Introduction to next-generation firewalls in the enterprise

Expert Mike Villegas explains how the integrated security platforms that are NGFWs better protect enterprise networks from attacks and intrusion.

Recent security breaches at some of the largest and seemingly most secure network environments beg the question: Are existing protection mechanisms sufficient to deter unauthorized access to critical assets?

While some feel that traditional firewalls, antivirus software and intrusion prevention systems (IPS) have lost their usefulness, these security technologies are, in reality, still very much in use -- and needed. However, more robust, effective and, especially, integrated products are often required to keep up with those that threaten today's network infrastructures.

Enter next-generation firewalls (NGFWs).

NGFWs are integrated network security platforms that consist of in-line deep packet inspection (DPI) firewalls, IPS, application inspection and control, SSL/SSH inspection, website filtering and quality of service (QoS)/bandwidth management to protect networks against the latest in sophisticated network attacks and intrusion.

NGFWs are not traditional firewalls

Unlike NGFWs, traditional packet-filtering firewalls only provide protection at Layer 3 (network) and Layer 4 (transport) of the OSI model. Their rules allow or deny packets based on the source IP address of incoming packets, the destination IP address, the type of Internet protocol the packet carries -- e.g., normal data-carrying IP packets, ICMP (Internet Control Message Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol), BOOTP (Bootstrap Protocol) and DHCP (Dynamic Host Configuration Protocol) -- and routing features.

Although firewalls are placed between the Internet and an internal network inside the DMZ, attackers have found ways to circumvent these controls and cause considerable damage before detection. Meanwhile, traditional firewalls often necessitate installing separate IPS, Web application firewalls (WAFs), secure coding standards based on the Open Web Application Security Project's (OWASP) Top 10 vulnerabilities, strong encryption at the Web layer (SSL/TLS), and antivirus and malware prevention.

Having to deploy, manage and monitor this unwieldy number of network security products to mitigate multiple heterogeneous attack vectors is challenging, to say the least. In addition, this diverse array of security products can interfere with each other's functionality, at the expense of bandwidth, response times, and monitoring and maintenance requirements.

NGFWs address these issues by providing a single-vendor product with a common management process that includes multiple security services. It is, for the most part, a more cost-effective and pragmatic approach to network security.

NGFWs are not UTMs

Unified threat management systems (UTMs) are all-in-one network security platforms that are meant to provide simplicity, streamlined installation and use, as well as the ability to concurrently update all security functions. These systems, like NGFWs, clearly have a major advantage over acquiring a variety of network security technologies, as there's no need to maintain disparate security products and figure out how they all work together.

UTMs were originally designed for small to medium-sized businesses (SMBs), not large organizations, however. NGFWs, on the other hand, are generally more expansive and work to secure the networks of businesses from the size of an SMB to large enterprise environments. Unlike UTMs, most NGFWs, for example, offer threat intelligence, a degree of mobile device security, data loss prevention and an open architecture that allows clients to use regular expressions (regex) to tailor application control and even some firewall rule definitions.
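To make the contrast concrete, the following Python example is added here; it is constructed for this page and is not code from any NGFW or UTM vendor. It covers two passages: the Layer 3/4 packet-filter rules described under "NGFWs are not traditional firewalls", and the regex-tailored application control mentioned above. Stage 1 is a plain 5-tuple rule matcher (addresses, protocol, port), stage 2 classifies the payload by content rather than by port number (deep packet inspection), and stage 3 applies a regex-based application policy. All addresses, hostnames, payload bytes, and the rule and policy formats are my own constructed assumptions, not any product's syntax.

```python
"""Toy three-stage inspection pipeline (constructed example, not vendor code).

Stage 1: Layer 3/4 packet filter (IP ranges, protocol, destination port).
Stage 2: application identification from payload content (DPI).
Stage 3: regex-based application-control policy, as NGFWs allow.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for ICMP)
    payload: bytes  # first bytes of application data


@dataclass
class L4Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, e.g. "10.0.0.0/8"
    dst: str              # CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any port


def packet_filter(rules: List[L4Rule], pkt: Packet) -> str:
    """Stage 1: first matching rule wins, default deny. Sees only L3/L4 fields."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def identify_app(payload: bytes) -> str:
    """Stage 2: classify by what the bytes look like, not by the port they arrived on."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # length (2 bytes), then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def http_host(payload: bytes) -> Optional[str]:
    """Extract the HTTP/1.x Host header value, if present."""
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.IGNORECASE)
    return m.group(1).decode("ascii", "replace").strip() if m else None


# Stage 3 policy: (app, host regex or None, action); first match wins, default allow.
# The hostname below is a constructed placeholder, not a real site.
APP_POLICY: List[Tuple[str, Optional[str], str]] = [
    ("http", r"(^|\.)blocked-app\.example$", "deny"),
    ("http", None, "allow"),
    ("tls", None, "allow"),
]

# Which application we expect to see on a given allowed port (constructed mapping).
EXPECTED_APP: Dict[int, Tuple[str, ...]] = {443: ("tls",), 80: ("http",), 22: ("ssh",)}


def inspect(rules: List[L4Rule], pkt: Packet) -> Tuple[str, str]:
    """Run all three stages and return (final_action, reason)."""
    if packet_filter(rules, pkt) == "deny":
        return "deny", "l4 rule"
    app = identify_app(pkt.payload)
    # A Layer 3/4 filter would already have passed this packet; DPI catches
    # traffic that merely borrows an allowed port (e.g. SSH on 443).
    if pkt.dport in EXPECTED_APP and app not in EXPECTED_APP[pkt.dport]:
        return "deny", f"port/app mismatch: {app} on {pkt.dport}"
    host = http_host(pkt.payload) if app == "http" else None
    for pol_app, pattern, action in APP_POLICY:
        if pol_app != app:
            continue
        if pattern is None or (host is not None and re.search(pattern, host)):
            return action, f"app policy: {app} {host or ''}".strip()
    return "allow", "default"


# Constructed rule set: internal 10/8 clients may reach any host on TCP 80 and 443.
RULES = [
    L4Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    L4Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
]

# Constructed sample packets (not captured traffic).
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x03])
SAMPLES: Dict[str, Packet] = {
    "ssh_on_443": Packet("10.1.2.3", "203.0.113.10", "tcp", 443, b"SSH-2.0-OpenSSH\r\n"),
    "tls_on_443": Packet("10.1.2.3", "203.0.113.10", "tcp", 443, TLS_CLIENT_HELLO),
    "http_blocked_host": Packet("10.1.2.3", "203.0.113.10", "tcp", 80,
                                b"GET / HTTP/1.1\r\nHost: www.blocked-app.example\r\n\r\n"),
    "http_ok_host": Packet("10.1.2.3", "203.0.113.10", "tcp", 80,
                           b"GET /docs HTTP/1.1\r\nHost: docs.example\r\n\r\n"),
    "outside_src": Packet("192.168.1.5", "203.0.113.10", "tcp", 443, TLS_CLIENT_HELLO),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} l4={packet_filter(RULES, pkt):5s} final={inspect(RULES, pkt)}")
```

The packet filter alone passes the "ssh_on_443" sample because the 5-tuple matches an allow rule; only the content-based stage notices that the bytes are an SSH banner rather than a TLS ClientHello. The regex policy is what the article refers to when it says clients can tailor application control with regex: here it matches the HTTP Host header, and the same mechanism could be applied to URL paths or other extracted fields.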

Nonetheless, security vendors often differ in their definitions of UTM and NGFWs. Over time, UTM references will likely dissipate -- the same may even happen for NGFWs -- but what's certain is that enhancements to multifunctional security products, whatever they're called, will continue.

A guide to optimal NGFW functionality

Optimal NGFW products must have three characteristics: be comprehensive, flexible and easy to use. Yes, this sounds oxymoronic, but achieving this trifecta is very doable for NGFW vendors.

First, NGFWs must be comprehensive, so that they include IPS, antivirus/malware prevention, application control, deep packet inspection and stateful firewalls (the former inspects incoming packets, the latter, outgoing), encryption, compression, QoS, and other capabilities. One drawback NGFWs need to overcome is the reluctance many enterprises have of relying on a single point of failure for network security.

Second, NGFWs must be flexible, which also means scalable, so that features can be modularized and activated based on need.

And third, NGFWs must be easy to use, with a fairly intuitive management interface that provides a clean and easy-to-read dashboard, feature activations, rule set definitions, configuration analysis, vulnerability assessments, activity reports and alerts.

Today's NGFWs make up a cadre of network security products that purport to offer these three characteristics. Although NGFW services are listed with commonly named features (e.g., DLP, application control and threat intelligence), a close look shows some variation between NGFW vendor products. For example, vendors of NGFWs that offer mobile device security will admit that this is not a mobile device management (MDM) product. They can identify mobile devices and operating systems, provide policy enforcement based on apps, users and content, and even extend a VPN tunnel to prevent malware, but they do not provide total device management as offered by MDM products.

Meanwhile, some NGFW features are more robust and advanced than others. So it is incumbent upon customers to carefully vet the features of individual NGFW products to determine the best fit for them. For example, not all NGFWs provide two-factor authentication or mobile device security, but then, not every customer needs those features. And while there are those NGFWs that say they support such features, some might require additional modules or products to make them work.

How NGFWs are sold

Most NGFWs are appliance-based, but some are available as virtual products (software) -- where enterprises can install them on their own servers -- and some are delivered from the cloud as software as a service. Most are modular, such that an enterprise can choose to purchase and activate features commensurate with its specific needs and risks.

Another important point about NGFWs: Never pay retail price. NGFW vendors want the business, and their job is to demonstrate the differentiators that set them apart from competitors.

Enterprises should also never buy the best or most technologically advanced product. They need to make an NGFW purchase decision based on need, risk and future growth. Don't buy a Cadillac if a Chevy pickup truck will do the job. Just make sure to know how long that pickup truck is needed, and ensure it'll be sufficient to maintain the organization's anticipated pace of growth.

The future of NGFWs

We live in exciting times. Conversations with top NGFW vendors reveal features under development that will make the IT department's life easier while further strengthening network security. These companies are also resolved to develop NGFW products that are better tailored to the network security requirements of SMBs, large enterprises and everything in between.

NGFW vendors are also spending a considerable amount of time and expense in R&D to keep pace with today's sophisticated attacks and meet the comprehensive, flexible and easy-to-use requirements outlined above. One of the major differentiators that, ironically, all of these major NGFW companies purport to be working on is threat intelligence that is current, open, continuous, adaptive and automatic.

In addition, all of today's NGFW vendors resolve to provide as comprehensive a coverage package to customers as possible without sacrificing performance. To help decide which one is the best for your environment, review the NGFW performance results in the NSS Labs NGFW comparative analysis, conducted Oct. 7, 2014. This independent study reported on 12 vendor NGFWs and addressed performance, security and total cost of ownership.

This was last published in February 2015


Does your organization use NGFWs?
NGFWs come with variable functionality that allows an organization to choose what to implement and when, even though the main prospect with such firewalls is to realize deep-inspection, high-perimeter firewalls, which may therefore equate to a higher horsepower and resource requirement. They also provide application awareness capable of inspecting session activities, and IPS integrations that provide more cost-conscious application awareness. They are also equipped with malware monitoring and identity-awareness security.
To me, NGFWs offer integrated network security that is not only comprehensive and cost-effective, but also scalable, and can be easily managed via common processes.
Are NFGW the same thing as NGFW? There are several times in the article where the letters are switched around. Thank you.