Next-generation firewalls can replace
current security technologies across enterprises, both large and small. However, next-generation firewalls, also known as NGFW, are not all that new. The technology that underpins the devices has been
around for some time. However, what is new is the integration and thoroughness
of the protection offered, thanks to high performance processing and
application awareness.

Perhaps “next generation” is not
the best moniker for these firewalls, which do much more than just block ports
and filter traffic. Nevertheless, the term has stuck and a brand new crop of
security appliances are coming on to the market, each sporting the
classification of next-generation firewall. So, mystery aside – what
exactly is a NGFW, and more importantly, what can it do?

To fully comprehend what a NGFW is all
about requires taking a look at how networks are protected. As the internet
grew in popularity, network protection became a critical concern for IT managers, and firewalls were placed at the edge of the network to prevent
external threats from entering internal systems – hence, the name firewall. Those
early firewalls used very rudimentary technology to block ports and control
what access was allowed. Over time, firewalls evolved and added new
capabilities, such as packet examination and malware inspection. Nevertheless,
threats evolved as well, rendering those technologies obsolete.

The truth of the matter is that previous
generation firewalls pose a serious security risk to today’s organizations. Simply
put, threats are now able to bypass much of the detection capabilities
integrated into previous-generation firewalls. Even more troubling is the fact
that undetected threats can wreak all sorts of havoc, without anyone ever
knowing about it.

Traditional firewall technology has
effectively become obsolete as the technology fails to inspect the data payload of network
packets circulated by today’s Internet criminals. What’s more is that
traditional firewalls add latency to connections and many vendors tout Stateful
Packet Inspection (SPI) speeds and capabilities only, not revealing the true
measure of performance – which amounts to deep packet inspection throughput and

To address those performance and security
concerns, most firewall vendors have implemented additional malware inspection capabilities,
akin to what traditional desktop anti-virus solutions are supposed to do.
However, that proves far from ideal, because to inspect for malware, the device
must buffer downloaded files and then inspect the whole file for malware. That method
not only introduces significant latency, it also poses significant security
risks. That anti-malware technology relies on firewall based storage and must
limit the maximum file size that can be processed.

Next-generation firewalls

A NGFW differs greatly from the packet
inspection/anti-malware methodology used by traditional firewall vendors. In
simple terms, a NGFW applies deep packet inspection (DPI) firewall technology
by integrating intrusion prevention systems (IPS), and application intelligence
and control. That allows the device to “visualize” the content of the data
being accessed and processed.

Gartner defines an NGFW as “a wire-speed
integrated network platform that performs deep inspection of traffic and
blocking of attacks.” At minimum, Gartner states an NGFW should provide:

  • Non-disruptive in-line
    bump-in-the-wire configuration.
  • Standard first-generation
    firewall capabilities, e.g., network-address translation (NAT), stateful
    protocol inspection (SPI) and virtual private networking (VPN), etc.
  • Integrated signature-based IPS.
  • Application awareness, full
    stack visibility and granular control.
  • Capability to incorporate
    information from outside the firewall, e.g., directory-based policy,
    blacklists, white lists, etc.
  • Upgrade path to include future
    information feeds and security threats.
  • SSL decryption to enable identifying
    undesirable encrypted applications.

Evolution of next-generation firewalls

The SPI generation of firewalls addressed
security in a world where malware was not a major issue and web pages were just
documents to be read. Ports, IP addresses, and protocols were the key factors
to be managed. However, as the Internet evolved, the ability to deliver dynamic
content from servers to client browsers introduced a wealth of applications
we now call Web 2.0.

Today, many applications are accessed via
web connections, by remote users, private cloud users and even internal
users. Many of those applications require access to TCP port
80 as well as encrypted SSL (TCP port 443), making those applications targets
for malware, interception and a host of other nefarious activities.

A next-generation firewall addresses those
concerns by inspecting the payload of packets and matching signatures for
nefarious activities such as known vulnerabilities, exploit attacks, viruses
and malware, all on the fly. The inclusion of DPI allows administrators to create
very granular permit and deny rules for controlling specific applications and
web sites.
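As an added illustration (not code from the original article or any vendor), the following Python contrasts the port-only verdict of a first-generation firewall with the application-aware, signature-checked verdict described above. The application catalogue, the blocked-application list, the single IPS signature and the sample HTTP flows are all constructed assumptions.

```python
import re

# Constructed sample flows: (destination port, first bytes of the client request).
# Not real captures; each one exercises a different policy outcome.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    (80, b"GET /get?f=movie HTTP/1.1\r\nHost: filesharing.example.net\r\n\r\n"),
    (80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    (8080, b"GET /status HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
]

# Hypothetical application catalogue and IPS signature set (assumed, not a vendor's).
APP_BY_HOST = {"intranet.example.com": "intranet-web",
               "filesharing.example.net": "file-sharing"}
BLOCKED_APPS = {"file-sharing"}
SIGNATURES = {"path-traversal": re.compile(rb"(\.\./){2,}")}


def legacy_policy(port, payload):
    """First-generation rule: the port number is all the firewall looks at."""
    return "allow" if port in (80, 443) else "deny"


def parse_http(payload):
    """Return (method, path, host) if the payload is an HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = next((h.split(b":", 1)[1].strip() for h in head[1:]
                 if h.lower().startswith(b"host:")), b"")
    return parts[0].decode(), parts[1].decode(), host.decode()


def ngfw_policy(port, payload):
    """DPI rule: identify the application from the payload (on any port),
    run IPS signatures over it, then apply the per-application rule."""
    req = parse_http(payload)
    if req is None:
        return "deny", "unidentified"
    _, _, host = req
    app = APP_BY_HOST.get(host, "unknown-web")
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return "deny", f"ips:{name}"
    if app in BLOCKED_APPS:
        return "deny", f"app:{app}"
    return "allow", f"app:{app}"


def compare(flows=SAMPLE_FLOWS):
    """Legacy verdict and NGFW verdict side by side for each flow."""
    return [(legacy_policy(p, d), ngfw_policy(p, d)) for p, d in flows]
```

Flows 2 and 3 pass the port-only check yet are denied by application identity and by signature respectively, while flow 4 on port 8080 is denied by port alone but correctly identified and allowed once the payload is inspected.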

Full inspection of packets also means that
lots of information can be gathered about traffic. In turn, that information
can be used to establish a baseline of what counts as normal communication,
making anomaly detection much more effective. The gathered data can also be used for
statistical analysis, as well as forensics – giving administrators a full
picture of what is going on traffic-wise. That enables administrators to perform
capacity planning, troubleshoot problems or monitor what individual employees
are doing throughout the day.

and application control

NGFWs offer a significant advantage when it
comes to applications – since NGFWs are application aware, the devices can
filter anomalous traffic and prevent intrusions, data theft and malware
insertion. However, protection is only part of the application story of NGFWs,
discovery and control are the other parts.

Many organizations are now experiencing
chaos, at least when it comes to applications. Networks have evolved beyond simple
store-and-forward applications, such as email. Today, real-time collaboration
tools, such as Web 2.0 applications, instant messenger (IM), and peer-to-peer
applications, Voice over IP (VoIP), streaming media and teleconferencing have
become the primary means of passing data. However, each of those applications
has become a conduit for potential attacks.

Today, organizations need to deliver
critical business solutions, while also contending with employee use of
wasteful and often dangerous (from a security perspective) web-based
applications. Critical applications need bandwidth prioritization while social
media and gaming applications need to be throttled or completely blocked.
Moreover, organizations can face fines, penalties and loss of business if they
are in noncompliance with security mandates and regulations.

Further complicating the situation is that
most organizations cannot differentiate between what is legitimate business use
of those applications and what is not. What’s more, many organizations do not
have any control over those apps on the network and cannot account for what
applications are running. Knowing what is running, who is using it and if the
usage is legitimate is becoming the mantra of network security professionals
and NGFWs are poised to help answer those questions, while adding more control
and management to protect corporate assets.

Dealing with new threats

For enterprises, protection and performance
must go hand-in-hand. Legacy firewalls simply don’t offer enough protection,
while cobbled together security appliances create unacceptable bottlenecks – a
recipe for disaster. Any delays in firewall or network performance can degrade
quality in latency-sensitive and collaborative applications, which in turn can
negatively affect service levels and productivity. To make matters worse, some
IT organizations even disable functionality in their network security solutions
to avoid slowdowns in network performance.

Organizations are facing new threats from
vulnerabilities in commonly used applications, exacerbated by the popularity
of social networks and interconnectedness solutions, which have become a breeding
ground for malware and an ad hoc home for Internet criminals. At the same time,
businesses are turning to online blogging, socializing, messaging, videos,
music, games, shopping, and email more and more to engage customers, creating
an even bigger concern for those looking to secure corporate resources.

Applications such as streaming video,
peer-to-peer (P2P), and hosted or cloud-based services are now exposing organizations
to potential infiltration, data leakage and downtime. What’s more, those same
applications are not only introducing security threats; they are also draining
bandwidth and productivity while competing with mission-critical applications.

NGFWs can help, simply because they deliver
application intelligence and control, intrusion prevention, malware protection
and SSL inspection at multi-gigabit speeds, scalable to support the
highest-performance networks.

NGFWs enable administrators to control and
manage both business and non-business related applications to enable network
and user productivity, and they can scan files of unlimited size across any
port and without security or performance degradation. The number of
simultaneous files or network streams does not limit high-end NGFWs, preventing
infected files from slipping through undetected. In addition, NGFWs can apply
all security and application control technologies to SSL encrypted traffic,
ensuring that this does not become a new malware vector into the network.

NGFWs are clearly the future of protection
for enterprise networks, offering a unified method for protecting applications,
users and data by looking at what is actually occurring on the network and
applying needed policies, as well as scanning for problems concurrently. The
key here is to make sure that your NGFW can work with all of your existing
applications, as well as be robust enough to deal with future use cases. When
selecting a NGFW, administrators should make sure they choose one that is scalable
to their projected network performance requirements, and offers network
analytics and insight, and ease of implementation and administration.