Still relying on legacy NGFWs? Is your organization as secure as it should be? Request a demo to learn how a cloud firewall can provide greater security than an NGFW.
Traditional firewalls make their decisions at Layers 3 and 4 of the Open Systems Interconnection (OSI) model, the network and transport layers, so the only facts they see about a connection are its source and destination addresses, ports, and protocol. They allow or block traffic on those fields, use stateful inspection to track the connections they have already admitted, and enforce decisions according to defined security policies.
As advanced threats such as ransomware emerged, these stateful firewalls were bypassed routinely: a device that sees only addresses and ports cannot tell a malicious payload from a legitimate one when both arrive on an allowed port such as 80 or 443. An enhanced, more intelligent security solution was in high demand.
Enter the NGFW, introduced by Gartner more than a decade ago as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-layer inspection, intrusion prevention, and bringing intelligence from outside the firewall.” It touted all the features one would expect from a traditional firewall, but with more granular capabilities that allow for even tighter policies for identity, user, location, and application.
Next-generation firewalls are still in use today, and they offer a host of benefits that place them above their predecessors for on-premises network and application security.
When it comes to securing corporate networks, NGFWs go well beyond traditional firewalls. They inspect traffic more deeply to identify the application, user, and content behind each connection, not just its source address and port. As a result, they build a far larger body of knowledge about malicious traffic and the threats embedded in it, which constantly probe the network perimeter seeking access to corporate data and the means to damage an organization's reputation.
Where a traditional firewall only operates at Layers 3 and 4, NGFWs can operate all the way up to Layer 7, the application layer. This means application-level threats, among the most dangerous and hardest to detect, can be stopped at the perimeter rather than after a breach, saving remediation time and cost.
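To make the Layer 3/4 versus Layer 7 distinction concrete, here is an added example (not Zscaler's or any vendor's code) that evaluates the same constructed flows against a port-based rule set and against an application-aware rule set. The application is identified the way many NGFWs classify traffic, from the TLS server_name (SNI) extension of the ClientHello or from the HTTP Host header. The ClientHello builder is a minimal hypothetical one written for the example, and the hostnames, addresses, and rules are all constructed.

```python
"""Added illustration: a Layer 3/4 policy keyed on addresses, ports and
protocols beside a Layer 7 policy keyed on the application, which is
classified from TLS SNI or the HTTP Host header. Not vendor code; all
hosts, addresses, rules and payloads below are constructed samples."""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    first_bytes: bytes  # first client payload of the connection


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello carrying only a server_name extension (hypothetical client)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name type host_name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32       # client_version, random (zeroed)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # one compression method: null
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the server_name, or None if absent/malformed."""
    try:
        if data[0] != 0x16:                              # not a TLS handshake record
            return None
        hs = data[5:5 + int.from_bytes(data[3:5], "big")]
        if hs[0] != 0x01:                                # not a ClientHello
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big") # end of extensions block
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                               # server_name extension
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    nlen = int.from_bytes(hs[q + 1:q + 3], "big")
                    if hs[q] == 0:                       # host_name entry
                        return hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
                return None
            p += elen
    except IndexError:                                   # truncated record
        pass
    return None


def extract_http_host(data: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    lines = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


# Layer 3/4 policy: (src_prefix, dport, proto, action); first match wins.
L4_RULES = [("10.0.0.", 443, "tcp", "allow"),
            ("10.0.0.", 80, "tcp", "allow"),
            ("10.0.0.", None, None, "deny")]

# Layer 7 policy: every flow below on port 443 looks identical to L4_RULES.
APP_BY_HOST = {"outlook.office.com": "microsoft365",
               "login.microsoftonline.com": "microsoft365",
               "share.example.net": "personal-file-sharing"}   # constructed host
L7_RULES = {"microsoft365": "allow",
            "personal-file-sharing": "deny",
            "web-browsing": "allow"}          # unclassified traffic falls through to deny


def l4_decision(flow: Flow) -> str:
    for prefix, dport, proto, action in L4_RULES:
        if (flow.src.startswith(prefix) and dport in (None, flow.dport)
                and proto in (None, flow.proto)):
            return action
    return "deny"


def classify(flow: Flow) -> str:
    host = extract_sni(flow.first_bytes) or extract_http_host(flow.first_bytes)
    return "unknown" if host is None else APP_BY_HOST.get(host.lower(), "web-browsing")


def l7_decision(flow: Flow) -> str:
    return L7_RULES.get(classify(flow), "deny")


def compare(flow: Flow) -> tuple:
    """(Layer 3/4 verdict, Layer 7 verdict) for one flow."""
    return l4_decision(flow), l7_decision(flow)


if __name__ == "__main__":
    for port, payload in [(443, build_client_hello("outlook.office.com")),
                          (443, build_client_hello("share.example.net")),
                          (80, b"GET /up HTTP/1.1\r\nHost: share.example.net\r\n\r\n")]:
        print(port, compare(Flow("10.0.0.5", "203.0.113.10", port, "tcp", payload)))
```

The two file-sharing flows are allowed by the port-based rules because they use 443 and 80 like everything else, and are denied only once the firewall reads far enough into the first packet to learn which application is on the other end. The parser also illustrates the caveat that comes with Layer 7 classification: anything it cannot parse (a truncated ClientHello, Encrypted Client Hello, a non-HTTP protocol) is reported as unknown, and the policy has to say explicitly what happens to unknown traffic.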
Today’s cyberthreat landscape demands robust threat protection, and traditional firewalls aren’t up to the task. NGFWs can block malware, and they’re better equipped to thwart advanced persistent threat (APT) groups such as Cozy Bear, responsible for the SUNBURST supply chain attack of 2020, and Deep Panda, known for exploiting the Log4Shell vulnerability.
Plus, with integrated threat intelligence and options for networking and security automation, NGFWs have given organizations the opportunity to not only simplify security operations but also take the first step toward a fully realized security operations center (SOC).
All of this potential upside, however, comes with a set of drawbacks.
While NGFWs can provide a great deal of benefit, they lack the required functionality to serve today’s distributed workforces.
For example, backhauling traffic to an NGFW made sense when applications resided in the data center and when most users, and therefore most endpoints, were in corporate or regional offices. But today’s applications have moved to the cloud to support work-from-anywhere, a trend that has rendered traditional networking and security tools, including NGFWs and VPNs, insufficient because they don't scale to that model.
The most commonly used cloud applications, such as Microsoft 365, were designed to be accessed directly via the internet. To establish such connections, companies must route internet traffic locally to deliver a fast user experience, meaning routing traffic back to NGFWs in corporate data centers to egress to the internet no longer makes sense.
If you wanted to secure local internet breakouts with NGFWs, you would need to replicate the corporate security stack at every location. Namely, you would need to deploy NGFWs or stacks of security appliances in every branch office, which is unviable due to the cost and complexity of deploying and managing so many firewalls.
Additionally, NGFWs were never designed to support cloud applications. Cloud apps open large numbers of long-lived connections, more than an appliance can scale to handle, so the firewall is easily overwhelmed, and out of the box it has no awareness of which cloud application a given connection belongs to.
What’s more, they can’t natively handle TLS-encrypted traffic (still widely called SSL), which matters more every year now that almost all web traffic is encrypted. To inspect TLS, an NGFW must bolt on proxy capabilities that terminate each session and re-encrypt it, and on an appliance that work is done in software rather than at the chip level. The resulting loss of throughput and added latency hamper the user experience, and encrypted traffic left uninspected to avoid that cost is the path through which threats such as advanced malware get in.
The next-generation firewalls (NGFWs) in use today were architected more than a decade ago. Today’s enterprises are cloud-first, and they need more dynamic, modern capabilities to establish security and access controls to protect their data—capabilities that NGFWs were not designed to deliver.
Companies do still need enterprise firewall capabilities across their local internet breakouts, especially as they continue to leverage cloud providers such as AWS and Azure. NGFWs weren’t designed to support cloud applications and infrastructure, and their virtual firewall counterparts are equally limited and present the same challenges as traditional NGFW appliances.
It makes sense, then, that as your apps move to the cloud, your firewalls follow suit.
Only a handful of providers can implement a full suite of cloud firewall capabilities, and only one can offer it as a part of a comprehensive, proven cloud security platform.
The Zscaler Cloud Firewall delivers more power than NGFW appliances without the cost and complexity. Part of the integrated Zscaler Zero Trust Exchange™, it brings next-gen firewall controls and advanced security to all users, in all locations, for all ports and protocols. It enables fast and secure local internet breakouts and, because it’s 100% in the cloud, there’s no hardware to buy, deploy, or manage.
NGFWs leave you bolting on countless security capabilities, making for a rigid and weak posture overall. Zscaler Cloud Firewall allows you to:
AutoNation’s Drive to the Cloud
Simplify Network Transformation with Zscaler Cloud Firewall (read the ebook)
Zscaler Next-Generation Cloud Firewall: Zscaler Cloud Firewall, A Guide for Secure Cloud Migration (read the white paper)
SD-WAN without a cloud firewall? Don’t even think about it! (read the blog)
Gartner | The Future of Network Security Is in the Cloud (read the report)