What Is a Next-Generation Firewall?

Next-Generation Firewall vs. Traditional Firewall

Traditional firewalls operate on Layers 3 and 4 of the Open Systems Interconnection (OSI) model to inform their actions, managing network traffic between hosts and end systems. They allow or block traffic based on port and protocol, leverage stateful inspection, and make decisions based on defined security policies.

As advanced threats such as ransomware began to emerge, stateful firewalls were easily bypassed, creating high demand for an enhanced, more intelligent security solution.

Enter the NGFW, introduced by Gartner (circa 2007) as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-layer inspection, intrusion prevention, and bringing intelligence from outside the firewall.” It touted all the features of a traditional firewall, but with more granular capabilities that allow for policies based on identity, location, application, and content.

How Do NGFWs Work?

Compared to traditional firewalls, NGFWs dig deeper into network traffic to understand where it’s coming from. They’re able to collect a greater body of knowledge about malicious traffic and embedded threats trying to infiltrate the network perimeter and access corporate data.

While a traditional firewall only operates at OSI Layers 3 and 4, NGFWs can operate at Layer 7—the application layer. This means app-level threats, which are some of the most dangerous and penetrative, are stopped before they breach, saving time and cost in remediation.

What Are the Capabilities of an NGFW?

NGFWs, like their stateful inspection predecessors, provide basic firewall functions such as URL filtering, antivirus, and support for remote access VPNs, but they stand above stateful inspection firewalls with a number of advanced security features:

• Application awareness allows for granular policy enforcement and application control based on specific applications, their content, traffic source and destination, and more, rather than being restricted enforcement by port, protocol, and IP address.
• Deep packet inspection (DPI) analyzes the content of network packets to identify application-level details and pinpoint threats hiding in otherwise legitimate traffic.
• Intrusion prevention system (IPS) functionality detects and blocks both known and unknown threats by inspecting traffic for suspicious patterns and behaviors.
• User identification enables the NGFW to associate network activity with specific users, not just the places they connect, for use in user-based policies and monitoring.
• TLS/SSL inspection deciphers and inspects TLS/SSL-encrypted traffic—the overwhelming majority of traffic today—to find hidden threats. (However, inspection is highly processor-intensive, hampering performance on hardware-constrained firewalls.)
• Threat intelligence integration enables an NGFW to update protections based on newly discovered threats across multiple sources, including the organization’s own network nodes as well as public and third-party feeds.

Why Do I Need an NGFW?

Today’s cyberthreat landscape demands robust threat protection, and traditional firewalls aren’t up to the task. NGFWs can block advanced malware, and they’re better equipped to thwart advanced persistent threats (APTs), such as Cozy Bear, responsible for the SUNBURST supply chain attack of 2020, and Deep Panda, who are notorious for exploiting the Log4Shell vulnerability.

Plus, with integrated threat intelligence and options for networking and security automation, NGFWs have given organizations the opportunity to not only simplify security operations, but also take the first step toward a fully realized security operations center (SOC).

All of this potential upside, however, comes with some challenges.

Challenges for NGFWs

Limited by their hardware, there are many cases where physical NGFW appliances can’t effectively perform to meet the needs of today’s modern environments, introducing multiple issues.

Backhauling Traffic for Security

Backhauling to an NGFW made sense when data centers, endpoints, and resources were mostly on-premises. But now, as user mobility and cloud adoption continue to trend upward, NGFW hardware in a traditional data center just can’t keep up.

Cloud apps like Microsoft 365 are designed to be accessed directly via the internet. But for VPNs and NGFWs in an organization’s data center to provide access and security, all traffic needs to go through that data center, slowing everything down. To deliver a fast user experience, organizations need to route internet traffic locally.

Securing Local Internet Breakouts

You can secure local internet breakouts with NGFW hardware, but to do so, you need a separate security stack in each location—NGFWs and potentially more appliances in every branch office, all of which need to be manually deployed, maintained, and eventually replaced, which can quickly get prohibitively complex and expensive.

Inspecting TLS/SSL-Encrypted Traffic

Almost all of today’s web traffic is encrypted. To perform SSL inspection, most NGFWs use bolt-on proxy capabilities that execute the inspection in software, rather than at the chip level. This heavily impacts performance, which hurts the user experience—but without inspection, you’re blind to more than 85% of attacks.

Types of NGFW

By definition, NGFWs are deep-packet inspection firewalls that operate at the application level and include intrusion prevention as well as threat intelligence integration. Core functionality aside, NGFWs come in three distinct form factors:

• Hardware NGFWs are physical appliances built for on-premises deployment. As dedicated security hardware, these NGFWs are used mostly in data centers or for other use cases that call for physical appliances.
• Virtual NGFWs are software-based and run on virtual machines (VMs). They're flexible and scalable enough to be better suited for virtualized and cloud-based apps and services than hardware-only NGFWs, but they still rely on their organization’s own infrastructure, and are constrained by the processing power of the hardware from which they’re partitioned.
• Cloud-based NGFWs deliver third-party firewall services from the cloud, enabling them to secure traffic that doesn't pass through a traditional data center. They're designed for securing cloud native environments, distributed networks, and remote users, offering increased scalability and centralized security management.

Why Cloud Firewalls Are the Future

Today’s enterprises are cloud-first, and they need more dynamic, modern capabilities to establish security and access controls to protect their data—capabilities that NGFWs weren’t built to deliver.

Companies do still need enterprise firewall capabilities across their local internet breakouts, especially as they continue to leverage cloud providers such as AWS and Azure. NGFWs weren’t designed to support cloud applications and infrastructure, and their virtual firewall counterparts are equally limited and present the same challenges as traditional NGFW appliances.

It makes sense, then, that as your apps move to the cloud, your firewalls follow suit.

4 Core Benefits of Cloud Firewalls

• Proxy-based architecture: This design dynamically inspects network traffic for all users, applications, devices, and locations. It natively inspects SSL/TLS traffic at scale to detect malware hidden in encrypted traffic. Plus, it enables granular network firewall policies spanning multiple layers based on network app, cloud app, fully qualified domain name (FQDN), and URL.
• Cloud IPS: A cloud-based IPS delivers always-on threat protection and coverage, regardless of connection type or location. It inspects all user traffic on and off network, even hard-to-inspect SSL traffic, to restore full visibility into user, app, and internet connections.
• DNS security and control: As the first line of defense, a cloud firewall protects users from reaching malicious domains. It optimizes DNS resolution to provide a better user experience and cloud application performance, which is especially critical for CDN-based apps. It also provides granular controls to detect and prevent DNS tunneling.
• Visibility and simplified management: A cloud-based firewall delivers real-time visibility, control, and immediate security policy enforcement across the platform. It logs every session in detail, and uses advanced analytics to correlate events as well as provide insight into threats and vulnerabilities for all users, applications, APIs, and locations from a single console.

Only a handful of providers can implement a full suite of cloud firewall capabilities, and only one can offer it as a part of a comprehensive, proven cloud security platform.

Zscaler Cloud Firewall

Zscaler Firewall delivers more power than NGFW appliances without the cost and complexity. Part of the integrated Zscaler Zero Trust Exchange™, it brings next-gen firewall controls and advanced security to all users, in all locations, for all ports and protocols. It enables fast and secure local internet breakouts and, because it’s 100% in the cloud, there’s no hardware to buy, deploy, or manage.

NGFWs leave you bolting on countless security capabilities, making for a rigid and weak posture overall. Zscaler Firewall allows you to:

• Define and immediately enforce granular firewall policies
• Go from overall visibility to actionable information in real time
• Deliver always-on IPS to all your users