A next-generation firewall (NGFW) (as the name implies) is the latest evolution in firewall technology. It can address advanced security threats at an application level thanks to a combination of traditional firewall capabilities (like packet filtering) with intelligent and more context-aware features to make better decisions about which traffic to allow.
Forms/Types of Next-Generation Firewall
There are different types of Next-Generation Firewall to consider:
- Hardware-based NGFWs: These are physical appliances that sit at the network perimeter and handle all traffic inspection. It’s most often used by large companies with high network traffic volume, like data centers, enterprises with thousands of employees, and critical infrastructure providers. While it offers dedicated resources and high performance, it is expensive to set up and maintain and is difficult to scale.
- Software-based NGFWs: Software-based NGFWs are installed on existing hardware, offering flexibility and cost-effectiveness compared to dedicated appliances. It’s suitable for smaller organizations or even in specific departments of larger companies, e.g., branch offices and remote access setups. It’s easier to deploy on existing infrastructure, but performance can vary.
- Cloud-based NGFWs: With this product, the NGFW is delivered as a service from a cloud provider, eliminating on-premises hardware and software management. It’s best for organizations with distributed networks, limited IT resources, or needing quick scalability. Examples include companies with remote workers, multi-cloud environments, or rapid business growth.
- Firewall as a Service (FWaaS): FWaaS refers to a specific type of cloud-based NGFW where the provider manages the entire infrastructure and delivers it as a subscription. It’s used in a similar way to cloud-based NGFWs but ideal for organizations that want a completely managed security solution and expertise. It’s convenient and often comes with additional security features offered by the provider, but costs may be higher compared to self-managed options.
- Ruggedized NGFWs: NGFWs are designed for harsh environments like industrial settings or outdoor deployments, featuring extreme temperature tolerance, vibration resistance, and dust proofing. It’s used in factories, on oil and gas rigs, and in powerwalls. It’s a higher cost, and its specialized features are designed for very specific applications.
- Network Function Virtualization (NFV) NGFWs: These software-based NGFWs are designed to run on virtualized network infrastructure, offering flexibility and scalability in cloud and hybrid environments. They are best for companies looking for cloud-native deployments and require more expertise.
Imagine the internet as the postal system and your computer as an important facility like the White House. The mail arrives in envelopes, each with a destination address (IP address) and a general idea of what’s inside (data).
Now, think of the traditional firewall as a mailroom employee. This employee checks the envelopes’ addresses (IP headers) and allows or blocks them based on that information, e.g., throwing out junk mail. A regular mailroom employee can provide some security, but you probably want a little more protection, considering the way the world has changed.
The next-generation firewall is like the security detail at the White House. It not only checks the addresses (IP headers) but also opens the envelopes to inspect the actual content inside (data). This security detail can understand what kind of information is being sent, whether it’s a letter, a picture, or something else. This way, it can make more informed decisions about whether to allow or block the mail based on its content.
In technical terms, the traditional firewall operates up to level 4, which is like just checking the destination addresses (IP headers). The next-generation firewall goes a step further and operates up to level 7, which involves understanding and analyzing the content of the data, like looking inside the envelopes.
Just like in the real world, where some harmful things may be hidden inside letters, there are cyber threats that hide in the data being sent over the internet. Attacks that occur at levels 4-7 of the OSI model are on the rise, so having a next-generation firewall that can thoroughly inspect and understand the content helps to better protect your computer (White House) from potential dangers hiding in the data packets (mail).
Why Should Businesses Care About an NGFW?
So, why should your business – particularly a smaller business – care about having a next-generation firewall in place?
Reason #1: Better Protection
NGFWs go beyond traditional firewalls by inspecting traffic at the application layer (Layer 7), not just ports and addresses. This allows them to identify and block malicious content, malware, and unauthorized applications hidden within data packets, providing a stronger defense against modern cyber threats. NGFWs can identify and block suspicious activity even before it becomes a full-blown attack, potentially saving your business from data breaches, financial losses, and reputational damage.
Reason #2: More Efficiency
Many NGFWs offer centralized management consoles, simplifying security policy configuration and monitoring for multiple users and devices, saving time and resources.
NGFWs can automate tasks like threat detection, reporting, and updates, freeing up your IT staff to focus on other critical tasks.
Reason #3: Cost savings
While there is an initial investment in an NGFW, the potential cost savings from preventing cyberattacks can be significant. Data breaches, ransomware attacks, and downtime can be incredibly expensive, making proactive security a worthwhile investment. Many vendors offer managed NGFW services, eliminating the need for in-house security expertise and reducing overall IT management costs.
Reason #4: Compliance
Depending on your industry, you may be required to comply with specific data security regulations. NGFWs can help you meet these compliance requirements by providing robust security controls and audit trails.
Reason #5: Peace of Mind
Knowing you have a strong security solution in place can give you and your employees peace of mind. You and your team can focus on running your business without constantly worrying about cyber threats.
Next-Generation Firewall and Your Broader Cybersecurity Program
Next-generation firewalls are often mentioned in relation to broader cybersecurity frameworks:
NGFWs can help mitigate various tactics and techniques outlined in the MITRE ATT&CK framework, particularly those that fall under the “Lateral Movement,” “Command and Control,” and “Data Exfiltration” phases of an attack. By inspecting traffic at the application layer and identifying malicious applications or protocols, NGFWs can hinder attackers’ ability to move laterally within your network, establish communication channels, and exfiltrate sensitive data.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
NGFWs can support various functions and categories within the NIST CSF, such as:
- Identify: NGFWs can help identify assets, threats, and vulnerabilities related to network traffic.
- Protect: NGFWs offer various protective measures like filtering, inspection, and intrusion prevention.
- Detect: NGFWs can detect suspicious activity and potential attacks through deep packet inspection and anomaly detection.
- Respond: NGFWs can facilitate incident response by providing logs and forensic data for analysis.
- Recover: NGFWs can aid in recovery by helping to isolate infected systems and prevent further damage.
CIS Controls
The Center for Internet Security (CIS) Controls includes several recommendations directly related to NGFWs, such as:
- Control 3: Implement Network Segmentation: NGFWs enable granular segmentation by filtering traffic based on applications, users, and destinations, isolating sensitive systems, and reducing the attack surface.
- Control 4: Harden Network Devices and Systems: NGFWs themselves benefit from hardening practices like strong passwords, disabled unused ports, and regular updates, ensuring their own security.
- Control 5: Continuously Monitor and Log Network Activity: NGFWs generate detailed logs on network traffic, enabling continuous monitoring for suspicious activity and incident response.
- Control 6: Implement a Security Information and Event Management (SIEM) System: NGFW logs can be integrated with SIEM systems for centralized analysis and correlation with other security events.
Related Systems or Technologies
Next-generation firewalls come with a mix of the following features, though the exact list depends on the provider:
- Application awareness: Application awareness means being able to filter data and set complex rules based on the application itself, not just the port it’s on. One important thing about next-generation barriers is this: In addition to having more control over individual apps, they can block data from certain ones.
- Deep-packet inspection: Deep-packet inspection looks at the data that is sent in packets. Deep-packet inspection is better than older firewall technology, which only looks at the IP header of a message to figure out where it came from and where it was going.
- Intrusion Prevention System (IPS): IPS checks the network for bad behavior and stops it when it happens. This tracking can be based on signatures (comparing activity to known threat signatures), policies (stopping activity that breaks security rules), or anomalies (looking for strange behavior).
- External threat intelligence: External threat intelligence means talking to a threat intelligence network to get the most up-to-date information on threats and find bad actors.
Along with these basic features, next-generation firewalls might also have extra ones, like antivirus and malware defense. They can also be set up as a Firewall as a Service (FWaaS), which is a cloud-based service that makes it easier to maintain and allows for more growth.
With FWaaS, the service provider takes care of the firewall software, and resources grow or shrink automatically to meet processing needs. This frees up corporate IT teams from having to deal with upgrades, patches, and sizing.
Related Regulations and Compliance Goals
Having an NGFW can help companies comply with regulations and compliance frameworks, including:
NGFWs assist in GDPR compliance by monitoring and controlling the flow of data. They can inspect traffic to ensure that personal data is handled securely, implementing features like data loss prevention (DLP) and encryption to protect sensitive information.
California Consumer Privacy Act (CCPA)
Similar to GDPR, NGFWs contribute to CCPA compliance by regulating data access and preventing unauthorized transmission of sensitive information. They help in securing personal data, aligning with the principles of data protection.
NGFWs are instrumental in meeting PCI DSS requirements. They secure network perimeters, filter out malicious traffic, and prevent unauthorized access to credit card data, thus ensuring the protection of cardholder information.
In the healthcare sector, NGFWs aid HIPAA compliance by safeguarding patient data. They help prevent unauthorized access, breaches, and disclosures of sensitive health information.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
NGFWs align with NIST CSF by supporting various functions and categories within the framework. They contribute to securing sensitive information and demonstrating adherence to cybersecurity best practices.
