What is a Next-generation Firewall (NGFW)?
Learn about the history of NGFW and three areas where it can have a major impact.
The NGFW abbreviation is often used in the Information Security industry. What is a next-generation firewall (NGFW) and why is it significant? Also, what makes a firewall “next generation”?
The NGFW will give you unparalleled visibility into your traffic and control all traffic that traverses it… if you let it!
The NGFW is generally a third-generation firewall technology. Some technologists call application firewalls the third generation and NGFW the fourth generation. However, we will consider application firewalls a stutter step on the way to the NGFW. Firewall generations one and two are quickly summarized below, then explained in more detail later in this article.
- First-generation firewall – Filters packets only; very basic capability and minimal visibility
- Second-generation firewall – Introduces session awareness and enhances traffic visibility
The NGFW combines a traditional firewall (generations one and two) with other network and application related filtering functionalities. Below is a list of the other functionalities that make a firewall next generation.
- Application firewall – A solution that controls access (inputs/outputs) to an application by a user or another application. The application firewall can operate on any network layer.
- Intrusion prevention system (IPS) – The IPS is a network security technology that monitors network traffic for malicious activity and can block and/or alert based on configuration.
- Website filtering – A solution that filters websites based on multiple criteria (e.g. keywords) and categorizations (e.g. gambling).
- Bandwidth management – Also referred to as Quality of Service (QoS), this solution controls communication flows to avoid poor performance for critical services.
- Anti-virus inspection – This technology is used to monitor, detect and eradicate malware that can impact computer systems and services.
- Identity management integration – This feature enables NGFW integration with identity services (e.g. Active Directory). This integration enables the NGFW to use a user’s identity to make access decisions, in addition to the Internet Protocol (IP) address or web address.
Some NGFW manufacturers include additional features beyond the list above. However, the list above is generally considered the minimum for a firewall to be considered an NGFW.
NGFW significantly impacts three areas
- Consolidation of technology components
- Deeper visibility and traffic control
- Unified management
Let’s dive deeper into each area.
Consolidation of technology components
Imagine a time when each NGFW component was a different device or server. Then imagine that each component was replicated to provide redundancy: the initial seven devices become fourteen. Then imagine a multi-egress organization where these fourteen devices must be replicated multiple times to avoid “backhauling” traffic. The magnitude and cost of this infrastructure became significant. An NGFW consolidates the technologies into one suite that is replicated once. Fourteen or more devices become two.
Deeper visibility and traffic control
Network traffic has become more complex. Media platforms like Facebook, Google and YouTube have many features, but they require different controls in a corporate environment. The days of simply blocking Facebook, Google and YouTube are gone. Many corporations use Facebook and YouTube to market products and services. Additionally, Facebook and Google are used to communicate with customers.
Therefore, we need technologies that understand the media platforms and can control access. Features like identity, deep inspection and platform awareness are critical to managing evolving corporate environments.
The NGFW brings capabilities to meet these changing needs. An example: the corporate marketing team needs access to Facebook to manage the corporate presence. However, we do not want the overall workforce to have access to Facebook. Achieving this requirement generally requires identity awareness and user control. The control can allow access to Facebook for users in the marketing team by user ID, while all other users are blocked from Facebook. Furthermore, where the upload function is permitted, we can enable content controls that stop content containing sensitive information from being shared online.
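As an added example (not part of the original article), the following Python models the policy just described: Facebook browsing and uploads are allowed for members of the marketing group, blocked for everyone else, and permitted uploads are inspected for a sensitive-data pattern. The user directory, group names and the `PROJ-` pattern are constructed stand-ins for an identity-service lookup and a DLP signature.

```python
import re
from dataclasses import dataclass

# Constructed identity directory: stands in for an Active Directory group lookup.
USER_GROUPS = {
    "alice": {"marketing", "staff"},
    "bob": {"engineering", "staff"},
}

# Constructed DLP pattern: a made-up internal project-code format treated as sensitive.
SENSITIVE = re.compile(r"\bPROJ-\d{4}-[A-Z]{3}\b")

@dataclass
class Rule:
    app: str               # application the NGFW has identified, e.g. "facebook"
    action: str            # "browse" or "upload"
    groups: set            # membership in any of these groups makes the rule apply
    verdict: str           # "allow" or "block"
    inspect: bool = False  # run content inspection on an allowed upload

# First match wins, so the marketing-specific allows sit above the staff-wide blocks.
POLICY = [
    Rule("facebook", "browse", {"marketing"}, "allow"),
    Rule("facebook", "upload", {"marketing"}, "allow", inspect=True),
    Rule("facebook", "browse", {"staff"}, "block"),
    Rule("facebook", "upload", {"staff"}, "block"),
]

def evaluate(user, app, action, content=""):
    """Return the verdict for one request: the first matching rule decides;
    unknown users and unmatched requests fall through to a default block."""
    groups = USER_GROUPS.get(user, set())
    for rule in POLICY:
        if rule.app == app and rule.action == action and groups & rule.groups:
            if rule.verdict == "allow" and rule.inspect and SENSITIVE.search(content):
                return "block:sensitive-content"
            return rule.verdict
    return "block:default"

if __name__ == "__main__":
    print(evaluate("alice", "facebook", "browse"))                           # allow
    print(evaluate("bob", "facebook", "browse"))                             # block
    print(evaluate("alice", "facebook", "upload", "Q3 plan PROJ-2024-ABC"))  # block:sensitive-content
```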
Unified management
The unified management component is an extension/benefit of the technology consolidation brought by the NGFW. Imagine the original seven device/server environment that was replicated to provide redundancy. Each one of the seven technologies had an administrative console. Additionally, the configurations were independent and non-integrated.
The NGFW brings all the management features together into one management console. Each technology can leverage data from the other for configurations and visibility. This consolidated management helps reduce cost and improve effectiveness as well. Next, we will discuss previous generation firewalls.
Previous firewall generations
The original firewall technology was called a packet filter. The packet filter technology worked by inspecting basic network information between computers. When the traffic traversing the firewall did not match the packet filter’s rules, an action could be taken. The action taken could be drop (discard the packet without response), reject the packet (discard the packet with a notification to the sender) or allow the packet to pass.
The packet filtering technology could leverage the source IP/network address, the destination IP/network address, protocol or source/destination port numbers. Internet communication was mostly Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). However, other communication types such as Internet Control Message Protocol (ICMP) are also used.
The basic features of the first-generation firewalls were useful for basic communication and control. However, these firewalls had to evaluate each packet on its own and had no understanding of an ongoing conversation (stateless). Additionally, it was difficult to write filters that blocked and allowed traffic as expected.
The second generation of firewalls introduced the concept of keeping track of the connection state (stateful inspection). The stateful firewall uses the network and transport layers to keep track of connections between computers. The “state” of the connections was kept in memory. This enhancement to just packet filtering helped improve network security.
This generation of firewall was susceptible to denial of service attacks unless protections were integrated into the design. The denial of service attack was carried out by an attacker bombarding the firewall with fake connections, filling the state memory and overwhelming the firewall. The second-generation firewall is still widely used. However, it is typically leveraged as an internal firewall (non-internet facing).
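The two earlier generations just described, as an added example that is not from the original article: a stateless packet filter with allow/drop/reject verdicts over source/destination network, protocol and port, and a second-generation stateful firewall that recognises reply traffic from its state table and caps that table so a flood of fake connections evicts old entries rather than exhausting memory. The rule format, packet dictionaries and IP ranges are constructed for illustration.

```python
import ipaddress
from collections import OrderedDict

class Rule:
    """One first-generation rule; a field left as None matches anything."""
    def __init__(self, action, src=None, dst=None, proto=None, dport=None):
        self.action = action                       # "allow", "drop" or "reject"
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        return ((self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

def packet_filter(rules, pkt, default="drop"):
    """Stateless: every packet is judged on its own header fields alone."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

class StatefulFirewall:
    """Second generation: remembers allowed connections so reply traffic passes
    without a broad inbound rule. max_states caps the state table so a flood
    of fake connections evicts old entries instead of exhausting memory."""
    def __init__(self, rules, max_states=1000):
        self.rules, self.max_states = rules, max_states
        self.states = OrderedDict()   # (src, sport, dst, dport, proto) -> True

    def process(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if reverse in self.states:                 # reply to a tracked connection
            return "allow"
        verdict = packet_filter(self.rules, pkt)
        if verdict == "allow":
            if len(self.states) >= self.max_states:
                self.states.popitem(last=False)    # evict the oldest entry
            self.states[key] = True
        return verdict

# Constructed policy: internal 10.0.0.0/8 may open TCP/443 outbound; ICMP is
# rejected with a notification to the sender; everything else is silently dropped.
RULES = [Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
         Rule("reject", proto="icmp")]
```

With a small `max_states`, a burst of new connections evicts the state of a legitimate session, so its reply packets fall back to the stateless rules and are dropped; that is the resource-exhaustion effect the text describes, contained to eviction rather than memory exhaustion.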
Firewall technology continues to improve. Expect newer technologies to be consolidated into the firewall, setting the foundation for the next next-generation firewall (the fourth generation). The evolution of firewall technology and the integration of network services will hopefully create a secure-by-default configuration for network connectivity.