What is a Next Generation Firewall (NGFW)?

What makes NGFWs different from traditional firewalls?

A firewall is a network security device that acts as a barrier between an organization’s internal network and the internet, based on the organization’s administrator-defined security policies. For most organizations, a firewall is seen as one of the most basic and essential aspects of a network security strategy. A next generation firewall (NGFW) takes this one step further, by adding more sophisticated features beyond those provided by traditional firewalls, for increased security effectiveness. Next generation firewall technology allows an organization to protect its network and data centers from a wide range of threats.

Stateful vs next generation firewalls

The difference between traditional and next generation firewalls lies in how each evaluates network traffic.

Traditional firewalls, also known as stateful firewalls, track the state of every active network connection and evaluate each packet in the context of its connection before it is allowed to enter the network. This is also known as ‘dynamic packet filtering’. It involves looking at details of the connection, such as its protocol and port, and checking whether the connection meets the organization’s network security policies. A traditional firewall does not analyze individual data packets in isolation; rather, it analyzes the state of each connection as a whole. Each connection is approved when it is first established, and can then continue to send and receive for as long as it remains open. This type of firewall does not require much processing power and can handle high traffic volumes. The stateful firewall is one of the most common types of network firewall today.

As a further level of threat protection, a next generation firewall goes beyond basic port and protocol inspection, combining the functions of a traditional stateful network firewall with other filtering technologies: threat intelligence, application control, deep packet inspection (DPI), and an integrated intrusion prevention system (IPS). This combination allows next generation firewalls (NGFWs) to protect against the latest security threats, such as advanced malware and application-layer attacks, without requiring extra third-party solutions.

Whereas a stateful firewall works at layer 4 of the OSI model (the transport layer), a next generation firewall (NGFW) can operate up to layer 7 (the application layer). Instead of looking only at each connection as a whole, it can filter packets at the application level and even inspect each packet’s content, making it suitable for a wide range of use cases. The NGFW applies the principles of Zero Trust, analyzing every individual packet in a context-aware manner, which allows it to identify suspicious packets that may carry malicious content. Such a solution naturally requires more processing power than a stateful firewall, but it allows for more advanced threat prevention, and as the processing power of typical CPUs has grown over time this drawback has become much less significant.

NGFW benefits

A stateful firewall is often seen as the backbone of an organization’s network security strategy, providing endpoint protection from web-based security threats. It uses ports, protocols, and the known IP addresses of senders and receivers to provide protection. These firewalls are often chosen because they are readily available, and both easy and inexpensive to integrate. A next generation firewall, however, provides a higher level of protection against even the latest, emerging internet-based threats, albeit not an airtight one. Many new threats target vulnerabilities in applications in order to bypass the firewall, leaving organizations and their data centers at risk. This is especially relevant for web-based applications, which can no longer be identified by a particular port. A next generation application firewall reduces the likelihood that this will happen.

Content inspection and identification

When a next generation firewall (NGFW) is used, the content of each packet is identified and inspected. This provides protection from newer attacks, which often take place at layers 4-7 of the OSI model – from the network level through to the application level. For example, some threats bypass regular firewalls by using an alternative port; this type of activity will not be able to evade detection by a next generation firewall.

Application access control and application-level filtering

Network traffic can be filtered according to applications, as opposed to just port or protocol, when a next generation firewall (NGFW) is being used. For example, the firewall could be set up to block all traffic from certain applications, or application access can be controlled in detail.
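The contrast drawn in the last three sections (a port rule sees only the port; payload inspection identifies the application and the named destination, so a service on an unexpected port or cleartext web traffic on the TLS port is still recognized) can be shown in a few dozen lines. The following is an added illustration, not code from this page or from any firewall product. The flows, addresses, host names, port table and allow-list are all constructed, and the small ClientHello builder exists only to produce test input for the SNI parser.

```python
# Added example, not code from the page or any vendor: it contrasts what a
# port/protocol (stateful) rule can see with what payload inspection can see.
# Flow data, host names, ports and the policy table are all constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection

# A port rule knows only the destination port, so it infers the application from it.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh"}

def identify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def http_host(payload: bytes) -> Optional[str]:
    """Host header of a plaintext HTTP/1.x request, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None

def tls_sni(payload: bytes) -> Optional[str]:
    """Server name from a TLS ClientHello (record type 0x16, handshake type 1), or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                        # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                                 # session id
        pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")  # cipher suites
        pos += 1 + payload[pos]                                 # compression methods
        ext_end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(payload[pos:pos + 2], "big")
            elen = int.from_bytes(payload[pos + 2:pos + 4], "big")
            pos += 4
            if etype == 0:                                      # server_name extension
                p = pos + 2                                     # skip server_name_list length
                while p + 3 <= pos + elen:
                    nlen = int.from_bytes(payload[p + 1:p + 3], "big")
                    if payload[p] == 0:                         # host_name entry
                        return payload[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen
    except IndexError:
        pass  # truncated or malformed hello: treat as "no name"
    return None

def identify_by_content(flow: Flow) -> Tuple[str, Optional[str]]:
    """(application, named destination) taken from the payload, whatever the port."""
    p = flow.payload
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:256]:
        return "http", http_host(p)
    if p.startswith(b"SSH-"):
        return "ssh", None
    if len(p) > 5 and p[0] == 0x16 and p[5] == 0x01:
        return "tls", tls_sni(p)
    return "unknown", None

# Constructed application-level policy: TLS to named services only; everything else denied.
ALLOWED_TLS_HOSTS = {"updates.example.com", "mail.example.com"}

def application_policy(flow: Flow) -> str:
    app, name = identify_by_content(flow)
    return "allow" if app == "tls" and name in ALLOWED_TLS_HOSTS else "deny"

def build_client_hello(server_name: str) -> bytes:
    """Minimal ClientHello with one SNI entry; constructed test input, not a real client."""
    name = server_name.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    ext_data = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(ext_data).to_bytes(2, "big") + ext_data
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed flows: web on a non-standard port, TLS to an allowed host,
# plaintext HTTP hiding on the TLS port, and TLS to an unlisted host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 8080, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.20", 443, build_client_hello("updates.example.com")),
    Flow("10.0.0.5", "203.0.113.30", 443, b"POST /upload HTTP/1.1\r\nHost: drop.example\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.40", 443, build_client_hello("unknown-cdn.example")),
]

def classify_all(flows=SAMPLE_FLOWS):
    return [(identify_by_port(f), identify_by_content(f), application_policy(f)) for f in flows]

if __name__ == "__main__":
    for f, (by_port, by_content, verdict) in zip(SAMPLE_FLOWS, classify_all()):
        print(f"{f.dst}:{f.dst_port:<5} port says {by_port:<8} content says {by_content} -> {verdict}")
```

The third flow is the one to watch: a port rule labels it "tls" because it targets 443 and would pass it, while payload inspection sees a plaintext HTTP POST and the application policy denies it. A production engine also has to reassemble streams, cope with fragmentation, and handle cases where the name is not visible at all, such as TLS Encrypted Client Hello, which is why the text pairs DPI with threat intelligence and behavioural checks rather than relying on it alone.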

Policy control

Next generation firewalls allow the organization to set up and control policies at a granular level, for users, groups of users, applications, and more, to provide policies tailored for all use cases.

Network visibility and control

Next generation firewalls can display all activity across hosts, networks, devices, and users. This includes active applications and websites visited, as well as connections between different devices, and files sent between devices. This detailed level of monitoring leaves no stone unturned, allowing an organization to prevent malicious behavior and achieve better threat detection using a Zero Trust approach.

Replaces many different network security solutions

Instead of using many different network security solutions to provide firewall capabilities, IPS, filtering, etc., a next generation application firewall can provide all of these features in one package, with alerts in real time, for easier integration and simple, centralized management through one application dashboard. This also makes it far easier to keep the firewall updated, making the IT department’s job much simpler.

NGFW features

Next generation firewall vendors should include the following features in their solutions:

  1. Stateful firewall capabilities: The ability to use ports and protocols, together with IP addresses, to inspect connections and identify possible threats.
  2. Application control and monitoring: The ability to control access and monitor traffic at the application level.
  3. Deep packet inspection (DPI): The firewall will analyze the contents of each packet, to identify anything suspicious or malicious.
  4. Intrusion prevention systems (IPS): An integrated intrusion prevention system monitors the network for any malicious activity that could signal an intrusion, whether from known threats or from unknown, zero-day threats, for example an unauthorized user attempting to gain remote access to the network. When malicious activity is found, it is blocked before the intrusion can occur. There are three main ways to achieve this: blocking activity that violates policies, using behavior patterns to block abnormal activity, or blocking based on known threat signatures.
  5. Granular policy control: Policy control beyond the simple block or allow functions provided by a stateful firewall. The organization can choose which users can access which applications, and in even more depth, which parts of the application they can access, on an as-needed basis.
  6. High performance and rapid detection: A good solution will detect threats rapidly in real time, providing alerts that allow swift threat management and elimination. High performance ensures that the firewall can handle traffic without affecting employee productivity through decreased network speed.
  7. Threat intelligence: An increasing number of attackers are using encrypted traffic to conceal their malicious activity. To prevent such attacks, it’s important to select a solution that includes integration with an external threat intelligence network. A solution that uses machine learning based threat intelligence to detect threats is highly recommended.
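To show how items 4 and 5 of this list fit together, here is an added illustration (not code from this page or from any vendor's product): a toy inspector first applies a granular (group, application, action) policy and then the three IPS approaches named above, a policy violation, a known-signature match, and abnormal behaviour, here a burst of connection attempts from one source. The users, groups, the signature pattern, the rate threshold and the event stream are all constructed.

```python
# Added example, not code from the page or from any vendor: a toy inspector that
# applies a granular (group, application, action) policy and then the three IPS
# approaches listed above. Users, groups, signature, thresholds and events are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Event:
    t: float            # seconds since start of the capture
    user: str
    src: str            # source address
    app: str            # application identified by the firewall
    action: str         # application-level action requested
    payload: bytes = b""

GROUPS = {"alice": "finance", "bob": "engineering", "svc-backup": "service"}

# Granular policy: (group, application) -> allowed actions. No entry means deny.
POLICY = {
    ("finance", "erp"): {"read", "write"},
    ("engineering", "git"): {"read", "push"},
    ("engineering", "erp"): {"read"},
    ("service", "backup"): {"read", "upload"},
}

# Known-bad byte pattern: a constructed placeholder, not a real IDS signature.
SIGNATURES = {"SIG-EXAMPLE-001": b"EXAMPLE-MALICIOUS-MARKER"}

RATE_LIMIT = 5       # more than this many connection attempts from one source ...
RATE_WINDOW = 10.0   # ... inside this many seconds counts as abnormal behaviour

class Inspector:
    def __init__(self) -> None:
        self.recent = defaultdict(deque)   # src -> timestamps of recent attempts

    def policy_check(self, e: Event) -> bool:
        allowed = POLICY.get((GROUPS.get(e.user, "unknown"), e.app), set())
        return e.action in allowed

    def signature_check(self, e: Event) -> Optional[str]:
        for name, pattern in SIGNATURES.items():
            if pattern in e.payload:
                return name
        return None

    def behaviour_check(self, e: Event) -> bool:
        """Sliding-window rate per source; every attempt counts, allowed or not."""
        q = self.recent[e.src]
        q.append(e.t)
        while q and e.t - q[0] > RATE_WINDOW:
            q.popleft()
        return len(q) > RATE_LIMIT

    def decide(self, e: Event) -> Tuple[str, str]:
        abnormal = self.behaviour_check(e)        # record the attempt first
        if not self.policy_check(e):
            return "block", "policy violation"
        sig = self.signature_check(e)
        if sig is not None:
            return "block", f"signature {sig}"
        if abnormal:
            return "block", "abnormal connection rate"
        return "allow", "ok"

# Constructed events: a normal read, a write engineering may not make, an allowed
# write carrying the marker, a service upload, then a burst of reads from bob.
EVENTS = [
    Event(0.0, "alice", "10.0.1.10", "erp", "read"),
    Event(1.0, "bob", "10.0.1.20", "erp", "write"),
    Event(2.0, "alice", "10.0.1.10", "erp", "write", b"...EXAMPLE-MALICIOUS-MARKER..."),
    Event(3.0, "svc-backup", "10.0.1.30", "backup", "upload"),
] + [Event(4.0 + 0.5 * i, "bob", "10.0.1.20", "git", "read") for i in range(7)]

def run(events=EVENTS):
    insp = Inspector()
    return [insp.decide(e) for e in events]

if __name__ == "__main__":
    for e, (verdict, reason) in zip(EVENTS, run()):
        print(f"t={e.t:4.1f} {e.user:<10} {e.app:<7} {e.action:<7} -> {verdict} ({reason})")
```

Two design points carry over to real deployments: the behaviour counter is updated before the policy decision, so that attempts blocked by policy still contribute to the rate (an attacker probing for an allowed path should not get a clean slate per attempt), and each verdict carries its reason, which is what makes the real-time alerts in item 6 actionable for the operator reading them.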

NGFWs for Zero Trust Network Security

For organizations looking to implement a Zero Trust model, NGFWs provide many of the necessary features. Instead of recognizing threats based on signatures, NGFWs use a Zero Trust approach, analyzing the contents of every packet. Increased network visibility ensures that every aspect of the network can be monitored and analyzed. The firewall provides many application controls needed in order to implement a Zero Trust framework. However, because NGFWs rely on recognizable signatures, behavior patterns and activity, they cannot be relied upon to always stop advanced malware, and the newest and most stealthy types of attacks.

NGFW integration options

There are a few different ways that NGFWs can be integrated, for both on-site and cloud security.

On-site security

  • Either at the network perimeter or along organizational network boundaries

Cloud security

  • In a private cloud, such as VMWare
  • In a public cloud, such as Amazon AWS or Microsoft Azure

A cloud-delivered firewall is known as FWaaS (Firewall as a Service). Cloud-based FWaaS has a number of benefits:

  1. Scalability: The resources used can be scaled based on the amount of network traffic that must be processed, saving money and ensuring maximum performance.
  2. Easier maintenance and support: The service provider handles technical support and maintenance as and when needed, so it is not a burden on the IT department.
  3. Free upgrades and patches: The service provider is responsible for ensuring the software is up-to-date, so the organization is always protected from the latest threats.

Enhancing NGFWs

Since next generation firewalls use a Zero Trust approach and analyze the contents of every packet, they provide superior security to older connection-based firewalls. Additional technologies can be integrated with NGFWs to make them even safer, protecting against packets that are not yet recognized as harmful by signature-based protocols.

Remote Browser Isolation

Remote Browser Isolation (RBI) can be deployed alongside an NGFW. When a user clicks a link or enters a URL, the website code runs in a virtual browser inside an isolated container, typically in the cloud. The user sees a visual rendering of the website, but the actual website code cannot reach the user’s device. At the end of the session the container, along with the website code and any malware that may be lurking within the site, is destroyed.

Application Isolation

Application Isolation is the flip side of RBI. Just as RBI protects users from malicious code, Application Isolation protects your apps and networks from malicious content sent by user devices. With Application Isolation, the user interacts with a rendered version of the website or app. This makes it impossible for cybercriminals to take advantage of a vulnerability in the page source code, APIs, or developer tools. This can be especially important for securing legacy apps that may not be receiving ongoing security updates.
