What is a Next-Generation Firewall (NGFW) and how can it help safeguard your network?
Security firms are increasingly using the term “next generation firewall” to characterise their network security technologies. However, there is no unanimous agreement on the exact features required to name a firewall next generation (or not).
This article describes how a standard firewall works, how so-called next-generation firewalls differ from classic firewalls, and how the extra features these devices provide can help improve network security.
How do firewalls function?
A firewall, which was first developed in the late 1980s, is a device that restricts communication between two networks (or network segments).
The first firewalls were simple packet filters that could only manage connections based on TCP/IP port numbers and IP addresses. Because TCP uses well-known port numbers for specific services (HTTP is on port 80, for example), the firewall can prevent access to an FTP server by refusing to pass data destined for FTP’s well-known port 21.
During the 1990s, the technology improved to the point where the firewall could track the state of communication between specified hosts on either side of the firewall, a feature known as stateful filtering. Around the same time, NAT (Network Address Translation) became widespread, which meant that when a firewall was installed between two networks, all outgoing traffic appeared to originate from the firewall. Because it concealed the details of the internal network from devices on the internet, this was a critical technology that facilitated the emergence of secure internet communications.
Application Layer Firewall
The application layer firewall was the penultimate step in the classical firewall’s progression. By monitoring the individual socket connections to each TCP port, data flow can be regulated not merely by the server behind the firewall or the port number used for a specific protocol, but also by the program running on the server that is listening on a particular port.
A simple analogy is to consider a corporate firewall to be similar to the mail room in the basement of a company’s headquarters building.
Basic firewall rules are like saying that people can send letters to the accounts department, but not parcels. Or that no one may write to the HR department, but they can write to anyone else.
More advanced firewalls use allow lists based on the sender’s address on the back of the envelope: people in the United Kingdom, for example, can write to the accounts department, but people in Russia cannot. Or Microsoft’s accounts department may send letters to our accounts department, but no one from Cisco may.
The point of the analogy is that a next-generation firewall is like the mail room opening and reading every letter before deciding whether or not to deliver it: this letter addressed to the CEO looks like a hoax, so throw it out.
Traditional firewalls are primarily concerned with the protocol and addressing information contained in the data’s header. Their rules govern which IP addresses and ports are allowed to send data to, and receive data from, other IP addresses, ports, protocols and even sockets.
A next-generation firewall performs all of this with the header information, but it also reads and ‘understands’ the data payload to determine whether we should allow communication to enter or exit the network.
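To make the header-versus-payload distinction concrete, here is an added example (not code from the article or any vendor) that models a header-only packet filter beside a payload-aware filter; the packet structure, rule tables and the tiny application classifier are all constructed for illustration.

```python
# Added example (not from the article): a toy comparison of a header-only
# packet filter with a payload-aware next-generation filter. Packets, rules
# and the application-detection logic are all constructed for illustration.
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Traditional rule table keyed on header fields only: port -> allowed?
HEADER_RULES = {80: True, 443: True, 21: False}   # block FTP control port


def classic_filter(pkt: Packet) -> bool:
    """Allow or deny purely from the TCP/IP header, like a plain packet filter."""
    return HEADER_RULES.get(pkt.dst_port, False)


def identify_app(payload: bytes) -> str:
    """Tiny application classifier based on the first bytes of the stream."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/" in payload:
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:2] == b"\x16\x03":          # TLS record header: handshake, TLS 1.x
        return "tls"
    return "unknown"


# NGFW policy: which application is permitted on which port.
APP_RULES = {80: {"http"}, 443: {"tls"}}


def ngfw_filter(pkt: Packet) -> bool:
    """Check the header rule first, then require the payload to match an allowed app."""
    if not classic_filter(pkt):
        return False
    return identify_app(pkt.payload) in APP_RULES.get(pkt.dst_port, set())


# Constructed sample traffic (RFC 5737 documentation addresses).
HTTP_ON_80 = Packet("192.0.2.10", "198.51.100.5", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n")
SSH_ON_80 = Packet("192.0.2.10", "198.51.100.5", 80, b"SSH-2.0-OpenSSH_9.0\r\n")
FTP_ON_21 = Packet("192.0.2.10", "198.51.100.5", 21, b"USER anonymous\r\n")
```

The SSH stream sent to port 80 passes the classic filter, because the header says "web", but fails the payload-aware one, because the data does not look like HTTP.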
What makes a next-generation firewall unique?
By evaluating more layers of the OSI model and looking at the contents of data packets to make filtering decisions, a next-generation firewall aims to improve network security.
A next-generation firewall, in essence, combines several existing security techniques into a single device with the goal of making security easier to operate and hence more effective.
The use of external intelligence to dynamically and continually update its rules is perhaps the most intriguing component of the next-generation firewall. (This is what Gartner refers to as “intelligence from outside the firewall” in their definition.) In this case the firewall receives regular updates from its vendor. Because the vendor is constantly receiving reports and analysing malware behaviour from around the world, it can spot trends, identify the malware’s command and control servers, and automatically restrict access to them from your network. Even if malware manages to infiltrate your network, it will be unable to communicate with the outside world for instructions.
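The following added example (not code from the article or any vendor) sketches an egress policy that is rebuilt from an external intelligence feed, in the spirit of the vendor updates described above; the feed format, the policy API and the listed indicators are all constructed for illustration.

```python
# Added example (not from the article): an egress policy refreshed from an
# external intelligence feed. The feed format, the policy API and the listed
# C2 indicators are constructed for illustration, not a real vendor's format.
import ipaddress
from typing import Optional


class EgressPolicy:
    def __init__(self) -> None:
        self.blocked_networks = []      # list of ip_network objects
        self.blocked_domains = set()
        self.feed_version = 0

    def apply_feed(self, feed: str) -> int:
        """Parse 'ip <cidr>' and 'domain <name>' lines into a fresh rule set.
        Malformed lines are skipped so one bad entry cannot abort an update.
        Returns the number of indicators loaded."""
        networks, domains = [], set()
        for line in feed.splitlines():
            kind, _, value = line.strip().partition(" ")
            if kind == "ip":
                try:
                    networks.append(ipaddress.ip_network(value, strict=False))
                except ValueError:
                    continue
            elif kind == "domain" and value:
                domains.add(value.lower().rstrip("."))
        # Replace both tables together so a half-applied feed never becomes policy.
        self.blocked_networks, self.blocked_domains = networks, domains
        self.feed_version += 1
        return len(networks) + len(domains)

    def allows(self, dst_ip: str, sni: Optional[str] = None) -> bool:
        """Decide whether an outbound connection may leave the network."""
        addr = ipaddress.ip_address(dst_ip)
        if any(addr in net for net in self.blocked_networks):
            return False
        if sni:
            labels = sni.lower().rstrip(".").split(".")
            # A listed domain also blocks every subdomain beneath it.
            if any(".".join(labels[i:]) in self.blocked_domains for i in range(len(labels))):
                return False
        return True


# Constructed feed: documentation-range address block and a reserved example name.
SAMPLE_FEED = """ip 203.0.113.0/24
ip not-an-address
domain c2.example.net
"""
```

Before the feed is applied every destination is allowed; afterwards connections to the listed network, the listed name and any of its subdomains are refused, while the malformed line is ignored.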
It’s still necessary to have multiple layers of defence.
While the idea of a Next Generation Firewall may appeal to busy, budget-conscious security managers wanting to get more bang for their buck, a word of caution is in order. The Next Generation Firewall’s allure – integrated management, ease of deployment, and increased levels of protection – could also be its downfall. Defence in depth is still crucial — we need more than one layer of security to safeguard our networks, and the next-generation firewall’s ‘one device to rule them all’ approach may dilute your network’s security depth. Every piece of software has faults and vulnerabilities, and if you rely on a single device for your defence, you might not be as safe as you think.
The answer could be to use firewalls from several vendors, such as network edge firewalls from one vendor and internal core firewalls from another, so that a fault or deficiency in one is covered by the other.
The rate at which vulnerabilities are found and then exploited is increasing, and it will continue to do so. This means that security administrators will have to respond to security threats much faster, and ‘information from beyond the firewall’ will become even more critical to network security.