Regaining app-centric visibility, control

05.04.2009

Not another appliance

Today, firewalls see all traffic crossing the trust boundary, and are in a unique position to enforce policy. What most traditional network firewalls lack is any relevant traffic classification mechanism (deconstruction of the traffic and deduction of what it carries).

The typical response from security vendors is to sell enterprises yet another security appliance that sits next to the firewall. This approach has resulted in lots of complexity and additional cost for enterprises. It has, for many organizations, also proved unsustainable in a cost-constrained yet increasingly regulated environment.

The reality is that this level of classification and control needs to be done by a device that is capable of both seeing all of the traffic crossing the trust boundary and exerting control over that traffic -- which, in most organizations, is the firewall.

This will obviously require some reengineering of the traditional network firewall -- all of the techniques described above will heavily tax existing firewall software and hardware. Simply bolting this functionality on will result in poor performance. Some of this can be addressed by specialized hardware, but the classification engine on the firewall must get fundamentally more sophisticated.
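As an added illustration of the classification gap described above (example code, not from the article or any vendor's product), a port-only view of a session is placed beside a payload-based classifier that deconstructs the first client bytes and deduces the application; the sample flows and the protocol signatures are constructed and deliberately simplified:

```python
# Added illustration: port-based vs. application-aware classification.
# Sample flows are constructed; signatures are simplified for clarity.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed samples below)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_by_port(flow: Flow) -> str:
    """What a traditional port-based firewall 'sees': the destination port only."""
    return {80: "web-browsing", 443: "ssl", 22: "ssh"}.get(flow.dst_port, "unknown")

def classify_by_payload(flow: Flow) -> str:
    """Deconstruct the first bytes of the session and deduce the application."""
    p = flow.payload
    if p.startswith(b"SSH-"):                       # SSH identification banner
        return "ssh"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:64]:  # HTTP request line
        return "web-browsing"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0x, then ClientHello (0x01)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    return "unknown"

def policy_gaps(flows, allowed_apps):
    """Flows a port-based policy would allow but an app-aware policy would deny."""
    gaps = []
    for f in flows:
        by_port, by_app = classify_by_port(f), classify_by_payload(f)
        if by_port in allowed_apps and by_app not in allowed_apps:
            gaps.append((f.dst_port, by_port, by_app))
    return gaps

# Constructed sample sessions (not captured traffic).
SAMPLE_FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),   # SSH carried on the HTTPS port
    Flow(22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]
ALLOWED = {"web-browsing", "ssl"}

if __name__ == "__main__":
    for port, seen_by_port, seen_by_app in policy_gaps(SAMPLE_FLOWS, ALLOWED):
        print(f"port {port}: port view={seen_by_port}, app view={seen_by_app} -> gap")
```

Only the SSH session on port 443 shows up as a gap: a port-only policy admits it as "ssl", while the payload-based classifier identifies it as "ssh" and denies it.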