Next-generation firewalls (NGFW) are an advanced way of protecting an organization by monitoring and screening network traffic. Traditional firewalls normally provide stateful inspections of incoming and outgoing traffic. Next gen firewalls, on the other hand, include features such as integrated intrusion prevention, application awareness and control, and cloud-delivered threat intelligence. NGFWs are adaptive, powerful, come with a variety of features, and are often a cloud-based service. Typically, a next gen firewall will include both hardware and the firewall software.
Traditional firewalls are simply no longer capable of effectively dealing with the variety of advanced cyber threats that currently exist. Next gen firewalls go well beyond creating a first line of defense by integrating DPI (deep packet inspection), IPS (intrusion prevention system), sandboxing, application and identity awareness, encryption, and threat intelligence.
Threat prevention is a natural extension of NGFWs because of their deep packet inspection features. As communications pass through the network firewall, the IPS inspects the traffic for known patterns of exploiting the system’s vulnerabilities.
Businesses cannot afford to leave their network communications unprotected. While traditional firewalls may have been effective deterrents in the past, next-generation firewalls act to prevent cyber threats, malware infections, and ransomware that traditional firewalls were never designed to intercept and block. The primary benefit of next generation firewalls is their ability to safely allow use of the internet, while blocking undesirable applications.
Cisco Secure Firewall
Huawei Unified Sec Gateway
|Product||DPI||IPS||Sandboxing||App & ID Awareness|
This platform was designed with hybrid clouds in mind, and its Firewall F-Series will preserve legacy hardware while meeting new challenges within a hybrid network environment at the same time. Management can access the latest features available for combating advanced threats using built-in SD-WAN, IDPS, traffic management, and VPN capabilities. Barracuda relies primarily on multiple detection layers and includes static code analysis and threat signatures (although signature-based defenses have become increasingly unreliable).
The Barracuda CloudGen Firewall offers an extremely reliable detection and classification system capable of identifying over 1,200 applications and sub-applications. It does this by combining behavioral traffic analysis and deep packet inspection (DPI), regardless of the protocols being used (port hopping techniques, advanced obfuscation, or encryption). It can support the creation of dynamic application policies and enforce acceptable access and use policies. Management can:
It is focused on application development teams and offers real-time network security across a variety of environments and clouds. Built with Kubernetes, this platform is designed as a developer-friendly “apps access” solution. Cisco Secure Firewall supports visibility and policy enforcement for dynamic applications. It offers the unified management of firewalls, intrusion prevention, URL filtering, application control, and malware defense policies. The Cisco Secure Firewall includes:
This platform is designed for data centers and large enterprises. Its most recent version — the USG6700E Series AI Firewall — is advertised as reducing operating expenses for simplified service deployment and change policies by more than 80%. Huawei comes with a suite of firewall solutions. This platform will link with other security devices and actively defend against a variety of network threats. It is designed to defend against advanced threats and resolve performance degradation problems. Some of its features include:
This firewall is designed to defend data centers, the network edge, cloud environments, and containers. The Juniper SRX Series’ devices offer security using a broad array of tools. It provides end-to-end security for protecting critical network resources. Firewall solutions include an intrusion prevention system (IPS), a “stateful firewall,” security intelligence, and AppSecure. Features for this firewall:
The Palo Alto Networks NGFW offers security teams complete visibility over their entire network. It supports traffic identification, threat intelligence technologies, and malware prevention. It does not rely on port procedures and protocol for protecting network traffic from threats but instead provides organizations with a range of advanced security tools. Its features include:
NGFWs provide protection from several types of threats, but not every company will need all features. Here are some standard features you can expect from most NGFW vendors.
Truly understanding how well an NGFW performs requires a thorough test run. Sadly, simply researching a vendor’s specifications or running a little traffic through it will not provide a good understanding of the system’s strengths and weaknesses. In fact, most firewalls perform quite well when the traffic is light. The true test is how well the firewall responds with a full workload, especially after the encryption has been turned on. Approximately 80% of today’s traffic is encrypted, making the ability to sustain performance levels during times of heavy traffic critical.
NGFWs must have the ability to plug into a platform seamlessly, so it can view all activities within the network — ranging from cloud traffic to IoT endpoints to end-user devices. Additionally, after the NGFW has collected the data, the system should be capable of performing analytics and providing insights. This feature enables the next gen firewall to react and enforce policies throughout the network.
All major functions (including anti-malware, IPS, application and user identification, logging, and URL filtering) must be tested to understand how an NGFW will hold up during regular use. Beware: firewall providers often advertise a single performance number, taken while core features were turned off. Before making any commitments, insist on running tests using as many types of traffic as possible and with different types of applications. Important factors to consider include connections per second, application throughput, and SSL performance.
NGFWs must also fit into the broader security platform. While some might assume using the same vendor for both NGFW and overall network security would be the best approach, this does not necessarily lead to the best security. Keeping it simple is a good idea, but maybe not too simple. Think of the security platform as an open architecture, which allows third-party products (such as NGFWs) to plug into it.
The purpose of automation is to remove as many manual steps as possible. Almost all firewall providers advertise some automation, and finding automated services that fulfill an organization’s needs is very important. Automation can be used to protect the business by immediately identifying predictable threat behaviors and quickly providing protection. Automation, if used correctly, can prevent cyber attacks much more quickly than a human monitoring the network. Listed below are three ways automation supports NGFWs:
This feature simplifies security by taking responsibility for several of the normal, day-to-day, mundane tasks. Working with multiple devices and multiple environments, a network system can become quite complex, and security risks can be introduced through configuration errors. This automated process can guide network management at every stage. Without workflow automation, management must go through a list of potential problems and identify them manually.
As change is a constant in the world of business, it is almost impossible for companies to keep policies updated using the old manual methods. Policy automation makes sure the policies are adhered to continuously.
This feature helps to find and react to threats quickly and in near real time. Threats can often linger within an organization’s network for days, weeks, and even months before being identified (and can cause significant damage while undetected). This feature is especially useful because it can identify the most minor anomaly and quarantine it in a secure segment.
NGFW providers should be able to provide instructions for creating a container that can be deployed on a range of platforms, including the cloud. Few firewall providers have developed an NGFW container, but the vendor should be able to describe how it can be accomplished.
If a company has a broad product line, with each product needing individual management, it becomes difficult to keep rules and policies up to date, and in turn, leads to inconsistencies in functions and features. A firewall vendor should have a “single-pane-of-glass” firewall management tool capable of providing end-to-end visibility and allowing management to make changes. Visibility should extend throughout the system, including the cloud, branch offices, the internet of things, and operational technology. A single dashboard can be remarkably useful when implementing and maintaining segmentation, rather than having to configure each individual product or device.
When selecting a next-generation firewall software vendor, there are some concerns which should be taken into consideration. For many, a new NGFW will replace an older NGFW or a traditional firewall. In that situation, a final decision should take into consideration what type of hardware is being replaced and the other network components that are involved.
Modern NGFWs are key to the success of modern network security strategies. While some features obviously overlap from one NGFW vendor to the next, there are some distinct differences which need to be understood and evaluated, based on the network’s security needs. Consider the following:
A monitor communicates what is happening on the business’s network at all times. One area where NGFWs can vary widely is application and network visibility. Be sure to understand the vendor’s visibility functions, and make certain it meets (or even exceeds) the company’s needs. A firewall should present a holistic view of all network activity and show:
There is a balance which must be met between great performance and threat protection. Getting the features needed, along with the performance needed, can be tricky. The NGFW should be flexible enough to meet changing circumstances.
Next-generation firewalls often interact with several other networks and security tools, logging servers, network monitoring tools, authentication servers, and external web/email security solutions. Interoperability will vary from vendor to vendor. Make certain the limitations and strengths are understood, and verify the interoperability of the external components and applications with the NGFW. Choose an NGFW that:
Ideally, a threat is detected and dealt with before actually entering the network. Sadly, the current industry standard states threats are normally detected between 100 and 200 days, during which significant damage can take place. An NGFW should be able to:
The total cost of ownership should be considered. With the understanding that licensing, hardware, and ongoing support will be part of the package, these costs should be included. Prices will vary significantly from one vendor to another, so it is important to complete a cost/benefit analysis and determine which product will give your business a comfortable degree of security for the best price.
Next-gen firewalls have evolved into a multi-tool package for IT security. As a common occurrence, companies will use some tools on a daily basis, while others are rarely used. Commonly used features include secure remote access, intrusion prevention, and VPN. Other security features depend on the needs of the company and the price of the tool. Features such as sandboxing, global threat protection, or advanced emerging threats may not be necessary.
In addition to the traditional threats (viruses, Trojan horses), there are advanced threats, which are continuously evolving. Ransomware and M2M attacks are becoming more commonplace (as a result of the potential for profit) and becoming increasingly diversified. Advanced threats, as a rule, are more covert and spread faster. To face these rapidly evolving threats, NGFWs must deal with the following challenges:
As a result, next-generation firewalls must be continuously upgraded to respond to these advanced threats. The development of artificial intelligence (AI) for security purposes creates new opportunities for the development of firewalls. AI supports cybersecurity at both the micro and macro levels.
From the macro perspective, embedded machine learning (ML) algorithms detect, and then block, suspicious files. The ML algorithm can detect specific behaviors expressed by a file, and if that file meets a certain threshold, it is isolated before being analyzed. Every time the ML algorithm gets used, the NGFW examines previously analyzed behaviors and learns, becoming more proficient with each use. An NGFW that is equipped with AI can handle unknown threats with greater efficiency and can detect “mutating attacks.”
Huawei, Juniper, and Palo Alto have each developed AI firewall technologies. Their use of ML (ML and AI are used interchangeably these days, though ML is actually a subdivision of AI) and AI greatly improves the accuracy and speed of threat detection. Additionally, AI can offer facial recognition, providing another layer of security.