What is next-generation firewall?
A next-generation firewall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functions, such as in-line deep packet inspection (DPI) and an intrusion prevention system (IPS).
The concept of the NGFW was introduced a decade ago by Gartner. According to Gartner, NGFWs are “deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
Traditional firewalls operated at Level 3 and Level 4, and allowed or blocked traffic based on port and protocol, leveraged stateful inspection, and made decisions based upon defined policies. As attacks evolved and became more sophisticated, attackers were able to bypass the stateful inspection firewalls, making enhanced security more critical.
NGFWs emerged to provide all the capabilities of a traditional firewall, and the additional capabilities of application control and integrated intrusion prevention. They also provided more granular capabilities to identity user, location, and application.
The next gen firewall capabilities are actually a core requirement. It was one of the primary considerations in selecting Zscaler. We hadn't found in any of the other cloud services that actually had a full protocol next gen capability.Ken Athanasiou, CISO and vice president, AutoNation
Challenges for NGFW
Backhauling traffic to a NGFW at a corporate or regional data center made sense when applications resided in the corporate data center, and the majority of workers were found in corporate or regional offices. However, applications began moving out of the data center and into the cloud, and organizations had increasing numbers of remote branches and workers. The workforce moved off the corporate network and began connecting from everywhere, making traditional approaches to networking and security, including the NGFW, insufficient.
Cloud applications, such as Salesforce and Microsoft Office 365, were designed to be accessed directly via the internet. Therefore, internet traffic must be routed locally to deliver a fast user experience. Routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.
However, traditional security for local internet breakouts means organizations would need to replicate the corporate security stack at every location. This requires deploying NGFWs or stacks of security appliances in every branch office, an option that is simply not viable in terms of the cost and complexity of deploying and managing them all.
In addition, NGFWs were never designed to support cloud applications. NGFWs are easily overwhelmed by cloud apps, because they cannot scale to support the high volume of long-lived connections the apps create. They also cannot natively handle SSL-encrypted traffic. This has become increasingly important with the exponential growth in encrypted traffic during the past several years. To execute SSL inspection, NGFWs must bolt-on proxy capabilities that execute SSL inspection in software, rather than at the chip level. This has a significant impact upon performance, and results in a negative user experience.
Better in the cloud
The next-generation firewalls (NGFWs) in use today were architected more than a decade ago. But, providing security and access controls for the cloud-first enterprise requires dynamic capabilities that NGFWs were not designed to deliver.
As organizations embrace a cloud-first approach, they still need to deliver enterprise firewall capabilities across their local internet breakouts. Unfortunately NGFWs are not designed to support cloud applications, and their virtual firewall counterparts leave you with many of the same limitations and challenges as traditional NGFW appliances. It makes sense that as applications are moving to the cloud, your firewalls move to the cloud as well.
A cloud-based firewall provides multiple benefits over appliance-based NGFWs, including:
- Proxy-based architecture - This design dynamically inspects traffic for all users, applications, devices, and locations. It natively inspects SSL/TLS traffic—at scale—to detect malware hidden in encrypted traffic. And, it enables granular firewall policies spanning multiple layers based on network app, cloud app, domain name (FQDN), and URL. A proxy-based architecture is required to stop today's advanced threats.
- Cloud IPS - A cloud-based intrusion prevention system (IPS) delivers always-on threat protection and coverage, regardless of connection type or location. It inspects all user traffic on and off network, even hard-to-inspect SSL traffic, to restore full visibility into user, app, and internet connections.
- DNS security and control - As the first line of defense, a cloud firewall protects users from reaching malicious domains. It optimizes DNS resolution to provide a better user experience and cloud application performance, which is especially critical for CDN-based apps. And, it provides granular controls to detect and prevent DNS tunneling.
- Visibility and simplified management - A cloud-based firewall delivers real-time visibility, control, and immediate policy enforcement across the platform. It logs every session in detail, and uses advanced analytics to correlate events and provide insight into threats and vulnerabilities for all users, applications, and locations from a single console.
See the difference for yourself