It’s been 20 years since Check Point Software Technologies shipped its first enterprise network firewall, marking the beginning of a mass market for firewalls that has protected millions of networks across the world.

Check Point’s FireWall-1, unveiled at NetWorld+Interop in 1994, wasn’t the first network firewall, of course. The firewall had begun taking shape with the rise of the Internet. Companies and universities throughout the 1980s and 90s saw the need to block unwanted IP traffic by creating a perimeter gateway barrier however they could. In that era, they sometimes “rolled their own” based on routers or other gear until vendors eventually came to their rescue with firewall products that spared them this unwanted labor.

Marcus Ranum, now chief security officer at Tenable Network Security, is considered the most prominent of the early commercial firewall innovators because he designed the DEC SEAL firewall in 1990, and worked on the Gauntlet firewall and TIS toolkit at Trusted Information Systems. TIS, founded in 1983 by former NSA employee Steve Walker, focused on high-security government customers; the company was sold to Network Associates (which later became McAfee) in 1998. Other early efforts, such as the Raptor firewall, also existed. But it was the launch of Check Point’s FireWall-1 that ended up creating the kind of mass market soon joined not just by the big network providers such as Cisco and Juniper, but a host of other players, such as WatchGuard.

It was Check Point that gained steam while TIS didn’t. Ranum mulls why that may have been so: “The proxy firewalls that ruled the technology at the time required some analysis of the application protocol, and the design of a gateway system to parse, process and filter the layer-7 traffic going through them,” Ranum points out.
“This took time — development time to produce a proxy, and processor time in the firewall’s CPU to do the analysis. When the Internet bubble began, Check Point really took off because they didn’t do any layer-7 analysis and it was easy to write a rule to let traffic through. New applications were popping up all over the place and Check Point’s ability to respond (and their performance story — it’s easy to be fast if you don’t do much!) made them a much easier sell. They also had Sun and the Sun reseller channel behind them — so they crushed everyone with a combination of being in the right spot and having technology that was fast and offered basic, adequate security.”

“Stateful inspection was fast and easy,” says Scott Montgomery, CTO at Intel Security, who remembers those days, saying the Gauntlet firewall was relegated to only the most high-security networks.

The early years with the TIS Toolkit as the proxy firewall didn’t gain widespread adoption because “it was so hard to maintain a proxy firewall,” says Matt Howard, now at Norwest Venture Partners, who helped develop Network Translation’s PIX firewall, later acquired by Cisco.

Back then, “everyone thought the firewall would be killed — the router would subsume the firewall,” says Howard. But that didn’t happen. Infrastructure providers Cisco and Juniper certainly sell firewalls in routers and switches. But Gartner reckons that enterprises tend not to depend on that approach for their core firewall purchases. Though it faces tough competitors, Check Point continues to hold the top spot at 22% of the market for firewall equipment, by Gartner’s reckoning.
By consultancy IDC’s account, Cisco may be slightly ahead with 24.3% share.

Check Point is “one of the stalwarts of the firewall group” and the two have been rivals for a long time, says Scott Harrell, vice president of product management for security at Cisco. “They’re a formidable competitor and we see them in many accounts.”

Gil Shwed is co-founder and CEO of Check Point, which began with help from Israeli tech investor Shlomo Kramer and vice chair Marius Nacht. Shwed says he agrees with many of Ranum’s points about that era. Shwed notes that Check Point’s strong suit was its stateful inspection engine and simple graphical interface. Check Point FireWall-1 ushered in a “turning point” that turned a “niche” into “a mainstream,” he notes. He adds he holds Ranum, a recognized pioneer in the field, in high regard.

Check Point's FireWall-1 firewall management console back in 1994 when it was introduced.

Shwed said his own ideas for the firewall began coming together long before the founding of Check Point, while he served in the Israeli military and was busy connecting networks.

Corey Nachreiner, director of research and strategy at WatchGuard, agrees that Check Point’s FireWall-1 can be considered the “first real commercial run” at a firewall. He notes that Check Point early on was software-based while WatchGuard differentiated its early Firebox as a hardware appliance. (In a back-to-the-future kind of way, WatchGuard is reviving the Firebox brand name it had earlier dropped.)

Today what’s called the firewall typically does far more than simple port-based filtering and control. It might also include an intrusion detection and protection system (IPS), antivirus or URL filtering, act as a data-loss prevention device, and much more, including sandbox-style zero-day threat detection.
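The difference between the early port-based rule sets and the stateful inspection that FireWall-1 popularized is easier to see in code than in prose. The following is an added example written for this page; it is not code from the article or from any vendor it names. It contrasts a stateless filter, which has to leave the whole high-port range open so that replies to internal clients can get back in, with a stateful engine that records internally initiated flows and only admits return traffic matching one of them. Addresses, ports and the packet model are constructed sample values; `StatefulFirewall`, `stateless_verdict` and `run_demo` are names chosen here.

```python
"""Stateless port filter vs. stateful inspection, side by side.

Illustrative example added for this page (not the article's or any
vendor's code). Packets, rules and addresses are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag: set only on a connection's first packet
    direction: str = "in"   # "in" = arriving from outside, "out" = leaving the LAN


INTERNAL_NET = "10.0.0."    # constructed sample internal prefix


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_NET)


# ---- 1. Stateless, port-based rules (the pre-stateful approach) ----
# Each rule: (direction, allowed destination ports or None for any, verdict).
# Because the filter keeps no memory of outbound connections, replies to
# internal clients can only be let in by opening the entire ephemeral range.
STATELESS_RULES = [
    ("out", None, "allow"),                # anything may leave
    ("in", {80, 443}, "allow"),            # published web service
    ("in", range(1024, 65536), "allow"),   # "replies" to client ephemeral ports
    ("in", None, "drop"),                  # everything else
]


def stateless_verdict(pkt: Packet) -> str:
    """First matching rule wins; default is drop."""
    for direction, ports, verdict in STATELESS_RULES:
        if pkt.direction == direction and (ports is None or pkt.dport in ports):
            return verdict
    return "drop"


# ---- 2. Stateful inspection ----
class StatefulFirewall:
    """Tracks internally initiated flows and admits only matching return traffic."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "out" and is_internal(pkt.src):
            if pkt.syn:  # new connection: remember the 4-tuple
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in":
            if pkt.dport in (80, 443):
                return "allow"  # published service, same as the stateless rule
            # Return traffic must match a tracked flow with src/dst reversed,
            # and must not be a fresh SYN from outside.
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.table and not pkt.syn:
                return "allow"
        return "drop"


def run_demo() -> dict[str, tuple[str, str]]:
    """Replay constructed sample traffic through both filters, in order.

    Returns {label: (stateless_verdict, stateful_verdict)}.
    """
    fw = StatefulFirewall()
    traffic = [
        ("client-syn-out",
         Packet("10.0.0.5", 40000, "203.0.113.7", 443, syn=True, direction="out")),
        ("server-reply-in",
         Packet("203.0.113.7", 443, "10.0.0.5", 40000, direction="in")),
        # Unsolicited inbound SYN aimed at a high port: no tracked flow matches.
        ("unsolicited-probe-in",
         Packet("198.51.100.9", 6000, "10.0.0.5", 40000, syn=True, direction="in")),
        ("web-request-in",
         Packet("198.51.100.9", 51000, "10.0.0.80", 443, syn=True, direction="in")),
    ]
    return {label: (stateless_verdict(p), fw.verdict(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_demo().items():
        print(f"{label:22s} stateless={stateless:5s} stateful={stateful}")
```

The one row that differs is the unsolicited inbound packet to a high port: the stateless rule set has to allow it because it cannot tell a reply from a probe, while the stateful engine drops it because no internal host opened that flow. That is the whole of the "fast and easy" advantage Montgomery describes: a single table lookup per packet, with no application-protocol parsing.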
Security analysts at tech consultancies have left their mark by criticizing whatever the security vendors were doing over the years, and urging them to reach for more, such as higher throughput speeds or better management.

At research firm IDC, security products research director Charles Kolodgy coined the term “unified threat management” for a class of firewall-capable devices, often seen as suitable for small to mid-sized businesses. And at Gartner, analysts Greg Young and Neil MacDonald in recent years began urging network-firewall providers to produce the kind of “application-aware” gear that would be able to establish access and user identity controls through granular knowledge of the applications, plus capabilities such as IPS.

Palo Alto Networks, founded in 2005 by its CTO Nir Zuk, set the pace with its Next Generation Firewall (NGFW), which shipped in 2007. This compelled vendors including Cisco, Check Point, Intel Security division McAfee, Barracuda Networks, and recently HP to join the charge to NGFW.

Along the way, Zuk, who had been at Check Point developing the early firewalls, has stepped upon the stage as a clear — but controversial — leader and innovator. After a falling out early on with Check Point management, he started OneSecure in 1999, which was acquired by NetScreen in 2002; NetScreen was in turn acquired by Juniper for $4 billion in 2004.

After Zuk left Juniper to establish Palo Alto, Juniper launched firewall-related patent-infringement lawsuits. The two sides dueled over firewall patents until finally in May of this year they settled with a cross-licensing arrangement that included Palo Alto agreeing to pay $175 million in cash and equity.

While some of his former employers tend to wince at his name, Zuk nonetheless gets the nod from others. “Nir’s the brains,” comments Ranum.
“He did the design of a lot of Check Point, Netscreen (now Juniper) and Palo Alto — he takes a team of programmers around with him, who — by now — can code firewalls in their sleep.”

The world has moved far beyond what was possible in the early '90s, Ranum adds. “Now that you can buy programmable ‘switch on a chip’ processors like the Cavium Octeon, it’s possible to do the layer-7 analysis at packet speed, which we could never do in 1991. I see the trend as a sort of vindication of the idea the game was always at layer-7 to begin with and ‘stateful inspection’ was a 15-year-long digression.”

In all this time, the firewall market has mushroomed into what Gartner thinks will be more than a $9 billion market this year. Firewalls have long since been used not just at the perimeter but also inside enterprise networks to cordon off segments. But despite all this, the irony is that the role of the network firewall is more in doubt than ever before because of the rise of cloud-based services and mobile devices.

IT and security managers have always had their doubts about firewalls, especially when web traffic had to be let through. Those doubts reached a crescendo in the 2005 timeframe and on, when a group of security professionals from several large global enterprises gathered together under the banner of the “Jericho Forum” to voice their displeasure with firewalls. Their complaints centered around the idea that the growth of cloud services, e-commerce and mobile were all acting to eliminate any discernible “perimeter” in their networks they had once enjoyed.
The Jericho Forum, led by security pros such as Paul Simmonds, who worked at paint and chemicals firm ICI and later AstraZeneca, spoke out passionately about the perceived limits of firewalls and a deep desire for new approaches that were data-centric.

Under the auspices of the Open Group, the Jericho Forum began issuing position papers, notably the Jericho Forum’s “Commandments” for good security to “deliver a de-perimeterized vision.” It fired more than a few shots at the firewall. “Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves,” the group stated. Other guidelines included, “In general, it is easier to protect an asset the closer protection is provided.”

In the ongoing debate, which enlivened many tech conferences, Gartner, among others, tended to push back on the notion that the perimeter firewall should go away. Companies kept buying more firewalls. But the Jericho Forum’s basic concepts about how use of cloud services and mobile devices, especially employee-owned “Bring Your Own Device” situations, were causing difficulties for perimeter firewalls hit home for many companies. And the rise of virtualized networks and the looming terrain of future Software-Defined Networks for switching is challenging firewall vendors to adapt.

Some vendors, including Check Point, have designed software-based firewalls to work in the Amazon Web Services EC2 cloud service, for example, though Amazon itself offers a firewall service. Cisco doesn’t yet, but Harrell says that’s in the works along with other cloud services. He acknowledges one issue is that each one represents a platform needing a specific firewall build and a way to charge for a firewall in the “pay as you go” model of cloud services.
He adds Cisco also has firewall hosting services for the enterprise that are going to be expanded in the future.

Adoption of virtual firewalls has been fairly slow, Gartner believes, predicting that fewer than 5% of enterprises will deploy all-virtualized firewalls in their data centers by 2016. Check Point’s Shwed acknowledges that from what he sees, adoption of virtual firewalls hasn’t seemed to take off.

But firewalls are hardly dead, as Gartner analyst Greg Young pointed out in his recent presentation at the Gartner Security and Risk Management Summit. He noted that the enterprise firewall market at $8.7 billion remains the single largest segment of the overall IT security market. And that’s expected to rise to $9.4 billion by year-end. But there are discontents around specific things.

Web A/V filtering, in particular, causes a significant performance hit on a firewall, he pointed out, and this functionality is likely better deployed on a secure gateway. The firewall contenders out there have yet to leave their marks in virtualization, the data center and SDN, “the next battle to be fought,” Young said.

Cisco’s Harrell contends Cisco is positioning itself to engage in that battle effectively with its application-centric infrastructure and controller, with a way to configure firewalls and load balancers in simple English-language rules. However, it all remains very new.

Some Gartner analysts are looking beyond the network firewall for help in the future.
One Gartner analyst, Joseph Feiman, even argues that a 2-year-old technology called “Runtime Application Self-Protection” (RASP) could take over most of the duties of the network firewall.

In a debate between Young and Feiman at the conference, Feiman argued ardently that RASP — described as instrumentation of the runtime in servers or clients to protect applications against a variety of attacks — is basically a better approach than traditional firewalls because the perimeter is dissolving due to cloud services and mobile. “We’re failing with our perimeter security,” he said. “I’m asking us to change our view.”

Feiman said vendors with RASP products include HP, Prevoty, Shape Security, Waratek, Bluebox and Lacoon Mobile Security. Young, however, scoffed at the notion that RASP would be the next big thing to edge out perimeter firewalls, noting RASP products need to be added to each OS or handset they might want to protect.

And how does Check Point’s Shwed feel about RASP? He acknowledges he’s really not familiar with it, and it’s not something that troubles him. What does concern him is how the modern firewall needs to evolve to gain information about ever-more stealthy threats in order to block them. He thinks information-sharing among security vendors of many kinds is the way forward, and that’s what Check Point is pursuing.