What Is NGFW? A Primer on the Third Generation of Firewalls
Cybersecurity programs urgently need to catch up with the rapid pace of digitization. Today, only about 60% of an organization's business ecosystem sits behind a robust security perimeter. The remaining 40% often remains unsecured against breaches, vulnerability exploits and targeted attacks.
Such a gap is understandable given corporations' growing technical footprint, but it is hardly acceptable. Fortunately, more comprehensive cybersecurity solutions are coming to the fore, one of them being next-generation firewalls (NGFWs).
NGFW stands for next-generation firewall — the third-generation network security technology (hardware and software) enabling deep-packet inspection of inbound and outbound network traffic. Apart from providing baseline dynamic packet filtering, NGFW solutions also include add-on functionality for application inspection, intrusion prevention and detection, and threat intelligence among others.
These characteristics make NGFWs better equipped to prevent Advanced Persistent Threats (APTs), malware, ransomware and zero-day exploits, all of which are prevalent among organizations of all sizes.
Key characteristics of NGFW:
- Combination of advanced routers and software solutions
- Fine-grained security policy enforcement
- Contextualized analysis of networking data
- Advanced application control and awareness
- Integrated intrusion prevention and detection capabilities
- Comprehensive network visibility across users, hosts, networks and apps
- Flexible deployment scenarios
- Centralized security management
- Threat reporting and visualization
Next-generation firewalls also help collect cybersecurity intelligence from outside the firewall. This supplies your cybersecurity teams with extra knowledge for extending protection to every user on the network, regardless of their location or device.
Traditional firewalls were designed to police network traffic based on the source IP/network address, the destination IP/network address, the protocol and the source/destination port numbers. Every incoming or outbound packet passes an inspection check against these characteristics to get a go/no-go decision. However, such inspections are mostly stateless: since each packet is inspected individually, the technology cannot understand the wider context of the transmitted traffic.
This, in turn, can inconveniently limit user access to required resources (e.g., if all corporate IPs are blocked for Twitter, then your social media team cannot post updates) and, at the same time, let more sophisticated threats through the door (e.g., man-in-the-middle attacks).
Next-generation firewalls, on the contrary, support stateful inspection. A solution of this type can track the connection state of packets attempting to enter the network and analyze the packet's content. Moreover, NGFW solutions include a signature-based intrusion detection system (IDS) for analyzing abnormal patterns in network traffic that signal a breach attempt. Unlike traditional firewalls, NGFWs also allow the implementation of more granular security controls for URL filtering, application access and traffic shaping.
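To make the stateless-versus-stateful distinction concrete, here is an added, constructed Python model (not code from the original article or from any vendor product). The stateless filter judges each packet on its 5-tuple alone, so to let web replies back in it must admit any packet sourced from port 80, which also admits unsolicited packets from an outside host. The stateful filter tracks flows initiated from inside, admits replies only for tracked flows, and, like an NGFW, runs a payload signature check and a URL/host filter on the tracked traffic. The addresses, the signature pattern, the blocked hostname and the packet sequence are all invented for illustration; real HTTPS traffic would need TLS inspection before the host filter could see anything.

```python
"""Constructed model contrasting a stateless 5-tuple filter with a
stateful, content-aware filter. All addresses, rules and packets below
are synthetic sample data, not taken from any real deployment."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""


def _match(value, pattern):
    """'*' matches anything; 'a.b.c.d/n' matches an address prefix."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return value == pattern


# Stateless rules: (src, dst, proto, sport, dport) -> action, first match wins.
# The second rule is the hole a stateless design needs to let replies back in.
STATELESS_RULES = [
    (("10.0.0.0/8", "*", "tcp", "*", 80), "allow"),
    (("*", "10.0.0.0/8", "tcp", 80, "*"), "allow"),
]


def stateless_decide(pkt):
    """Judge a packet in isolation on its 5-tuple; default deny."""
    five_tuple = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    for pattern, action in STATELESS_RULES:
        if all(_match(v, p) for v, p in zip(five_tuple, pattern)):
            return action
    return "deny"


def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


class StatefulFilter:
    """Tracks flows opened from the inside network; admits replies only for
    tracked flows, and inspects tracked traffic with signatures (IDS) and a
    host/URL filter (application control)."""
    INSIDE = ipaddress.ip_network("10.0.0.0/8")
    SIGNATURES = {b"/../": "path-traversal"}      # constructed IDS signature
    BLOCKED_HOSTS = {"social.example"}            # constructed URL-filter entry

    def __init__(self):
        self.flows = set()   # keys: (src, sport, dst, dport)

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            # Known flow: allowed at the network layer, now inspect content.
            for sig, name in self.SIGNATURES.items():
                if sig in pkt.payload:
                    self.flows.discard(key)
                    self.flows.discard(reverse)   # tear the session down
                    return f"deny:{name}"
            if http_host(pkt.payload) in self.BLOCKED_HOSTS:
                return "deny:url-filter"
            return "allow"
        inside_src = ipaddress.ip_address(pkt.src) in self.INSIDE
        if inside_src and pkt.proto == "tcp" and pkt.flags == {"SYN"}:
            self.flows.add(key)        # new outbound connection: track it
            return "allow"
        return "deny:unsolicited"      # inbound packet with no matching flow


# Constructed packet sequence: one client web session plus one outside host
# sending an unsolicited SYN that spoofs source port 80.
CLIENT, SERVER, OUTSIDER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
PACKETS = [
    Packet(CLIENT, SERVER, "tcp", 51000, 80, frozenset({"SYN"})),
    Packet(SERVER, CLIENT, "tcp", 80, 51000, frozenset({"SYN", "ACK"})),
    Packet(CLIENT, SERVER, "tcp", 51000, 80, frozenset({"ACK"}),
           b"GET /index.html HTTP/1.1\r\nHost: docs.example\r\n\r\n"),
    Packet(CLIENT, SERVER, "tcp", 51000, 80, frozenset({"ACK"}),
           b"GET / HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    Packet(OUTSIDER, CLIENT, "tcp", 80, 51001, frozenset({"SYN"})),
    Packet(CLIENT, SERVER, "tcp", 51000, 80, frozenset({"ACK"}),
           b"GET /../secret HTTP/1.1\r\nHost: docs.example\r\n\r\n"),
]


def compare(packets=PACKETS):
    """Run the same sequence through both filters; returns a list of
    (stateless_action, stateful_action) pairs, one per packet."""
    stateful = StatefulFilter()
    return [(stateless_decide(p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (a, b) in zip(PACKETS, compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a}  stateful={b}")
```

The stateless filter returns "allow" for every packet, including the outsider's SYN and the blocked-host request, because it has no notion of a session and cannot see past the headers. The stateful filter denies the unsolicited SYN, the request to the filtered host and the packet matching the signature, while still passing the legitimate session.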
Finally, NGFW technology is primarily distributed as a connected ecosystem of security products (both hardware and software), rather than as standalone router devices and/or complementary software.
Given the dramatic spike in cyber incidents, nearly every business today can benefit from a next-generation firewall. But some industries are more susceptible to advanced persistent threats. According to IBM's X-Force Threat Intelligence Index, the most attacked industries are:
- Finance and insurance
- Professional services
Specifically, attackers target Linux systems, operational technology, cloud environments and IoT devices. Ransomware and malware distribution were on the rise last year, too. Unfortunately, the volume of attacks is not expected to abate anytime soon.
Organizations in the above verticals can benefit greatly from NGFW adoption, since such solutions offer a robust way to prevent breaches through fine-grained policy management, streamlined threat intelligence and built-in malware protection.
Next-generation firewall vendors also provide competitive pricing based on the size of your infrastructure, required functionality and deployment scenario — on-premises or in the cloud. Such solutions can be afforded by smaller companies operating in regulated industries, though larger multi-branch corporations will likely experience faster ROI.
NGFW solutions are more than OEM-supplied hardware. Most vendors now package the deal as an ecosystem of security solutions and connected services users can stack to create a comprehensive security perimeter. If you are new to the concept, read our primer on selecting NGFW ecosystem components first to better understand the type of solution you need.
Palo Alto Networks NGFW offers a robust combination of hardware and virtual appliances, as well as Firewall as a Service (FWaaS) solutions via Prisma Access. In each case, customers receive access to granular application controls, flexible usage-based policy optimization and integrated DNS security. Palo Alto Networks is also one of the first companies to offer a machine learning-powered NGFW.
- Intelligent URL filtering
- Built-in best practice rules
- Tunnel monitoring capabilities
- Mobile device management
- Denial of Service (DoS) protection
- Vulnerability protection
- Anti-spyware, malware, ransomware scanning
- Data Loss Prevention (DLP)
Fortinet FortiGate (NGFW) provides hardware security solutions for every type of business — from a local branch office to a hybrid data center. The solution is based on purpose-built security processors (SPUs), including the latest NP7 model. The physical device is further augmented by FortiGuard Lab threat intelligence and advanced security analytics, provided by FortiAnalyzer.
- Built-in software-defined wide-area networking (SD-WAN) functionality
- One of the highest SSL inspection performances on the market
- The latest models can secure large-scale AI/ML workloads
- User-friendly management interface
- Seamless integration with other security products
Cisco Secure Firewall devices are a long-standing leader in hardware next-generation firewall products and, more recently, in virtual firewall solutions for public and private clouds, distributed as FWaaS via Cisco Secure Edge (formerly Umbrella). All Cisco solutions now come with a convenient management interface to exercise unified controls over all connected assets, as well as Cisco Defense Orchestrator for security policy rollouts and implementation.
- Protect both on-premises and cloud-based workflows
- VMware, KVM, Hypervisor support
- Advanced Malware Protection and URL filtering
- Snort 3 next-generation intrusion prevention system
- State-of-the-art threat intelligence (Talos)
Check Point has a long history of shipping firewall hardware. In 1994, they were the first vendor to introduce a stateful firewall solution with advanced traffic scanning capabilities. Since then, the company has significantly evolved its range of physical and virtual NGFW appliances and has released the Check Point Infinity architecture — a consolidated security framework for extending advanced threat prevention mechanisms across network, cloud, mobile and IoT ecosystems.
- End-to-end security coverage across your tech real estate
- Robust intrusion protection and malware detection capabilities
- 64 different threat prevention engines included
- Guaranteed protection against zero-day threats
- Convenient, centralized, automated security management control across networks
Next-generation firewalls offer higher levels of protection against ever-evolving threats. Instead of a single packet filtering solution, you gain access to a host of modular network and application security tools and features for establishing a bulletproof perimeter no malicious party can penetrate.
Learn more about how WWT can help you right-size your next-generation firewall implementation.