As a result of a combination of factors, the shortage of raw materials is having an impact on the cybersecurity industry. This is prompting manufacturers and distributors to ask themselves new questions. How can they work around these shortages? In terms of firewalls, the hardware itself seems to be in short supply; so, could this spell the end of the physical firewall?
In other words, is it time for us to dispense with these critical computer boxes? Spoiler alert: no. But the answer is a little more complex than that. The issue essentially comes down to semiconductors. In his essay Chip War, US professor Chris Miller traces the history of this critical component that is now at the centre of an intense geopolitical battle. This context of tension, accentuated by the over-consumption of these components by our “always-connected” society, is reflected in the cyber industry. And this shortage is forcing the industry to confront its own contradictions, raising new issues. This has direct consequences for the manufacture of firewall hardware.
The firewall: a collateral victim of the crisis in the semiconductor supply chain
To get to the root of the current shortage, let’s take a trip back in time. And specifically, to the 1960s, a pivotal period during which the United States decided to relocate semiconductor production to Singapore, Hong Kong and then –from the 1980s onwards – Taiwan, recalls Chris Miller. Taiwan now holds 55% of the manufacturing contracts for all semiconductors produced worldwide. This small island off the coast of China has specialised in particular in the manufacture of high-performance chips, through its flagship company Taiwan Semiconductor Manufacturing Company (TSMC), which has developed cutting-edge technology. Tensions between the United States and China, most recently reignited by the US Department of Commerce's decision to restrict the export of these components to China against a backdrop of historical tensions, are raising the threat of international conflict. In addition to geopolitical tensions, cyclical phenomena are also playing a part. Bad weather has affected several large production plants, including a typhoon that hit the Renesas plant in Japan in July. A few months earlier, a drought had hit Taiwan, slowing production and supply chains. Even earlier, in the winter of 2021, the Samsung foundry in Texas was shut down due to weather events. In addition, each new outbreak of the Covid-19 pandemic leads to tensions on the semiconductor production line.
These various tensions impact the entire field of IT, and physical products in particular. Taking the example of a firewall, many of its components are affected by this shortage of computer components (PCB, optical fibre, RAM, processor, disk, diodes, voltage converters, etc.). And this is not only true for the United States; its effects are also highly visible in Europe, where anticipation of these shortages in computer components has varied from one manufacturer to another. “Lead times for some components are now routinely one or two years,” explains Alain Dupont, Stormshield's Customer Service Director and Managing Director. Since mid-2020, this has led us to plan our firewall production orders more than a year in advance.” Although some have been able to plan ahead and build up a stock of equipment, others are now finding themselves in difficulty. A cyber version of the proverbial grasshopper and ant, but with a third factor in the equation: companies that are stockpiling not equipment, but components, with the aim of driving up prices.
Lead times for some components are now routinely one or two years. Since mid-2020, this has led us to plan our firewall production orders more than a year in advance.Alain Dupont, Director of Customer Service and Deputy Managing Director, Stormshield
Faced with this unprecedented (and yet undoubtedly long-term) uncertainty, how are the main stakeholders reacting? Some are choosing to turn to the secondary market for computer components, commonly known as the “open market” or “grey market”. This is no trivial choice, and it is an area “whose working practices you need to be fully conversant with to avoid the potential risks”, explains Julien Paffumi, Senior Product Manager at Stormshield. Because you need to be sure of the quality of the components you find there.” To ensure the necessary quality, “you should at least ask for and check samples before ordering complete batches,” explains Alain Dupont. And for sensitive components, don't forget to ask for certificates of sale and authenticity. ”
Manufacturers' responses to the shortage
This tense environment for the supply of semi-conductors has also prompted new approaches to the links with physical firewalls, and greater musings over the potential use of virtual firewalls. On paper, the features are identical; the major difference is in how they are deployed (a physical network device, or a server that hosts virtual environments). While physical firewalls are most often deployed in the form of a 1U box containing all the Ethernet ports on the back, virtualised firewalls are deployed as a virtual machine on a hypervisor. But the question of this hypervisor brings us back to everyday reality: “All we're doing is shifting the problem elsewhere, because behind a virtual firewall, there's always hardware,” Alain explains.
All we're doing is shifting the problem elsewhere, because behind a virtual firewall, there's always hardware.Alain Dupont, Director of Customer Service and Deputy Managing Director, Stormshield
Another option is to implement perimeter security via a cloud hosting provider. Many cloud-based filtering offers exist, such as FWaaS (firewall-as-a-service) and, more recently, the concept of SASE (secure access service edge), described in 2019 by US firm Gartner. These flexible offerings are easy to deploy, but customers are forced to delegate the management of the security of the hosting platform to a third party. From a contractual point of view, customers are also exposed to potential price increases.
What solutions exist for users?
These two alternative methods are not magic: both have their limits. Firstly, because neither of them can really solve the issue of dependence on semiconductors; the cloud requires hardware infrastructure (data centres), sharing some of the same components as physical firewalls. Secondly, from a financial point of view, it is not possible to characterise virtual solutions as being just a cheaper version than their physical counterparts; the costs are shifted from the physical firewall at the network edge to the server containing the hypervisor on which the virtual firewall is installed. Some (small) companies are currently unable to invest in such expensive equipment instead of a dedicated physical box at an entry-level price.
At the same time, the firewall-as-a-service solution is not ideal for all types of companies, such as France’s opérateurs d’importance vitale (OIVs). This type of critical structure, which inspired the Operator of Essential Services (OES) structure at European level, must use on-premises facilities where possible. Especially since France’s ANSSI cybersecurity agency currently declines to qualify virtual versions of firewalls, unlike their physical counterparts.
Another option for dealing with component shortages is to extend the life of existing firewalls. But like all the options already mentioned, this too carries its share of risk. If the manufacturer no longer maintains the device in question, the lack of updates can lead to security holes remaining open. And customers will sooner or later have to deal with the failure of their equipment, without the option of replacing it when it does. So this solution is not really a solution from a cyber point of view. Under the other scenario, in which the manufacturer still maintains its physical equipment, it will continue to provide regular updates. But growing requirements for performance will fall short. “When we renew a range, we do so to achieve an optimal level of performance in relation to current bandwidth and needs,” says Julien.
Refurbishment can also be an option for users. However, be sure to choose your supplier carefully. Last July, a US entrepreneur was arrested for importing reconditioned equipment. The problem was that these refurbished firewalls were fraudulent and contained backdoors...
In conclusion, it would seem very unwise to report the death of the physical firewall, even given the current semiconductor shortage. While we continue to await European reindustrialisation by 2030 as initiated by the European Commission, the supply war in the world of cybersecurity continues to rage.