Next Generation Firewalls (NGFWs) combine the features of a standard firewall with advanced security functions. They apply deep packet inspection (DPI) together with an integrated intrusion prevention system (IPS) and application awareness and control, so the firewall sees the content of the data being transferred rather than just its port and protocol headers.
Beyond these core capabilities, NGFWs also offer SSL/SSH inspection, reputation-based malware filtering and Active Directory integration. These granular policies and controls let an NGFW detect application-specific attacks and catch more malicious activity than a traditional port-based firewall.
Why the need for NGFWs?
Organizational network communications are no longer limited to e-mail; they now include real-time collaboration tools such as Web 2.0 applications, instant messaging (IM), peer-to-peer applications, VoIP, streaming media and teleconferencing. Each of these opens new avenues for attack. Enterprises need tools that guarantee bandwidth for business-critical applications while maintaining speed and security for a productive work environment.
What can NGFWs do?
Next-generation firewalls deliver application awareness and control, intrusion prevention, malware protection and SSL inspection at multi-gigabit speeds, and scale to the highest-performance networks. The aim is that switching inspection on does not force a trade-off between security and throughput; whether a given device achieves this on your traffic mix is something to verify, as discussed below.
High-end NGFWs are designed so that the number of simultaneous files or network streams under inspection does not become the limiting factor, so infected files are not waved through when the firewall is under heavy load. Check during testing what the device does when inspection capacity is exhausted, since some products can be configured to pass traffic uninspected in that case. NGFWs apply the same security and application-control technologies to SSL-encrypted traffic, so encryption does not become a new malware vector into the network.
IT administrators must ensure that the NGFW solution scales to the projected network performance requirements, delivering robust performance, network analytics and ease of implementation.
Features of NGFW
Typical features offered by NGFWs are as follows:
- Standard capabilities of a first-generation firewall: packet filtering, stateful protocol inspection, NAT, VPN connectivity, etc.
- Truly integrated intrusion prevention: support for both vulnerability-facing and threat-facing (exploit-facing) signatures, and the ability to recommend firewall rule changes based on IPS activity.
- Full-stack visibility and application identification: the ability to enforce policy at the application layer independently of port and protocol.
- Extra firewall intelligence: the ability to build blacklists or whitelists and to map traffic to users and groups using Active Directory, so policy can be written per user or group rather than per IP address.
- Adaptability to the evolving threat landscape: upgrade paths for integrating new information feeds and new inspection techniques to address future threats.
- Non-disruptive in-line "bump-in-the-wire" deployment, so the device can be inserted without re-addressing the network.
- SSL/TLS decryption, so that undesirable applications hidden inside encrypted sessions can be identified and controlled.
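To make the two features that most distinguish an NGFW from a port-based firewall concrete (application identification independent of port, and policy keyed on directory users and groups), here is a small added illustration written for this article; it is not code from any NGFW vendor or from the original page. It classifies flows from the first client payload bytes rather than the destination port, looks up the source IP in a stand-in for an Active Directory user-ID mapping, and evaluates a first-match policy. All names (`identify_app`, `evaluate`, `Rule`, the `POLICY` list), the user and group tables and the sample flows are constructed for the example.

```python
"""Port-independent application identification plus user/group-aware policy.

Illustrative only: the function names, the directory mapping and the sample
flows below are constructed for this example, not taken from any product.
"""
from dataclasses import dataclass, field

# How a classic port/protocol firewall guesses the application.
PORT_APPS = {22: "ssh", 80: "http", 443: "tls", 6881: "bittorrent"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH")


def port_based_app(dst_port: int) -> str:
    """What a port-based rule believes the application is."""
    return PORT_APPS.get(dst_port, "unknown")


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client bytes, ignoring the port entirely."""
    # TLS ClientHello: record type 0x16 (handshake), version 0x03xx, handshake type 0x01
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH version-exchange banner (RFC 4253, section 4.2)
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # BitTorrent peer handshake: pstrlen 19 followed by the protocol string
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # HTTP request line: "<METHOD> <target> HTTP/x.y"
    method, sep, _ = payload.partition(b" ")
    if sep and method in HTTP_METHODS:
        return "http"
    return "unknown"


# Stand-in for an Active Directory user-ID feed: IP -> user, user -> groups.
USER_BY_IP = {"10.0.1.10": "alice", "10.0.1.11": "bob"}          # constructed
GROUPS_BY_USER = {"alice": {"engineering"}, "bob": {"finance"}}  # constructed


@dataclass
class Rule:
    name: str
    apps: set
    action: str
    groups: set = field(default_factory=set)  # empty set means "any user"


# First-match policy written in terms of applications and groups, not ports.
POLICY = [
    Rule("allow-ssh-engineering", {"ssh"}, "allow", {"engineering"}),
    Rule("block-p2p", {"bittorrent"}, "deny"),
    Rule("allow-web", {"http", "tls"}, "allow"),
]


def evaluate(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """Return the matching rule and verdict for one flow."""
    app = identify_app(payload)
    user = USER_BY_IP.get(src_ip, "unknown")
    groups = GROUPS_BY_USER.get(user, set())
    verdict = {"app": app, "user": user, "port_guess": port_based_app(dst_port)}
    for rule in POLICY:
        if app in rule.apps and (not rule.groups or rule.groups & groups):
            verdict.update(rule=rule.name, action=rule.action)
            return verdict
    verdict.update(rule="default-deny", action="deny")
    return verdict


# Constructed sample flows: (src_ip, dst_port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.0.1.10", 443, b"SSH-2.0-example\r\n"),                 # SSH hidden on 443, engineer
    ("10.0.1.11", 443, b"SSH-2.0-example\r\n"),                 # same, but a finance user
    ("10.0.1.11", 80, b"\x13BitTorrent protocol" + bytes(48)),  # P2P on the HTTP port
    ("10.0.1.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.1.11", 443, bytes.fromhex("1603010005") + b"\x01"),  # TLS ClientHello header
]

if __name__ == "__main__":
    for src, port, data in SAMPLE_FLOWS:
        v = evaluate(src, port, data)
        print(f"{src}:{port:<5} port says {v['port_guess']:<10} payload says {v['app']:<10} "
              f"user={v['user']:<7} -> {v['action']} ({v['rule']})")
```

Running it shows the difference in practice: the SSH session on port 443 is allowed for the engineering user and denied for the finance user, and the BitTorrent handshake on port 80 is blocked even though a port-based rule would have read it as HTTP. A real NGFW uses far larger signature sets and keeps classifying a flow as more bytes arrive, but the policy model is the same.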
Evaluating Next-Generation Firewalls
Business leaders can follow these steps to evaluate and adopt a next-generation firewall:
Integration:
Next-generation devices should apply all of their security capabilities in a single inspection pass, demonstrating true integration of the components rather than bundling separate products on one box.
Performance:
Make sure that throughput matches the expectations for your production environment, with the inspection features you intend to use switched on.
Ease of use:
The management interface should reduce the complexity of managing disparate security products. It must be intuitive, and it must make it easy to define rules that are as granular or as complex as required.
Things to watch out for before deploying NGFWs
As a baseline, you must have a thorough understanding of your organization's needs and should have performed extensive testing before deciding to implement an NGFW. Here are a few things you should look into before deploying an NGFW in your enterprise.
Not all NGFWs are designed equal
One of the key traits of a next-generation firewall is the identification and control of traffic at the application layer, so enterprises should look for a robust Layer 7 application-matching mechanism. Choose a vendor whose application signatures cover the applications you actually use and that identifies them quickly and accurately.
Check performance claims in your environment
The measured throughput of some next-generation firewalls can drop by more than half simply because the traffic mix changes or an application-inspection feature is switched on. It is therefore wise to check the NGFW's performance on your own traffic (ideally in a test environment) during the demonstration itself, rather than relying on datasheet figures.
NGFW is not a UTM replacement
An NGFW is essentially a network IPS with deep packet inspection (DPI) built in, whereas a UTM is mostly a stateful-inspection firewall with additional security functions bolted on. Evaluate them as different products rather than assuming one subsumes the other.
Onboard SSL decryption may not perform as promised
At high speeds, onboard SSL decryption is computationally expensive and may require multiple clustered NGFWs to sustain line rate. It also requires distributing the firewall's signing CA certificate to clients and deciding which traffic (for example banking or health sites) must be excluded from decryption for privacy or compliance reasons, so plan for both before relying on this feature.
How can we help you?
Our Solutions team has worked on numerous NGFW products offered by our partners, including the Fortinet Fortigate® Next Generation Firewall and Palo Alto Networks. The team specializes in implementing and re-engineering these products for our clients, and its members are experienced, trained and certified across the Fortigate and Palo Alto product lines.