As the threat landscape continues to expand and evolve, especially in the cloud, traditional firewalls are falling behind and are unable to deliver protection at a scale companies and individuals need.
Users working with sensitive data need specialized firewalls that can be multifunctional, programmable, work together with antivirus software, and be intelligent when scanning through data. So are next-generation firewalls the answer?
What Is a Next-Generation Firewall?
A Next-Generation Firewall (NGFW) screens network traffic to safeguard an organization from threats, whether external or internal.
An NGFW is a firewall capable of applying access control at Layer 7, the application layer. A Layer 7 firewall is simply one that operates on the application layer, which allows advanced traffic-filtering policies. This also means that such firewalls understand the different applications generating the traffic that passes through them. NGFWs accomplish this by combining several techniques that in the past required separate products.
NGFWs not only block malware and scan packets passing through your devices and the cloud (where cloud apps increasingly carry viruses), but they also analyze traffic and update themselves, giving you the flexibility to evolve with cyber threats and keep your network secure.
Is an NGFW Hardware- or Software-Based?
NGFW technology is flexible in how it can be deployed in a system or in a cloud infrastructure: an NGFW can be installed as a hardware appliance or implemented as software.
It is important to note that an NGFW can also be delivered as a cloud service, and is therefore sometimes referred to as a cloud firewall or (mistakenly) as Firewall-as-a-Service (FWaaS).
FWaaS vs. NGFW vs. Cloud Firewalls
"Cloud firewall" is a marketing term, and it has caused a lot of confusion because there are many different types of cloud firewalls. It is best treated as a blanket term for products that act as firewalls for cloud resources, such as an NGFW or an FWaaS.
So what is an FWaaS, and how does it relate to an NGFW? FWaaS is a service that provides a cloud firewall, among other cloud security services. An FWaaS is a cloud-hosted security solution, part of an IT infrastructure, that can include a next-generation firewall feature, which is essentially an NGFW. Because an FWaaS is cloud-hosted, both terms are mainly associated with cloud security.
However, while an FWaaS is hosted in the cloud, an NGFW can be hosted anywhere.
Many software products and services overlap in capabilities and functions. This is particularly true in cloud security, for example with Cloud Workload Protection Platforms (CWPP) and Cloud Access Security Brokers (CASB): both protect the cloud, and both provide cloud firewall services.
Cloud cybersecurity is so complex that there is now a tailored solution for every problem; that is why there are so many types of firewalls and antivirus products with different names that seem to do the same thing.
What Modules Make Up an NGFW?
Several functions are included within an NGFW. The most important are:
Basic firewall functionality, which in an NGFW usually comes with the ability to set up VPN tunnels (IPsec, GRE) or allow remote access through a VPN client.
Application control is a way to help organizations define and apply security and routing policies to traffic based on the source of the flow.
Deep Packet Inspection (DPI)
DPI examines every packet passing through your network, looking at the source IP address, the destination IP address, the destination port, and so on.
Intrusion Prevention System (IPS)
This function allows the firewall to detect attacks by constantly scanning all traffic and comparing it against known threats. Detection is signature-based: the manufacturer releases attack patterns as new cyberattacks are discovered. These signatures are generally updated automatically, so the firewall is usually up to date with the latest versions.
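Signature-based detection is a pattern match over normalized packet payloads, with a severity-ordered verdict and a rule set that can be swapped out when the vendor feed updates. The following is an added example, not code from the original article or from any firewall vendor: the signatures, their ids, the sample requests and the "update" rule are all constructed for the demonstration and are not real vendor rules.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int             # signature id, the way vendor feeds number their rules
    name: str
    pattern: re.Pattern  # compiled regex applied to the normalized payload
    action: str          # "alert" (detect and log) or "drop" (prevent)


def load_signatures(rules) -> list:
    """Compile a rule set. In a product this is the vendor feed that is pulled automatically."""
    return [Signature(sid, name, re.compile(pat, re.IGNORECASE), action)
            for sid, name, pat, action in rules]


# Constructed rule set written in the spirit of vendor signatures; not a real feed.
BASE_RULES = [
    (1001, "HTTP directory traversal", rb"(\.\./){2,}", "drop"),
    (1002, "SQL UNION SELECT in request", rb"UNION\s+(ALL\s+)?SELECT", "drop"),
    (1003, "command parameter in query string", rb"[?&]cmd=", "alert"),
]

# Hypothetical signature for a newly published pattern, as a feed update would deliver it.
UPDATE_RULES = BASE_RULES + [
    (1004, "debug override header", rb"X-Debug-Override:\s*enable", "drop"),
]


@dataclass
class Verdict:
    action: str = "pass"                        # "pass", "alert" or "drop"
    matches: list = field(default_factory=list) # ids of the signatures that fired


def inspect(payload: bytes, signatures) -> Verdict:
    """Match one payload against every signature; the most severe action wins.
    The payload is URL-decoded first so percent-encoding does not hide a pattern."""
    normalized = unquote_to_bytes(payload)
    verdict = Verdict()
    for sig in signatures:
        if sig.pattern.search(normalized):
            verdict.matches.append(sig.sid)
            if sig.action == "drop":
                verdict.action = "drop"
            elif verdict.action == "pass":
                verdict.action = "alert"
    return verdict


# Constructed sample payloads: client requests as they would appear on the wire.
SAMPLE_PACKETS = [
    ("normal page request", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("traversal attempt", b"GET /../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("sql injection attempt", b"GET /item?id=1%20UNION%20SELECT%20user,pass HTTP/1.1\r\n\r\n"),
    ("pattern not yet in the base feed", b"GET /admin HTTP/1.1\r\nX-Debug-Override: enable\r\n\r\n"),
]


def scan(packets, signatures) -> list:
    """Run every packet through the engine; returns [(description, action, matched ids)]."""
    out = []
    for desc, payload in packets:
        verdict = inspect(payload, signatures)
        out.append((desc, verdict.action, verdict.matches))
    return out


def before_and_after_update(payload: bytes) -> tuple:
    """Same packet, old and updated rule set: why automatic signature updates matter."""
    return (inspect(payload, load_signatures(BASE_RULES)).action,
            inspect(payload, load_signatures(UPDATE_RULES)).action)


if __name__ == "__main__":
    for desc, action, matches in scan(SAMPLE_PACKETS, load_signatures(BASE_RULES)):
        print(f"{desc:34} {action:5} {matches}")
    print("after feed update:", before_and_after_update(SAMPLE_PACKETS[3][1]))
```

The fourth packet passes the base rule set and is dropped only after the updated set is loaded, which is the gap the article's "updated automatically" remark is about. Normalizing the payload before matching is what keeps the second packet's percent-encoded spaces from defeating the UNION SELECT signature; a production IPS performs far more normalization (chunking, compression, character sets) for the same reason.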
The web filter controls the URLs users can access. Usually, the firewall manufacturer maintains a database in which URLs are categorized into sections such as social sites, news sites, personal banking sites, adult sites, and so on. These categories can then be used to allow or deny traffic to the pages that belong to each category.
Some firewalls, like TinyWall, let you personalize lists and create a blacklist. An NGFW will always include this function, since every company and individual needs to tailor its web filtering to its own security concerns.
An identity awareness feature helps the NGFW identify the user behind the IP address of a connection. This is usually done by integrating the firewall with a user directory. The feature also enables more complex access rules, based on the user rather than on a specific IP address or network.
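The web filter and identity awareness described above combine into one policy decision: resolve the source IP to a user and its groups, check the administrator's own blacklist, categorize the host, then evaluate group-aware rules. The following is an added example, not code from the original article, TinyWall or any firewall vendor: the identity mapping, category database, blacklist, rules and host names are all constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed identity data: what an NGFW learns from its directory integration.
IP_TO_USER = {"10.0.1.15": "alice", "10.0.2.40": "bob"}
USER_GROUPS = {"alice": {"marketing"}, "bob": {"engineering"}}

# Constructed URL category database; vendors ship and update the real ones.
URL_CATEGORIES = {
    "social.example": "social",
    "news.example": "news",
    "bank.example": "finance",
    "adult.example": "adult",
}

# Administrator's own blacklist, consulted before any category lookup.
CUSTOM_BLACKLIST = {"bad.example"}

# Rules are evaluated top to bottom and the first match wins; "any" matches every user.
RULES = [
    ("any", "adult", "deny"),
    ("marketing", "social", "allow"),
    ("any", "social", "deny"),
    ("any", "finance", "allow"),
    ("any", "news", "allow"),
]
DEFAULT_ACTION = "deny"   # uncategorized sites fall through to this


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def longest_suffix_match(host: str, table):
    """Walk from the full host to its parent domains so www.news.example matches news.example."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def resolve_user(src_ip: str) -> tuple:
    """Identity awareness: source IP to (user, groups); unknown IPs get no groups."""
    user = IP_TO_USER.get(src_ip)
    return user, USER_GROUPS.get(user, set())


def decide(src_ip: str, url: str) -> dict:
    """Return the verdict for one request and the reason it was reached."""
    host = host_of(url)
    user, groups = resolve_user(src_ip)
    result = {"user": user, "host": host, "category": None,
              "action": DEFAULT_ACTION, "reason": "default"}
    if longest_suffix_match(host, CUSTOM_BLACKLIST):
        result.update(action="deny", reason="custom blacklist")
        return result
    key = longest_suffix_match(host, URL_CATEGORIES)
    category = URL_CATEGORIES[key] if key else None
    result["category"] = category
    if category is None:
        result["reason"] = "uncategorized"
        return result
    for group, cat, action in RULES:
        if cat == category and (group == "any" or group in groups):
            result.update(action=action, reason=f"rule ({group}, {cat})")
            return result
    return result


if __name__ == "__main__":
    requests = [
        ("10.0.1.15", "https://www.social.example/feed"),
        ("10.0.2.40", "https://www.social.example/feed"),
        ("10.0.2.40", "https://cdn.bad.example/x"),
        ("10.0.9.9", "https://wiki.example/"),
    ]
    for ip, url in requests:
        print(ip, url, decide(ip, url))
```

The same URL gets different verdicts for the two users because the rule is written against a group rather than an IP address, which is the practical payoff of identity awareness. The blacklist is checked first so an administrator's entry overrides whatever category the vendor database assigns, and uncategorized hosts fall to the default rather than being silently allowed.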
What Other Things Can an NGFW Do?
While the features mentioned above are the primary functions of an NGFW, some also include:
- Antivirus: Because an NGFW constantly scans everything, if it detects a virus coming from a trusted site or application, it will block the file. A typical firewall will not do this unless it is paired with an antivirus. Not all NGFWs include an antivirus feature, so be sure to look for it, as it might save you money in the long run.
- Anti-spam: If your email server is behind the NGFW, it will work as anti-spam protection too.
- Quality of service (QoS): The NGFW can apply QoS rules, such as maximum and guaranteed bandwidth, rate control, and so on.
- SSL Inspection: With this function, the firewall can terminate the SSL/TLS tunnel of protocols such as HTTPS and inspect the otherwise encrypted traffic.
What Is the Future of NGFWs?
More and more companies run some sort of workload in the cloud, which means the firewalls an organization needs must be tailored to its specific security requirements. NGFWs (or FWaaS with next-generation firewall capabilities) do exactly that: they can be programmed to fulfill any requirement a company might have. Naturally, all new firewall features that work in the cloud will also work for non-cloud users.