Technology is advancing at a rapid pace, and those who want to retain a competitive edge must embrace modern solutions. The relentless evolution of the threat landscape, which has become significantly more heterogeneous, is fueling the need for a new generation of firewalls, one that’s capable of looking beyond the perimeter of the network and offering more than protection based on ports, protocols, and IP addresses.
Called the Next-Generation Firewall, or NGFW for short, these application-aware firewalls blend the capabilities of traditional firewalls with true application awareness to deliver a comprehensive detection and enforcement system in which every network device becomes a point of enforcement. Explained below are the key features of NGFWs as well as their benefits.
The Difference Between Next-Generation Firewalls and Traditional Firewalls
The fundamental task of a network firewall is to act as a barrier between a trusted internal network and an untrusted external network, typically the Internet. Traditional firewalls accomplish this task by filtering traffic based on ports and protocols. They tend to come with network address translation (NAT) functionality to hide the true address of a device connected to the network and make internal resources publicly accessible.
Traditional firewalls come from a very different era, and they are no longer effective at managing traffic and coping with the many challenges presented by the current threat landscape and the rise of online applications and SaaS services. Not only have cybercriminals evolved their techniques to circumvent the all-or-nothing approach of traditional firewalls, but most IT security threats now come from inside the network.
Next-generation firewalls overcome the limitations of traditional firewalls by including the traditional firewall functionalities, such as port/protocol inspection and network address translation, and adding application identification and filtering, SSL and SSH inspection, intrusion prevention, malware filtering, and the ability to use external intelligence sources, among other things.
- Application identification and filtering: Instead of just filtering traffic based on ports and protocols, NGFWs can identify and filter traffic based on specific applications, which allows them to effectively prevent malicious applications from evading traditional traffic filtering techniques by using non-standard ports.
- SSL and SSH inspection: Because NGFWs often include a full web proxy service that can sit in the middle of an encrypted HTTPS session, they can inspect SSL and SSH encrypted traffic and provide extra protection from malicious applications that use encryption to hide their activity from traditional firewalls.
- Intrusion prevention: NGFWs are able to perform sophisticated intrusion detection and prevention, which is why the term unified threat management (UTM) is sometimes used to describe them. NGFWs with intrusion prevention capabilities use signatures to identify network activity that resembles known and generic attacks.
- Malware filtering: Ideally, malware should be filtered out before it has a chance to enter the network, and NGFWs with malware filtering using basic signature-based analysis accomplish just that. While simple malware scanning using signatures has its limitations, it’s a good first layer of protection against generic attacks.
- Bringing intelligence from outside the firewall: NGFWs can receive dynamic information from a cloud server to help them detect malicious applications by looking for unexpected activity, such as a web server creating outbound connections to strange IP addresses.
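As an added illustration of the non-standard-port point above (this code is not part of the article and reflects no particular vendor's product), the same four connections are evaluated twice: once by a port-only rule table and once by an application-aware policy. The flows, the three-protocol fingerprint set in app_of() and both policy tables are constructed for the example.

```python
import re

# Traditional rule table: decisions keyed only on the destination port (default: deny).
PORT_POLICY = {443: "allow", 80: "allow", 22: "deny"}

# NGFW-style policy keyed on the identified application, not on the port.
APP_POLICY = {"tls": "allow", "http": "allow", "ssh": "deny", "unknown": "deny"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def app_of(payload: bytes) -> str:
    """Identify the application from the first bytes the client sends
    (a deliberately small, illustrative fingerprint set, not a production classifier)."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"                        # SSH protocol version banner
    if payload[:2] == b"\x16\x03" and len(payload) > 5 and payload[5] == 0x01:
        return "tls"                        # TLS handshake record carrying a ClientHello
    if HTTP_REQUEST.match(payload):
        return "http"                       # clear-text HTTP request line
    return "unknown"


def port_decision(flow: dict) -> str:
    return PORT_POLICY.get(flow["dport"], "deny")


def app_decision(flow: dict) -> str:
    return APP_POLICY[app_of(flow["payload"])]


# Constructed sample flows: the first client-to-server bytes of each connection.
FLOWS = [
    {"name": "https to 443", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"},
    {"name": "ssh hidden on 443", "dport": 443,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"name": "http on 8080", "dport": 8080,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"},
    {"name": "ssh to 22", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
]


def evaluate(flows: list) -> list:
    """Return (flow name, port-only verdict, application-aware verdict) per flow."""
    return [(f["name"], port_decision(f), app_decision(f)) for f in flows]


if __name__ == "__main__":
    for name, by_port, by_app in evaluate(FLOWS):
        print(f"{name:20} port-only={by_port:5} app-aware={by_app}")
```

The second and third rows show the two sides of application awareness: SSH carried over port 443 passes the port rule but is denied as an application, while legitimate HTTP on port 8080 is denied by port but allowed once identified.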
“An NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or non–enterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated,” explains Gartner in its IT Glossary.
Benefits of Next-Generation Firewalls
By bundling traditional firewall functionality with intrusion prevention and malware filtering, next-generation firewalls are able to provide much more comprehensive network security while reducing infrastructural complexities and largely removing the need for a separate security solution. With fewer infrastructural complexities, operational expenses can be greatly reduced, and the entire infrastructure becomes more robust.
A streamlined infrastructure additionally brings greater network speed because data doesn’t have to travel through multiple protection devices and services, each of which advertises its own throughput, which may or may not match its real-world performance.
Most importantly, NGFWs have the application awareness that is so important in this day and age of cloud computing and sophisticated cyber attacks. Blocking common application ports or services on a network is no longer enough because network connectivity has become significantly more complex, requiring granular control and the ability to set policies depending on the user and the application.
Even though traditional firewalls and next-generation firewalls serve the same purpose, acting as a barrier between a trusted internal network and an untrusted external network, they accomplish it very differently.
By combining traditional firewall functionality with other kinds of network device filtering, NGFWs are able to achieve the granular control needed to cope with the challenges of the current threat landscape, making them the right choice for all businesses and organizations that can’t risk taking any chances when it comes to cybersecurity.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond