What Is a Next-Generation Firewall?

A next-generation firewall (NGFW) is the convergence of traditional firewall technology with other network device filtering functions, such as inline application control, an integrated intrusion prevention system (IPS), threat prevention capabilities, and antivirus protection, to improve enterprise network security.


Next-Generation Firewall vs. Traditional Firewall

Traditional firewalls use only Layers 3 and 4 of the Open Systems Interconnection (OSI) model (the network and transport layers) to inform their actions, managing network traffic between hosts and end systems to ensure complete data transfers. They allow or block traffic based on port and protocol, leverage stateful inspection, and make decisions based on defined security policies.

As advanced threats such as ransomware began to emerge, these stateful firewalls were easily bypassed day in and day out. Needless to say, an enhanced, more intelligent security solution was in high demand.

Enter the NGFW, introduced by Gartner more than a decade ago as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-layer inspection, intrusion prevention, and bringing intelligence from outside the firewall.” It touted all the features one would expect from a traditional firewall, but with more granular capabilities that allow for even tighter policies for identity, user, location, and application.

The next-gen firewall capabilities are actually a core requirement. It was one of the primary considerations in selecting Zscaler. We hadn't found any of the other cloud services that actually had a full protocol next-gen capability.

Ken Athanasiou, CISO and Vice President, AutoNation

NGFW Features

Next-generation firewalls are still in use today, and they offer a host of benefits that place them above their predecessors for on-premises network and application security.

  • Application control: NGFWs actively monitor which applications (and users) are bringing traffic to the network. They have an innate ability to analyze network traffic to detect application traffic, regardless of port or protocol, increasing overall visibility.
  • IPS: At its core, an IPS is designed to continuously monitor a network, look for malicious events, then take careful action to prevent them. The IPS can send an alarm to an administrator, drop the packets, block the traffic, or reset the connection altogether.
  • Threat intelligence: This can be described as the data or information collected by a variety of nodes across a network or IT ecosystem that helps teams understand the threats that are targeting—or have already targeted—an organization. This is an essential cybersecurity resource.
  • Antivirus: As the name suggests, antivirus software detects viruses, responds to them, and updates its detection functionality to counter the ever-changing threat landscape.

What Does an NGFW Do?

When it comes to securing corporate networks, NGFWs go beyond the call of duty compared to traditional firewalls. They dig deeper into network traffic to understand where it’s coming from. As a result, they’re able to collect a greater body of knowledge about malicious traffic and its embedded threats that are constantly trying to infiltrate the network perimeter, access corporate data, and ruin an organization’s reputation.

Where a traditional firewall only operates at Layers 3 and 4, NGFWs can operate all the way up to Layer 7—the application layer. This means app-level threats, which are among the most dangerous and invasive, are stopped before they breach, saving time and cost in remediation.
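To make the Layer 3/4 versus Layer 7 distinction concrete, here is an added illustration (not Zscaler's code and not a real firewall engine): a port-only rule beside a payload-aware application classifier, so that an SSH session carried over TCP/443 passes the port rule but is caught by the application rule. All packets, payloads, and policy names below are constructed for this example, and the signatures are deliberately simplified.

```python
# Added illustration (not Zscaler code, not a real firewall): a port-only
# Layer 3/4 rule beside a payload-aware Layer 7 classifier. All packets
# and payloads below are constructed for the example.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # first bytes of the flow, as a DPI engine would see them

# Layer 3/4 policy: only protocol and destination port are consulted.
L4_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}

def l4_decision(pkt: Packet) -> str:
    return "allow" if (pkt.proto, pkt.dport) in L4_ALLOW else "deny"

def identify_app(payload: bytes) -> str:
    """Layer 7 identification from the first bytes of a flow, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03" and payload[5:6] == b"\x01":
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"

# Layer 7 policy: only the applications the business expects may pass.
L7_ALLOW = {"http", "tls"}

def l7_decision(pkt: Packet) -> str:
    app = identify_app(pkt.payload)
    return ("allow" if app in L7_ALLOW else "deny") + ":" + app

# Constructed flows: the SSH session on TCP/443 passes the port rule but not the app rule.
SAMPLE_FLOWS = {
    "web": Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "tls": Packet("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # truncated ClientHello
    "ssh_on_443": Packet("tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ssh_on_22": Packet("tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
}

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {name: (Layer 3/4 verdict, Layer 7 verdict)} for each flow."""
    return {name: (l4_decision(p), l7_decision(p)) for name, p in flows.items()}
```

Calling `compare()` shows the port rule waving the hidden SSH session through while the application rule denies it; a production engine would also track flow state and handle encrypted and fragmented payloads, which this sketch omits.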

Why Do I Need an NGFW?

Today’s cyberthreat landscape demands robust threat protection, and traditional firewalls aren’t up to the task. NGFWs can block malware, and they’re better equipped to thwart advanced persistent threats (APTs), such as Cozy Bear, responsible for the SUNBURST supply chain attack of 2020, and Deep Panda, who are notorious for exploiting the Log4Shell vulnerability.

Plus, with integrated threat intelligence and options for networking and security automation, NGFWs have given organizations the opportunity to not only simplify security operations but also take the first step toward a fully realized security operations center (SOC).

All of this potential upside, however, comes with a set of drawbacks.

Challenges for NGFWs

While NGFWs can provide a great deal of benefit, they lack the required functionality to serve today’s distributed workforces.

For example, backhauling traffic to an NGFW made sense when applications resided in the data center and when most users—and therefore endpoints—were in corporate or regional offices. But today’s applications have been moved to the cloud to support work-from-anywhere, a trend that’s rendered traditional networking and security tools, including NGFWs and VPNs, insufficient due to their lack of scalability.

The most commonly used cloud applications, such as Microsoft 365, were designed to be accessed directly via the internet. To establish such connections, companies must route internet traffic locally to deliver a fast user experience, meaning routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.

If you wanted to secure local internet breakouts with NGFWs, you would need to replicate the corporate security stack at every location. Namely, you would need to deploy NGFWs or stacks of security appliances in every branch office, which is unviable due to the cost and complexity of deploying and managing so many firewalls.

Additionally, NGFWs were never designed to support cloud applications. They’re easily overwhelmed by cloud apps because they can’t scale to support the high volume of long-lived connections the apps create, so they lack cloud application awareness by default.

What’s more, they can’t natively handle SSL-encrypted traffic, which has become increasingly important as almost all of today’s web traffic is encrypted. To execute SSL inspection, NGFWs must bolt on proxy capabilities that execute SSL inspection in software, rather than at the chip level. This not only impacts performance and hampers user experience, but also allows new security threats such as advanced malware through.

Why Cloud Firewalls Are the Future

The next-generation firewalls (NGFWs) in use today were architected more than a decade ago. Today’s enterprises are cloud-first, and they need more dynamic, modern capabilities to establish security and access controls to protect their data—capabilities that NGFWs were not designed to deliver.

Companies do still need enterprise firewall capabilities across their local internet breakouts, especially as they continue to leverage cloud providers such as AWS and Azure. NGFWs weren’t designed to support cloud applications and infrastructure, and their virtual firewall counterparts are equally limited and present the same challenges as traditional NGFW appliances.

It makes sense, then, that as your apps move to the cloud, your firewalls follow suit.

4 Core Benefits of Cloud Firewalls

  • Proxy-based architecture: This design dynamically inspects network traffic for all users, applications, devices, and locations. It natively inspects SSL/TLS traffic at scale to detect malware hidden in encrypted traffic. Plus, it enables granular network firewall policies spanning multiple layers based on network app, cloud app, fully qualified domain name (FQDN), and URL.
  • Cloud IPS: A cloud-based IPS delivers always-on threat protection and coverage, regardless of connection type or location. It inspects all user traffic on and off network, even hard-to-inspect SSL traffic, to restore full visibility into user, app, and internet connections.
  • DNS security and control: As the first line of defense, a cloud firewall protects users from reaching malicious domains. It optimizes DNS resolution to provide a better user experience and cloud application performance, which is especially critical for CDN-based apps. It also provides granular controls to detect and prevent DNS tunneling.
  • Visibility and simplified management: A cloud-based firewall delivers real-time visibility, control, and immediate security policy enforcement across the platform. It logs every session in detail, and uses advanced analytics to correlate events as well as provide insight into threats and vulnerabilities for all users, applications, APIs, and locations from a single console.

Only a handful of providers can implement a full suite of cloud firewall capabilities, and only one can offer it as a part of a comprehensive, proven cloud security platform.

Zscaler Cloud Firewall

The Zscaler Cloud Firewall delivers more power than NGFW appliances without the cost and complexity. Part of the integrated Zscaler Zero Trust Exchange™, it brings next-gen firewall controls and advanced security to all users, in all locations, for all ports and protocols. It enables fast and secure local internet breakouts and, because it’s 100% in the cloud, there’s no hardware to buy, deploy, or manage.

NGFWs leave you bolting on countless security capabilities, making for a rigid and weak posture overall. Zscaler Cloud Firewall allows you to:

  • Define and immediately enforce granular firewall policies
  • Go from overall visibility to actionable information in real time
  • Deliver always-on IPS to all your users

Still relying on legacy NGFWs? Is your organization as secure as it should be? Request a demo to learn how a cloud firewall can provide greater security than an NGFW.
