Using a traditional firewall against modern security threats is like playing professional football in the 21st century with an old leather helmet from the 1930s. It may provide some very basic protection, but it isn’t strong enough to prevent serious or even permanent damage.
Traditional firewalls provide security by inspecting and controlling traffic according to specific ports, protocols and IP addresses. That was effective when most network threats consisted of attackers scanning firewalls for open ports to attack. Today’s threats are far more stealthy and sophisticated.
Many modern cyber threats are designed to piggyback on legitimate application-layer network traffic, which allows their malicious payloads to bypass stateful packet inspection mechanisms. More than viruses and spyware, modern security threats include zero-day exploits, advanced malware and stealth bots that are smart enough to not only disable security protections and steal data, but hide in the network while awaiting further instructions.
Just like football gear, however, firewalls have evolved. Next-generation firewalls (NGFW) offer a much more robust line of defense.
Along with traditional firewall capabilities such as packet filtering, network address translation and URL blocking, NGFWs integrate many more robust features. These include intrusion prevention, Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, deep packet inspection and reputation-based malware detection.
However, the key distinction is that an NGFW is application-aware, meaning it can distinguish one application from another and enforce granular security policies at the application layer. With the ability to understand details of web application traffic, the NGFW can make smarter blocking decisions based upon very specific criteria. That is a critical capability, considering that security experts estimate that 80 percent of attacks today happen at the application layer.
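To make the application-aware distinction concrete, here is an added illustration (not code from the original article or from any vendor product): a port-based rule that trusts TCP/443 as "web" beside a rule that classifies the flow from its first payload bytes and applies policy to the identified application. The `Flow` type, `identify_application`, `APP_POLICY` and the two sample flows are assumptions constructed for this example, and the TLS and SSH fingerprints are deliberately minimal.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One client-to-server TCP flow: destination port and the first bytes sent."""
    dst_port: int
    first_bytes: bytes

def port_based_decision(flow: Flow) -> str:
    """Traditional rule: trust the port. 80 and 443 are 'web', so allow them."""
    return "allow" if flow.dst_port in (80, 443) else "deny"

def identify_application(first_bytes: bytes) -> str:
    """Classify the application from the payload itself (simplified fingerprints)."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    # then handshake type 0x01 (ClientHello)
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"

# Hypothetical application-layer policy: web traffic is allowed, an SSH session
# is denied no matter which port it uses, and anything unrecognised is denied.
APP_POLICY = {"tls": "allow", "http": "allow", "ssh": "deny", "unknown": "deny"}

def application_aware_decision(flow: Flow) -> str:
    """NGFW-style rule: decide on the identified application, not the port."""
    return APP_POLICY[identify_application(flow.first_bytes)]

# Constructed sample flows, both destined to TCP/443.
TLS_ON_443 = Flow(443, bytes.fromhex("160301004401000040"))  # start of a ClientHello
SSH_ON_443 = Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n")          # SSH riding on the web port

def compare(flow: Flow) -> tuple[str, str]:
    """Return (port-based verdict, application-aware verdict) for one flow."""
    return port_based_decision(flow), application_aware_decision(flow)

if __name__ == "__main__":
    for name, flow in (("TLS on 443", TLS_ON_443), ("SSH on 443", SSH_ON_443)):
        print(name, compare(flow))
```

The port-based rule allows both flows; the application-aware rule allows the genuine TLS handshake and denies the SSH session that is using the same port.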
“Big security news stories are a daily event as the threats facing enterprises are getting more pervasive and sophisticated,” said Jeff Wilson, principal security analyst with Infonetics Research. “Organizations need to implement protections against advanced application-layer threats throughout their networks – not just at the edge.”
The change in business environment due to the Bring Your Own Device (BYOD) model, cloud-based services and wireless communication has also created new threat vectors. Employees today expect to gain network access with their mobile devices and use cloud-based solutions to work with company data. According to a recent Network World study, 48 percent of respondents said that supporting increasing numbers of mobile devices is their organizations’ top security challenge.
Although mobile devices connect to the Internet from outside the corporate firewall, it is possible to backhaul remote and mobile traffic to a corporate site for NGFW inspection. Even without taking this step, organizations gain some essential security measures for the mobile/cloud environment. For instance, an NGFW decrypts and removes hidden threats from mobile traffic tunneled over SSL VPNs before they enter the network. NGFW appliances can also be configured to limit general access to cloud file transfer applications.
An NGFW is sometimes confused with a unified threat management (UTM) system, which combines various security functions — firewalls, antimalware software, intrusion protection, content filtering, reporting and more — in a single security appliance. Truly comprehensive network security can be achieved when employing both of these complementary systems.
When choosing an NGFW, organizations must evaluate the architecture, performance impact and manageability. Whether choosing a hardware- or software-based solution, it is important to understand how the product is engineered and how it will be integrated with existing infrastructure.
The additional features and options offered by an NGFW could eliminate the need for some individual security devices, which could reduce operational expenses. However, those additional features also require very specific policies and rules, so the best NGFW is one that is intuitive and easy to configure, implement and maintain. Simple, centralized management is critical.
Next-generation firewalls are the logical evolution in network security and access control. Organizations that have not already done so should make plans to migrate to NGFW technology. It’s the best way to avoid the risk of game-changing security threats due to substandard protection.