Your Next Router Will be a Firewall
Security is now the top priority for network managers, displacing reliability and application performance. With this, we will see a transition in the marketplace with more enterprises using their firewall vendor for routing. I like the prediction that in 2017, network routing and security will become one.
In the consumer space, this is starting to occur. At CES 2017, Norton announced a new secure home router called Core at a cost of $200 plus an annual fee of $99 for on-going updates and guaranteed protection.
As network operators move away from a secured perimeter model to a zero trust model, security must start at the very edge of the network and be maintained through the core. Deny-all is the architecture that all IP networks will be forced to move to. With this, firewall functionality will exist everywhere within the network.
Firewalls can do the following things that a router cannot:
- Stateful – Firewalls maintain session state for every TCP & UDP flow. This allows them to prevent denial of service and man-in-the-middle attacks and enforce security rules in both directions. When a packet is fragmented, the firewall understands the original size of the packet, but a router does not.
- Auto-Updates – Security vendors and their products are designed to be updated in near real-time as new threats are identified. The number of hacks (both successful and unsuccessful) is growing by over 40%/year, and hacking methods evolve constantly, with a new one appearing every 12 seconds.
- Logging & Reporting – While routers do provide logs, they were not designed from the ground up to do logging, and logging severely impacts router performance. Firewalls are designed to log and correlate traffic. After a breach, having logs to understand exactly what happened is crucial.
- Least Privileged Access – Firewalls are designed to block everything, and specific rules are then applied to allow traffic through. Routers are designed to pass traffic: they have default routes, and rules are then applied to block traffic. The paradigm difference is important, both technically and culturally.
- Signatures – Next generation firewalls have the ability to detect traffic patterns and bits within a packet and match it to known security threats.
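To make the "Stateful" and "Least Privileged Access" points above concrete, here is an added illustration (not from the original post or any vendor's code) that models the two paradigms side by side: a stateless, default-permit router ACL and a default-deny firewall that only forwards inbound packets matching a session the inside opened. The hosts, ports and rules are constructed sample values.

```python
from collections import namedtuple
# A packet as the filter sees it; proto defaults to tcp (constructed model, not a real parser).
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=("tcp",))

class RouterAcl:
    """Router model: default-permit and stateless; each packet is judged on its own."""
    def __init__(self, deny_dports):
        self.deny = set(deny_dports)

    def filter(self, pkt):
        return pkt.dport not in self.deny      # forwarded unless a deny entry matches

class StatefulFirewall:
    """Firewall model: default-deny; explicit rules open sessions from the inside,
    and inbound packets pass only when they belong to such a session."""
    def __init__(self, inside_prefix, allow_outbound_dports):
        self.inside = inside_prefix
        self.allow = set(allow_outbound_dports)
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.log = []           # every verdict is recorded, as the post says firewalls do

    def filter(self, pkt):
        if pkt.src.startswith(self.inside):               # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key in self.sessions:
                return self._verdict(pkt, True, "established")
            if pkt.dport in self.allow:
                self.sessions.add(key)                    # rule match creates state
                return self._verdict(pkt, True, "rule")
        else:                                             # inbound direction
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if key in self.sessions:
                return self._verdict(pkt, True, "reply")
        return self._verdict(pkt, False, "default-deny")

    def _verdict(self, pkt, ok, why):
        self.log.append(("ACCEPT" if ok else "DROP", why, pkt))
        return ok

def demo():
    """Constructed traffic: 10.0.0.5 is an inside host, 203.0.113.10 an outside one."""
    fw = StatefulFirewall("10.0.0.", allow_outbound_dports={80, 443})
    acl = RouterAcl(deny_dports={23})
    flows = {  # name -> packet, evaluated in this order
        "outbound https":  Packet("10.0.0.5", 50000, "203.0.113.10", 443),
        "https reply":     Packet("203.0.113.10", 443, "10.0.0.5", 50000),
        "unsolicited rdp": Packet("203.0.113.10", 40000, "10.0.0.5", 3389),
        "outbound telnet": Packet("10.0.0.5", 50001, "203.0.113.10", 23),
    }
    return {name: (fw.filter(p), acl.filter(p)) for name, p in flows.items()}
```

The unsolicited inbound RDP packet is the telling case: the ACL forwards it because nothing explicitly denies it, while the firewall drops it because no inside host ever opened that session.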
With end-points increasing exponentially because of IoT and BYOD, many of them on networks outside the core enterprise network, the level of threat is growing exponentially as well. Part of the reason the SD-WAN market is taking off is that the successful new SD-WAN vendors are integrating routing & security into a single platform.
SDN & NFV will not solve the problem of combining routing and security. Putting two separate platforms on a common hardware platform does not create the synergy of being able to use a single orchestration engine for all security and routing policies.
So, a hot theme in networking in 2017 will be combining routing and security into a single platform.