NGFW Firewall

François Neveu
2025-12-16 19:23:28
Number of replies: 1
0

Next generation firewalls protect the organization from breaches and cyber threats, so it’s important to validate that the next generation firewall can accomplish its advertised functions. The best next generation firewalls are rigorously tested and certified by trusted, independent technology product assurance testers, such as ICSA Labs.

When evaluating solutions, consider that the best next generation firewall may be part of a broader solution. For example, the HPE Aruba Networking EdgeConnect SD-WAN platform combines advanced SD-WAN capabilities with identity- and role-based traffic segmentation, enforced with a built-in next gen firewall (including IDS/IPS and other security functions). HPE Aruba Networking was also the first SD-WAN vendor to attain ICSA Labs Secure SD-WAN certification, validating its built-in next generation firewall and advanced security features.

Anne Texier
2025-12-07 15:51:35
Number of replies: 2
0

Today’s cyberthreat landscape demands robust threat protection, and traditional firewalls aren’t up to the task. NGFWs can block advanced malware, and they’re better equipped to thwart advanced persistent threats (APTs), such as Cozy Bear, responsible for the SUNBURST supply chain attack of 2020, and Deep Panda, who are notorious for exploiting the Log4Shell vulnerability. Plus, with integrated threat intelligence and options for networking and security automation, NGFWs have given organizations the opportunity to not only simplify security operations, but also take the first step toward a fully realized security operations center (SOC).

All of this potential upside, however, comes with some challenges.

Challenges for NGFWs

Limited by their hardware, there are many cases where physical NGFW appliances can’t effectively perform to meet the needs of today’s modern environments, introducing multiple issues.

Backhauling Traffic for Security

Backhauling to an NGFW made sense when data centers, endpoints, and resources were mostly on-premises. But now, as user mobility and cloud adoption continue to trend upward, NGFW hardware in a traditional data center just can’t keep up. Cloud apps like Microsoft 365 are designed to be accessed directly via the internet. But for VPNs and NGFWs in an organization’s data center to provide access and security, all traffic needs to go through that data center, slowing everything down. To deliver a fast user experience, organizations need to route internet traffic locally.

Securing Local Internet Breakouts

You can secure local internet breakouts with NGFW hardware, but to do so, you need a separate security stack in each location—NGFWs and potentially more appliances in every branch office, all of which need to be manually deployed, maintained, and eventually replaced, which can quickly get prohibitively complex and expensive.

Inspecting TLS/SSL-Encrypted Traffic

Almost all of today’s web traffic is encrypted. To perform SSL inspection, most NGFWs use bolt-on proxy capabilities that execute the inspection in software, rather than at the chip level. This heavily impacts performance, which hurts the user experience—but without inspection, you’re blind to more than 85% of attacks.

Éléonore Dupuy
2025-12-07 15:50:55
Number of replies: 1
0

A next-generation firewall (NGFW) does this, and so much more.

In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks.

According to Gartner's definition, a next-generation firewall must include:

- Standard firewall capabilities like stateful inspection
- Integrated intrusion prevention
- Application awareness and control to see and block risky apps
- Threat intelligence sources
- Upgrade paths to include future information feeds
- Techniques to address evolving security threats.

What should I look for in a next-generation firewall?

The best next-generation firewalls deliver five core benefits to organizations, from SMBs to enterprises.

Make sure your NGFW delivers:

Breach prevention and advanced security.

The number-1 job of a firewall should be to prevent breaches and keep your organization safe.

But since preventive measures will never be 100% effective, your firewall should also have advanced capabilities to quickly detect advanced malware if it evades your front-line defenses.

Invest in a firewall with the following capabilities:

- Prevention to stop attacks before they get inside
- A best-of-breed next-generation IPS built in to spot stealthy threats and stop them fast
- URL filtering to enforce policies on hundreds of millions of URLs
- Built-in sandboxing and Advanced Malware Protection that continuously analyzes file behavior to quickly detect and eliminate threats
- A world-class threat intelligence organization that provides the firewall with the latest intelligence to stop emerging threats.

Comprehensive network visibility.

You can't protect against what you can't see.

You need to monitor what is happening on your network at all times so you can spot bad behavior and stop it fast.

Your firewall should provide a holistic view of activity and full contextual awareness to see:

- Threat activity across users, hosts, networks, and devices
- Where and when a threat originated, where else it has been across your extended network, and what it is doing now
- Active applications and websites
- Communications between virtual machines, file transfers, and more.

Flexible management and deployment options.

Whether you are a small to medium-sized business or a large enterprise, your firewall should meet your unique requirements:

- Management for every use case: Choose from an on-box manager or centralized management across all appliances
- Deploy on-premises or in the cloud using a virtual firewall
- Customize with features that meet your needs: Simply turn on subscriptions to get advanced capabilities
- Choose from a wide range of throughput speeds.

Fastest time to detection.

The current industry standard time to detect a threat is between 100 and 200 days; that is far too long.

A next-generation firewall should be able to:

- Detect threats in seconds
- Detect the presence of a successful breach within hours or minutes
- Prioritize alerts so you can take swift and precise action to eliminate threats
- Make your life easier by deploying consistent policy that's easy to maintain, with automatic enforcement across all the different facets of your organization.

Automation and product integrations.

Your next-generation firewall should not be a siloed tool.

It should communicate and work together with the rest of your security architecture.

Choose a firewall that:

- Seamlessly integrates with other tools from the same vendor
- Automatically shares threat information, event data, policy, and contextual information with email, web, endpoint, and network security tools
- Automates security tasks like impact assessment, policy management and tuning, and user identification.

Pauline Prevost
2025-12-07 15:49:29
Number of replies: 2
0

A next-generation firewall (NGFW) is a part of the third generation of firewall technology, combining a conventional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS).

Other techniques might also be employed, such as TLS-encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection, third-party identity management integration (e.g. LDAP, RADIUS, Active Directory),[1] and SSL decryption.[2]

One of the first mentions of the NGFW term was in a 2004 document by Gartner.

NGFWs include the typical functions of traditional firewalls such as packet filtering,[4] network- and port-address translation (NAT), stateful inspection, and virtual private network (VPN) support.

The goal of next-generation firewalls is to include more layers of the OSI model, improving filtering of network traffic that is dependent on the packet contents.

The most significant differences are that NGFWs include intrusion prevention systems (IPS) and application control.[5]

Next-generation firewalls perform deeper inspection compared to stateful inspection performed by the first- and second-generation firewalls.[6]

NGFWs use a more thorough inspection style, checking packet payloads and matching signatures for harmful activities such as exploitable attacks and malware.[7]

Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape.

In fact, one in four[8] attacks exploit vulnerabilities in public-facing applications, as opposed to weaknesses in networking components and services.

Stateful firewalls with simple packet filtering capabilities were efficient at blocking unwanted applications, as most applications met the port-protocol expectations.

Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

But blocking a web application that uses port 80 by closing the port would also mean complications with the entire HTTP protocol.

Protection based on ports, protocols, and IP addresses is no longer reliable or viable.

This has led to the development of an identity-based security approach, which takes organizations a step ahead of conventional security appliances that bind security to IP addresses.

NGFWs offer administrators a deeper awareness of and control over individual applications, along with deeper inspection capabilities by the firewall.

Administrators can create very granular "allow/deny" rules for controlling use of websites and applications in the network.
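
The port 80 problem described in the post above, as an added example that is not part of the original post: a port-only rule and an application-aware rule are run over the same constructed flows. The hostnames, application labels, rule sets and sample payloads are hypothetical and not taken from any product.

```python
# Added example: port-based vs application-aware filtering on constructed flows.
# Hostnames, app labels and rule sets are hypothetical, not from any product.

# (destination port, first bytes of client payload); constructed, not captured
FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80,   b"GET /upload HTTP/1.1\r\nHost: fileshare.example\r\n\r\n"),
    (8080, b"POST /sync HTTP/1.1\r\nHost: fileshare.example\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\x05hello"),  # TLS handshake record, contents opaque
]

APP_BY_HOST = {"fileshare.example": "file-sharing", "intranet.example": "intranet"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def port_filter(flow, blocked_ports):
    """Classic L3/L4 decision: only the destination port is consulted."""
    port, _payload = flow
    return "deny" if port in blocked_ports else "allow"


def identify_app(payload):
    """Minimal DPI step: classify by payload content, ignoring the port."""
    if payload[:1] == b"\x16":           # TLS handshake content type
        return "tls-encrypted"           # needs TLS inspection to see further
    if not payload.startswith(HTTP_METHODS):
        return "unknown"
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return APP_BY_HOST.get(host, "http-other")
    return "http-other"


def app_filter(flow, blocked_apps):
    """Application-aware decision: the rule names an application, not a port."""
    _port, payload = flow
    return "deny" if identify_app(payload) in blocked_apps else "allow"


def compare(blocked_ports, blocked_apps):
    """Return (port_verdict, app_verdict) for every sample flow."""
    return [(port_filter(f, blocked_ports), app_filter(f, blocked_apps)) for f in FLOWS]


if __name__ == "__main__":
    for flow, verdicts in zip(FLOWS, compare({80}, {"file-sharing"})):
        print(flow[0], identify_app(flow[1]), verdicts)
```

Blocking port 80 denies the intranet request along with the file-sharing one and still allows the same application on port 8080, while the application rule denies only the file-sharing flows; the TLS flow stays unclassified because its payload is not visible without decryption.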

Zacharie Poulain
2025-12-07 15:23:05
Number of replies: 2
0

Next-generation firewalls (NGFWs) are, as you might expect, the more advanced of the two types, offering the most robust protection for business networks.

But what are the differences between traditional and NGFWs, and how do they benefit your business?

Before we get into the finer details, it’s important to clarify that next-generation firewalling is not a new concept, despite what its name suggests.

It is, however, the most advanced form of firewall that is currently available – and therefore the most recent.

NGFWs, as we’ll cover further down, go one step further than standard stateful inspection.

NGFWs have many of the traditional firewall’s common functions – plus several more.

In plain terms, NGFWs have more layers of security built into them, to protect against more sophisticated threats.

Crucially, they go beyond the static inspection that traditional firewalls are limited to, instead having application-level control.

Application awareness enables an organisation to view packets through proper context, and set application-specific rules.

Intrusion prevention system (IPS)

An extension of the intrusion detection system (IDS), IPSs have the capability to actively block intrusions once detected – dropping malicious packets, and logging the IP addresses and blacklisting all future traffic from them.

Deep packet inspection (DPI)

Whereas standard packet filtering only reads the header of a packet, DPI ensures thorough inspection of the packet’s contents, including its source, which means that the NGFW is able to see the full context of each packet.

With its more sophisticated features for detecting and protecting against threats, next-generation firewalling is currently the most effective solution to enterprise cyber security in the cloud age.