t. Ranum mulls why that may have been so: “The proxy firewalls that ruled the technology at the time required some analysis of the application protocol, and the design of a gateway system to parse, process and filter the layer-7 traffic going through them,” Ranum points out. “This took time — development time to produce a proxy, and processor time in the firewall’s CPU to do the analysis. When the Internet bubble began, Check Point really took off because they didn’t do any layer-7 analysis and it was easy to write a rule to let traffic through. New applications were popping up all over the place and Check Point’s ability to respond (and their performance story — it’s easy to be fast if you don’t do much!) made them a much easier sell. They also had Sun and the Sun reseller channel behind them — so they crushed everyone with a combination of being in the right spot and having technology that was fast and offered basic, adequate security.”

“Stateful inspection was fast and easy,” says Scott Montgomery, CTO at Intel Security, who remembers those days, saying the Gauntlet firewall was relegated to only the most high-security networks.

In those early years the TIS Toolkit proxy firewall didn’t gain widespread adoption because “it was so hard to maintain a proxy firewall,” says Matt Howard, now at Norwest Venture Partners, who helped develop Network Translation’s PIX firewall, later acquired by Cisco.
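To make the trade-off Ranum, Montgomery and Howard describe concrete, here is an added example written for this article (it is not code from Check Point, TIS or any other vendor): a toy stateful packet filter that admits traffic on connection state alone, next to a toy HTTP proxy that parses the request line before forwarding anything. The addresses, ports and packets are constructed, and the rule and connection-table formats are deliberate simplifications of what a real product keeps.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP header view; only the proxy ever looks at the payload (constructed data)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


@dataclass
class StatefulFilter:
    """Stateful inspection: a rule admits the first SYN, everything after rides on the connection table."""
    rules: set                                  # {(dst_ip, dst_port)} permitted for new connections
    table: set = field(default_factory=set)     # tracked 4-tuples (client, cport, server, sport)

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW"          # established connection: no payload inspection at all, hence fast
        if pkt.syn and not pkt.ack and (pkt.dst, pkt.dport) in self.rules:
            self.table.add(fwd)     # open the pinhole so the reply traffic is admitted
            return "ALLOW"
        return "DROP"               # unsolicited, or outside the rule set


def http_proxy_decide(payload: bytes) -> str:
    """Application-layer proxy: parse the request line, forward only well-formed plain GET/HEAD requests."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return "DROP"               # not even the shape of an HTTP request line
    method, target, version = parts
    if method not in (b"GET", b"HEAD"):
        return "DROP"
    if not target.startswith(b"/") or b".." in target:
        return "DROP"               # reject absolute-form and traversal-looking targets
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "DROP"
    return "ALLOW"


def demo() -> dict:
    """Run both engines over a constructed exchange between a client and a web server."""
    fw = StatefulFilter(rules={("10.0.0.5", 80)})
    client, server = "192.0.2.10", "10.0.0.5"
    syn = Packet(client, 40000, server, 80, syn=True)
    syn_ack = Packet(server, 80, client, 40000, syn=True, ack=True)
    stray = Packet(server, 80, "192.0.2.99", 40000, syn=True, ack=True)   # nobody asked for this
    garbage = Packet(client, 40000, server, 80, ack=True, payload=b"\x00\xfe not http at all")
    good_http = Packet(client, 40000, server, 80, ack=True,
                       payload=b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
    return {
        "syn": fw.decide(syn),                               # rule match: ALLOW, table entry created
        "syn_ack": fw.decide(syn_ack),                       # reply to tracked connection: ALLOW
        "stray": fw.decide(stray),                           # no rule, no table entry: DROP
        "garbage_stateful": fw.decide(garbage),              # stateful engine passes it: ALLOW
        "garbage_proxy": http_proxy_decide(garbage.payload), # proxy parses it and refuses: DROP
        "good_http_proxy": http_proxy_decide(good_http.payload),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The point of the contrast is the fourth packet: once the three-way handshake has been admitted, the stateful engine never looks at bytes again, which is exactly why it is fast and why a layer-7 proxy had to be written and maintained per protocol to catch the same traffic.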

Back then, “everyone thought the firewall would be killed — the router would subsume the firewall,” says Howard. But that didn’t happen. Infrastructure providers Cisco and Juniper certainly sell firewalls in routers and switches.

But Gartner estimates that enterprises tend not to rely on that approach for their core firewall purchases. Though it faces tough competitors, Check Point continues to top the firewall appliance market with a 22% share, by Gartner’s estimate. By consultancy IDC’s reckoning, Cisco may have slightly more than 21% of the market.

Check Point is “one of the stalwarts of the firewall group” and the two have been rivals for a long time, says Scott Harrell, vice president of product management for security at Cisco. “They’re a formidable competitor and we see them in many accounts.”

Gil Shwed is co-founder and CEO of Check Point, which began with help from Israeli tech investor Shlomo Kramer and vice chairman Marius Nacht. Shwed says he agrees with many of Ranum’s points about that era, noting that Check Point’s strong suit was its stateful inspection engine and simple graphical interface. Check Point FireWall-1 ushered in a “turning point” that turned a “niche” into “a mainstream,” he says. He adds that he holds Ranum, a recognized pioneer in the field, in high regard.


Check Point's FireWall-1 firewall management console back in 1994 when it was introduced.

Shwed says his own ideas about firewalls began to come together long before Check Point was founded, while he was serving in the Israeli army and was busy connecting networks.

Corey Nachreiner, director of research and strategy at WatchGuard, agrees that Check Point’s FireWall-1 can be considered the “first real commercial run” at a firewall. He notes that Check Point early on was software-based while WatchGuard differentiated its early Firebox as a hardware appliance. (In a back to the future kind of way, WatchGuard is reviving the Firebox brand name it had earlier dropped.)

Today what’s called a firewall typically does far more than simple port-based filtering and control. It might also include an intrusion prevention system (IPS), antivirus or URL filtering, act as a data-loss prevention device, and much more, including sandbox-style zero-day threat detection. Security analysts at tech consultancies have left their mark by criticizing whatever the security vendors were doing over the years and urging them to reach for more, such as higher throughput or better management.

At research firm IDC, security products research director Charles Kolodgy coined the term “unified threat management” for a class of firewall-capable devices, often seen as suitable for small to mid-sized businesses. And at Gartner, analysts Greg Young and Neil MacDonald in recent years began urging network-firewall providers to produce the kind of “application-aware” gear that would be able to establish access and user identity controls through granular knowledge of the applications, plus capabilities such as IPS.

Palo Alto Networks, founded in 2005 by its CTO Nir Zuk, set the pace with its next-generation firewall (NGFW), shipped in 2007, which forced vendors including Cisco, Check Point, Intel Security’s McAfee division, Fortinet and, most recently, HP to join the NGFW charge.

Along the way, Zuk, who worked at Check Point on the development of its early firewall, has stepped onto the stage as a clear, if controversial, leader and innovator. After falling out with Check Point management early on, he started OneSecure in 1999, which was acquired by NetScreen in 2002; NetScreen was in turn acquired by Juniper Networks in 2004 for $4 billion.

After Zuk left Juniper to establish Palo Alto, Juniper launched firewall-related patent-infringement lawsuits. The two sides dueled over firewall patents until May of this year, when they settled with a cross-licensing arrangement under which Palo Alto agreed to pay $175 million in cash and equity.

While some of his former employers tend to wince at his name, Zuk nonetheless gets the nod from others.

“Nir’s the brains,” comments Ranum. “He did the design of a lot of Check Point, Netscreen (now Juniper) and Palo Alto — he takes a team of programmers around with him, who — by now — can code firewalls in their sleep.”

The world has changed far beyond what was possible in the early ’90s, Ranum adds. “Now that you can buy programmable ‘switch on a chip’ processors like the Cavium Octeon, it’s possible to do the layer-7 analysis at packet speed, which we could never do in 1991. I see the trend as a sort of vindication of the idea the game was always at layer-7 to begin with and ‘stateful inspection’ was a 15-year-long digression.”


In all this time, the firewall market has mushroomed into what Gartner thinks will be a more than $9 billion market this year. Firewalls have long since been used not just at the perimeter but also inside enterprise networks to cordon off segments. Despite all this, the irony is that the role of the network firewall is more in doubt than ever because of the rise of cloud-based services and mobile devices.

IT and security managers have long had doubts about firewalls, especially when web traffic had to be let through. Those doubts reached a crescendo in the 2005 timeframe and after, when a group of security professionals from several large global enterprises gathered under the banner of the “Jericho Forum” to voice their displeasure with firewalls.

At the center of the complaint was the idea that the growth of cloud services, e-commerce and mobile was erasing any clear “perimeter” their networks had once enjoyed. The Jericho Forum, led by security experts such as Paul Simmonds, who worked at paint and chemicals company ICI and later at AstraZeneca, spoke passionately about the perceived limits of firewalls and the deep desire for new, data-centric approaches.

Under the auspices of the Open Group, the Jericho Forum began issuing position papers, notably the Jericho Forum’s “Commandments” for good security to “deliver a de-perimeterized vision.” It fired more than a few shots at the firewall. “Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves,” the group stated. Other guidelines were, “In general, it is easier to protect an asset the closer protection is provided.”

In the ongoing debate, which enlivened many tech conferences, Gartner, among others, tended to push back on the notion that the perimeter firewall should go away, and companies kept buying more firewalls. But the Jericho Forum’s basic point, that the use of cloud services and mobile devices, especially employee-owned “Bring Your Own Device” situations, was causing difficulties for perimeter firewalls, hit home for many companies. And the rise of virtualized networks and the looming terrain of future Software-Defined Networks for switching are challenging firewall vendors to adapt.

Some vendors, including Check Point, have designed software-based firewalls to run in Amazon Web Services’ EC2 cloud service, for example, even though Amazon itself offers a firewall service. Cisco hasn’t yet, but Harrell says one is in the works, along with support for other cloud services. He acknowledges that one problem is that each cloud represents a platform that needs its own firewall build, and a way to charge for the installed firewall under the “pay as you go” cloud service model. He adds that Cisco also offers a hosted firewall service for enterprises that plan to expand in that direction.

Adoption of virtual firewalls has been fairly slow, Gartner believes, predicting that fewer than 5% of enterprises will deploy all-virtualized firewalls in their data centers by 2016. Check Point’s Shwed acknowledges that from what he sees, adoption of virtual firewalls hasn’t seemed to take off.

But firewalls are hardly dead, as Gartner analyst Greg Young pointed out in his recent presentation at the Gartner Security and Risk Management Summit. He noted that the enterprise firewall market, at $8.7 billion, remains the single largest segment of the overall IT security market, and that it is expected to rise to $9.4 billion by year-end. But there are discontents around specific things.

Web A/V filtering, in particular, causes a significant performance hit on a firewall, he pointed out, and this functionality is likely better deployed on a secure gateway. The firewall contenders out there have yet to leave their marks in virtualization, the data center and SDN, “the next battle to be fought,” Young said.

Cisco’s Harrell contends Cisco is positioning itself to fight that battle with its application-centric infrastructure and its controller, which lets administrators configure firewalls and load balancers with simple English-language rules. However, it all remains very new.

Some Gartner analysts are looking beyond the network firewall for help in the future. One Gartner analyst, Joseph Feiman, even thinks a two-year-old technology called “runtime application self-protection” (RASP) could take over most of the network firewall’s duties.

In a debate between Young and Feiman at the conference, Feiman argued ardently that RASP, described as instrumentation of the runtime in servers or clients to protect applications against a variety of attacks, is basically a better approach than traditional firewalls because the perimeter is dissolving due to cloud services and mobile. “We’re failing with our perimeter security,” he said. “I’m asking us to change our view.”

Gartner analyst Joseph Feiman

Feiman says vendors with RASP products include HP, Prevoty, Shape Security, Waratek, Bluebox and Lacoon Mobile Security. Young, however, scoffed at the notion that RASP would be the next big thing to displace perimeter firewalls, pointing out that RASP products have to be added to every OS or phone one might want to protect.
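To show what Feiman means by instrumenting the runtime, here is an added example in Python written for this article; it is not code from Feiman, Gartner or any of the RASP vendors named above. A wrapper around a sqlite3 connection checks, immediately before each query runs, whether any of the current request’s untrusted inputs altered the query’s token structure, and blocks the query if so, which is the sort of decision a network firewall cannot make because it never sees the assembled SQL. The application code, the in-memory database and the attacker’s input are constructed. A production RASP would obtain the untrusted inputs from the web framework’s request context and follow them by taint tracking; the substring search used here is a simplifying assumption.

```python
import re
import sqlite3

# One SQL token per match: quoted string literal, number, identifier/keyword, or single punctuation char.
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|[^\s\w']")


class SqlInjectionBlocked(Exception):
    """Raised by the RASP hook when an untrusted input changed the structure of a query."""


def injection_detected(sql: str, untrusted) -> bool:
    """True if any untrusted value ended up spanning several SQL tokens, or became a token that is
    neither a string literal nor the value itself as a single number: either way it changed the
    query's structure, which is what an injection does and what benign data never does."""
    tokens = [(m.start(), m.end(), m.group()) for m in SQL_TOKEN.finditer(sql)]
    for value in untrusted:
        if not value:
            continue
        for hit in re.finditer(re.escape(value), sql):    # substring search stands in for taint tracking
            covering = [t for t in tokens if t[0] < hit.end() and t[1] > hit.start()]
            if len(covering) != 1:
                return True                                 # input straddles token boundaries
            _, _, tok = covering[0]
            if not (tok.startswith("'") or tok == value):
                return True                                 # input fused into a keyword or identifier
    return False


class RaspConnection:
    """Runtime self-protection hook: wraps a sqlite3 connection so every execute() is vetted
    against the untrusted inputs of the request being served (set by the framework in real life)."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        self.untrusted = set()   # filled per request; here set by hand in demo()
        self.blocked = []        # audit trail of refused statements

    def execute(self, sql: str, params=()):
        if injection_detected(sql, self.untrusted):
            self.blocked.append(sql)
            raise SqlInjectionBlocked(sql)
        return self._conn.execute(sql, params)


def find_user_concat(db, name: str):
    """Deliberately vulnerable application code: untrusted input concatenated into SQL."""
    return db.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_param(db, name: str):
    """The correct version: the value travels as a bound parameter, never as SQL text."""
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Serve two constructed requests, one benign and one carrying a tautology injection."""
    raw = sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    raw.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db = RaspConnection(raw)
    results = {}

    db.untrusted = {"alice"}                          # request 1: ordinary lookup
    results["benign_concat"] = find_user_concat(db, "alice")
    results["benign_param"] = find_user_param(db, "alice")

    evil = "' OR '1'='1"                              # request 2: classic injection payload
    db.untrusted = {evil}
    try:
        find_user_concat(db, evil)
        results["inject_concat"] = "executed"
    except SqlInjectionBlocked:
        results["inject_concat"] = "blocked"          # RASP refuses the rewritten query
    results["inject_param"] = find_user_param(db, evil)   # bound parameter: harmless, no such user
    results["audit"] = list(db.blocked)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The benign request passes both query styles because “alice” lands inside a single string literal; the injected request is refused only in the concatenated variant, where the payload spans five tokens, while the parameterized variant runs untouched and simply returns no rows. Young’s objection survives the example: this hook protects exactly one process and has to be installed in every runtime that needs it.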

And how does Check Point’s Shwed feel about RASP? He acknowledges he’s really not familiar with it, and it’s not something that troubles him. What does concern him is how the modern firewall needs to evolve to gain information about ever-more stealthy threats to block them. He thinks information-sharing among security vendors of many kinds is the way forward, and that’s what Check Point is pursuing.


Copyright © 2014
