Table of Contents
- Introduction
- What is a next generation firewall (Nextgen or NGFW)?
- What does a next gen firewall do?
- Next Generation Firewall Diagram
- Next Generation Firewall Features & Benefits
- What is the difference between a traditional firewall and a next-generation firewall?
- NGFW vs UTM
- What are Next-Generation Firewall Disadvantages?
- Next Gen Firewall Companies / Vendors
- Why do I need a next-generation firewall? Are they worth it?
- Intrusions are Expensive
- Compromises Damage the Reputation of Your Business
Next Generation Firewalls: Introduction
Do you need a next generation firewall (NGFW)? If you’re a business that is connected to the internet (that’s everyone, right?), we always recommend better next generation firewalls over a traditional firewall. Learn more about how NGFWs work to block threats and why they are really the least expensive option in the end.
What is a next generation firewall (Nextgen or NGFW)?
Firewalls that operate higher in the network protocol stack are typically called next generation firewalls, and traditional firewalls, often called stateful firewalls, operate lower in the network protocol stack. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic at the TCP (transmission control protocol) and IP (internet protocol) levels, a next-generation firewall goes deeper to inspect more details within the data stream at the application level of the protocol stack. This is often called deep-packet inspection.
As part of the deep-packet inspection, NGFWs provide an intrusion detection system (IDS), intrusion prevention system (IPS), advanced malware & virus detection, application control, and SSL/encrypted traffic inspection.
What does a next gen firewall do?
Let’s use an analogy to help understand this concept. The analogy we will use is mailing a letter through the postal system (I know, not done much anymore). A traditional firewall could be configured so that no one from China could get a letter through to the United States. But a NGFW could be configured so that anyone could mail a letter into the United States if it did not have improper content. In other words, the NGFW will open the letter and review the contents before approving release.
This NGFW concept applies to emails, webpage traffic, streaming traffic, etc., inspecting deep into the traffic for malicious content, then blocking or cleaning before releasing it to the user, thus protecting the user and the business.
Next Generation Firewall Diagram
Review the below depiction showing a network packet broken in sections for website traffic.
IP is the main protocol for internet traffic. It has a header section and a data (or payload) section. But inside the IP data section is where another protocol (TCP) is embedded, and it also has both a header and a data section. Then again, another level down, an application layer protocol (HTTP or HTTPS) is embedded inside the TCP data section, and this is where the website data content resides.
A stateful firewall would typically just review the IP and TCP sections of the data packet to check the source and destination internet addresses (IP) and the source and destination ports (TCP) and allow or disallow the packet depending on the configuration of the rules on the firewall.
However, a next-generation firewall will look deeper into the packet and break open the HTTP section (Webpage Content) to review the webpage data and check for any malicious content. Perhaps the website visited has malware and the NGFW blocks it from getting through.
This concept is true for the many other application layer protocols that can be embedded into the transport layer protocols (TCP or UDP) such as SMTP, FTP, TELNET, DNS, RTSP, and others. The next-generation firewall can inspect the application layer data for malicious content whereas the stateful firewall stops at the transport layer and does not look deeper.
Next Generation Firewalls: Features & Benefits
Next Generation Firewall Features | Next Generation Firewall Benefits |
Deep Packet Inspection | Deeper look for findmg embedded threats |
Application Awareness | Ability to identify, allow, block or limit applications regardless of port, protocol etc. |
Application & User Control | Enforces granular, zero-trust access controls |
Identity Awareness | Provides granular control of applications by specific users,group of users, and machines |
Antivirus & Anti-Bot solution | Advanced malware detection capabilities able to inspect traffic on the fly to block malicious content |
Threat intelligence via Intrusion Protection System (IPS) | Awareness & blocking of ever-changing attack techniques and mabware strains |
Threat intelligence via IP reputation | Aareness of traffic source reputation based on historical behavior |
Encrypted Traffic Inspection | Decryption and inspection of HTTPS encrypted tunnets to overcome the use of encryption to hide malicious content |
Sandboxing | An isolated “box” where suspicious files or applications can be executed and examined for malware before releasing |
What is the difference between a traditional firewall and a next-generation firewall?
Traditional firewalls, often called stateful firewalls, operate lower in the network protocol stack, whereas next-generation firewalls operate higher in the network protocol stack. A traditional firewall typically provides stateful inspection of incoming and outgoing network traffic at the TCP/IP levels, but a next-generation firewall goes deeper to inspect more details within the data stream at the application level of the protocol stack.
NGFW vs UTM
Depending on who you ask, you may get different opinions on the differences between a Unified Threat Management (UTM) firewall and a next-generation firewall (NGFW). I would say there is very little difference between them, and much of the names comes from marketers vs. technologists. However, a UTM firewall generally means all security functions are centralized in a single appliance vs. spread across multiple systems. This sounds very much like what we call today a next-generation firewall. Some say a UTM firewall has more security features than a Nextgen firewall, but I am not so sure that is typically the case today.
What are Next-Generation Firewall Disadvantages?
Next-generation firewalls do more, so they cost more.
They have more and better resources (CPU, memory, etc.) to handle the extra work it takes to inspect deeper into the data packets and dissect what is there to determine if it is good or bad. As you may realize by now, there are security features on a NGFW that require constant updating. Like your computer’s anti-virus or EDR software, updates are constantly needed to the firewall’s security features to keep it up to date for finding and blocking the ever-changing attack threats. This is called a firewall security subscription and it must be renewed periodically like your computer’s security software. So, this also adds another cost above a traditional stateful firewall.
As mentioned, because a NGFW works harder, it needs more processing power.
This means you may be more likely to have performance issues if the firewall is not to proper specifications for your needs. It is important to properly size your firewall for the speed of your internet circuit and the number of users behind the firewall. The encrypted traffic inspection feature (or SSL inspection) in particular needs a lot of firewall resources, but it is an important feature because the vast majority of web traffic today is encrypted. It must be decrypted to inspect the contents. Sometimes people find they have to turn off some security features in order to get the speed and performance they need. You don’t want to be in that situation. This potential performance issue is not as likely with the traditional stateful firewall but is it possible.
Because a NGFW does more, it is more complex than a traditional stateful firewall.
While the stateful firewall does require a quality technical resource to properly configure and maintain, the NGFW requires even more. But on the other hand, many companies that used a traditional firewall had separate systems to perform some of the other security features, like an intrusion prevention system (IPS), which is now part of the NGFW. So, the complexity can be lower or at least consolidated. But a NGFW does require more on-going configuration and maintenance than a traditional stateful firewall.
Who makes Next Generation Firewalls?
Next Gen Firewall Companies / Vendors
There are many companies who design and manufacture next-generation firewalls.
Gartner Magic Quadrant
Gartner, Inc. is an organization that provides reviews and ratings on many things including network firewalls. Their reports are insightful and can help business owners make decisions. Their Magic Quadrant report is quite useful where they rank the firewalls into a quadrant that shows the ability to execute and the completeness of vision. The four quadrants are Niche Players, Challengers, Visionaries, and Leaders. The Leaders quadrant is the upper right quadrant and where firewall vendors want to be. I will mention three firewall vendors here which have been consistently in the Leaders quadrant.
Fortinet/Fortigate
United States based manufacture Fortinet is a leader in the firewall market with their Fortigate next-generation firewall. They manufacture different models for different resources needs and offer the ability to purchase base features all the way to full features. We find them to be a very good fit for small and medium-sized businesses. They are a top performing firewall with great value pricing. We (IntegriCom) are a Fortinet partner and consistently sell their firewalls and provide design, installation, configuration, and support services.
Check Point Software Technologies
Israel based manufacture Check Point Software Technologies is also a leader in the firewall market, and their technology is also very good. They have historically produced firewall models for enterprise companies and not so much for the small to medium-sized business, however, they did add firewall models for the SMB market a few years back. Their SMB models have improved over time. They have top performing technology with a matching price tag. We (IntegriCom) are a Check Point partner and sell their firewalls and provide design, installation, configuration, and support services.
Palo Alto
United States based manufacture Palo Alto Networks is a top next-generation firewall producer with very good technology. They have historically targeted larger companies but do have models for smaller branch offices. Their pricing is not the lowest for sure, but their quality is high. We (IntegriCom) have configured and installed Palo Alto firewalls for our clients.
Why do I need a next-generation firewall? Are they worth it?
Because of today’s threat landscape, having a quality firewall is imperative. Breaches are very costly, and many times unprepared businesses never recover. And data shows that small businesses are just as vulnerable to threats as larger companies – don’t think you are not an important target. A next-generation firewall is a good way to protect your business, and it is worth it.
Intrusions are Expensive
A traditional stateful firewall is a one-time purchase of the hardware and the services to configure and install. Then you will not need to spend much more other than occasional updates to the operating code and perhaps some occasional configuration changes. That sounds like good value, but you are vulnerable. You are vulnerable because there are too many open doors to your network. Too many bad things can be in the data traffic that this type of firewall cannot see. While it could be where you go on the internet or the things you click on, it can also be because of what your employees do. And it is not limited to bad behavior only because good websites can be compromised.
So, you need to invest in a next-generation firewall to lower your exposure and quite possibly your overall spending. It is always better to pay a little more now vs. a whole lot later. Network instructions can be very expensive in disruptions and data loss, which both lead to loss of clients, business, and sales.
Hire an IT Managed Services Provider (MSP) to help you get the proper next-generation firewall for your business and to get it properly configured and maintained.
Compromises Damage the Reputation of Your Business
No doubt you have seen in the news many compromises that have happened to many businesses. This publicity is not good for business and tarnishes the company’s reputation. Good business leaders implement the proper and reasonable security measures to protect their company’s network, data, and reputation. And it does not mean you have to overspend, but you do have to properly spend. A quality IT MSP can help you with the proper investment. Don’t have your world turned upside down from a security breach.
Secure Your Business with IntegriCom Managed IT Services
IntegriCom is a strong security company with a Certified Information Systems Security Professional (CISSP) on staff. Not only are we strong in local networks but also for cloud and remote networks that are prevalent in today’s decentralized workforce. We have helped countless businesses solidify their security posture and we help maintain it going forward for most. While you do what you do best, we can take care of the technology side of your business, allowing you to breathe easier. We can be part of your team, providing on-going updates and reports on where things are and where things need to be in the future. Contact us to schedule a consultation. We start by listening, then ask questions, perform assessments, and provide the proper solutions proposal to meet your needs.
Contact Us or call 678-507-0700