What is a Next Generation Firewall (NGFW)?
A firewall is a network security device that acts as a barrier between an organization’s internal network and the internet, based on the organization’s administrator-defined security policies. For most organizations, a firewall is seen as one of the most basic and essential aspects of a network security strategy. A next generation firewall (NGFW) takes this one step further, by adding more sophisticated features beyond those provided by traditional firewalls, for increased security effectiveness. Next generation firewall technology allows an organization to protect its network and data centers from a wide range of threats.
The difference between traditional and next generation firewalls lies in the way the firewall technology evaluates network traffic.
Traditional firewalls, also known as stateful firewalls, monitor the full state of all active network connection sessions, and analyze the complete context of data and traffic packets before they are allowed to enter the network. This is also known as ‘dynamic packet filtering’. This type of packet filtering includes looking at details of the connection, such as its protocol and port, as well as whether the connection meets the organization’s network security policies. A traditional firewall does not analyze individual data packets in isolation; rather, it analyzes the state of each connection as a whole. Each connection is approved when it is first established, and can then continue to send and receive for as long as it remains open. This type of firewall doesn’t require much processing power and can handle high traffic volumes. A stateful firewall is one of the most standard types of network firewall today.
As a further level of threat protection, a next generation firewall goes beyond basic port and protocol inspection, combining the functions of traditional, stateful network-based firewall technology with other network device filtering technologies. These technologies include threat intelligence, application control, deep packet inspection (DPI), and integrated intrusion prevention systems (IPS). This combination allows next generation firewalls (NGFWs) to protect against the latest security threats, such as advanced malware and application-layer attacks, without requiring extra third-party solutions.
As opposed to the stateful firewall, which works at layer 4 in the OSI model (the transport layer), the next generation firewall (NGFW) can operate up to layer 7 (the application layer). Instead of looking at each connection as a whole, it can filter packets at the application level, and even inspect each packet’s content, making it suitable for a wide range of use cases. The NGFW uses the principles of Zero Trust, analyzing every individual packet in a context-aware manner. This allows identification of suspicious packets that may have malicious content. Of course, such a solution will require more processing power than a stateful firewall, but it allows for more advanced threat prevention. As the processing power provided by typical CPUs has grown over time, this drawback has become much less significant.
A stateful firewall is often seen as the backbone of an organization’s network security strategy, ensuring endpoint protection from web-based security threats. It uses ports, protocols, and known IP addresses of senders and receivers to provide protection. These firewalls are often chosen because they are readily available, and both easy and inexpensive to integrate. However, a next generation firewall provides a higher level of protection against even the latest, emerging internet-based threats, although not an airtight one. Many new threats target vulnerabilities in applications in order to bypass the firewall, leaving organizations and their data centers at risk. This is especially relevant when it comes to web-based applications, which can no longer be identified by a particular port. A next generation application firewall reduces the likelihood that this will happen.
When using a next generation firewall (NGFW), the content of each packet is identified and inspected. This provides protection from newer attacks, which often take place at layers 4-7 of the OSI model – from the network level through to the application level. For example, some threats will bypass regular firewalls by using an alternative port. This type of activity will not be able to evade detection by next generation firewalls.
When a next generation firewall (NGFW) is in use, network traffic can be filtered according to application, as opposed to just port or protocol. For example, the firewall could be set up to block all traffic from certain applications, or application access can be controlled in detail.
Next generation firewalls allow the organization to set up and control policies at a granular level, for users, groups of users, applications, and more, to provide policies tailored for all use cases.
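The following is an added illustration, not code from any vendor's product: a minimal port/protocol rule table of the kind a stateful firewall applies, beside an application-aware decision that classifies each packet by its payload and then applies a rule keyed by user group and application. It shows why an application moved onto an unexpected port (the alternative-port case above) passes the port check but is still caught by the application policy. The payload heuristics, rule tables, group names and sample packets are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes of application data (constructed samples)
    user_group: str  # identity the NGFW has mapped the source to (assumed)

# Layer-4 rule table: a traditional stateful firewall permits by port/protocol.
PORT_RULES = {("tcp", 443): "allow", ("tcp", 80): "allow"}

def stateful_decision(pkt: Packet) -> str:
    """Port/protocol check only; the payload is never examined."""
    return PORT_RULES.get((pkt.proto, pkt.dst_port), "deny")

def identify_application(payload: bytes) -> str:
    """Layer-7 classification from payload content (simplified heuristics)."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload[:3] == b"\x16\x03\x01":      # TLS record header of a ClientHello
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"

# Layer-7 rule table keyed by (user group, application); "*" matches any group.
APP_RULES = {
    ("*", "tls"): "allow",
    ("*", "http"): "allow",
    ("it-admins", "ssh"): "allow",   # granular exception for a single group
}

def ngfw_decision(pkt: Packet) -> str:
    """Port check first, then application identity and user group."""
    if stateful_decision(pkt) == "deny":
        return "deny"
    app = identify_application(pkt.payload)
    return APP_RULES.get((pkt.user_group, app),
                         APP_RULES.get(("*", app), "deny"))

TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # constructed
SSH_BANNER = b"SSH-2.0-sample\r\n"                            # constructed

def demo():
    """Returns (stateful, ngfw) verdicts for four constructed packets."""
    samples = [
        Packet("tcp", 443, TLS_HELLO, "staff"),
        Packet("tcp", 443, SSH_BANNER, "staff"),      # SSH on the HTTPS port
        Packet("tcp", 443, SSH_BANNER, "it-admins"),  # same traffic, allowed group
        Packet("tcp", 8080, b"GET / HTTP/1.1\r\n", "staff"),
    ]
    return [(stateful_decision(p), ngfw_decision(p)) for p in samples]
```

The second sample is the key one: the port rule allows it, while the application rule denies it unless the source belongs to the group granted an exception.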
Next generation firewalls can display all activity across hosts, networks, devices, and users. This includes active applications and websites visited, as well as connections between different devices, and files sent between devices. This detailed level of monitoring leaves no stone unturned, allowing an organization to prevent malicious behavior and achieve better threat detection using a Zero Trust approach.
Instead of using many different network security solutions to provide firewall capabilities, IPS, filtering, etc., a next generation application firewall can provide all of these features in one package, with alerts in real time, for easier integration and simple, centralized management through one application dashboard. This also makes it far easier to keep the firewall updated, making the IT department’s job much simpler.
A next generation firewall vendor should include the following features in its solution:
For organizations looking to implement a Zero Trust model, NGFWs provide many of the necessary features. Instead of recognizing threats based on signatures, NGFWs use a Zero Trust approach, analyzing the contents of every packet. Increased network visibility ensures that every aspect of the network can be monitored and analyzed. The firewall provides many application controls needed in order to implement a Zero Trust framework. However, because NGFWs rely on recognizable signatures, behavior patterns and activity, they cannot be relied upon to always stop advanced malware, and the newest and most stealthy types of attacks.
There are a few different ways that NGFWs can be integrated, for both on-site and cloud security.
A cloud-delivered firewall is known as FWaaS – Firewall as a Service. Cloud-based FWaaS offerings have a number of benefits:
Since next generation firewalls use a Zero Trust approach and analyze the contents of every packet, they provide superior security to older connection-based firewalls. Additional technologies can be integrated with NGFWs to make them even safer, protecting against packets that are not yet recognized as harmful by signature-based protocols.
Remote Browser Isolation (RBI) can be deployed alongside an NGFW. When a user clicks a link or enters a URL, website code is run in a virtual browser in an isolated container, typically in the cloud. The user sees a visual rendering of the website, but the actual website code cannot reach the user’s device. At the end of the session, the container, along with the website code and any malware that may be lurking within the site, is destroyed.
Application Isolation is the flip side of RBI. Just as RBI protects users from malicious code, Application Isolation protects your apps and networks from malicious content sent by user devices. With Application Isolation, the user interacts with a rendered version of the website or app. This makes it impossible for cybercriminals to take advantage of a vulnerability in page source code, APIs, or developer tools. This can be especially important for securing legacy apps that may not be receiving ongoing security updates.