The network firewall was once the pillar of your data network security, protecting you from the evils of the outside world. It no longer seems as sexy.
A friend of mine recently quipped, “Do people still depend on firewalls for security?” I think he was alluding to the idea that the firewall plays a far lesser role in protecting your network than it once did. But it still does play a role.
The firewall is still your network’s first line of defence against outside threats. However, as threats evolve, they are becoming harder to block with port- and address-based rules alone. Even a threat that is not technically advanced may be hard to tell apart from harmless activity. For example, how does a user distinguish a malicious PDF file from a harmless one? The same goes for network traffic: how does a firewall distinguish malicious web traffic from harmless web traffic when both arrive on port 80? Intrusion detection and prevention systems (IDS/IPS) were developed to counter these attacks, deployed either as additional devices or as modules within firewalls.
But the IDS/IPS was always considered and configured separately from the firewall. Enter the next-generation firewall (NGFW). The term was coined by Gartner Research, and its defining feature is that the IDS/IPS is integrated within the firewall rather than bolted on as an add-on. Specifically, Gartner defines an NGFW as having the following minimum features:
- Standard first-generation firewall capabilities such as packet filtering, network address translation (NAT), stateful inspection, etc.
- Integrated IPS rather than co-located services. Someone configuring rules on the firewall should also be able to configure the IPS at the same time without going to another module.
- Application awareness and full stack visibility so that it’s able to discern the different services within an application regardless of the port that it operates on.
- Security intelligence whereby it may use an external database to help make optimal blocking decisions.
- Supports upgrade paths for new techniques to address future threats.
I don’t know why they call it the next generation firewall. What would they call the generation that comes right after? The next next generation firewall? Or perhaps NGFW2? Anyway, that’s beside the point.
I also buy into the view that this is where firewalls should be evolving. NGFWs offer not only better threat protection but also faster inspection, because of their single-pass nature: traffic is inspected once, rather than inspected by the firewall and then handed to the IPS to be inspected again.
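To make the application-awareness and integrated-IPS items concrete, here is an added illustration (my own, not any vendor’s code or Gartner’s text). It identifies a flow’s application from the first client bytes regardless of destination port, then applies the firewall rule and an IPS-style signature in a single pass, and contrasts the verdict with a port-only filter. The signatures, policy rules, sample flows and addresses are all constructed for the example.

```python
"""Application-aware (NGFW-style) policy versus port-based filtering.

Added illustration: the application is identified from the first client
bytes, independent of destination port, and the firewall rule and the IPS
signature are evaluated in one pass. All signatures, rules and sample flows
below are constructed for the example, not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client (constructed sample data)


# Application signatures keyed on client payload, not on port.
APP_SIGNATURES: list[tuple[str, Callable[[bytes], bool]]] = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
]


def identify_app(payload: bytes) -> str:
    """Return the application name for a payload, or 'unknown'."""
    for name, matches in APP_SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def port_based_app(dport: int) -> str:
    """What a first-generation firewall infers from the port alone."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(dport, "unknown")


# Policy rules: (application, allowed destination ports or None for any, action).
POLICY: list[tuple[str, Optional[set[int]], str]] = [
    ("http", None, "allow"),  # web browsing on any port
    ("tls", None, "allow"),
    ("ssh", {22}, "allow"),   # ssh only where it is expected
]
DEFAULT_ACTION = "deny"

# IPS signatures applied to flows the policy allowed, selected per application.
IPS_SIGNATURES: dict[str, list[tuple[str, Callable[[bytes], bool]]]] = {
    "http": [("path-traversal", lambda p: b"../" in p.split(b"\r\n", 1)[0])],
    "ssh": [("ssh-1-protocol", lambda p: p.startswith(b"SSH-1."))],
}


def evaluate(flow: Flow) -> tuple[str, str]:
    """Single-pass NGFW decision: identify app, apply rule, then IPS check."""
    app = identify_app(flow.payload)
    action = DEFAULT_ACTION
    for rule_app, ports, rule_action in POLICY:
        if rule_app == app and (ports is None or flow.dport in ports):
            action = rule_action
            break
    if action != "allow":
        return "deny", f"no rule permits {app} to port {flow.dport}"
    for sig_name, hits in IPS_SIGNATURES.get(app, []):
        if hits(flow.payload):
            return "block", f"ips:{sig_name}"
    return "allow", app


def legacy_verdict(flow: Flow) -> str:
    """Port-only filter: allows if the port maps to a permitted service."""
    return "allow" if port_based_app(flow.dport) != "unknown" else "deny"


# Constructed sample flows (documentation addresses, not captured traffic).
SAMPLE_FLOWS = {
    "ssh-on-443": Flow("10.1.1.5", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "http-on-8080": Flow("10.1.1.5", "203.0.113.9", 8080,
                         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "http-traversal": Flow("10.1.1.5", "203.0.113.9", 80,
                           b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "tls-on-443": Flow("10.1.1.5", "203.0.113.9", 443,
                       b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0"),
}


def run_samples() -> dict[str, tuple[str, str]]:
    """Map sample name -> (NGFW verdict, legacy port-based verdict)."""
    return {name: (evaluate(flow)[0], legacy_verdict(flow))
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, reason = evaluate(flow)
        print(f"{name:15} port={flow.dport:<5} app={identify_app(flow.payload):7} "
              f"ngfw={verdict:5} ({reason}); port-only={legacy_verdict(flow)}")
```

The two flows worth noticing are SSH tunnelled over port 443, which a port-only rule waves through as HTTPS but the application-aware policy denies, and the path-traversal request on port 80, which the policy allows as web browsing and the IPS check blocks in the same pass.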
I got into a heated discussion with a Fortinet engineer about NGFW and UTMs (Unified Threat Management) devices. I said that while UTMs may have a place now, the NGFW is where enterprises should be heading. He said it sounds like I’ve been brainwashed by Palo Alto Networks. I haven’t, but I like the direction that they are heading.
Palo Alto has the advantage of not having a legacy product and starting with a fairly blank slate. They are disadvantaged by a lack of maturity. But they are the new kid on the block, and I think the technology has a lot of promise.
With threats constantly evolving, and with such a large attack surface inside our networks, we need to re-evaluate the ways we protect them. We shouldn’t get rid of the firewall, but we need to change the way it functions altogether to protect us from new threats. NGFWs give us new hope for the firewall and for protecting our perimeter.
Seriously consider NGFWs for your next firewall upgrade.