Next-Generation Firewall Guide

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

Dewdney, A. K. (1989, March). Computer Recreations: Of Worms, Viruses and Core War. Scientific American, p. 110.

The moment an electronic device goes online it becomes susceptible to hacks and infections. No matter how much security is put in place around it, there will always be that one weak spot that hackers sniff out and take advantage of. That’s a fact of life in a highly-connected digital world.

But, although it happens to even the best of them, it doesn’t mean that you have to sit with your arms crossed and do nothing about attacks aimed at your network. For one thing, you can drastically increase the security around your boundaries with the help of next-generation firewalls (NGFWs), also known as Unified Threat Management solutions (UTMS).

Here is a composite diagram that shows all the tasks and processes performed by an NGFW, which we will look at in depth in this article:

Next-generation firewall diagram


Definition of next-generation firewalls (NGFW)

Basically, a next-generation firewall (NGFW) is an advanced version of the traditional firewall.

Like its older counterpart, an NGFW is a software or hardware security solution that protects a network via:

  • Stateful inspection of network traffic, in which it tracks the state of active connections to determine which packets may pass through
  • Allowing or denying traffic based on its state, port, and protocol
  • Applying administrator-set rules and policies that determine which types of network traffic are allowed through and which are not

Traditional firewall


An NGFW takes the network-protection job a step further with additional features like:

  • An integrated intrusion detection and prevention system (IDS/IPS) – it acts against threats before they gain access to the network.
  • Application control – depending on its configuration, an NGFW will block specified applications from running on the network.
  • Web content filter – users on the network can be protected from malicious sites, or they can be restricted from accessing certain content during office hours, for example.
  • Anti-virus protection – an NGFW can also thwart attacks from within by stopping malicious packets and payloads, while ensuring incoming attacks are stopped before they enter the network.
  • Reputation-based defense – as malware distribution became ever more sophisticated, the way it is detected had to change; an NGFW gives you this preemptive defense capability, which was first conceived in Norton Internet Security 2010.

These extra capabilities are made possible because an NGFW goes deeper: it inspects the payload of each packet and matches it against signatures of harmful activity such as vulnerability exploitation, viruses, and malware.


Why were NGFWs created?

NGFWs arose from the need to enhance the protection capabilities of traditional firewalls, which were falling behind the advancements in threats and their delivery methods. As attacks became more sophisticated, specifically by hiding malicious payloads inside packets, a more effective defensive technology that could sniff them out was required.

NGFW - security services


CrowdStrike Falcon Firewall Module (FREE TRIAL)

CrowdStrike Falcon Firewall - detections view

CrowdStrike Falcon is a good example of this multi-tasking platform approach for system security. CrowdStrike built a cloud-based endpoint protection system that is implemented on the defended device through an agent program.

This next-gen platform combines all of the tasks traditionally performed by separate software instances (AV, firewall, intrusion detection, spam filter, etc.). Rather than blocking traffic at the network’s gateway, or analyzing traffic like a network-based intrusion detection system, CrowdStrike Falcon focuses all cyber defenses on the data that reaches each endpoint on the network. CrowdStrike offers a 15-day trial of the Falcon platform for those who are interested in seeing how this cloud-based next-generation system operates.


Advantages of having an NGFW on your network

Anyone who seeks to keep their network safe requires an NGFW because:

  • It is a many-in-one solution that performs the tasks of multiple software and hardware security solutions – why muck about with multiple security solutions when all you need to do is configure one NGFW?
  • It is cost-effective, again, because you won’t have to buy multiple security solutions, administer them, and keep track of their updates, upgrades, and licenses when you can have just one solution to worry about.
  • It is a big leap from the traditional firewall – if you are using one – and it makes sense to move to a more modern method of network protection.
  • Also, an NGFW will not bite into your bandwidth as a traditional firewall (and all the other supporting security solutions that usually come with it) would.

The big selling point here is: with an NGFW installed, you get a one-stop solution for all your network security issues.

What do you need to look out for in a NGFW?

For an NGFW to perform effectively, it will need to have a few features. The important features to look out for in your new solution include:

Alerts and messages from malware

Advanced control console

Like all modern, efficient control consoles, your new NGFW should have one where:

  • Your network administrator can control it remotely.
  • It allows for advanced configuration of assets, policies, rules, roles, and security of both users and assets.
  • The admin is able to push out automated tasks and schedule jobs.
  • It captures events and saves logs for future forensic examination in case of a network failure or an attack.
  • Advanced reports can be extracted that are as comprehensive as they are easy to comprehend.

Deep packet inspection

This, of course, is a no-brainer; if there is one feature that makes an NGFW distinct from traditional firewalls, it is the capability to strip packets down and examine their contents.

It is deep packet inspection that protects the network from malware, viruses, Trojans, spamming, protocol non-compliance, and hacking attempts. It is also how an NGFW knows which roles and permissions apply to any particular packet.
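To make concrete the contrast drawn in the definition section and here between stateful, port-based filtering and payload-aware application control, the following is an added Python example; it is not code from the original article or from any firewall vendor. The inside-network prefix, the TLS/SSH/HTTP signature checks, the "block SSH" policy and the four sample packets are all constructed assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")  # IPs, ports, payload start

class StatefulFirewall:
    """Traditional firewall: stateful and port-based; inbound passes only as a reply to a tracked flow."""
    def __init__(self, inside_prefix, allowed_ports):
        self.inside, self.allowed_ports, self.flows = inside_prefix, allowed_ports, set()
    def decide(self, pkt):
        if pkt.src.startswith(self.inside):                     # outbound packet
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if flow in self.flows or pkt.dport in self.allowed_ports:
                self.flows.add(flow)                            # record connection state
                return "allow"
            return "deny:port"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)     # inbound packet
        return "allow" if reply_of in self.flows else "deny:unsolicited"

def identify_app(payload):
    """Minimal deep packet inspection: name the application from its protocol signature, whatever the port."""
    if payload[:2] == b"\x16\x03":                              # TLS record header
        return "tls"
    if payload.startswith(b"SSH-"):                             # SSH version banner
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

class NextGenFirewall(StatefulFirewall):
    """Same state/port checks, then application control on the inspected payload."""
    def __init__(self, inside_prefix, allowed_ports, blocked_apps):
        super().__init__(inside_prefix, allowed_ports)
        self.blocked_apps = blocked_apps
    def decide(self, pkt):
        verdict = super().decide(pkt)
        if verdict != "allow" or not pkt.payload:
            return verdict
        app = identify_app(pkt.payload)
        return f"deny:app={app}" if app in self.blocked_apps else "allow"

def run_sample():
    """Constructed traffic: inside network 10.0.0.0/8, only port 443 permitted outbound."""
    traffic = {
        "web":         Packet("10.0.0.5", 50001, "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01"),
        "web_reply":   Packet("203.0.113.10", 443, "10.0.0.5", 50001, b"\x16\x03\x03\x00\x5a\x02"),
        "ssh_on_443":  Packet("10.0.0.5", 50002, "203.0.113.20", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
        "unsolicited": Packet("198.51.100.7", 40000, "10.0.0.5", 22, b"SSH-2.0-client\r\n"),
    }
    firewalls = {"traditional": StatefulFirewall("10.", {443}), "ngfw": NextGenFirewall("10.", {443}, {"ssh"})}
    return {n: {k: fw.decide(p) for k, p in traffic.items()} for n, fw in firewalls.items()}
```

Both firewalls reject the unsolicited inbound packet and accept the web session and its reply, but only the NGFW notices that the "ssh_on_443" flow carries SSH rather than TLS and denies it under the application policy.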

Quality of Service management

Your new NGFW should be able to manage the Quality of Service (QoS) on a network. Whether by prioritizing packets or by managing bandwidth allotment, it sequences incoming packets as they arrive at its perimeter and queues outgoing packets in the right order as it transmits them. This keeps the network at optimal performance speeds while avoiding packet loss.

At the very least, you should be able to implement clusters so you can use your NGFW for load balancing and as a failsafe against network crashes or congestion.

Antivirus and packet decryption capabilities

Although your network will almost certainly have a stand-alone antivirus solution, antivirus must also be part of your new NGFW’s feature set. It should be able to stop attacks before they enter the network, thus augmenting the capabilities of the main antivirus solution.

Apart from being able to thwart attempts at passing malicious packets through the network’s perimeter defenses, an NGFW should be able to analyze all packets being transported within the network. Since they are already behind the defenses, these packets could be just as exploitative as their “foreign” counterparts, if not even more so, and in an even sneakier way.

Identity control

A critical part of network security is keeping track of users. Everyone that accesses the network (from within or without) needs to do so according to the authority they have been granted. Each role and permission they are assigned is set by the administrator who should also be able to enforce these access policies via the NGFW or a third-party monitoring solution.

This means an NGFW should always be able to work with the other identity control applications (Active Directory, for example) that already exist on the network. This brings us to…

Seamless integration

An NGFW, despite its multiple capabilities, still needs to work with other systems that are installed on the very network it is expected to protect. It should, therefore, be able to integrate seamlessly with other security systems on the network.

For example, the network could have a system in place to help manage and protect the NGFW itself (SolarWinds Network Firewall Security Management Software comes to mind here), and that system needs to interact with it.

Another example: the detection of any malware packets by the NGFW should be able to trigger further scrutiny from a Security Information and Event Management (SIEM) solution.

This way, the defense of the network, and of the defender itself, becomes a coordinated, well-informed affair.

Price tag

Not all NGFW solutions are created equal, and they all have different price tags. While there is no arguing that investing in this particular network security solution is a smart idea, a cost-benefit analysis still needs to be done when it comes to choosing brands, the quality of their products, and how much they cost.

Once a selection has been made, negotiations should then be considered to see if a discount can be arranged depending on the number of users or the size of the network that needs protection. Of course, the prices of additional remote monitoring and reporting tools shouldn’t be forgotten.

Available support

The final point that needs to be considered is after-sales support. As good as the NGFW may be, the vendor should be able to provide round-the-clock support (at a reasonable price) because of the sensitive task their product is expected to undertake. They should be able to guarantee rapid response times in crisis situations and the expertise required to handle extreme and time-sensitive cases.

A point to be made here is that the amount of support you will need is inversely proportional to the amount of in-house technical know-how you have. So, calculate wisely.

Final thoughts on NGFWs and the future

As a final thought, it needs to be said that attacks on networks continue to be a fast-evolving phenomenon that any security solution struggles to stay ahead of. For now, an NGFW is one of the best solutions available for keeping a network secure.

But, unfortunately, as more and more businesses adopt cloud technology, the boundaries of their networks are slowly beginning to vanish. Also, cloud solution providers usually implement their own security solutions, which makes it redundant – and even a deterrent – to have non-cloud technologies protecting the network and its assets. And in some instances, it makes more economic sense to invest in SaaS solutions than to even consider implementing a network, making businesses reluctant to invest in security they believe will soon go extinct.

And finally, with more and more employees working remotely, the boundaries have (in their case, at least) completely vanished; each individual laptop becomes the boundary. It wouldn’t make sense to put an NGFW between them and their sources of data.

Therefore, our final advice would be: unless you have a well-established and large network, perhaps, you should consider moving to the cloud and staying ahead of the curve instead of going out to get a new, but rapidly becoming obsolete, technology.

Next-generation firewall FAQs

Which NGFW feature allows a network admin to restrict traffic generated by a specific game?

Application awareness is a key feature of NGFWs and it identifies the source application of traffic, even down to the software, such as a specific game.

What features distinguish an NGFW from traditional firewalls?

Stateful firewalls were once considered cutting edge. However, NGFWs are a rank above them, and so stateful firewalls are now considered by many to be “traditional.” An NGFW must at least be able to examine traffic across packets (which is what stateful means). It also needs to be able to establish a baseline of activity so that it can spot anomalous traffic. This is an AI-based technique that uses machine learning and is called user and entity behavior analytics (UEBA). An NGFW should also be able to interact with other services that might be provided by different producers. This ability is called SOAR, which stands for security orchestration, automation, and response.

What is a use case for deploying Palo Alto Networks NGFW in the public cloud?

Palo Alto produces its NGFW with a number of deployment options. Probably the best option for protecting cloud-based assets, such as AWS and Azure accounts, is the Cloud-Delivered Security Services (CDSS) package. This is a Firewall as a Service (FWaaS), which means that it is hosted by Palo Alto. This position enables the services to protect any asset anywhere, so it can include both on-site and cloud systems in a single firewall protection plan.