Early on, stateful inspection firewalls classified traffic by looking only at the destination port (e.g., tcp/80 = HTTP). As the need for application awareness arose, many vendors added application visibility and other software or hardware ‘blades’ to their stateful inspection firewall and sold the offering as a UTM (Unified Threat Management). UTMs did not improve security, because the functions were retrofitted onto the firewall rather than natively integrated.
Unlike a UTM, a Next Generation Firewall (NGFW) is application aware and makes decisions based on application, user and content. Its natively integrated design simplifies operation and improves security. Given its success, the term NGFW has now become synonymous with firewall.
Next Generation Firewall
An NGFW provides the following capabilities:
User Identity Awareness and Protection: The user identity feature on NGFWs identifies users in all locations, irrespective of device type and operating system. However, the issue of user identity goes beyond classifying users for policy and reporting. Protecting user identity is equally important. The 2017 Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged weak and/or stolen credentials. Attackers use stolen credentials to access an organization, move laterally, and escalate privileges to reach unauthorized applications and data. An NGFW enforces capabilities such as machine learning based analysis and multi-factor authentication (MFA) to prevent credential theft and its subsequent abuse, and so preserves the user's identity.
Application Usage, Visibility and Control: Users are accessing diverse types of apps, including SaaS apps, from varying devices and locations. Some of these apps are sanctioned, some tolerated and others unsanctioned. Security administrators want complete control over the usage of these apps and set policy to allow or restrict certain types of applications and deny others. An NGFW provides complete visibility into application usage, along with capabilities to understand and control their use. For example, it can identify usage of application functions such as audio streaming, remote access and posting documents, and then enforce granular controls over that usage, such as uploading and posting to Facebook, file sharing on Box and file transfer.
Secure Encrypted Traffic: Most enterprise web traffic is now encrypted, and attackers exploit encryption to hide threats from security devices. An NGFW allows security professionals to decrypt and inspect traffic so that threats hidden inside it can be prevented, while preserving user privacy and delivering predictable performance.
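The contrast between port-based classification (from the introduction) and application-aware control of sanctioned apps (above), as an added illustration that is not from the original article or any vendor's product: a toy classifier labels a flow by its first payload bytes rather than its port, pulls the server name out of a TLS ClientHello, and applies a per-application policy. The host allowlist, sample payloads and ClientHello builder are constructed for the example.

```python
import struct
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh"}        # legacy port-based classification
SANCTIONED_TLS_HOSTS = {"files.sanctioned.example"}     # constructed allowlist of sanctioned SaaS hosts

def payload_app(payload: bytes) -> str:
    # Application-aware view: classify on the first bytes of the stream, ignoring the port.
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"):
        return "http"
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                                     # handshake record carrying a ClientHello
    return "unknown"

def tls_sni(payload: bytes):
    # Walk a ClientHello to its server_name extension (RFC 6066); None if absent or malformed.
    try:
        p = 5 + 4 + 2 + 32                               # record + handshake headers, version, random
        p += 1 + payload[p]                              # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                              # compression_methods
        p, ext_end = p + 2, p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                               # server_name: list len(2), type(1), name len(2), name
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def build_client_hello(host: str) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello with one server_name extension (sample input only).
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def decide(dst_port: int, payload: bytes) -> tuple:
    # Returns (port-based label, application label, verdict): policy follows the application,
    # so SSH is denied even on tcp/443 and TLS is allowed only to sanctioned hosts.
    guess, app = PORT_TABLE.get(dst_port, "unknown"), payload_app(payload)
    if app == "tls":
        host = tls_sni(payload)
        return guess, f"tls:{host}", "allow" if host in SANCTIONED_TLS_HOSTS else "deny"
    return guess, app, "allow" if app == "http" else "deny"
```

Running `decide(443, b"SSH-2.0-OpenSSH_9.6\r\n")` shows the port-based guess ("tls") disagreeing with the real application ("ssh"), which is exactly the gap a port-only firewall cannot close.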
Detect and Prevent Advanced Threats: Today, most modern malware, including ransomware variants, leverages advanced techniques to carry attacks or exploits past network security devices and tools. An NGFW utilizes systems that can identify evasive techniques and automatically counteract them. For example, it uses multiple methods of analysis to detect unknown threats, including static analysis with machine learning, dynamic analysis and bare-metal analysis. By using a cloud-based architecture, threat detection and prevention can be supported at mass scale across the network, endpoint and cloud.
Architecture Matters: As the number of needed security functions continues to increase, there are two options: add another security device or add a function to an existing device. When the NGFW is built on the right architecture, it’s possible to add a function to the next-generation firewall instead of adding another security device. This integrated approach offers advantages that discrete devices cannot.
Deployment Flexibility: NGFWs are available in both physical and virtual form factors to fit a variety of deployment scenarios and performance needs.
Shared Threat Intelligence: Organizations rely on multiple sources of threat intelligence to ensure the widest possible visibility into emerging threats, but they struggle to aggregate, correlate, validate and share indicators across different feeds. An NGFW automatically transforms this information into actionable controls that prevent future attacks.