If the firewall isn't dead, it may be old and sick and no longer up to the job, while an emerging technology called "Runtime Application Self-Protection" (RASP) could take over most of its duties.
That was a matter of debate between two Gartner consultants sparring this morning at the Gartner Security and Risk Management Summit 2014 in National Harbor, Md.
Joseph Feiman argued ardently that RASP--described as instrumentation of the runtime in servers or clients to protect applications against attacks such as SQL injection, cross-site scripting and unauthorized access--is basically a better approach than traditional firewalls. Gartner analyst Greg Young, however, raised possible downsides, asking, "Why are we suddenly going to have this magic revolution?"
For about two years Gartner has been tracking RASP server, client and mobile application products originating from vendors that include HP, Prevoty, Shape Security, Waratek, Bluebox and Lacoon Mobile Security. This kind of runtime protection, said Feiman, is the "future."
Though they can inspect traffic and content and decide to terminate a session, perimeter firewalls can't see how traffic is being processed in applications. With the perimeter dissolving for the enterprise because of mobile devices and cloud services, among other factors, the firewall seems less important to security than ever, Feiman said.
"Stop investing endlessly in perimeter security--teach applications to protect themselves," Feiman said. This can be done with RASP technologies added directly into the Java virtual machine or .NET runtime they are intended to protect, he said.
Young scoffed at the notion that RASP is the next big thing to edge out perimeter firewalls. Less than 1% of security used today is based on RASP, and there are potential downsides: RASP adds processing overhead and extra workload on servers, resulting in a performance hit. Feiman said vendors benchmark this performance hit as not more than 1% of the server's productivity. Young argued it's not clear RASP can keep up with vulnerabilities and attack paths or stave off denial-of-service attacks.
Unlike comparable approaches, such as Web application firewalls, RASP has to be added to each OS or handset it is meant to protect, raising questions about its scalability and language dependence. Young acknowledged the Web application firewall market remains fairly small today as well.
But Feiman, while conceding that performance and possible false positives are issues in RASP, remained ardent in his enthusiasm that this emerging technology will be developed over the years to play a key role in enterprise security that perimeter firewalls simply can't tackle. "We're failing with our perimeter security," he said. "I'm asking us to change our view."