Firewalls are a great way to delineate network segments and control traffic, and in a simpler time not so long ago, they did a great job of allowing in what you wanted inside your network, and blocking what you didn’t want. But first generation firewalls were mainly focused on controlling network traffic based on things like IP address, port or protocol. While this is still good, and still a part of next generation firewalls, it is no longer sufficient in today’s world of sophisticated attacks on web-enabled applications. Think of it as a first generation PC running DOS. It wasn’t a bad thing, but it is no longer sufficient, yet some of the underlying features like the “command prompt” are still useful.
In simple terms, the term “next generation firewall” (NGFW) describes hardware- or software-based systems designed to provide network security. In addition to address, port and protocol controls, they apply security policies and advanced heuristics that can also detect and block sophisticated attacks at the application level.
As an analogy, if you think of a first generation firewall as a flip phone, an NGFW would be a smartphone. NGFWs remain true to the original purpose of controlling and segregating traffic, but they have been expanded and now include three key capability areas: traditional enterprise-level firewall features, an intrusion prevention system and application-level controls. This application-level control builds on first generation dynamic packet filtering, where more than just packet headers are examined to determine valid traffic. NGFWs add even more context to the firewall’s intelligence about the application-level traffic passing through it. This enables better detection of bad traffic, which in turn gives the NGFW a greater ability to restrict, redirect or even block traffic that might be attempting to exploit vulnerabilities.
With the rapid expansion of web- and network-enabled applications, there are more opportunities than ever before to reach out and exploit someone. Criminals know that not every organization is capable of (or willing to) put up a first-class defense against information security threats. This combination of facts keeps the hackers busy searching for their next victim. Just as business takes advantage of automation to reduce overhead and improve consistency, cyber criminals have access to a number of tools that enable them to automate many aspects of a cyber attack, especially in the realms of phishing and ransomware. NGFWs are far more capable of detecting and intervening based on suspicious traffic patterns and characteristics.
Regulatory and compliance requirements also drive the need for NGFWs. For example, PCI DSS Requirement 1 is often misinterpreted as simply obtaining a dump of firewall rules, but it is much more than that. It calls for documenting the additional security features or controls you have enabled for each insecure service. To meet this requirement, you must map all in-use services so you know which insecure protocols are in use and need further action. NGFW management software often has capabilities that can satisfy these new and ever-expanding requirements.
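To make the difference between header-only filtering and application-level inspection concrete, and to show the kind of in-use service inventory the PCI requirement asks for, here is an added Python example (not from the article or any vendor product); the sample flows, the payload signatures and the policy tables are constructed assumptions, not real rule syntax.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first client->server bytes of the stream (constructed samples)

# First-generation rule base: decisions use destination port and protocol only.
PORT_POLICY = {(80, "tcp"): "allow", (443, "tcp"): "allow"}
# Simplified application signatures over the first payload bytes (illustrative,
# not any vendor's signature format).
APP_SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 2 and p[0] == 0x16 and p[1] == 0x03),
    ("telnet", lambda p: p[:1] == b"\xff" and p[1:2] in (b"\xfb", b"\xfd")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
]
# Cleartext services that PCI DSS Requirement 1 expects you to justify and document.
INSECURE_APPS = {"http", "telnet"}

def identify_app(flow: Flow) -> str:
    """Classify a flow by what its payload looks like, not by its port number."""
    for name, matches in APP_SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown"

def port_decision(flow: Flow) -> str:
    return PORT_POLICY.get((flow.dport, flow.proto), "deny")  # header fields only

def app_decision(flow: Flow) -> str:
    """Application-aware verdict: the web ports are open only to real web traffic."""
    app = identify_app(flow)
    if app in ("http", "tls") and (flow.dport, flow.proto) in PORT_POLICY:
        return "allow"
    return "deny"  # anything else, including SSH tunnelled over port 80, is dropped

def insecure_services(flows) -> list:
    """PCI-style inventory: which cleartext services are actually in use, on any port."""
    return sorted({(identify_app(f), f.dport) for f in flows if identify_app(f) in INSECURE_APPS})

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow(80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"),
    Flow(80, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n"),                 # SSH hiding on the web port
    Flow(443, "tcp", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),   # TLS ClientHello prefix
    Flow(2323, "tcp", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),  # telnet on a non-standard port
]
```

Running `port_decision` and `app_decision` over `SAMPLE_FLOWS` shows the second flow allowed by the port rule but denied once the payload is identified as SSH, and `insecure_services` reports the telnet session even though it is not on port 23.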
Networks are vastly more complex than they used to be, since they have to account for Internet-facing applications, third-party and business-partner integration, and mobile, work-from-anywhere employees. Cyber attacks become more sophisticated and plentiful every day, whether they come from individuals or organized crime. Firewalls are still a great idea, but don’t be caught using yesteryear’s technology to defend against tomorrow’s threats. Next generation firewalls provide a great deal more protection than their predecessors, and today’s network climate demands it!