Security is now the top priority for network managers, displacing reliability and application performance. With this, we will see a transition in the marketplace with more enterprises using their firewall vendor for routing. I like the prediction that in 2017, network routing and security will become one.
In the consumer space, this is starting to occur. At CES 2017, Norton announced a new secure home router called Core at a cost of $200 plus an annual fee of $99 for on-going updates and guaranteed protection.
As network operators move away from a secured perimeter model to a zero trust model, security must start at the very edge of the network and maintained through the core. Deny-all is the architecture that all IP networks will be forced to move to. With this, firewall functionality will exist everywhere within the network.
Firewalls can do the following things that a router cannot:
- Stateful – Firewalls maintain session state for every TCP & UDP flow. This allows them to prevent denial of service and man-in-the-middle attacks and enforce security rules in both directions. When a packet is fragmented, the firewall understands the original size of the packet, but a router does not.
- Auto-Updates – Security vendors and their products are designed to be updated in near real-time as new threats are identified. The number of hacks (both successful and unsuccessful) is growing by over 40%/year and the methods for hacking are constantly evolving with a new one coming out every 12 seconds.
- Logging & Reporting – While routers do provide logs, they were not designed from the ground up to do logging, and logging severely impacts router performance. Firewalls are designed to log and correlate traffic. After a breech, having logs to understand exactly what happened is crucial.
- Least Privileged Access – Firewalls are designed to block everything and then specific rules are applied to allow traffic through. Routers are designed to pass traffic and have default routers and rules are then applied to block traffic. The paradigm difference is important, both technically and culturally.
- Signatures – Next generation firewalls have the ability to detect traffic patterns and bits within a packet and match it to known security threats.
With threats from exponentially increasing end-points coming from IoT and BYOD which are commonly on networks outside of the core enterprise network, the levels of threats are also growing exponentially. Part of the reason the SD-WAN market is taking off is that the successful new SD-WAN vendors are integrating routing & security into a single platform.
SDN & NFV will not solve the problem of combining routing and security. Putting two separate platforms on a common hardware platform does not create the synergy of being able to use a single orchestration engine for all security and routing policies.
So, a hot theme in networking in 2017 will be combining routing and security into a single platform.