What is a Next Generation Firewall?

A next generation firewall includes:

• application and user control
• integrated intrusion prevention
• advanced malware detection such as sandboxing
• and leverages threat intelligence feeds

The above NGFW features are in addition to features typically found in network firewalls such as network address translation (NAT), dynamic routing protocol support and high-availability capabilities. The distinction between a next generation network firewall and Unified Threat Management (UTM) device is somewhat blurry. UTM devices are designed for the Small to Medium Business (SMB) market segment where a turnkey, comprehensive security solution is needed.

In contrast, enterprises with larger deployments of distributed next-generation network firewalls require strong central management, inspection of HTTPS encrypted tunnels, integration with third party vendors and well-defined APIs for provisioning and policy orchestration. The latter is essential for automating security in software-defined networks (SDN). Third party integration examples include authenticating users against identity stores like Microsoft Active Directory and exporting security logs to Security Information Event Management (SIEM) vendors.

Today’s next generation network firewall can be found deployed:

• on-premises at the edge of enterprises and branch offices
• on-premises at internal segment boundaries
• in public clouds, e.g. Amazon (AWS), Microsoft Azure, Google Cloud Platform
• in private clouds, e.g. VMware, Cisco ACI

What is the Main Benefit of a Next Generation Firewall?

The main benefit of an NGFW is the ability to safely enable the use of Internet applications that empower users to be more productive while blocking less desirable applications. Next generation firewalls achieve this by using deep packet inspection to identify and control applications regardless of the IP port used by the application.

The typical security policy of a network firewall deployed at the perimeter of an organization blocks inbound connections and allows outbound connections. Some limits may be applied, but outbound Web traffic is generally allowed. Applications have learned to use available open ports like Web port 80 to the Internet to give their customers a seamless user experience. This is true of applications that enable employees to work more efficiently and applications that are less desirable to the interests of the company. Next generation firewalls give companies more visibility into what applications their employees are using and control over their application use.

How do Next Generation Firewalls implement User Control?

At a minimum, a security policy rule of a network firewall says a connection from this source to this destination is allowed or denied. The source and destination are traditionally defined as an IP address assigned to a laptop or is a larger network address that includes multiple users and servers. This static address policy definition is difficult for humans to read, but also doesn’t work well to set security policy for users who have different IP addresses as they roam throughout the company and when working off-site.

Next generation network firewall vendors solve this by integrating with third party user directories such as Microsoft Active Directory. Dynamic, identity-based policy provides granular visibility and control of users, groups and machines and is easier to manage than static, IP-based policy. In a single, unified console administrators define the objects once. When network firewalls see a connection for the first time, the IP is mapped to the user and group by querying the third party user directory. This dynamic user to IP mapping frees administrators from constantly updating the security policy.

How do Next Generation Firewalls enforce Threat Prevention?

Threat prevention capabilities are a natural extension of next-gen firewalls deep packet inspection capabilities. As the traffic passes through the network firewall device, they also inspect the traffic for known exploits of existing vulnerabilities (IPS). Files can be sent off-device to be emulated in a virtual sandbox to detect malicious behavior (sandbox security).

What’s next for Next Generation Firewalls?

As security threats continue to grow, companies are transitioning away from Next Generation Firewalls and moving towards a new firewall technology that Gartner refers to as the “Network Firewall“. Network Firewalls provide real-time threat intelligence along with additional security functions across the data center, cloud, mobile, endpoint, and IoT.

A firewall is an essential component of any organization’s security architecture that can help protect sensitive data, meet compliance requirements, and guide organizations towards achieving digital transformation.