||This article needs attention from an expert on the subject. (April 2014)|
A Next-Generation Firewall is an integrated network platform that consists of in-line deep packet inspection (DPI) firewall, Intrusion Prevention System, Application Inspection and Control, SSL/SSH inspection, website filtering, and QoS/bandwidth management in the network to protect the network against latest sophisticated attacks.
Next-Generation Firewall vs. Traditional Firewall
NGFWs encompass the typical functions of traditional firewalls such as packet filtering, network- and port-address Translation (NAT), stateful inspection, and virtual private network (VPN) support. However, as threats continue to move up the OSI stack to include layer 7 and user-targeted attacks make the network user increasingly vulnerable to security risks, enterprises need actionable intelligence and controls across all layers of the computing stack, including the User Layer 8 [L2-L8]. An NGFW should be able to verify a user’s identity and allow user-based policy enablement accordingly.
NGFWs perform deeper inspection compared to stateful inspection performed by the first-generation firewalls. They go deeper to inspect the payload of packets and match signatures for harmful activities such as known vulnerabilities, exploit attacks, viruses and malware – all on the fly.
Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks." At minimum, Gartner states an NGFW should provide:
• Non-disruptive in-line bump-in-the-wire configuration
• Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
• Integrated signature based IPS engine
• Application awareness, full stack visibility and granular control
• Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
• Upgrade path to include future information feeds and security threats
• SSL decryption to enable identifying undesirable encrypted applications
Evolution of Next-Generation Firewalls
New-age threats like web-based malware attacks, targeted attacks, application-layer attacks, and more, are quickly changing the threat landscape from bad to critical. In fact, greater than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful Inspection firewalls with simple packet filtering capabilities were good at the job of blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols. But today, blocking an application like Farmville that uses Port 80 by closing the port would also mean blocking other applications like Sharepoint and Salesforce.com that use the same Port 80, which most organizations cannot afford to do. Protection based on ports, protocols, IP addresses is no more reliable and viable.
Additionally, for want of easy availability and cost savings to the business, many client-server applications like Salesforce.com and Google’s Office Suite are moving to the web to become web-based services. Such critical business applications have today become indistinguishable from the less important applications in a business network that also utilize HTTP for the purpose of network communications. Enterprises, therefore, need a deeper awareness of and control over individual applications along with deeper inspection capabilities by the firewall that allow administrators to create very granular allow/deny rules for controlling use of websites and applications in the network.
Bolt-on security solutions ineffective
Deploying stand-alone security products like Intrusion Prevention System, URL filtering, Anti-Virus/Anti-malware, and more, proves inadequate in increasing the effectiveness of the first-generation firewalls. The far-sightedness of SI firewalls rubs on to the added solutions as these solutions work based on limited efficacy of these firewalls with their ports/ protocols-based classification techniques. “Device sprawl” arising out of multiple solutions add complexities of cost, maintenance and management for the organizations.
- Intro to Next Generation Firewalls - By Eric Geier, 06 September, 2011
- Next gen security - by Ben Rossi - 07 August, 2012
- Next Generation Firewall (NGFW) - Network Intelligence
- NEXT-GENERATION FIREWALLS - Cyberoam
- Next-generation firewalls: Security without compromising performance - By Patrick Sweeney, 17 October 2012
- Next-Generation Firewalls 101 - By Frank J. Ohlhorst, 1 March 2013
- Defining the Next-Generation Firewall - Gartner RAS Core Research Note G00171540, John Pescatore, Greg Young, 12 October 2009, R3210 04102010
- Next Generation Firewalls: Restoring Effectiveness Through Application Visibility and Control - by Palo Alto