There’s a new wave of enterprise firewall on the market: the next-generation firewall (NGFW). Next-generation firewalls have emerged out of necessity. In today’s computing environments, malware attacks have grown in sophistication and intensity and have found ways of exploiting weaknesses in traditional firewalls. When does a traditional firewall not go far enough? In this post, we look at the differences between traditional and next-generation firewalls and how those differences affect the security of a company’s network.
A traditional firewall is usually defined as a device that controls the flow of traffic allowed to enter or exit a point within the network. It typically does this using either a “stateless” or a “stateful” method, depending on the type of protocol being run through it. Traditional firewalls can typically only track traffic at layers 2-4.
The stateless method of traffic monitoring means that the firewall simply checks over each packet of data individually without discerning the “flow” of traffic. Stateful traffic monitoring, on the other hand, applies intelligence, albeit rudimentary, to monitor a traffic flow by keeping track of the full cycle of the flow.
Obviously, given a choice, a stateful firewall is more effective than a stateless one. However, as you will note below, even with stateful inspection, a traditional firewall does not go far enough and does not offer all the required protection to deal with the increasing number and types of cyber threats that exist today.
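To make the stateless/stateful distinction concrete, here is an added toy model (not code from the original post) of both filters under the same policy, “inside may open outbound TCP connections, outside may not initiate anything”. The internal network 10.0.0.0/8, the packet tuples and the simplified TCP state machine are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string: "S", "SA", "A", "FA" or "R"


def is_internal(ip: str) -> bool:
    # Constructed assumption: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_allow(pkt: Packet) -> bool:
    """Stateless filter: every packet is judged on its own header.
    The only stateless way to let replies to outbound connections back in
    is to admit any inbound packet that is not a bare SYN, which means an
    unsolicited inbound ACK is admitted as well."""
    return is_internal(pkt.src) or pkt.flags != "S"


class StatefulFirewall:
    """Stateful filter: tracks each outbound flow from SYN through FIN/RST
    and admits inbound packets only while they belong to a tracked flow."""

    def __init__(self) -> None:
        # 4-tuple (internal side first) -> connection state
        self.flows: dict[tuple, str] = {}

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.flags == "S":  # a new flow opened from inside
                self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
            return True  # outbound policy is the same as the stateless filter
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed: reply direction
        state = self.flows.get(key)
        if state is None:
            return False  # no inside host asked for this: drop it (and log it)
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.flows[key] = "ESTABLISHED"
        elif pkt.flags in ("FA", "R"):
            del self.flows[key]  # flow finished: later segments must re-handshake
        return True
```

The stateless filter cannot tell an unsolicited inbound ACK from a legitimate reply; the stateful one drops it because no tracked flow matches, and it also drops stale segments once the flow has been torn down.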
Next-Generation Firewalls (NGFWs)
An NGFW does far more than a traditional firewall and offers many more features for dealing with new and emerging cyber threats.
An NGFW can be defined as a deep-packet inspection firewall that moves beyond traditional port or protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence from outside the firewall -- all to create a unified threat management system. Although specific vendor offerings differ, there is a set of features that is generally seen as standard. These features are outlined below.
- Application Awareness and Control
The biggest difference between a traditional firewall and a NGFW is application awareness. Traditionally, firewalls relied on common ports to monitor for attacks. NGFWs monitor traffic from layers 2-7, and then determine if the traffic being transferred is malicious or not.
By being application aware, the NGFW can allow for application control. The NGFW can track the identity of the end user, typically using Active Directory (or similar). The IT department can set usage controls in place, depending on both the application and the user, to control the inbound and outbound traffic through the network and what the user may send and receive. For example, social media may be allowed, but videos can be prevented from playing. This type of control can also reduce bandwidth requirements, saving valuable resources for use elsewhere.
- Stateful Inspection
While the general definition of stateful inspection does not differ from that used for traditional firewalls, an NGFW must be able to track not only the state of traffic at layers 2 through 4 but also the state of traffic at layers 5 through 7. This difference allows much more control and gives the IT department the ability to write very granular rules and policies.
- Deep Packet Inspection (DPI)
In addition to looking at the header, footer, source and destination of incoming packets, an NGFW examines the data part (the payload) of each packet, matching it against pre-defined criteria for prohibited content, and decides whether or not to let the packet through based on that content.
DPI combines signature-matching technology with analysis of the data in order to determine the impact of the communication stream. DPI takes the incoming packets apart, examines the data, compares it with the configured criteria, and then re-assembles the packets. An NGFW performs this DPI function quickly and efficiently, without degrading the speed of network traffic.
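The application-awareness and DPI sections above describe the same pipeline: identify the application from the stream content rather than the port, apply a per-user policy, then scan the payload against content signatures. This added example (not code from the original post, and not any vendor’s engine) models that pipeline next to a port-based rule; the application signatures, the content signature, the user-to-IP mapping and the policy table are all constructed for illustration.

```python
import re

# A port-based (traditional) rule: "web browsing only", judged by port alone.
ALLOWED_PORTS = {80, 443}

# Application signatures for the first bytes of a stream (constructed for this example).
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("web", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
]

# Content signatures a DPI engine applies once the application is known (constructed).
CONTENT_SIGNATURES = {
    "web": [re.compile(rb"X-Example-Blocked: yes")],
}

# User identity as an NGFW would learn it from the directory, and the per-user
# application policy (both constructed).
USER_OF_IP = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
POLICY = {"alice": {"web", "tls"}, "bob": {"web", "tls", "ssh"}}


def port_based_decision(dport: int) -> str:
    """Traditional filter: only the port is visible, so the port stands in for the app."""
    return "allow" if dport in ALLOWED_PORTS else "deny"


def identify_app(payload: bytes) -> str:
    """Classify the stream by its content, whatever port it arrived on."""
    for app, sig in APP_SIGNATURES:
        if sig.search(payload):
            return app
    return "unknown"


def ngfw_decision(src_ip: str, payload: bytes) -> tuple[str, str]:
    """Application-aware control plus DPI: identify the app from the payload,
    apply the user's policy, then scan the payload with content signatures."""
    user = USER_OF_IP.get(src_ip, "unknown")
    app = identify_app(payload)
    if app not in POLICY.get(user, set()):
        return "deny", app  # an SSH stream on port 443 is still SSH
    for sig in CONTENT_SIGNATURES.get(app, []):
        if sig.search(payload):
            return "deny", app  # the application is allowed, this content is not
    return "allow", app
```

The port-based rule admits anything on 443 and rejects legitimate HTTP on 8080, while the content-based classifier reaches the opposite, correct decisions and can additionally block specific content within an allowed application.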
- Integrated Intrusion Protection System (IPS)
An Intrusion Protection System (IPS) is responsible for detecting attacks based on a number of different techniques including the use of integrated threat signatures, known attacks, anomalous activity and traffic behavioral analysis.
In an environment where a traditional firewall is deployed, it is common to see an Intrusion Detection System (IDS) or IPS deployed as well, as a separate appliance. With an NGFW, the IPS or IDS function is fully integrated. The IPS functionality itself is the same as with a separate appliance; the main difference is in performance and in having access to information from all layers of the traffic.
- Secure Sockets Layer (SSL) Inspection and Secure Shell (SSH) Control
An NGFW should be able to recognize and decrypt SSL and SSH on any port (inbound or outbound); offer policy control over what is decrypted; and provide the hardware and software elements needed to perform SSL decryption simultaneously across tens of thousands of SSL connections -- with predictable performance.
- Sandbox Integration
Sophisticated cyber attacks can use unknown malware to evade traditional gateway and endpoint protection. These advanced persistent threats (APTs) use custom-developed, targeted attacks to gain access to a network and remain undetected for long periods of time. The success of an APT depends on staying under the radar for as long as possible, using evasive coding techniques to slip past traditional security barriers, and on its ability to steal sensitive data. One such threat that has gained recent publicity is ransomware.
Sandboxing is one technology available today to deal with these new and emerging unknown threats. A sandbox is an isolated, safe environment that imitates an entire computer system. In the sandbox, suspicious programs can be executed to monitor their behavior and understand their intended purpose, without endangering the organization’s network. Sandbox integration is available for most NGFWs on the market today.
- Simplified Infrastructure
An NGFW is an all-in-one solution. The best offerings come complete with anti-virus, spam filtering and deep packet inspection, among other features. IT staff can manage one device rather than continually racking up, bolting on and updating new devices.
- Guaranteed Performance
Traditional firewalls can degrade network performance. As protection services are added on, the throughput of the firewall tends to plummet. The throughput of an NGFW doesn’t change regardless of how much protection is enabled. An NGFW should deliver visibility and control, including content scanning, which is computationally intensive, in high-throughput networks with little tolerance for latency.
- Bridged and Routed Modes
While not a completely new feature, the ability of an NGFW to operate in either bridged mode or routed mode is an important one. Many traditional firewalls are deployed on today’s networks, and the majority of them are not yet NGFWs. To ease the transition, an NGFW must be able to be placed in a bridge (transparent) mode, where the device itself does not appear as a hop in the routed path. When the time is right for each enterprise, the NGFW can then be switched to routed mode and completely replace the traditional firewall.
Given the threats that company networks face today, it is very clear that organizations need to re-think their security approaches with the goal of incorporating an NGFW into their threat management systems. This is especially true for organizations that have relied on traditional firewalls as their first and only line of defense.
How GTB Can Help
GTB can help you select and implement a next-generation firewall to ensure your network is operating at its maximum performance level -- with the maximum security possible. Watch our three-minute video on cyber security and learn more about GTB’s Cyber Security Solutions.