Back in about 1996, when the Internet was still young and many of us were scrambling to figure out what it was all about and how it worked, firewalls were big and expensive. Many customers didn’t see the need to have one and would say things like “why would anyone want to attack my company”. Selling security is always tough, as you are not selling something that will help grow a business or improve processes; you are selling peace of mind. In those days there weren’t that many security vendors to choose from. The big names were Check Point, Cisco and Novell. Oh, that’s right, I almost forgot – does anybody remember SHIVA….
Check Point was clearly the front runner with their Firewall-1 product, but it was also the most complex and expensive. Novell’s BorderWare was popular due to the large install base and popularity of NetWare, and Cisco was the trailer with the Cisco PIX. I think the first model was the PIX 10000: a 4U appliance with two 10 Mbps interfaces, complete with a floppy drive for upgrades.
We stayed away from BorderWare, as we were already down the TCP/IP path and had distanced ourselves from Novell’s NetWare previously. Our first Check Point deployment was a nightmare. Running on top of WinNT, it required driver upgrades and registry changes and took forever to get working. I always felt like it was hanging by a shoestring and could blow up at any minute. The PIX, on the other hand, was almost too easy. Power it up, connect a console and enter 5 commands to get it working. Seriously – 5 commands.
ip address inside 192.168.1.1 255.255.255.0
ip address outside x.x.x.x x.x.x.x
global (outside) 1 x.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
This was enough to secure the inside network and let users out to the Internet: the inside address, the outside address, a global NAT pool, a NAT rule translating every inside host into that pool, and a default route to the upstream router.
Other than our first nightmare, there were many other reasons we did not go with Check Point. Their licensing was very confusing, their pricing was very high, and at that time they were software only and did not have an appliance solution. Later Check Point partnered with Nokia to deliver an appliance, but that was even more of a licensing nightmare. Additionally, you had to manage the routing and interfaces via the Nokia engine, and Check Point was a bolt-on. So, we happily sold the PIX and became experts in the field of firewalling and NAT.
Then came IPSec… Cisco were slow to respond, and their first implementation (ver 5.0) in the PIX worked, but was not very secure. The tunnels terminated on the outside interface and you needed to create conduits (the PIX’s term for an ACL) into the internal network. The problem was that these conduits referenced the LAN IPs at both the remote and local ends, so any packet carrying those addresses was permitted whether or not it had actually come through the tunnel. As a test I connected to our upstream router, created a loopback address that matched the remote LAN and then telnet’d from the loopback through the PIX into the local network.
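The address-only conduit described above, written out as an added Python model so the gap is visible side by side with the usual mitigation. This is not code from the original post or from Cisco; the subnets, the via_tunnel flag, and the tunnel_bound_policy rule are assumptions chosen for illustration. The hardened rule ties the remote-LAN permit to packets the firewall itself decapsulated from the IPSec tunnel and rejects LAN-range sources that arrive in cleartext on the outside interface (ingress anti-spoofing).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example subnets (RFC 1918 space); not taken from the original post.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str      # interface the packet arrived on: "outside" or "inside"
    via_tunnel: bool   # True only if the firewall decapsulated it from the IPSec SA


def _in(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def conduit_only(pkt: Packet) -> bool:
    """Models the early behaviour the post describes: the conduit permits
    remote-LAN -> local-LAN traffic purely on addresses, so it cannot tell a
    decrypted tunnel packet from a cleartext packet carrying the same source."""
    return _in(pkt.src, REMOTE_LAN) and _in(pkt.dst, LOCAL_LAN)


def tunnel_bound_policy(pkt: Packet) -> bool:
    """Hardened rule (assumed, generic; not a specific vendor feature): the
    remote-LAN permit applies only to packets that came out of the tunnel,
    and LAN-range sources arriving in cleartext on the outside interface are
    rejected as spoofed (ingress anti-spoofing)."""
    if pkt.in_iface == "outside" and not pkt.via_tunnel:
        if _in(pkt.src, REMOTE_LAN) or _in(pkt.src, LOCAL_LAN):
            return False
    return pkt.via_tunnel and _in(pkt.src, REMOTE_LAN) and _in(pkt.dst, LOCAL_LAN)


def compare(pkt: Packet) -> tuple:
    """Return (conduit_decision, hardened_decision) for one packet."""
    return conduit_only(pkt), tunnel_bound_policy(pkt)


if __name__ == "__main__":
    # Constructed packets: one real tunnel packet, one cleartext packet with the
    # same remote-LAN source arriving directly on the outside interface.
    genuine = Packet("192.168.2.20", "192.168.1.10", "outside", via_tunnel=True)
    spoofed = Packet("192.168.2.20", "192.168.1.10", "outside", via_tunnel=False)
    print("tunnel packet  :", compare(genuine))   # (True, True)
    print("cleartext spoof:", compare(spoofed))   # (True, False)
```

The point of the comparison is that the two policies agree on genuine tunnel traffic and differ only on the cleartext packet, which is exactly the case the conduit could not distinguish.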
Nortel came out with the Contivity appliance for IPSec tunnels, for both site-to-site and remote access, and they were clearly a market leader in this area. Cisco acquired Altiga and came out with the VPN 3000 Series Concentrator. Interestingly, the interface on the VPN 3000 was very similar to the Nortel’s; possibly they were both creations from the same technology. I can tell you that we still have a Contivity and a VPN 3000 running in our network, and they serve a purpose.
Cisco had also built firewalling and IPSec capabilities into their routers. Cisco’s firewall implementation was called CBAC (Context Based Access Control) and was relatively easy to configure and manage. I should point out that Access Control Lists, the basis for any firewall configuration, had been around long before firewalls. An ACL on its own can block traffic, but it cannot dynamically allow traffic in the return direction unless there is already a static ACL entry permitting that return traffic. The firewalling component added to the ACL is connection-state tracking: the device records the state of each outbound connection and dynamically creates ACL entries for its return traffic, then removes them when the connection ends.
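The difference between a static ACL and the stateful tracking described above, as an added Python simulation (not code from the original post, not Cisco’s CBAC implementation). The inside subnet, the sample addresses, the 60-second idle timeout and the Packet/StatefulFirewall names are assumptions; the mechanism shown is the generic one: an outbound packet creates a dynamic entry keyed on the 5-tuple, the reply is matched against that entry with source and destination swapped, and the entry is dropped on RST or after idling.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inside subnet (RFC 1918); sample outside addresses below use the
# 203.0.113.0/24 documentation range. None of these values come from the post.
INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "out" = inside -> outside, "in" = outside -> inside
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


def stateless_acl(pkt: Packet) -> bool:
    """A plain ACL: permit anything leaving the inside, deny anything arriving
    from the outside. It has no memory, so even the legitimate reply to an
    outbound request is dropped unless a static inbound permit already exists."""
    return pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INSIDE


class StatefulFirewall:
    """Stateful inspection in the style the post describes: an outbound
    connection creates a dynamic entry, matching return traffic is allowed
    while that entry lives, and the entry goes away on RST or after idling."""

    IDLE_TIMEOUT = 60.0  # seconds; constructed value, real devices use per-protocol timers

    def __init__(self) -> None:
        self.table = {}   # 5-tuple -> last-seen time (assumed simplification)

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        # The reply swaps source and destination, so look the entry up reversed.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def filter(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is permitted at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INSIDE:
            key = self._key(pkt)
            if "RST" in pkt.flags:
                self.table.pop(key, None)     # inside tore the session down
            else:
                self.table[key] = now         # create or refresh the dynamic entry
            return True
        if pkt.direction == "in":
            rkey = self._reverse_key(pkt)
            if rkey in self.table:
                if "RST" in pkt.flags:
                    del self.table[rkey]      # outside tore the session down
                else:
                    self.table[rkey] = now
                return True
        return False                          # unsolicited inbound: no entry, no permit


if __name__ == "__main__":
    fw = StatefulFirewall()
    syn = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "out", frozenset({"SYN"}))
    synack = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000, "in", frozenset({"SYN", "ACK"}))
    rogue = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40001, "in", frozenset({"SYN"}))
    print("outbound SYN     :", fw.filter(syn, 0.0))        # True
    print("reply, stateless :", stateless_acl(synack))      # False
    print("reply, stateful  :", fw.filter(synack, 1.0))     # True
    print("unsolicited SYN  :", fw.filter(rogue, 2.0))      # False
```

Run as a script it prints the four decisions; the stateless ACL drops the SYN-ACK that the stateful engine correctly lets back in, while both reject the inbound packet for which no outbound state exists.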
Many other vendors started to show up in the market, and although I am not clear on the timing, Netscreen appeared in 1997 and quickly became a market leader in FW and VPN technologies, so much so that Juniper bought them for $4 Billion in 2004. We quickly jumped onto the Netscreen bandwagon, as Cisco had started to fall behind in some key areas for firewalling and VPNs. Netscreens were easy to configure, easy to manage, had both a CLI and a GUI, and were more cost effective than the equivalent Cisco appliances. Other vendors we started to see in the late 90s were WatchGuard and SonicWall, and although we ran into them from time to time they were of little threat, as they did not provide the features and functionality of the bigger players.
It is fascinating to me how small the industry really is, as these founders and leaders jump around from company to company reinventing the same product. For example:
One of the three Netscreen founders left after only three years and founded Fortinet. Netscreen acquired OneSecure, whose founder was a Check Point engineer that later went on to create Palo Alto. This type of activity is common, and it is no wonder there are so many competitors out there today.
For the first few years after Juniper acquired Netscreen, it was business as usual and we were enjoying designing and installing quality networks, of which Juniper/Netscreen were a big part. Juniper then made what I would consider a huge mistake. They determined that “One OS” built on the JUNOS platform was more important than enhancing the capabilities of the existing ScreenOS products. Certification requirements quickly changed, and our organization was expected to drop everything and get all our techs up to speed on JUNOS. Before jumping in with both feet I had Juniper send me a couple of the new SRX platforms running JUNOS for testing. The SRX was supposed to be the replacement for the Netscreen firewalls. The SRX was not ready for prime time. There were features “not available yet”, we ran into a bunch of bugs, and for some of the more basic tasks we had to run scripts within the box. Juniper’s plans to End of Life the Netscreen products did not go well, and even today many of the ScreenOS products are still available for sale.
Check Point, although still around today, had completely fallen off the radar. We rarely ran into them and when we did, displacing them was not difficult due to their complexity and pricing.
Cisco had once again started to catch up with both their router-based firewalls and their ASA firewalls. Between these two products and the fact that Juniper was still selling the Netscreen products, we had good solid solutions through the 2000s.
UTM (Unified Threat Management) and NGFW (Next Generation FireWall) are the next phase in the evolution of firewalls. Integrating URL filtering, application control, IPS, AntiX and in some cases DLP into one appliance is the new way to go. This is where we now see the likes of Fortinet, Palo Alto and SonicWall all making headway. Cisco have once again fallen behind in this technology and are scrambling to catch up (more on this below). Dell’s acquisition of SonicWall has helped them considerably, from both a marketing standpoint and probably by pumping a lot of money into R&D. Fortinet is a solid product that works well with all of these services enabled. To date our experience with Fortinet technical support and the RMA process has been positive. We have had some experience with Palo Alto and SonicWall, and they are also good units. My problem with Palo Alto is that I can’t get them to call me back after contacting them to talk about a partnership. Not a good start to the relationship, and it puts a bad taste in my mouth as to the level of support we would be getting. My issue with SonicWall is that because they are under the Dell brand there are really no margins to be had. I know they are good firewalls, but are they better than Fortinet and Palo Alto – not really. All of these products do what they say; some have features that others don’t, but overall they are all very similar. So, in the end what it comes down to now is our ability to manage and maintain a network effectively. So, even though Cisco lacks features that others may have, we know what to expect from support and product replacement. As I said, Fortinet are also good in this respect. Juniper have always had good support, but the SRX fiasco leaves them far behind.
Back to Cisco and their NGFW. Unfortunately Cisco have done the bolt-on method again. I love their products, as they are well built and their support is still better than their competitors’. However, managing and deploying a Cisco ASA with NGFW requires two management interfaces: one for the firewall and one for the NGFW services. This is not something a network manager wants to deal with.
Through all my experience with all of these products, one thing is still true. No one box from any vendor does it all perfectly. We still require deployments that without a Cisco router would be near impossible. Many times the Cisco router sits in parallel with a Juniper or Fortinet, or even the Cisco ASA.
No magic bullet – sorry…..