How we Help?

A traditional firewall provides stateful inspection of network traffic. It allows or blocks traffic based on state, port, and protocol, and filters traffic based on administrator-defined rules.

A next-generation firewall (NGFW) does this, and so much more. In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks. According to Gartner’s definition, a next-generation firewall must include:

• Standard firewall capabilities like stateful inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Threat intelligence sources
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats

The best next-generation firewalls deliver five core benefits to organizations, from SMBs to enterprises. Make sure your NGFW delivers:

1. Breach prevention and advanced security
The No. 1 job of a firewall should be to prevent breaches and keep your organisation safe. But since preventive measures will never be 100 percent effective, your firewall should also have advanced capabilities to quickly detect advanced malware if it evades your front-line defenses. Invest in a firewall with the following capabilities:

• Prevention to stop attacks before they get inside
• A best-of-breed next-generation IPS built-in to spot stealthy threats and stop them fast
• URL filtering to enforce policies on hundreds of millions of URLs
• Built-in sandboxing and advanced malware protection that continuously analyzes file behavior to quickly detect and eliminate threats
• A world-class threat intelligence organization that provides the firewall with the latest intelligence to stop emerging threats

2. Comprehensive network visibility
You can’t protect against what you can’t see. You need to monitor what is happening on your network at all times so you can spot bad behavior and stop it fast. Your firewall should provide a holistic view of activity and full contextual awareness to see:

• Threat activity across users, hosts, networks, and devices
• Where and when a threat originated, where else it has been across your extended network, and what it is doing now
• Active applications and websites
• Communications between virtual machines, file transfers, and more

3. Flexible management and deployment options
Whether you are a small to medium-sized business or a large enterprise, your firewall should meet your unique requirements:

• Management for every use case–choose from an on-box manager or centralised management across all appliances
• Deploy on-premises or in the cloud via a virtual firewall
• Customise with features that meet your needs–simply turn on subscriptions to get advanced capabilities
• Choose from a wide range of throughput speeds

4. Fastest time to detection
The current industry standard time to detect a threat is between 100 to 200 days; that is far too long. A next-generation firewall should be able to:

• Detect threats in seconds
• Detect the presence of a successful breach within hours or minutes
• Prioritise alerts so you can take swift and precise action to eliminate threats
• Make your life easier by deploying consistent policy that’s easy to maintain, with automatic enforcement across all the different facets of your organisation

5. Automation and product integrations
Your next-generation firewall should not be a siloed tool. It should communicate and work together with the rest of your security architecture. Choose a firewall that:

• Seamlessly integrates with other tools from the same vendor
• Automatically shares threat information, event data, policy, and contextual information with email, web, endpoint, and network security tools
• Automates security tasks like impact assessment, policy management and tuning, and user identification

Anyone who seeks to keep their network safe requires an NGFW because:

• It is a many-in-one solution that performs the tasks of multiple software and hardware security solutions – why muck about with multiple security solutions when all you need to do is configure one NGFW?
• It is cost-effective, again, because you won’t have to buy multiple security solutions, administer them, keep track of updates, upgrades, and licenses – when you can have just one big solution to worry about.
• It is a big leap from the traditional firewall – if you are using one – and it makes sense to move to a more modern method of network protection.
• Also, an NGFW will not bite into your bandwidth as would a traditional firewall (and all the other supporting security solutions that usually come with it).
  The big selling point here is: with an NGFW installed, you get a one-stop solution for all your network security issues.

Stateful firewalls were once considered cutting edge. However, NGFWs are a rank above them and so stateful firewalls are now considered by many to be “traditional.” An NGFW must be at least able to examine traffic actress packets (which is stateful). They also need to be able to establish a baseline of activity so that they can spot anomalous traffic. This is an AI-based technique that uses machine learning and is called user and entity behavior analytics (UEBA). An NGFW should also be able to interact with other services that might be provided by different producers. This ability is called SOAR, which stands for security orchestration, automation, and response.

Packet Filtering

All data that traverses a network or the Internet is broken down into smaller pieces called packets. Because these packets contain the content that enters a network, firewalls inspect them and block or allow them to prevent malicious content (such as a malware attack) from getting through. All firewalls have this packet filtering capability.

Packet filtering works by inspecting the source and destination IP addresses, ports, and protocols associated with each packet — in other words, where each packet comes from, where it is going, and how it will get there. Firewalls allow or block packets based on this assessment, filtering out the disallowed packets.

As an example, attackers sometimes try to exploit vulnerabilities associated with the Remote Desktop Protocol (RDP) by sending specially crafted packets to the port used by this protocol, port 3389. However, a firewall can inspect a packet, see which port it is going to, and block all packets directed at that port — unless they are from a specifically allowed IP address. This involves inspecting network traffic at layers 3 (to see source and destination IP addresses) and 4 (to see the port).

Deep packet inspection (DPI)

NGFWs improve upon packet filtering by instead performing deep packet inspection (DPI). Like packet filtering, DPI involves inspecting every individual packet to see source and destination IP address, source and destination port, and so on. This information is all contained in the layer 3 and layer 4 headers of a packet.

But DPI also inspects the body of each packet, not just the header. Specifically, DPI checks packet bodies for malware signatures and other potential threats. It compares the contents of each packet to the contents of known malicious attacks.

NGFWs block or allow packets based on which application they are going to. They do so by analysing traffic at layer 7, the application layer. Traditional firewalls do not have this capability because they only analyse traffic at layers 3 and 4.

Application awareness allows administrators to block potentially risky applications. If an application’s data cannot get past the firewall, then it cannot introduce threats into the network.

According to Gartner’s definitions of the terms, both this capability and intrusion prevention are elements of DPI.

Intrusion prevention analyzes incoming traffic, identifies known threats and potential threats, and blocks those threats. Such a feature is often called an intrusion prevention system (IPS). NGFWs include IPSes as part of their DPI capabilities.

IPSes can use several methods to detect threats, including:

• Signature detection: Scanning the information within incoming packets and comparing it to known threats
• Statistical anomaly detection: Scanning traffic to detect unusual changes in behavior, as compared to a baseline
• Stateful protocol analysis detection: Similar to statistical anomaly detection, but focused on the network protocols in use and comparing them to typical protocol usage

Threat intelligence is information about potential attacks. Because attack techniques and malware strains are continually changing, up-to-date threat intelligence is crucial for blocking those attacks. NGFWs are able to receive and act on threat intelligence feeds from external sources.

Threat intelligence keeps IPS signature detection effective by providing the latest malware signatures.

Threat intelligence can also supply IP reputation information. “IP reputation” identifies IP addresses where attacks (especially bot attacks) often come from. A feed of IP reputation threat intelligence provides the latest known bad IP addresses, which an NGFW can then block.

Some NGFWs are hardware appliances designed to defend an internal private network. NGFWs can also be deployed as software, but they do not need to be software-based to be considered next-generation.

Finally, an NGFW can be deployed as a cloud service; this is called a cloud firewall or firewall-as-a-service (FWaaS). FWaaS is an important component of secure access service edge (SASE) networking models.