A next generation firewall (NGFW) provides capabilities beyond that of a stateful network firewall, technology that was first pioneered in 1994 by Check Point Software Technologies. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intelligently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connections. A next generation firewall adds additional features such as application control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabilities like sandboxing.
A next generation firewall includes:
The above NGFW features are in addition to features typically found in network firewalls such as network address translation (NAT), dynamic routing protocol support and high-availability capabilities. The distinction between a next generation network firewall and Unified Threat Management (UTM) device is somewhat blurry. UTM devices are designed for the Small to Medium Business (SMB) market segment where a turnkey, comprehensive security solution is needed.
In contrast, enterprises with larger deployments of distributed next-generation network firewalls require strong central management, inspection of HTTPS encrypted tunnels, integration with third party vendors and well-defined APIs for provisioning and policy orchestration. The latter is essential for automating security in software-defined networks (SDN). Third party integration examples include authenticating users against identity stores like Microsoft Active Directory and exporting security logs to Security Information Event Management (SIEM) vendors.
Today’s next generation network firewall can be found deployed:
The main benefit of an NGFW is the ability to safely enable the use of Internet applications that empower users to be more productive while blocking less desirable applications. Next generation firewalls achieve this by using deep packet inspection to identify and control applications regardless of the IP port used by the application.
The typical security policy of a network firewall deployed at the perimeter of an organization blocks inbound connections and allows outbound connections. Some limits may be applied, but outbound Web traffic is generally allowed. Applications have learned to use available open ports like Web port 80 to the Internet to give their customers a seamless user experience. This is true of applications that enable employees to work more efficiently and applications that are less desirable to the interests of the company. Next generation firewalls give companies more visibility into what applications their employees are using and control over their application use.
At a minimum, a security policy rule of a network firewall says a connection from this source to this destination is allowed or denied. The source and destination are traditionally defined as an IP address assigned to a laptop or is a larger network address that includes multiple users and servers. This static address policy definition is difficult for humans to read, but also doesn’t work well to set security policy for users who have different IP addresses as they roam throughout the company and when working off-site.
Next generation network firewall vendors solve this by integrating with third party user directories such as Microsoft Active Directory. Dynamic, identity-based policy provides granular visibility and control of users, groups and machines and is easier to manage than static, IP-based policy. In a single, unified console administrators define the objects once. When network firewalls see a connection for the first time, the IP is mapped to the user and group by querying the third party user directory. This dynamic user to IP mapping frees administrators from constantly updating the security policy.
Threat prevention capabilities are a natural extension of next-gen firewalls deep packet inspection capabilities. As the traffic passes through the network firewall device, they also inspect the traffic for known exploits of existing vulnerabilities (IPS). Files can be sent off-device to be emulated in a virtual sandbox to detect malicious behavior (sandbox security).
As security threats continue to grow, companies are transitioning away from Next Generation Firewalls and moving towards a new firewall technology that Gartner refers to as the “Network Firewall“. Network Firewalls provide real-time threat intelligence along with additional security functions across the data center, cloud, mobile, endpoint, and IoT.
A firewall is an essential component of any organization’s security architecture that can help protect sensitive data, meet compliance requirements, and guide organizations towards achieving digital transformation.