What is a Next Generation Firewall (NGFW)?
A firewall is a security device that acts as a barrier between an organization’s internal network and the internet, based on the organization’s administrator-defined security policies. For most organizations, a firewall is seen as one of the most basic and essential aspects of a security strategy. A next generation firewall takes this one step further, by adding more sophisticated features beyond those provided by the traditional firewall, for increased security effectiveness. These features allow an organization to protect its network and data centers from a wide range of threats.
Stateful vs next generation firewalls

The difference in traditional and next generation firewalls lies in the way the firewall evaluates network traffic.

A traditional firewall, also known as a stateful firewall, tracks the state of every active connection in a connection table and decides whether each packet belongs to a connection that policy permits. This is also known as ‘dynamic packet filtering’: the firewall looks at the connection’s source and destination addresses, protocol and ports, and at TCP flags and sequence state, and checks whether the connection meets the organization’s network security policy. It does not inspect the payload of individual packets. A connection is evaluated against policy when it is first opened; packets that match an existing entry in the connection table are then forwarded in both directions until the connection closes or times out. Because each decision is a lookup on packet headers, this type of firewall needs little processing power and can handle high traffic volumes. The stateful firewall is still the most common type of network firewall today.

As a further level of threat protection, a next generation firewall goes beyond basic port and protocol inspection, to combine the functions of a traditional, stateful network-based firewall with other network device filtering technologies. These technologies include threat intelligence, application control, deep packet inspection (DPI), and intrusion prevention systems (IPS). This combination allows for protection against the latest threats, such as advanced malware, and application-layer attacks.

A stateful firewall works at layers 3 and 4 of the OSI model (the network and transport layers), on addresses, protocols and ports. An NGFW can operate up to layer 7 (the application layer): instead of judging a connection by its headers alone, it reassembles the stream, inspects packet content, identifies the application carrying the traffic, and can apply policy to that application regardless of the port it uses. This is what allows it to flag packets whose payload is suspicious even though the port and addresses are permitted. Such inspection costs far more processing power than a stateful lookup, and inspecting encrypted traffic adds to the cost because the firewall must decrypt it first, but it enables much more advanced threat prevention. As the processing power of typical CPUs has grown, this drawback has become less significant.

NGFW benefits

A stateful firewall is often the backbone of an organization’s network security strategy, controlling which traffic may pass between the internal network and the internet. It makes its decisions on ports, protocols, and the IP addresses of senders and receivers. These firewalls are often chosen because they are readily available, and both easy and inexpensive to deploy. A next generation firewall provides a higher level of protection against newer internet-based threats, although not an airtight one. Many attacks target vulnerabilities in applications in order to pass through the firewall on a port that is already allowed, leaving organizations and their data centers at risk. This is especially relevant for web-based applications, which can no longer be identified by port alone: a great deal of unrelated traffic shares ports 80 and 443. A next generation firewall that identifies the application and inspects its content reduces the likelihood that such traffic passes unexamined.

The benefits can be summed up as follows:

Content inspection and identification

The content of each packet is identified and inspected. This provides protection against attacks that take place above layer 4 of the OSI model, up to the application layer, which a port-based rule cannot see. For example, a threat may try to get past a regular firewall by running a disallowed service on a port that is allowed, such as tunneling a remote-access protocol over port 443. Because a next generation firewall identifies the application from the traffic itself rather than from the port number, this kind of port evasion can be detected and blocked.

Application access control and application-level filtering

Network traffic can be filtered according to the application it carries, as opposed to just port or protocol. For example, the firewall could be configured to block all traffic from certain applications, or to allow an application for some users and groups while denying it to others, or to permit only particular functions within an application.
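To make the stateful versus application-aware distinction concrete, here is an added example (not code from the original page, nor any vendor’s inspection engine): a toy stateful filter that decides on the 5-tuple and a connection table, beside a toy application-aware filter that classifies the payload and applies a per-group application policy on top of the same stateful check. The packet format, the payload heuristics in identify_app, the user-to-group mapping and the policy table are assumptions made for this example, and the sample flows are constructed. It reproduces the port-evasion case described above: SSH tunneled over port 443 passes the stateful filter, and is denied by the application policy for a user whose group may not use SSH.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet of a TCP flow (constructed format, not a real capture)."""
    src: str
    dst: str
    dport: int
    proto: str
    syn: bool                  # True for the first packet that opens the connection
    payload: bytes = b""
    user: str = "anonymous"    # identity the NGFW has mapped to src (assumption)


# Stateful (layer 3/4) policy: new connections may open only to these ports.
STATEFUL_ALLOWED_PORTS = {80, 443}

# Application (layer 7) policy, keyed by (group, app); "*" matches any group.
# Hypothetical user-to-group mapping and policy table for this example.
GROUPS = {"alice": "engineering", "bob": "finance"}
APP_POLICY = {
    ("*", "tls"): "allow",
    ("*", "http"): "allow",
    ("engineering", "ssh"): "allow",   # finance gets the default: deny
}


def stateful_decide(pkt, conntrack):
    """Traditional stateful firewall: header fields and the connection table only.

    Once a connection has been accepted into the table, every later packet on it
    is forwarded without the payload ever being looked at.
    """
    key = (pkt.src, pkt.dst, pkt.dport, pkt.proto)
    if key in conntrack:
        return "allow"
    if pkt.syn and pkt.dport in STATEFUL_ALLOWED_PORTS:
        conntrack.add(key)
        return "allow"
    return "deny"


def identify_app(payload):
    """Toy DPI: name the application from the first payload bytes, not the port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x03"):
        return "tls"          # TLS handshake record; a ClientHello starts this way
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"


def stateful_verdict(flow):
    """Verdict a stateful firewall reaches for a whole flow (a list of packets)."""
    conntrack = set()
    for pkt in flow:
        if stateful_decide(pkt, conntrack) == "deny":
            return ("deny", f"port {pkt.dport} not allowed for new connections")
    return ("allow", "5-tuple permitted; payload never inspected")


def ngfw_verdict(flow):
    """Verdict an application-aware firewall reaches: the stateful check first,
    then application identification and per-group policy on the payload."""
    conntrack = set()
    for pkt in flow:
        if stateful_decide(pkt, conntrack) == "deny":
            return ("deny", f"port {pkt.dport} not allowed for new connections")
        if not pkt.payload:
            continue                      # nothing to classify yet (e.g. the SYN)
        app = identify_app(pkt.payload)
        group = GROUPS.get(pkt.user, "unknown")
        action = APP_POLICY.get((group, app), APP_POLICY.get(("*", app), "deny"))
        if action == "deny":
            return ("deny", f"app {app} on port {pkt.dport} not allowed for {group}")
    return ("allow", "application permitted for this user's group")


def sample_flows():
    """Constructed flows: a SYN, then the first data packet. Documentation addresses only."""
    tls_hello = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 8
    ssh_banner = b"SSH-2.0-OpenSSH_9.6\r\n"
    http_req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

    def flow(dport, payload, user):
        syn = Packet("10.0.0.5", "203.0.113.10", dport, "tcp", True, b"", user)
        data = Packet("10.0.0.5", "203.0.113.10", dport, "tcp", False, payload, user)
        return [syn, data]

    return {
        "tls_443_bob": flow(443, tls_hello, "bob"),
        "ssh_over_443_bob": flow(443, ssh_banner, "bob"),       # port evasion
        "ssh_over_443_alice": flow(443, ssh_banner, "alice"),   # same traffic, allowed group
        "http_8080_alice": flow(8080, http_req, "alice"),       # stopped at layer 4 by both
    }


if __name__ == "__main__":
    for name, f in sample_flows().items():
        print(f"{name:20} stateful={stateful_verdict(f)[0]:5} ngfw={ngfw_verdict(f)[0]:5}")
```

Note that the application-aware filter still runs the stateful check first and only adds a second axis of decision; the http_8080_alice flow is denied by both because the port is closed at layer 4 before any payload arrives. A real engine classifies on reassembled streams, not the first packet, and has to decrypt TLS before it can see anything beyond the handshake.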

Policy control

The organization can set up and control policies at a granular level, for users, groups of users, applications, and more.

Network visibility and control

The firewall can log and display activity across hosts, networks, devices, and users: which applications are active, which websites are visited, which devices connect to each other, and which files are transferred between them. This level of visibility is the basis for spotting malicious behavior and improving threat detection, and it is a prerequisite for a Zero Trust approach, in which access is decided per user and application rather than by network location.

Replaces many different network security solutions

Instead of deploying separate products for stateful filtering, IPS, content filtering, and so on, a next generation firewall can provide all of these features in one package, with centralized management through a single console. Having one device to patch and update also makes it easier to keep the protections current, which simplifies the IT department’s job.


NGFW features

A next generation firewall vendor should include the following features in their solution:

  1. Stateful firewall capabilities
The ability to use ports, protocols and IP addresses, together with connection state, to decide which connections are permitted.

  2. Application control and monitoring
    The ability to control access and monitor traffic at the application level.

  3. Deep packet inspection (DPI)
    The firewall will analyze the contents of each packet, to identify anything suspicious or malicious.

  4. Intrusion prevention systems (IPS)
These systems monitor traffic for activity that could signal an intrusion, whether from known threats or from previously unseen, zero-day ones; for example, an unauthorized user attempting to gain remote access to the network. When malicious activity is found, it is blocked inline before the intrusion can succeed. There are three main ways to achieve this: blocking activity that violates policy, using behavior baselines to block abnormal activity, and blocking based on known threat signatures.

  5. Granular policy control
    Policy control beyond the simple block or allow functions provided by a stateful firewall. The organization can choose which users can access which applications, and in even more depth, which parts of the application they can access, on an as-needed basis.

  6. High performance and rapid detection
    A good solution will detect threats rapidly in real time, providing alerts that allow swift threat management and elimination. High performance ensures that the firewall can handle traffic without affecting employee productivity through decreased network speed.

  7. Threat intelligence
Threat intelligence feeds supply the firewall with current indicators such as known malicious IP addresses, domains and file hashes, so that it can block connections to known bad infrastructure even when no signature matches the payload. This matters because an increasing number of attackers conceal their activity inside encrypted traffic: reputation-based blocking needs only the destination, whereas content inspection requires the firewall to decrypt the traffic first. When selecting a solution, look for integration with an external threat intelligence network, ideally one that uses machine learning to classify new threats.
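The three IPS detection methods listed under item 4, run over constructed log lines, as an added example that is not code from this page or from any vendor product: the key=value log format, the internal-only port policy, the two illustrative signatures (a directory-traversal string and an SQL tautology) and the port-scan threshold are all assumptions made here, and the addresses are documentation ranges. Each detector catches something the others cannot: the policy check fires on a permitted-looking connection from the wrong place, the signature check on payload content, and the anomaly check on a pattern spread across many otherwise innocuous packets.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format for this example: space-separated key=value pairs,
# where quoted values may contain spaces. Not a real vendor's export format.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Policy: these services may only be reached from internal ranges (assumption).
INTERNAL = ip_network("10.0.0.0/8")
INTERNAL_ONLY_PORTS = {3389, 445}

# Illustrative signatures for two well-known attack patterns; a real ruleset
# carries thousands of these and matches on reassembled streams.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def parse_line(line):
    """Parse one key=value log line into a dict; ts and dport become integers."""
    rec = {}
    for key, val in KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines, scan_ports=5, window=60):
    """Run the three IPS detection methods over log lines, in time order.

    Returns a list of (method, src, detail) alerts; in an inline IPS each one
    would correspond to a dropped packet or a reset connection.
    """
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts = []
    history = defaultdict(list)   # src -> [(ts, dport)] for the anomaly detector
    flagged_scanners = set()

    for r in records:
        src, dport, payload = r["src"], r["dport"], r.get("payload", "")

        # 1. Policy violation: a restricted port reached from outside the internal range.
        if dport in INTERNAL_ONLY_PORTS and ip_address(src) not in INTERNAL:
            alerts.append(("policy", src, f"port {dport} is internal-only"))

        # 2. Known signature in the payload.
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append(("signature", src, name))

        # 3. Behavioral anomaly: one source touching many distinct ports in a short
        #    window (a port scan), which no single packet or signature reveals.
        history[src].append((r["ts"], dport))
        recent_ports = {p for t, p in history[src] if r["ts"] - t <= window}
        if len(recent_ports) >= scan_ports and src not in flagged_scanners:
            flagged_scanners.add(src)
            alerts.append(("anomaly", src, f"{len(recent_ports)} distinct ports within {window}s"))

    return alerts


# Constructed sample log (documentation address ranges; no real hosts).
SAMPLE_LOG = """
ts=1714557600 src=10.0.0.5 dst=10.0.0.20 dport=443 payload="GET /index.html HTTP/1.1"
ts=1714557601 src=198.51.100.7 dst=10.0.0.20 dport=3389 payload=""
ts=1714557602 src=198.51.100.9 dst=10.0.0.20 dport=80 payload="GET /../../etc/passwd HTTP/1.1"
ts=1714557610 src=203.0.113.4 dst=10.0.0.20 dport=21 payload=""
ts=1714557611 src=203.0.113.4 dst=10.0.0.20 dport=22 payload=""
ts=1714557612 src=203.0.113.4 dst=10.0.0.20 dport=23 payload=""
ts=1714557613 src=203.0.113.4 dst=10.0.0.20 dport=25 payload=""
ts=1714557614 src=203.0.113.4 dst=10.0.0.20 dport=80 payload=""
ts=1714557615 src=10.0.0.6 dst=10.0.0.20 dport=80 payload="GET /login?u=admin' or '1'='1 HTTP/1.1"
"""


def run_sample():
    """Detect over the constructed log; expect policy, signature, anomaly, signature."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for method, src, detail in run_sample():
        print(f"{method:9} {src:15} {detail}")
```

The anomaly detector is deliberately stateful across packets: the five probes from 203.0.113.4 each look like an ordinary connection attempt on their own, and only the count of distinct ports within the window makes them an alert. The same structure is what lets an IPS raise a zero-day alert without a signature, and also why its threshold has to be tuned per environment to keep false positives down.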

NGFWs for Zero Trust security

For organizations looking to implement a Zero Trust model, NGFWs provide many of the necessary building blocks. Identifying the application and the user behind each connection allows policy to be written in terms of who may reach what, rather than which network segment a packet came from. Increased network visibility ensures that activity across the network can be monitored and analyzed, and the application controls are those needed to enforce a Zero Trust framework. However, because NGFW detection rests on known signatures, behavior patterns and application identification, it cannot be relied upon to always stop the newest and most stealthy attacks; Zero Trust is a model the firewall helps enforce, not a property of packet inspection itself.
NGFW integration options

There are a few different ways that NGFWs can be deployed.
• On-premises, at the network perimeter or at internal segmentation boundaries
• In a private cloud, such as VMware
• In a public cloud, such as Amazon Web Services (AWS) or Microsoft Azure

A firewall delivered from the cloud is known as FWaaS (Firewall as a Service). FWaaS has a number of benefits:
1. Scalability - capacity can be scaled up or down with the amount of network traffic that must be processed, so the organization pays for what it uses without running out of inspection capacity at peak times.
2. Easier maintenance and support - the service provider handles technical support and maintenance, so it is not a burden on the IT department.
3. Upgrades and patches included - the service provider is responsible for keeping the software up to date, so protection against the latest threats does not depend on the organization’s own patch cycle.


