The Future of the Firewall is in the Cloud 

Listen to post: Getting your Trinity Audio player ready...

I read with some surprise the interview with Zscaler’s CEO, Jay Chaudry, in CRN where he stated that the “network firewalls will go the way of the mainframe,” that “the network is just plumbing” and that Zscaler proxy overlay architecture will replace it with its “application switchboard.”  

Well, our joint history in network security teaches us a very different lesson. This is my take.  

The first time I met Jay Chaudry was in an office space in Atlanta back in 1995. We were starting to build the Check Point partner network and Jay just started SecureIT, a reseller, service, and training business focused on our product.  

Jay has always been a visionary. He bet that the Check Point network firewall would beat established firewall players like Raptor, Gauntlet TIS, and Sidewinder. Have you heard any of these names? I guess not. They were all proxy firewalls, which protected specific applications using per-application code and were the established market leaders at the time. Jay correctly understood that a more general-purpose firewall, the network firewall, would win that battle by embedding security directly into the network and applying inspection to all traffic, not just application traffic. 

The network firewall was initially met with skepticism and only visionaries like Jay saw the future. But with the proliferation of protocols and applications, and the growing complexity of the security stack, it was clear that the network firewall was the winning approach. The proxy firewalls faded. Jay made the right bet building his business around the Check Point Network Firewall and used this success and his entrepreneurial spirit to launch Zscaler.  

Zscaler offered a secure web gateway (SWG) as a service. It solved an urgent problem – users wanted direct internet access from anywhere without the need to backhaul to corporate VPN concentrators appliances or data center firewalls. With the public Internet being the underlying network, Zscaler only option was to build its solution as an overlay proxy. 

Following SWG came the need for CASB, which used the same proxy architecture applied to SaaS applications. Lastly, ZTNA used the same approach to access private apps in datacenters. This progression created a multibillion-dollar security company. But, as these various products appeared on scene, so did complexity. Enterprises had to maintain their MPLS networks, SD-WANs, and network firewalls and layer on top of them the SWG, CASB, and ZTNA proxies.  

Migrating your Datacenter Firewall to the Cloud| Download the White Paper

This complex reality was what Gur Shatz and I set out to change as we launched Cato Networks in 2015. We created the architecture and category that Gartner would later call SASE declaring it the future of wide-area networking and network security. The idea behind Cato is simple. Create a cloud service that converges the networking and network security capabilities provided by appliances and the ones delivered by proxies like SWG, CASB and ZTNA. The resulting cloud service will make these capabilities available through a single-pass architecture delivered elastically all over the world and to all edges – physical locations, cloud and physical data centers, remote users, IoT, etc. Much like an AWS for networking and security, Cato SASE enables enterprises to use these capabilities without owning the stack that delivers them. SASE enables each converged capability to contribute to the effectiveness of all the others. The network provides 360-degree visibility, which enables complete real-time context that drives real-time decisions and accurate detection and response.  

Essentially, what Gur and I created was a brand-new form factor of the network firewall built for the cloud. I was lucky enough to create with Gil Shwed the first one: the software form factor that was Firewall-1. I was lucky enough to write the first check to Nir Zuk that created the second form factor of the converged NG-Firewall appliance at Palo Alto Networks. SASE and Cato’s implementation of it are the third form factor: the Secure Cloud Network. 

Jay, firewalls are here to stay, just using a different form factor. It is Zscaler’s proxy approach that is going away. You knew better 28 years ago; you should know better now.