Recent security breaches to some of the largest and seemingly most secure network environments beg the question: Are existing protection mechanisms sufficient enough to deter unauthorized access to critical assets?
While some feel that traditional firewalls, antivirus software and intrusion prevention systems (IPS) have lost their usefulness, these security technologies are, in reality, still very much in use -- and needed. However, more comprehensive, effective and, especially, integrated products are often required to keep up with those that threaten today's network infrastructures.
Enter next-generation firewalls (NGFWs).
NGFWs are integrated network security platforms that consist of inline deep packet inspection firewalls, IPS, application inspection and control, SSL/SSH inspection, website filtering and quality of service (QoS)/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusions.
Next-generations firewalls vs. traditional firewalls
Unlike NGFWs, which are meant to thwart the growing number of application attacks taking place at Layers 4 through 7 of the OSI network stack, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport). They include metrics to allow and deny packets by discriminating the source IP address of incoming packets, destination IP addresses, the type of internet protocols the packets may contain (e.g., normal data-carrying IP packets as well as local-link network discovery protocols) and routing features.
Although firewalls are usually deployed between the public internet and an internal network inside the DMZ, attackers have found ways to circumvent these controls and cause considerable damage before detection. Traditional firewalls are limited in scope, and other security controls are still necessary to protect enterprise networks, including intrusion prevention systems, web application firewalls, secure coding standards based on the Open Web Application Security Project's Top 10 vulnerabilities, strong encryption at the web layer (SSL/Transport Layer Security), and antivirus and malware prevention.
Having to deploy, manage and monitor this unwieldy number of network security products to mitigate multiple heterogeneous attack vectors is challenging, to say the least. In addition, unforeseen interactions between security products can compromise some products' functionality at the expense of broadband resource usage, response times, monitoring and maintenance requirements.
NGFWs can address many of these issues by providing a single-vendor product with a common management process that includes multiple security services. It is, for the most part, a more cost-effective and pragmatic approach to network security.
NGFWs are not UTMs
Unified threat management (UTM) systems are all-in-one network security platforms that seek to provide simplicity, streamlined installation and use, as well as the ability to concurrently update all security functions. These systems, like NGFWs, clearly have a major advantage over acquiring a variety of network security technologies, since there's no need to maintain disparate security products and figure out how they all work together.
UTMs mainly serve SMBs, not large organizations. The advantage of next-generation firewalls, on the other hand, is that they are generally more expansive and work to secure the networks of businesses from SMBs to large enterprises. Unlike UTMs, NGFWs may integrate threat intelligence, a degree of mobile device security, data loss prevention and use an open architecture that allows clients to use regular expressions to tailor application control and even some firewall rule definitions.
Nonetheless, security vendors often differ in their definitions of UTMs and NGFWs, which is why it is important to understand the difference between next-generation firewalls vs. UTMs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security products will continue.
A guide to optimal NGFW functionality
Optimal NGFW products must be comprehensive, flexible and accessible. While this may seem like an unattainable combination, achieving this trifecta is very doable for NGFW vendors.
First, NGFWs may include IPS, antivirus and malware prevention, application control, deep packet inspection and stateful firewalls, encryption, compression, QoS and other capabilities. One drawback NGFWs need to overcome is the reluctance of many enterprises to rely on a single point of failure for so many different network security controls.
Second, NGFWs must be flexible, which also means scalable, so that features can be modularized and activated based on need.
And third, NGFWs should provide a comprehensive user interface that provides well-defined access to product features, whether through a traditional command-line interface or a GUI dashboard, with well-documented access to feature activations, rule set definitions, configuration analysis, vulnerability assessments, activity reports and alerts.
Today's NGFWs make up a cadre of network security products that purport to offer these three characteristics. Although NGFW services are listed with commonly named features, including data loss prevention, application control and threat intelligence, a close look shows some variation between NGFW vendor products.
Some NGFWs can terminate SSL/Transport Layer Security circuits as well as perform URL filtering. They also support software-defined wide area networks.
Some NGFW vendors offer mobile device security, but these are not comprehensive mobile device management (MDM) products. These NGFWs can identify mobile devices and operating systems; provide policy enforcement based on apps, users and content; and even extend a VPN tunnel to prevent malware, but they do not provide the total device management offered by MDM products.
Customers should carefully vet the features of individual NGFW products to determine the best fit for them. For example, not all NGFWs provide two-factor authentication or mobile device security, but then, not every customer needs those features. And while there are NGFWs that say they support such features, some might require additional modules or products to make them work.
How NGFWs are sold
Most NGFWs are appliance-based, but some are available as software products that enterprises can install on their own servers or delivered over the cloud as a SaaS. Most are modular, enabling an enterprise to purchase and activate features commensurate with their specific needs and risks.
However, there are some questions as to whether these cloud products provide the same protection as traditional on-premises appliances, or protect against the specific threats that are associated with how enterprises use cloud resources. To understand this further, companies should research the differences between next-generation firewalls vs. traditional.
While enterprises are considering deploying cloud NGFW technologies in their IT security architectures, it's still early and actual deployments vary. As such, enterprise requirements for SaaS NGFWs will likely affect the growth of this technology significantly.
Another important point about NFGWs: Never pay retail price. NGFW vendors want the business, and their job is to demonstrate the differentiators that set them apart from competitors.
Enterprises should make NGFW purchase decisions based on whether the product is sufficient to maintain the organization's anticipated pace of growth.
The future of NGFWs
The global NGFW market is expected to grow to $4.69 Billion by 2023. The largest market in IT security products, it is still growing around 8% a year.
In speaking with top NGFW vendors, there are features under development that will make the IT department's life easier while further strengthening network security. These companies are also resolved to develop NGFW products that address the network security requirements of organizations of all sizes.
NGFW vendors are also spending a considerable amount of time and expense in R&D to keep pace with today's sophisticated attacks and meet the comprehensive, flexibility and accessibility requirements outlined above. One of the main features major NGFW companies offer is threat intelligence that is current, open, continuous, adaptive and automatic.
One vendor's R&D efforts have produced such features as a strong centralized management console and detection engines that are resistant to evasion techniques.
In addition, NGFW vendors aim to provide the most comprehensive coverage packages to customers as possible, without sacrificing performance. To help decide which one is the best for your environment, review the NGFWs performance results in the NSS labs' 2018 NGFW comparative analysis. This independent study reported on 10 vendor NGFWs and addressed performance, security and total cost of ownership.
Linda Rosencrance contributed to this report
UTM vs. NGFW: Comparing unified threat management, next-gen firewalls
Palo Alto NGFW fails NSS Labs report, war of words ensues