Firewalls are a standard security tool for the majority of companies, but in today’s changing threat landscape, next-generation firewalls are the only firewalls that can provide proper protection.

What is a Next-Generation Firewall (NGFW)?

A next-generation firewall is within the third generation of firewall technology, designed to address advanced security threats at the application level through intelligent, context-aware security features. An NGFW combines traditional firewall capabilities like packet filtering and stateful inspection with others to make better decisions about what traffic to allow.

A next-generation firewall based on applications and inspects theta contained in packets (rather than just their IP headers). In other words, it operates up to layer 7 (the application layer) in the OSI model, whereas previous firewall technology operated only up to level 4 (the transport layer). Attacks that take place at layers 4–7 of the OSI model are increasing, making this an important capability.

next-generation firewall

The main benefit of a Next-Generation Firewall

The main benefit of an NGFW is the ability to safely enable the use of Internet applications that empower users to be more productive while blocking less desirable applications. Next-generation firewalls achieve this by using deep packet inspection to identify and control applications regardless of the IP port used by the application.

The typical security policy of a network firewall deployed at the perimeter of an organization blocks inbound connections and allows outbound connections. Some limits may be applied, but outbound Web traffic is generally allowed. Applications have learned to use available open ports like Web port 80 to the Internet to give their customers a seamless user experience. This is true of applications that enable employees to work more efficiently and applications that are less desirable to the interests of the company. NGFW gives companies more visibility into what applications their employees are using and control over their application use.

What are NGFW features?

Next-generation firewall specifications vary by provider, but they generally include some combination of the following features:

  • Application awareness, or the ability to filter traffic and apply complex rules based on application (rather than just based on the port). This is a key feature of next-generation firewalls: They can block traffic from certain applications, as well as maintain greater control over individual applications.
  • Deep-packet inspection, which inspects the data contained in packets. Deep-packet inspection is an improvement over traditional firewall technology, which only inspected a packet’s IP header to determine its source and destination.
  • The Intrusion Prevention System (IPS), monitors the network for malicious activity and blocks it where it occurs. This monitoring can be signature-based (matching activity to signatures of well-known threats), policy-based (blocking activity that violates security policies), or anomaly-based (monitoring for abnormal behavior).
  • High performance, allows the firewall to monitor large amounts of network traffic without slowdown. Next-generation firewalls include several security features that require processing time, so high performance is important to avoid disrupting business operations.
  • External threat intelligence, or communication with a threat intelligence network to ensure that threat information is up to date and help identify bad actors.

In addition to these foundational features, next-generation firewalls may include additional features such as antivirus and malware protection. They may also be implemented as a Firewall as a Service (FWaaS), a cloud-based service that provides scalability and easier maintenance. With FWaaS, the firewall software is maintained by the service provider, and resources scale automatically to meet processing demand. This frees enterprise IT teams from dealing with the burden of handling patches, upgrades, and sizing.

next-generation firewall

How does NGFW enforce Threat Prevention?

Threat prevention capabilities are a natural extension of next-gen firewalls’ deep packet inspection capabilities. As the traffic passes through the network firewall device, they also inspect the traffic for known exploits of existing vulnerabilities (IPS). Files can be sent off-device to be emulated in a virtual sandbox to detect malicious behavior (sandbox security).

Why Next-Generation Firewalls are important

As increasing numbers of organizations began using (and depending on) online applications and SaaS services, it became clear that simply inspecting ports and protocols was insufficient to provide effective network security. The most significant innovation at the time was the ability to provide layer 7 application profiling and IPS, enabling highly granular policy enforcement based on specific applications.

NGFWs are by now a mature solution category. However, the ongoing mass migration of IT workloads to public-cloud IaaS platforms such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform – and the resulting increase in the complexity of hybrid network architectures – is driving a push to expand the capabilities of advanced network firewalls yet again. In this case, to provide advanced traffic management, WAN optimization, quality-of-service, and transparent cloud-platform integration.