My Favorite Next-Generation Firewall Security Features
In this article
This article is part of a series exploring next-generation firewalls (NGFW). If you're new to the subject, I suggest starting with "What is a Next-Generation Firewall?" and "Selecting an NGFW: Other Considerations." This article takes a deeper dive into some unique NGFW features being released by original equipment manufacturers (OEMs) like Cisco, Palo Alto, Fortinet and Check Point.
NGFW solutions typically come with a base set of features that are, for the most part, at parity across OEMs. However, OEMs often include extra features to differentiate their NGFWs in the market.
Let's explore some of my favorite features.
Cisco, which has been in the firewall business for many years, takes a threat-centric approach to protection. Their NGFW platform is called Cisco Secure Firewall, which runs Cisco's Secure Firewall (formerly Firepower Threat Defense (FTD)) software.
My favorite Secure Firewall add-on capability, called Cisco Secure Endpoint (formerly Advanced Malware Protection (AMP)), is available via subscription.
What's unique about an Cisco Secure Endpoint subscription? Simple. It enhances your Cisco Secure Firewall's point-in-time detection and unlocks three of my favorite features:
- Continuous analysis: This feature tracks files after they've entered your network, allowing you to identify where, when and how malicious files got in and then allowing you to block them.
- Retrospective security: Cisco Secure Endpoint continuously tracks and analyzes files and file activity as they traverse the network. If a file begins to exhibit malicious behavior, Secure Endpoint will provide a retrospective alert.
- File capture with integrated malware analysis: This feature allows you to store and retrieve files for further analysis. The integration of Threat Grid (a separate advanced malware add-on) allows you to examine unknown and suspicious files in a safe, highly secure sandbox environment, either in the cloud or locally.
For more on the features that make Cisco's Secure Firewall stand out, explore WWT's hands-on Cisco NGFW Foundations Lab here.
Palo Alto has also been in the firewall business since its first product shipment in 2007. Palo continues to add NGFW capabilities both by internal development and through acquiring companies with compelling products. These enhancements are integrated into the Palo Alto NGFW platform suite.
This brings me to integrated DNS security, my favorite Palo Alto NGFW feature. DNS attacks occur when a threat actor exploits the vulnerabilities of the domain name system (DNS), which translates domain names into IP addresses.
While discussions of DNS security may bring to mind OpenDNS — a suite of consumer products (purchased by Cisco in 2015) aimed at making online user experiences safer, faster and more reliable — Palo's approach to DNS is unique in two respects:
- DNS Security: Palo Alto is the only NGFW to have built-in DNS Security service as part of policy. This service applies predictive analytics, machine learning and automation to block DNS attacks. Tight integration with Palo's NGFW provides automated protections and eliminates the need for independent tools, multiple configurations and a separate management console. Now organizations can rapidly predict and prevent malicious domains, neutralize threats hidden in DNS tunneling and apply automation to quickly find and contain infected devices. While Palo's DNS security service is integrated with PAN-OS — the software that runs all Palo Alto NGFWs — it does require a separate subscription.
- DNS Sinkholing: DNS sinkholing helps organizations identify infected hosts on protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (i.e., when the firewall cannot see the originator of the DNS query). Typical deployments have the firewall north of the local DNS server, meaning the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host.
Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains. So clients attempting to connect to malicious domains (for command and control, as an example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address or a user-defined IP address. This represents an innovative use of older security concept.
Fortinet has been in the firewall business since its FortiGate NGFW product first shipped in 2002. Fortinet brings many features to the table, including my favorite: an integrated software-defined wide area network (SD-WAN) capability.
In a nutshell, SD-WAN involves managing WAN routers from a controller — creating the "brains" of the network — so thousands of routers can potentially be managed from a central portal. In addition to simplified management, SD-WAN enables a NGFW to run over any network medium (such as copper, fiber or LTE) and any type of service provider connection (direct internet, MPLS, etc.).
The key to an SD-WAN solution is that the secure network is easily managed from a central controller. Network administrators can now build policies and seamlessly push them to every device at once, which greatly simplifies IT management.
Now back to the good part. SD-WAN is a built-in feature of the FortiGate NGFW! Most OEMs require SD-WAN to be purchased separately. This built-in feature is a nice value proposition.
Founded in 1993, Check Point is the old player in the enterprise firewall space. Since its founding, Check Point has introduced many security innovations. Along with everything else it does in the security space — with solutions touching mobile protection, IPS, DLP, URL filtering, antivirus, anti-malware and anti-ransomware — Check Point recently introduced Maestro, the industry's first hyperscale network security solution.
Maestro is not a NGFW — it's is a new way to architect and manage a cybersecurity footprint. It allows organizations to scale up existing Check Point security gateways on demand, similar to how you'd spin up servers and compute resources in a public cloud.
Maestro delivers a high standard of resiliency while enabling a single gateway object to expand capacity and performance while enabling elastic flexibility and massive firewall throughput.
My favorite Maestro feature is its nearly limitless scalability because it enables organizations to support the high data rates and ultra-low latency required for 5G.
The principle behind Maestro is very simple: it enables organizations to start with their existing security implementations, no matter how small, and scale those capabilities. With Maestro, there is no need to take firewalls out of production until they're no longer supported.
Note that Maestro must be purchased as an add-on feature.
For a deep dive into Check Point's Maestro, watch this video on our B2B Innovation Platform.
NGFW can be thought of as a platform or ecosystem that continues to evolve through a combination of newly built features and synergies realized from interesting and strategic acquisitions.
Deciding which NGFW product to choose has also become more complex as organizations now must consider other components (e.g., endpoint, branch office, cloud, etc.) in their assessments. The good news is that an integrated environment provides much more visibility and control.
At WWT, we want your organization to select a NGFW security platform that delivers the broadest integration and the most comprehensive visibility/control. With the hands-on labs linked to above, plus many other resources at our disposal in our Advanced Technology Center (ATC), we can help you compare the various NGFW solutions on the market against your unique use cases and requirements to select the best platform.
Contact your WWT Account Manager to schedule a Next-Generation Firewall Workshop today.