What Is a Next-Generation Firewall?

NGFW Features

Next-generation firewalls are still in use today, and they offer a host of benefits that place them above their predecessors for on-premises network and application security.

• Application control: NGFWs actively monitor which applications (and users) are bringing traffic to the network. They have an innate ability to analyze network traffic to detect application traffic, regardless of port or protocol, increasing overall visibility.
• IPS: At its core, an IPS is designed to continuously monitor a network, look for malicious events, then take careful action to prevent them. The IPS can send an alarm to an administrator, drop the packets, block the traffic, or reset the connection altogether.
• Threat intelligence: This can be described as the data or information collected by a variety of nodes across a network or IT ecosystem that helps teams understand the threats that are targeting—or have already targeted—an organization. This is an essential cybersecurity resource.
• Antivirus: As the name suggests, antivirus software detects viruses, responds to them, and updates detection functionality to oppose the ever-changing threat landscape.
   

What Does an NGFW do?

When it comes to securing corporate networks, NGFWs go beyond the call of duty compared to traditional firewalls.

They dig deeper into network traffic to understand where it’s coming from. As a result, they’re able to collect a greater body of knowledge about malicious traffic and its embedded threats that are constantly trying to infiltrate the network perimeter, access corporate data, and ruin an organization’s reputation.

Where a traditional firewall only operates at Layers 3 and 4, NGFWs can operate all the way up to Layer 7—the application layer. This means app-level threats, which are some of the most dangerous and penetrative, are stopped before they breach, saving time and cost in remediation.

Why Do I Need an NGFW?

Today’s cyberthreat landscape demands robust threat protection, and traditional firewalls aren’t up to the task.

NGFWs can block malware, and they’re better equipped to thwart advanced persistent threats (APTs), such as Cozy Bear, responsible for the SUNBURST supply chain attack of 2020, and Deep Panda, who are notorious for exploiting the Log4Shell vulnerability.

Plus, with integrated threat intelligence and options for networking and security automation, NGFWs have given organizations the opportunity to not only simplify security operations but also take the first step toward a fully realized security operations center (SOC).

All of this potential upside, however, comes with a set of drawbacks.
 

Challenges for NGFWs

While NGFWs can provide a great deal of benefit, they lack the required functionality to serve today’s distributed workforces.

For example, backhauling traffic to an NGFW made sense when applications resided in the data center and when the most—and therefore endpoints—were in corporate or regional offices.

But today’s applications have been moved to the cloud to support work-from-anywhere, a trend that’s rendered traditional networking and security tools, including NGFWs and VPNs, insufficient due to their lack of scalability.

The most commonly used cloud applications, such as Microsoft 365, were designed to be accessed directly via the internet. To establish such connections, companies must route internet traffic locally to deliver a fast user experience, meaning routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.

If you wanted to secure local internet breakouts with NGFWs, you would need to replicate the corporate security stack at every location. Namely, you would need to deploy NGFWs or stacks of security appliances in every branch office, which is unviable due to the cost and complexity of deploying and managing so many firewalls.

Additionally, NGFWs were never designed to support cloud applications. They’re easily overwhelmed by cloud apps because they can’t scale to support the high volume of long-lived connections the apps create, which denies them cloud application awareness by default.

What’s more, they can’t natively handle SSL-encrypted traffic, which has become increasingly important as almost all of today’s web traffic is encrypted. To execute SSL inspection, NGFWs must bolt on proxy capabilities that execute SSL inspection in software, rather than at the chip level. This not only impacts performance and hampers user experience, but also allows new security threats such as advanced malware through.

Why Cloud Firewalls are the Future

The next-generation firewalls (NGFWs) in use today were architected more than a decade ago. Today’s enterprises are cloud-first, and they need more dynamic, modern capabilities to establish security and access controls to protect their data—capabilities that NGFWs were not designed to deliver.

Companies do still need enterprise firewall capabilities across their local internet breakouts, especially as they continue to leverage cloud providers such as AWS and Azure. Unfortunately, NGFWs weren’t designed to support cloud applications and infrastructure, and their virtual firewall counterparts are equally limited and present the same challenges as traditional NGFW appliances.

It makes sense, then, that as your apps move to the cloud, your firewalls follow suit.