Next-generation firewalls (NGFWs) are an advanced way of protecting an organization by monitoring and screening network traffic. Traditional firewalls normally provide stateful inspection of incoming and outgoing traffic. Next-gen firewalls, on the other hand, add features such as integrated intrusion prevention, application awareness and control, and cloud-delivered threat intelligence. NGFWs are adaptive, powerful, come with a variety of features, and are often delivered as a cloud-based service. Typically, a next-gen firewall will include both hardware and the firewall software.
Traditional firewalls are simply no longer capable of effectively dealing with the variety of advanced cyber threats that currently exist. Next gen firewalls go well beyond creating a first line of defense by integrating DPI (deep packet inspection), IPS (intrusion prevention system), sandboxing, application and identity awareness, encryption, and threat intelligence.
Threat prevention is a natural extension of NGFWs because of their deep packet inspection capability. As communications pass through the firewall, the IPS inspects the traffic for known patterns that exploit system vulnerabilities.
Businesses cannot afford to leave their network communications unprotected. While traditional firewalls may have been effective deterrents in the past, next-generation firewalls act to prevent cyber threats, malware infections, and ransomware that traditional firewalls were never designed to intercept and block. The primary benefit of next generation firewalls is their ability to safely allow use of the internet, while blocking undesirable applications.
| Product | DPI | IPS | Sandboxing | App & ID Awareness |
|---|---|---|---|---|
| Barracuda | yes | yes | yes | yes |
| Cisco Secure Firewall | yes | yes | no | yes |
| Juniper Networks | yes | yes | yes | yes |
| Huawei Unified Sec Gateway | no | yes | yes | no |
| Palo Alto Networks | no | yes | yes | yes |
This platform was designed with hybrid clouds in mind, and its Firewall F-Series preserves legacy hardware while meeting the new challenges of a hybrid network environment. Management can access the latest features for combating advanced threats using built-in SD-WAN, IDPS, traffic management, and VPN capabilities. Barracuda relies primarily on multiple detection layers and includes static code analysis and threat signatures (although signature-based defenses have become increasingly unreliable on their own).
The Barracuda CloudGen Firewall offers a highly reliable detection and classification system capable of identifying over 1,200 applications and sub-applications. It does this by combining behavioral traffic analysis and deep packet inspection (DPI), regardless of the protocol in use and despite port hopping, advanced obfuscation, or encryption. It supports the creation of dynamic application policies and enforces acceptable access and use policies. Management can:
- Control and manage acceptable traffic
- Block the unwanted applications of certain users or groups
- Enable or disable specific applications
- Preserve bandwidth
- Intercept SSL-encrypted application traffic
It is focused on application development teams and offers real-time network security across a variety of environments and clouds. Built with Kubernetes, this platform is designed as a developer-friendly “apps access” solution. Cisco Secure Firewall supports visibility and policy enforcement for dynamic applications. It offers unified management of firewall, intrusion prevention, URL filtering, application control, and malware defense policies. The Cisco Secure Firewall includes:
- Support for AWS, VMware, and Azure tags
- Unified control over firewall tools
- Dynamic policy support with tag-based policies
- Highly flexible, developer-friendly, cloud-native firewall options
- Log management with behavioral analysis and security incidents
This platform is designed for data centers and large enterprises. Its most recent version — the USG6700E Series AI Firewall — is advertised as simplifying service deployment and policy changes and reducing operating expenses by more than 80%. Huawei offers a suite of firewall solutions. This platform links with other security devices and actively defends against a variety of network threats. It is designed to defend against advanced threats and to resolve performance degradation problems. Some of its features include:
- Uses integrated tools (data loss prevention, URL filtering, AV, VPN, and IPS)
- Works with local or cloud sandboxes to detect, analyze, and prevent threats
- Supports a deception system for identifying threat scans and investigations
- Uses chip-level pattern matching and accelerated cryptography
This firewall is designed to defend data centers, the network edge, cloud environments, and containers. Juniper SRX Series devices offer security using a broad array of tools and provide end-to-end security for protecting critical network resources. Firewall solutions include an intrusion prevention system (IPS), a “stateful firewall,” security intelligence, and AppSecure. Features of this firewall:
- Uses microsegmentation, VPNs, and validated threat prevention
- Identifies, secures, and manages network traffic with AppSecure
- An IPS that can accommodate custom signatures
- Uses centralized controls to streamline configuration management and scaling
The Palo Alto Networks NGFW offers security teams complete visibility over their entire network. It supports traffic identification, threat intelligence technologies, and malware prevention. Rather than relying on ports and protocols alone to protect network traffic from threats, it provides organizations with a range of advanced security tools. Its features include:
- App-ID, which continuously monitors network traffic, examining the traffic while security policies determine whether the app should be allowed access, blocked, or securely analyzed.
- User-ID monitors user activity with enablement policies rather than relying on IP addresses alone.
- Content-ID can securely allow applications access while simultaneously blocking vulnerability attacks, viruses, malware, and other threats. Content-ID also uses a URL database for additional data filtering. This threat prevention service protects organizations with an extra layer of intrusion detection and prevention capabilities to keep critical assets secure.
- WildFire is a cloud-based malware protection service which uses machine learning to detect extremely advanced threats. It uses shared data from various intelligence communities and partnerships and can use this data to block new threats it has never encountered before.
NGFWs provide protection from several types of threats, but not every company will need all features. Here are some standard features you can expect from most NGFW vendors.
Truly understanding how well an NGFW performs requires a thorough test run. Sadly, simply researching a vendor’s specifications or running a little traffic through it will not provide a good understanding of the system’s strengths and weaknesses. In fact, most firewalls perform quite well when the traffic is light. The true test is how well the firewall responds under a full workload, especially after encryption inspection has been turned on. Approximately 80% of today’s traffic is encrypted, making the ability to sustain performance levels during times of heavy traffic critical.
NGFWs must have the ability to plug into a platform seamlessly, so it can view all activities within the network — ranging from cloud traffic to IoT endpoints to end-user devices. Additionally, after the NGFW has collected the data, the system should be capable of performing analytics and providing insights. This feature enables the next gen firewall to react and enforce policies throughout the network.
All major functions (including anti-malware, IPS, application and user identification, logging, and URL filtering) must be tested to understand how an NGFW will hold up during regular use. Beware: firewall providers often advertise a single performance number, taken while core features were turned off. Before making any commitments, insist on running tests using as many types of traffic as possible and with different types of applications. Important factors to consider include connections per second, application throughput, and SSL performance.
NGFWs must also fit into the broader security platform. While some might assume using the same vendor for both the NGFW and overall network security would be the best approach, this does not necessarily lead to the best security. Keeping it simple is a good idea, but maybe not too simple. Think of the security platform as an open architecture, which allows third-party products (such as NGFWs) to plug into it.
The purpose of automation is to remove as many manual steps as possible. Almost all firewall providers advertise some automation, and finding automated services that fulfill an organization’s needs is very important. Automation can be used to protect the business by immediately identifying predictable threat behaviors and quickly providing protection. Automation, if used correctly, can prevent cyber attacks much more quickly than a human monitoring the network. Listed below are three ways automation supports NGFWs:
This feature simplifies security by taking responsibility for several of the normal, day-to-day, mundane tasks. Working with multiple devices and multiple environments, a network system can become quite complex, and security risks can be introduced through configuration errors. This automated process can guide network management at every stage. Without workflow automation, management must go through a list of potential problems and identify them manually.
As change is a constant in the world of business, it is almost impossible for companies to keep policies updated using the old manual methods. Policy automation makes sure the policies are adhered to continuously.
This feature helps to find and react to threats quickly and in near real time. Threats can often linger within an organization’s network for days, weeks, and even months before being identified (and can cause significant damage while undetected). This feature is especially useful because it can identify the most minor anomaly and quarantine it in a secure segment.
NGFW providers should be able to provide instructions for creating a container that can be deployed on a range of platforms, including the cloud. Few firewall providers have developed an NGFW container, but the vendor should be able to describe how it can be accomplished.
If a company has a broad product line, with each product needing individual management, it becomes difficult to keep rules and policies up to date, and in turn, leads to inconsistencies in functions and features. A firewall vendor should have a “single-pane-of-glass” firewall management tool capable of providing end-to-end visibility and allowing management to make changes. Visibility should extend throughout the system, including the cloud, branch offices, the internet of things, and operational technology. A single dashboard can be remarkably useful when implementing and maintaining segmentation, rather than having to configure each individual product or device.
When selecting a next-generation firewall software vendor, there are some concerns which should be taken into consideration. For many, a new NGFW will replace an older NGFW or a traditional firewall. In that situation, a final decision should take into consideration what type of hardware is being replaced and the other network components that are involved.
Modern NGFWs are key to the success of modern network security strategies. While some features obviously overlap from one NGFW vendor to the next, there are some distinct differences which need to be understood and evaluated, based on the network’s security needs. Consider the following:
- The ability to stop attacks before they get into the system
- A built-in IPS that catches stealth threats and stops them
- URL filtering to enforce policies
- Built-in sandboxing and advanced malware protection
A monitor communicates what is happening on the business’s network at all times. One area where NGFWs can vary widely is application and network visibility. Be sure to understand the vendor’s visibility functions, and make certain it meets (or even exceeds) the company’s needs. A firewall should present a holistic view of all network activity and show:
- Threat activity from users, other networks, and devices
- The source of a threat and when it originated, its history across the organization’s network, and what the threat is doing now
- All active applications and websites
There is a balance which must be met between great performance and threat protection. Getting the features needed, along with the performance needed, can be tricky. The NGFW should be flexible enough to meet changing circumstances.
- Deploys in the cloud or on-premises
- Can be customized with features for an organization’s specific needs
- A broad range of throughput speeds are available
- Services are automated
Next-generation firewalls often interact with several other networks and security tools, logging servers, network monitoring tools, authentication servers, and external web/email security solutions. Interoperability will vary from vendor to vendor. Make certain the limitations and strengths are understood, and verify the interoperability of the external components and applications with the NGFW. Choose an NGFW that:
- Automates security tasks
- Seamlessly integrates with tools from the same vendor
- Automatically shares threat information
Ideally, a threat is detected and dealt with before it actually enters the network. Sadly, current industry figures put the typical time to detect a threat at between 100 and 200 days, during which significant damage can take place. An NGFW should be able to:
- Detect threats in seconds, not days
- Detect a successful breach in hours, or preferably minutes
- Prioritize alerts for swift action to eliminate threats
- Deploy consistent policy with automatic enforcement
The total cost of ownership should be considered. With the understanding that licensing, hardware, and ongoing support will be part of the package, these costs should be included. Prices will vary significantly from one vendor to another, so it is important to complete a cost/benefit analysis and determine which product will give your business a comfortable degree of security for the best price.
Next-gen firewalls have evolved into a multi-tool package for IT security. As a common occurrence, companies will use some tools on a daily basis, while others are rarely used. Commonly used features include secure remote access, intrusion prevention, and VPN. Other security features depend on the needs of the company and the price of the tool. Features such as sandboxing, global threat protection, or advanced emerging threats may not be necessary.
In addition to the traditional threats (viruses, Trojan horses), there are advanced threats, which are continuously evolving. Ransomware and M2M attacks are becoming more commonplace (as a result of the potential for profit) and becoming increasingly diversified. Advanced threats, as a rule, are more covert and spread faster. To face these rapidly evolving threats, NGFWs must deal with the following challenges:
- The internet of things opens a network to more security threats
- Signature-based security is easily evaded by professional attackers
- Threat handling is labor intensive and time consuming
As a result, next-generation firewalls must be continuously upgraded to respond to these advanced threats. The development of artificial intelligence (AI) for security purposes creates new opportunities for the development of firewalls. AI supports cybersecurity at both the micro and macro levels.
From the macro perspective, embedded machine learning (ML) algorithms detect, and then block, suspicious files. The ML algorithm can detect specific behaviors expressed by a file, and if that file meets a certain threshold, it is isolated before being analyzed. Every time the ML algorithm gets used, the NGFW examines previously analyzed behaviors and learns, becoming more proficient with each use. An NGFW that is equipped with AI can handle unknown threats with greater efficiency and can detect “mutating attacks.”
Huawei, Juniper, and Palo Alto have each developed AI firewall technologies. Their use of ML (ML and AI are used interchangeably these days, though ML is actually a subdivision of AI) and AI greatly improves the accuracy and speed of threat detection. Additionally, AI can offer facial recognition, providing another layer of security.