A next-generation firewall (NGFW) is the third generation of firewall technology, designed to address threats at the application layer through context-aware inspection rather than address-and-port matching alone. An NGFW keeps the traditional capabilities, packet filtering and stateful inspection, and combines them with application identification, deep packet inspection and other controls so that it can make better decisions about which traffic to allow.
A next-generation firewall can filter traffic by the application that generates it and can inspect the data carried in packets, rather than only the IP and TCP/UDP headers. In other words, it operates at up to layer 7 (the application layer) of the OSI model, whereas previous firewall technology operated only up to layer 4 (the transport layer) and therefore could not tell one application from another once they shared a port. Attacks that take place at layers 4 through 7 of the OSI model are increasing, making this an important capability.
Next-generation firewall specifications vary by provider, but they generally include some combination of the following features:
In addition to these foundational features, next-generation firewalls may include additional features such as antivirus and malware protection. They may also be implemented as a Firewall as a Service (FWaaS), a cloud-based service that provides scalability and easier maintenance. With FWaaS, the firewall software is maintained by the service provider, and resources scale automatically to meet processing demand. This frees enterprise IT teams from dealing with the burden of handling patches, upgrades, and sizing.
Next-generation firewalls provide stronger security than a traditional firewall. Traditional firewalls are limited in their capabilities: they can block or permit traffic on a particular port, but they cannot apply application-specific rules, protect against malware, or detect and block anomalous behavior. Because a port-based rule never learns which application is actually using the port, an attacker can evade it by tunneling a blocked application over an allowed port, or by running a service on a nonstandard port; a next-generation firewall identifies the application from the traffic itself and enforces the rule regardless of the port. Thanks to their context-aware nature and their ability to receive updates from external threat intelligence feeds, next-generation firewalls can protect against a broad and ever-changing array of advanced threats, and may use automation to keep security policies up to date without requiring intervention from busy IT staff.
In addition, next-generation firewalls offer streamlined security infrastructure that’s easier and cheaper to maintain, update, and control. They combine several security features into one solution and report incidents through a single reporting system. The alternative of maintaining many different security products places an additional burden on IT staff and increases the potential for security breaches.
Traditional firewalls rely on port and protocol inspection to protect enterprise networks at the network and transport layers (layers 3 and 4 of the OSI model). This static approach was effective in the past, when the IT environment was less dynamic than it is now and applications could be identified by port. But with the increasing complexity of virtualized networks and more advanced security threats, it is no longer enough. Next-generation firewalls are smarter: they can filter traffic by application (layer 7 of the OSI model), and even by behavior, making fine-grained distinctions that are far more effective than the generic methods used by traditional firewalls. They also consult external threat data to identify threats. This dynamic, flexible approach allows them to identify and defend against attackers that are much more sophisticated than in the past.
Targeted and sophisticated security threats are causing more damage to internal networks than ever before. Traditional firewall technologies are heavily reliant on port and protocol inspection, which is ineffective in a virtualized environment where addresses and ports are assigned dynamically. By comparison, a next-generation firewall uses deep packet inspection to examine the contents of packets, provides layer 7 application filtering, and can monitor for and block suspicious activity. These capabilities are a must to ensure security in a complex, dynamic environment.
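The difference between a port-based rule and an application-aware rule, as described above, can be shown with a small simulation. The following Python script is an added example written for this page; it is not code from the page or from any firewall vendor. It identifies the application from the first bytes a client sends on a TCP connection (SSH banner, HTTP request line, or TLS ClientHello record header), then evaluates each flow against a traditional layer-4 policy and against an NGFW-style policy that requires the identified application to match what the port is allowed to carry. The signatures, the allowed-application table and the sample flows are all constructed for the example.

```python
"""Port-based versus application-aware filtering, side by side.

Added example, not code from the page: a toy classifier identifies the
application from the first bytes a client sends on a TCP connection, and an
NGFW-style policy uses that identity instead of trusting the destination port.
Signatures, policy table and sample payloads are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sends after the TCP handshake


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Layer-7 identification from the payload, ignoring the port entirely."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two-byte record length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Traditional layer-4 rule: allow outbound 80 and 443, deny everything else."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Application each port is permitted to carry (assumed enterprise policy).
ALLOWED_APPS = {80: {"http"}, 443: {"tls"}}


def app_policy(flow: Flow) -> str:
    """NGFW-style rule: the identified application must be one the port may carry."""
    app = identify_app(flow.payload)
    return "allow" if app in ALLOWED_APPS.get(flow.dst_port, set()) else "deny"


def compare(flows):
    """Return (identified app, port-based decision, app-aware decision) per flow."""
    return [(identify_app(f.payload), port_policy(f), app_policy(f)) for f in flows]


# Constructed sample traffic: a browser, a TLS client, and SSH on its standard
# port and hidden on the HTTPS port. The TLS payload is a ClientHello record
# header followed by a truncated body; only its first six bytes are examined.
SAMPLE_FLOWS = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)),
    Flow(22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH tunneled over an allowed port
]

if __name__ == "__main__":
    for flow, (app, by_port, by_app) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"dst {flow.dst_port:>3}  app={app:<7} port-rule={by_port:<5} app-rule={by_app}")
```

The fourth flow is the case the text describes: the port-based rule allows it because 443 is open, while the application-aware rule denies it because the payload is SSH, not TLS. Note the limit of this toy classifier, which is also a real-world caveat: it only reads the first bytes of the connection, so an application wrapped inside a genuine TLS session on port 443 would still be classified as "tls". Distinguishing what rides inside TLS is exactly why production NGFWs add deep packet inspection of the handshake (for example the server name) or full TLS interception.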