NetScreen Executive Officer David Flynn on Deepening the Firewall

Judging by its strategy, firewall vendor NetScreen is committed to a holistic view of enterprise security, leading the charge to integrate and deepen the firewall beyond its original parameters. The company’s recently released Deep Inspection Firewall, for example, is designed to prevent application-level attacks, respond proactively to other security concerns, and integrate well with other enterprise security applications. Moreover, NetScreen’s recent acquisition of Neoteris, a leader in SSL VPN (virtual private network) solutions, adds another weapon to its broad security arsenal.

David Flynn, vice president of marketing at NetScreen and one of the eight members of the company’s executive management team, has worked in the networking space for more than a decade. Previously, he held a variety of marketing and product management positions at 3Com. Flynn spoke with the E-Commerce Times about the evolution of the firewall and its role in the enterprise.

What are your customers’ highest priorities right now?

David Flynn: When we talk to our customers, we tend to see two major priorities at the top level. One is reducing their cost of network operations. The other is increasing overall security of their network infrastructure.

In terms of cutting expenses, companies are moving their networks to virtual private networks to reduce their monthly network operations costs for wiring connectivity. That’s been a huge driver of our business, where we’re doing massive deployments. The VPN reduces their cost.

The other category is increasing the overall security level in their network. There are two broad problems that are causing issues. One of those is what we call the disappearance of the trusted network. Putting up a firewall or other products at the place you connect to the Internet used to be good enough, but now there are all kinds of attacks that can happen from within the enterprise. Probably the most insidious — and the most troubling — is people getting infected with a worm like Code Red or Nimda while they’re at home or at a Starbucks on a wireless LAN, and they walk through the front door of the building around the perimeter security on the network, and then they turn on their laptop and blast the entire campus with a worm that takes down the network. That’s created the need to push security enforcement deeper into the network infrastructure, not just at the perimeter.

Yet another huge problem is the move to more and more application-level security attacks. A lot of these worms attack application-level vulnerabilities, usually in Microsoft products, and they ride over protocols that are allowed through a traditional firewall. Customers are struggling with how to deal with that problem.

Are firewalls increasingly converging with other functions, such as spam-blocking or antivirus applications, and how has that affected your product evolution?

Flynn: There is a convergence of multiple functions. Firewalls were originally designed to provide access control — to say, “These users can get into these resources.” They weren’t actually designed to block attacks. They were just designed to enforce security policy.

What’s happening now is the firewall is evolving, and because of this move to application-level attacks, there is more of a move to make the firewall more of an attack detection and blocking device. Particularly, we’re integrating something we call intrusion prevention technology into the firewall so that it doesn’t just look at traffic at a network level. It looks at it at an application level.

So, when I gave you an example of some HTTP traffic going to a Web site, the normal firewall would see that it’s HTTP and say it’s okay. The evolving firewall — what we call the Deep Inspection Firewall — would take that traffic and reassemble it all the way up to the application level to see exactly what the Web server on the other side will see when it assembles the data, and it will actually see, “Oh, there’s a buffer overflow attack embedded in this stream. I better drop that so the Web server doesn’t get taken over.”

A deep inspection firewall is also evolving to do more antivirus scanning at the gateway to augment the virus scanning that’s being done on desktops and servers and provide another layer of defense. So you are seeing a tremendous amount of change in the firewall marketplace right now in the midst of a fundamental redefinition of the market.

How is the market being redefined?

Flynn: There has not been a whole lot of advancement in core firewall technology in the industry for many years. The technology most people deploy is something called stateful inspection technology. It’s probably eight years old, or maybe 10 years old. There’s been innovation in how do you make it run faster, how do you make it easier to manage, make it easier to deploy, but the core technology has been kind of unchanged. What’s happened right now is that, because of the shift in the threat environment, and the aggressive moves on the part of companies like NetScreen, the core technology is finally changing.

We started this redefinition about 18 months ago. We saw that there was a problem — that application-level attacks were able to go right through a firewall, and there was no product designed to solve it. There were people building intrusion detection products that were designed to be deployed behind the firewall that would see an attack and tell you you’ve been attacked, but they actually didn’t stop anything. It was a useless or marginally useful technology, to say the least, and we looked at that as an interesting opportunity to redefine the firewall — to take the right parts of intrusion detection and morph it into what we call intrusion prevention, so that we can actively stop attacks, and integrate it into a firewall.

In 2002, we acquired a company called OneSecure. It was the first intrusion prevention company, and we announced we were going to integrate that with our products and redefine the firewall market.

We just shipped out our first deep inspection firewall last month, and we’re moving forward to deliver more and more products in this category. Other vendors are trying to go in that direction and seeing the world needs to go that way. Fortunately for us, that move helps push the industry exactly where we want them to go. It will take another year or two before it all ripples through the market, but what you will see is the old firewalls will be widely perceived as not good enough, not secure enough, and we’re going to need this new category of firewall.

Given the changes in the industry, who do you consider to be your primary competitors?

Flynn: Historically, the two primary competitors we see are Cisco and Check Point Software, but as this new smarter firewall comes along, we’re seeing some of the antivirus companies, like Symantec and Network Associates, trying to move in this direction. We’re seeing the intrusion detection people try to move in this direction. We’re even seeing networking companies try to move in this direction. I think it’s going to be an interesting, crowded playing field over the next couple of years, but at the end of the day this multifunction firewall platform with the extra layers of security on it is going to be the one that can deliver.

There are really four key things you need to deliver great networking functionality: a high-speed platform that can easily integrate with networks; a deep security expertise; hardware expertise to accelerate custom hardware chips, because it’s very processor-intensive to do this kind of deep inspection; and very strong management software to manage all this functionality and provide the right level of access to all the different parts of the enterprise to use different pieces of it.

Those are the four things NetScreen excels in. We’ll see a lot of people try to play in the same game, but every one of those other people has significant holes in one or many of those four areas, so that’s what we think positions us strategically to win in the long term.

What new functionalities and improvements do you expect to provide with your products in the upcoming year and beyond?

Flynn: The biggest thing we’ll see is the complete integration of intrusion prevention and firewall functionality. We just integrated the antivirus scanning into the firewall, as well as the intrusion prevention, and you’ll see more content filtering and more application-aware security going into the products over the next year. Faster and faster, better and better management. The challenge is you have to be able to deploy all the security to a large number of points on the network. If you can’t manage it well, it will just overwhelm the end customer.

Are you partnering with other types of companies to get all this accomplished, or are you doing this on your own?

Flynn: The key challenge in this business as you broaden the amount of functionality in the box is to provide best-of-breed functionality. Each of the respective functions is excellent on its own, and the integration of all these things is even more powerful.

There are a lot of companies out there that just do 10 things in their box and do none of them well. That’s definitely not our strategy. We call it the worst-of-breed solutions. They acquire a broad array of mediocre products and think that’s awesome. That’s been tried a number of times over the years and failed. One of the most notable attempts is a company called Axcent, which ended up failing and then Symantec bought the remnants — many different security technologies, none of which was world-class. Network Associates did some similar things where they tried to broaden out their portfolio, and they ended up divesting a lot of it.

We’re trying to find the right balance, acquiring some best-of-breed companies, building best-of-breed, and partnering where we know we can’t acquire or build at the world-class level. In particular, we’re partnering on antivirus with Trend Micro, which is the leader in gateway-based antivirus, as opposed to Symantec, which is very strong on the desktop.

Trend is the best at scanning at the enterprise gateway on the network. We’ve integrated their scanning capability into our product. They’ve got 250 engineers around the world who are always looking for the latest virus outbreaks, to which they can rapidly respond. We couldn’t justify hiring those 250 engineers and trying to go toe-to-toe with those guys, and they didn’t have the networking and firewall expertise, so we built an integrated product, and we’re actually both going to market with that product.

We’re going to partner on another technology called URL filtering where you can protect and block people from going to porno sites and things like that. There are some companies that spend their time scouring the Internet to find out, “Oh, is that URL a violent site or a Nazi site or a porno site or any of the bad things?” so you can enforce policies. We’ll enforce the policies, but they’ll spend the time scouring the Internet, which is not our core competency.

So there are certain areas where you can partner very effectively with somebody who’s best-of-breed and integrated and other places where we feel we need to own it. We’ll build it or buy it.

For example, there’s a new technology called SSL VPN that allows remote access to your network using your Web browser, and there’s a company that defined and pioneered that market called Neoteris. We just spent $265 million acquiring these guys. That’s an important market that has just emerged. They own 36 percent of the market share, and they’re the trendsetters. That’s going to become strategic. We’re going to go buy the best. For intrusion prevention we bought the pioneers, the first and best intrusion prevention company. For firewall and VPN, we thought our capabilities were world-class.

You partner where you should, you buy when you should, and you build when you can.

What is the biggest digital threat currently facing the world?

Flynn: The biggest threat we’re seeing today are these rapidly propagating worms that can exploit a vulnerability in an operating system and can in a matter of minutes spread to millions of end stations. So far, the worms that have been written have been more malicious than massively destructive. They clog networks and cause system crashes and things like that. There is no reason these worms couldn’t take all the data and copy it and send it somewhere or couldn’t wipe out half the hard drives in the world. These things are hard to prevent and spread at a tremendous rate. When we talk to our customers about what they are worried about, that’s probably the number one concern on their mind.

There are other extremes like cyberterrorism taking over the power-supply system and things like that. I think those things are real but a much lower probability than the worms wreaking havoc on a monthly basis right now.

Why hasn’t Microsoft attempted to engineer firewall technology into its products?

Flynn: What Microsoft needs to engineer into its products is, first, a more secure product. The second might be an attack-detection or antivirus engine or something like that on the end system. The reality of a firewall, though, is that it needs to be deployed in the heart of the network infrastructure. Technically, a firewall defines your access control rules about what people can talk to, what servers and what networks, and that needs to be enforced in the network infrastructure. Some of the attack and prevention capability you can put on the end station, and I think Microsoft is moving that way. They acquired an antivirus company. I think they are going to help in improving that over time.

They actually do have a firewall product, but we never see it being bought and deployed by our customers. I think many times there has been a perception that Microsoft is the cause of all these security problems, and so why buy security enforcement products from these guys? Let them fix their own product and then tell me they’re going to build a product that’s going to protect the rest of my infrastructure.

It’s a long way to go for those guys to sell such a product, and it’s not a Microsoft-dominated world. There are Linux servers all over, Sun servers all over. Customers need security that works across all the platforms across their whole network infrastructure. The desktops are all Microsoft, but the servers — Linux is everywhere, and Solaris at a lot of places, so there are many, many things that are not Microsoft-oriented. It’s pretty rare to find a pure Microsoft environment.