A next-generation firewall (NGFW) is part of the third generation of firewall technology. It is designed to address advanced threats at the application level through intelligent, context-aware security features, combining traditional firewall capabilities such as packet filtering and stateful inspection with application-layer inspection and other controls to make better decisions about what traffic to allow.
A next-generation firewall can filter packets based on the application that generated them and can inspect the data carried in packets, rather than only their IP and transport headers. In other words, it operates up to layer 7 (the application layer) of the OSI model, whereas stateful firewalls operate only up to layer 4 (the transport layer). Attacks carried out at layers 4 through 7 of the OSI model are increasing, which makes this an important capability.
Next-generation firewall specifications vary by provider, but they generally include some combination of the following features:
- Application awareness, or the ability to filter traffic and apply rules based on the application in use, identified from the traffic itself rather than inferred from the port. This is a key feature of next-generation firewalls: they can block traffic from specific applications and exert finer control over individual applications, for example allowing one web application while denying another that runs over the same port.
- Deep-packet inspection, which examines the payload of packets rather than only their headers. This is an improvement over traditional firewall technology, which inspected only the IP and transport headers to determine a packet's source and destination addresses, protocol and ports.
- Intrusion Prevention System (IPS), which monitors traffic for malicious activity and blocks it inline, before it reaches its target. Detection can be signature-based (matching traffic to patterns of well-known threats), policy-based (blocking activity that violates security policy), or anomaly-based (flagging behavior that deviates from the expected baseline).
- High performance, which allows the firewall to inspect large volumes of traffic without becoming a bottleneck. Next-generation firewalls bundle several security functions that each consume processing time, so throughput is important to avoid disrupting business operations.
- External threat intelligence, or communication with a threat intelligence network, which keeps indicators such as malicious domains and IP addresses up to date and helps identify known bad actors.
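As an added illustration of the three IPS detection modes listed above (this is example code written for this page, not any product's detection engine), the following Python script runs constructed packets through a toy inline IPS that applies a signature check, a policy check and a rate-based anomaly check, and returns a verdict per packet. The signatures, the forbidden-protocol policy, the port-scan threshold and the sample packets are all assumptions made up for the example.

```python
"""Toy inline intrusion-prevention stage showing the three detection modes.
Added example; signatures, policy table, threshold and packets are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    ts: float       # arrival time in seconds
    payload: bytes = b""


# Signature-based: byte patterns of well-known attack traffic (constructed samples).
SIGNATURES = [
    ("web-shell-cmd", re.compile(rb"[?&]cmd=", re.I)),
    ("path-traversal", re.compile(rb"(?:\.\./){2,}")),
]

# Policy-based: protocol/port combinations the organisation forbids (constructed).
POLICY = {
    ("tcp", 23): "telnet-prohibited",
    ("tcp", 21): "ftp-prohibited",
}

# Anomaly-based: one source touching many distinct ports in a short window looks like a scan.
SCAN_WINDOW = 5.0          # seconds
SCAN_PORT_THRESHOLD = 10   # distinct destination ports within the window


class ToyIPS:
    def __init__(self):
        # per-source sliding window of (timestamp, destination port)
        self._history = defaultdict(deque)

    def signature_check(self, pkt):
        for name, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                return "signature:" + name
        return None

    def policy_check(self, pkt):
        reason = POLICY.get((pkt.proto, pkt.dport))
        return "policy:" + reason if reason else None

    def anomaly_check(self, pkt):
        hist = self._history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        while hist and pkt.ts - hist[0][0] > SCAN_WINDOW:   # drop entries outside the window
            hist.popleft()
        distinct_ports = {port for _, port in hist}
        if len(distinct_ports) >= SCAN_PORT_THRESHOLD:
            return "anomaly:port-scan(%d ports in %gs)" % (len(distinct_ports), SCAN_WINDOW)
        return None

    def inspect(self, pkt):
        """Return ("block", reason) or ("allow", None).

        All three checks run on every packet so the anomaly window is kept
        up to date even when an earlier check has already decided to block."""
        verdicts = [check(pkt) for check in
                    (self.signature_check, self.policy_check, self.anomaly_check)]
        reason = next((v for v in verdicts if v), None)
        return ("block", reason) if reason else ("allow", None)


def run_sample():
    """Feed constructed traffic through the IPS and return the per-packet verdicts."""
    ips = ToyIPS()
    pkts = [
        Packet("10.0.0.5", "tcp", 80, 1.0, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
        Packet("10.0.0.5", "tcp", 80, 1.1, b"GET /img.php?cmd=id HTTP/1.1\r\nHost: app\r\n\r\n"),
        Packet("10.0.0.6", "tcp", 23, 1.2),        # telnet, forbidden by policy
    ]
    # a scanner probing ports 1..12 within a fraction of a second:
    # blocked from the packet at which 10 distinct ports have been seen
    pkts += [Packet("10.0.0.7", "tcp", port, 2.0 + port * 0.01) for port in range(1, 13)]
    return [ips.inspect(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The three checks are independent, so the anomaly window is updated even for packets a signature already blocked; otherwise a scanner that also trips a signature on every probe would never accumulate enough history to be recognised as a scan.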
In addition to these foundational features, next-generation firewalls may include antivirus and malware protection. They may also be delivered as Firewall as a Service (FWaaS), a cloud-based offering that provides scalability and easier maintenance: the provider maintains the firewall software and resources scale automatically with processing demand, which frees enterprise IT teams from patching, upgrading and sizing the appliance themselves.
Next-generation firewalls provide markedly stronger security than a traditional firewall. Traditional firewalls are limited in their capabilities: they can block traffic to a particular port, but they can't apply application-specific rules, protect against malware, or detect and block anomalous behavior. As a result, an attacker can evade them simply by running a disallowed application on an allowed port, or an allowed application on an unexpected one; an application-aware firewall is designed to catch this because it identifies the application from the traffic itself rather than from the port. Thanks to their context-aware nature and their ability to receive updates from external threat intelligence networks, next-generation firewalls can protect against a broad and ever-changing array of advanced threats, and may use automation to keep security policies current without intervention from busy IT staff.
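To make the port-versus-application distinction concrete, here is an added example (code written for this page, not taken from it or from any firewall vendor) that classifies the first packet of a flow by its content, parsing the SNI out of a TLS ClientHello and recognising an HTTP request line or an SSH banner, and then compares a port-only rule set with an application-aware one. The policy tables, the disallowed domain, the hand-built ClientHello and the sample packets are all constructed for the illustration.

```python
"""Port-based versus application-aware filtering (added example; all inputs constructed)."""
import struct


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (test input only;
    a real client sends more cipher suites and extensions, which the parser below skips)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version, random
            + b"\x00"                                                # session_id length 0
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # one compression method
            + struct.pack("!H", len(ext)) + ext)                     # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22


def tls_client_hello_sni(p):
    """Return the SNI host name of a ClientHello, "" if TLS without SNI, None if not TLS."""
    try:
        if p[0] != 0x16 or p[5] != 0x01:
            return None
        i = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
        i += 1 + p[i]                                      # session_id
        i += 2 + int.from_bytes(p[i:i + 2], "big")         # cipher_suites
        i += 1 + p[i]                                      # compression_methods
        ext_end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= ext_end:
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            i += 4
            if etype == 0:                                 # server_name: list_len(2) type(1) len(2) name
                nlen = int.from_bytes(p[i + 3:i + 5], "big")
                return p[i + 5:i + 5 + nlen].decode("ascii")
            i += elen
        return ""
    except (IndexError, UnicodeDecodeError):
        return None


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_app(payload):
    """Classify the first packet of a flow by its content, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    if tls_client_hello_sni(payload) is not None:
        return "tls"
    return "unknown"


PORT_POLICY = {80: "allow", 443: "allow", 22: "deny"}                  # legacy: port only (constructed)
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "deny", "unknown": "deny"}   # constructed
BLOCKED_SNI_SUFFIXES = (".filesharing.example",)                        # constructed disallowed service


def legacy_decision(dport):
    return PORT_POLICY.get(dport, "deny")


def ngfw_decision(dport, payload):
    app = identify_app(payload)
    if app == "tls":
        sni = tls_client_hello_sni(payload)
        if sni.endswith(BLOCKED_SNI_SUFFIXES):
            return ("deny", "tls:" + sni)
        return ("allow", "tls:" + (sni or "-"))
    return (APP_POLICY[app], app)


def compare_samples():
    """Run constructed first packets through both rule sets; returns (port, legacy, ngfw) rows."""
    samples = [
        (443, build_client_hello("www.example.com")),            # ordinary HTTPS
        (443, build_client_hello("drop.filesharing.example")),   # HTTPS to a disallowed service
        (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                       # SSH hidden on the HTTPS port
        (8080, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),     # HTTP on a nonstandard port
    ]
    return [(dport, legacy_decision(dport), ngfw_decision(dport, payload))
            for dport, payload in samples]
```

The difference cuts both ways: SSH on port 443 passes the port rule but is denied by the application rule, while HTTP on port 8080 is denied by the port rule and allowed by the application rule. A real classifier also has to reassemble traffic split across packets, and an application tunnelled inside a permitted encrypted protocol (for example over TLS to an allowed SNI) is invisible to this kind of inspection unless the session is decrypted.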
In addition, next-generation firewalls offer streamlined security infrastructure that’s easier and cheaper to maintain, update, and control. They combine several security features into one solution and report incidents through a single reporting system. The alternative of maintaining many different security products places an additional burden on IT staff and increases the potential for security breaches.
Traditional firewalls rely on port/protocol inspection and blocking to protect enterprise networks at the network and transport layers (layers 3 and 4 of the OSI model). This static approach was adequate when the IT environment was less dynamic and applications could be identified by their port. With the increasing complexity of virtualized networks and more advanced threats, it is no longer enough. Next-generation firewalls are smarter: they can filter packets based on application (layer 7 of the OSI model), and even on behavior, making fine-grained distinctions that are far more effective than the generic methods of traditional firewalls. They also consult external data to identify threats. This dynamic, flexible approach lets them identify and defend against attackers who are far more sophisticated than in the past.
Targeted and sophisticated threats are causing more damage to internal networks than ever before. Traditional firewall technologies depend heavily on port/protocol inspection, which is ineffective in a virtualized environment where addresses and ports are assigned dynamically. By comparison, a next-generation firewall uses deep-packet inspection to examine packet contents, provides layer 7 application filtering, and can monitor for and block suspicious activity. These capabilities are a must for securing a complex, dynamic environment.
The main firewall types, roughly in order of evolution:
- Packet filtering firewall: Looks only at packet headers (source and destination address, protocol, port) and drops packets that match a deny rule.
- Circuit-level gateway: Validates sessions based on TCP handshakes and other session-initiation messages rather than inspecting the packets' contents.
- Stateful inspection firewall: Combines packet filtering with connection tracking, so that inbound packets are accepted only when they belong to a session it has already seen established.
- Application-level gateway: Acts as a proxy between client and server, filtering by destination port and the HTTP request string. Also known as a proxy firewall.
- Next-generation firewall: Employs application-level, context-aware, intelligent technology to protect against advanced threats.
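The difference between the first and third entries is easiest to see on a packet trace. The following added example (illustrative code written for this page, not taken from it or from any product) runs the same constructed packet sequence through a header-only filter that admits any inbound packet carrying ACK, the classic approximation of "established" traffic, and through a minimal connection-tracking filter that admits inbound packets only when they match a session opened from inside. Addresses, ports and the rule logic are assumptions for the example; FIN teardown and sequence-number validation are left out.

```python
"""Stateless packet filter versus stateful inspection on one packet sequence.
Added example; addresses, ports and rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "R"


INSIDE_PREFIX = "10.0.0."       # the protected network (constructed)


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt):
    """Header-only rules: allow anything outbound, and allow inbound packets that
    carry ACK on the assumption that they belong to a connection we started."""
    if is_inside(pkt.src):
        return "allow"
    if "A" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """Tracks TCP sessions opened from inside; inbound packets must match one."""

    def __init__(self):
        self.conns = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def process(self, pkt):
        if is_inside(pkt.src):                                 # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S" and key not in self.conns:
                self.conns[key] = "SYN_SENT"                   # new session
                return "allow"
            if key not in self.conns:
                return "deny"                                  # e.g. stray ACK with no session
            if "R" in pkt.flags:
                del self.conns[key]                            # reset tears the session down
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)         # inbound direction
        state = self.conns.get(key)
        if state is None:
            return "deny"                                      # nobody inside asked for this
        if state == "SYN_SENT":
            if pkt.flags == "SA":
                self.conns[key] = "ESTABLISHED"
                return "allow"
            return "deny"                                      # only a SYN-ACK is valid here
        if "R" in pkt.flags:
            del self.conns[key]
        return "allow"


def run_sample():
    """Replay a constructed sequence through both filters; returns (stateless, stateful) per packet."""
    stateful = StatefulFilter()
    pkts = [
        Pkt("10.0.0.5", 40000, "203.0.113.10", 443, "S"),    # client opens a connection
        Pkt("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),   # server answers
        Pkt("10.0.0.5", 40000, "203.0.113.10", 443, "A"),    # handshake completes
        Pkt("203.0.113.10", 443, "10.0.0.5", 40000, "A"),    # server data
        Pkt("198.51.100.7", 31337, "10.0.0.5", 22, "A"),     # forged ACK probe, no session
        Pkt("198.51.100.7", 31337, "10.0.0.5", 22, "S"),     # unsolicited inbound SYN
    ]
    return [(stateless_filter(p), stateful.process(p)) for p in pkts]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The fifth packet is the one that matters: the header-only filter lets the forged ACK probe through because it has no way of knowing that no connection exists, whereas the stateful filter drops it because nothing inside ever sent a SYN to that host and port.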