- What is Next Generation Firewall (NGFW) ?
- Features to look for in NGFW
- Best NGFWs on the market
What is Next Generation Firewall (NGFW) ?
A Next Generation Firewall or NGFW is an integrated network platform that combines a traditional firewall with other security system functionalities like an application firewall, Intrusion Prevention System or IPS, SSL/SSH interception, QoS/bandwidth management, malware inspection etc. An NGFW includes the typical functionalities of a traditional firewall, yet it is much more powerful than a traditional firewall in detecting and preventing attacks and enforcing security.
Features to look for in NGFW
While buying NGFW for enterprises, one should look for the following features :
1. Application Awareness
Traditional firewall filter traffic based on IP address, port, protocols used etc. As a result, it becomes difficult to properly monitor various applications running within the organization network. A Next Generation Firewall should be able to filter traffic per application basis which can provide better visibility into various applications running within the organization network. With NGFW you should be able to create detailed policies based on specific aspects of a web application. NGFW should also be able to provide detailed information like application usage etc in logs, reports and statistics.
2. User Identity Awareness
NGFW should be able to provide granular control of applications based on identity of users, group of users, devices that the users are using etc. A good NGFW should also provide an advanced user and application control.
3.Deep Packet Inspection
Deep Packet Inspection or DPI is a technology using which one can examine the data part of the network packets and search for protocol non-compliance, virus, spam, intrusions and other statistical information and decide whether the packet should be passed or dropped or should be routed to a different destination for further processing. A device with Deep Packet Inspection capability can monitor the payload of each packet passing through it and detect protocols, application, inappropriate URL’s, intrusion attempts and even malware present in the data packet.
A traditional firewall can examine the packet headers and only limited amount of payload of the packet. As a result it can have only limited application awareness. NGFW with Deep Packet Inspection can monitor the payload of each network packet and can handle the packets based on specific patterns present in the payload. That is why Deep Packet Inspection is a must have feature in NGFW. NGFW should be able to quickly identity and block malware or other intrusion attempts in the network using Deep Packet Inspection.
4. Centralized Management
NGFW should be able to provide a centralized management system that aggregates data from various security defenses and give an overview on overall security health of the network. It should provide a dashboard to control all firewall activities as well as automate routinely tasks.
5. Ability to monitor SSL traffic
NGFW should be able to monitor encrypted traffic. It should be able to decrypt inbound and outbound SSL and other encrypted traffic and look for malware, intrusions or other threats.
6. Integrated IPS
NGFW should provide an integrated IPS also. Usually, an IDS and IPS system is fully integrated with NGFW and it can be enabled or disabled when required.
7. AET Defense
Many malware use Advanced Evasion Techniques (AET) to bypass security solutions. They can use several protocol layers to deliver malware, change dynamically during attacks and even combine with other attacks. NGFW should have the ability to thoroughly inspect traffic across all protocol layers and do analysis and normalization without affecting the network performance. If AET protection is built into the core of the NGFW, then it should not affect network performance for preventing advanced threats.
8. Basic URL Filtering
NGFW should provide the ability to basic URL filtering. Using that one can control users from visiting undesirable websites. For example, watching cricket match in peak hours can degrade network performance and affect user productivity. One can also control usage of social media or other websites using this feature.
9. Integration with other security solutions
NGFW should be able to integrate fully with other security solutions used in the enterprise, such as network monitoring tools, SIEM, authentication servers, email security solutions etc. This will help in enhancing the overall security of the enterprise.
10. Stateful Inspection
Though traditional firewall can filter network packets based on certain information on connection state, they can mostly operate from layer 2 to layer 4 of the OSI Model. NGFW can operate from layer 2 to layer 7 of the OSI Model. As a result, it can provide the ability to enforce much more granular policies and provides better control.
11. Bridged and Routed Modes
Another good feature of NGFW will be the ability to operate in both bridged mode and routed mode. In bridged mode or transparent mode, a device is shown as an L2 device. So, you can insert a transparent firewall in a network without requiring to change IP addresses of other devices. This may be useful in certain scenarios. For example, suppose you have a VLAN with one IP subnet. And, now you want to protect some of the servers from other servers using a firewall. You can use the transparent mode to do so without changing IP address of any of the servers. But, this may have limitations on the number of interfaces you can use. In routed mode, you can easily set up multiple DMZs on the same firewall.
Both have their pros and cons. The ability of the NGFW to operate on both bridged and routed mode will make the transition from traditional firewall to NGFW easier.
12. Cloud based Malware Sandbox
NGFW should be able to look for unknown threats and create corresponding IPS signature within the NGFW. For that purpose a Cloud based Malware Sandbox is a good feature to have in the NGFW. That would help in preventing zero day attacks and Advanced Persistent Threats or APT in a better way.
13. High Availability
It is better to look for active-active clustering for your NGFW. In active-active clustering, as two nodes run actively at a given time, it can better ensure uninterrupted services especially especially when updating the services or in maintenance.
14. Capacity
One should buy NGFW not only with enough capicity to handle network load today but also with the capacity of handling network load five or six years in future. Please note that IPS or application filtering can reduce throughput. So, one should buy NGFW keeping that in mind.