What is an NGFW?
A typical Next Generation Firewall (NGFW) offers much more than the examination of data traffic on the basis of ports and protocols. In the past, firewall configuration commonly consisted of creating rule sets that told the security solution which protocols were allowed to be transmitted in which direction and which ports were allowed for those transmissions. These rules usually looked like this: “Allow incoming traffic using SSH on port 22 to Server One,” “Allow data transfers using the SMTP and POP3 protocols to the Exchange server in the DMZ,” or even “Allow all traffic from the LAN to the Internet.” The firewall then worked through these rules as an ordered list, and when several rules matched the same traffic, the rule nearest the top of the list usually took effect.
This approach is no longer sufficient to protect corporate networks against modern threats. One reason is modern attack scenarios, such as encrypted data transfers and APTs (Advanced Persistent Threats), which use attack tools specially adapted to the target environment.
Another reason is that today the majority of data transfers are handled via HTTP over port 80 or via HTTPS over port 443. These ports carry ordinary web browsing as well as transfers to cloud services such as Dropbox, social networking, communication via WhatsApp and Skype, and access to Office 365. These data transfers serve completely different purposes, but they all look the same to a traditional firewall: if a rule allows data transfers via HTTPS on port 443, the firewall allows everything, including the transfer of infected content.
This is where Next Generation Firewalls come into play. They examine not only the protocol and port used but also the content of the data stream, detect unusual behavior, filter out infected files, and so on. As a rule, they also recognize the activities of the users present in the network and, depending on policy, decide what those users are and are not allowed to do. In a next generation firewall, the packet filter is thus closely combined with an intrusion prevention system (IPS).
In addition, they usually have other functions on board, such as antivirus and antispam functions, a content filter and the like. As a result, they add significant value to the firewall product and often make separate security solutions such as mail security gateways, dedicated IPS systems, proxies, and the like superfluous.
Technologies currently integrated in Next Generation Firewalls
As noted above, it is now standard for Next Generation Firewalls to integrate various further functions into the product alongside the packet filter and the IPS, which work closely together to monitor and secure network traffic at the application level. These additional functions are often optional and must be licensed separately.
First and foremost in this context are VPN features that enable external employees and remote offices to access the corporate network via encrypted data connections. Licensing here is usually based on the number of simultaneous connections allowed, and most products support both IPsec and SSL VPNs.
VPNs are important for small and medium-sized businesses, as well as for large environments. Almost all next-generation firewall vendors have products in their portfolios that support VPN connections, including Check Point, Fortinet, and Palo Alto Networks, which Gartner ranks as leaders in “enterprise network firewalls.”
In addition, as already mentioned, typical next-generation firewalls include anti-virus and anti-spam functions to rid data transmissions of viruses and spam and to prevent phishing. These are usually sold on a subscription basis, meaning users must renew their licenses regularly. These functions are also relevant to businesses of all sizes.
Next generation firewall vendors do not usually develop their own antivirus products for this purpose, but instead partner with antivirus vendors such as Avira and Kaspersky to integrate their solutions into their firewalls. The open-source antivirus ClamAV is often also included in the scope of services of the firewall products.
Special protection functions against DoS attacks, cross-site scripting, SQL injection, malicious web code, and scripts increase the level of security in daily operations, as the firewalls can simply filter out such components after analysis. In this context, the products often also detect Trojans and interactive connections, such as those used in botnets. The firewalls from Stormshield, for example, offer this scope of services. Stormshield, just like AhnLab, Hillstone, and Juniper, is one of the companies that Gartner classifies as a niche player in its Magic Quadrant.
The features just mentioned are currently found primarily in enterprise firewalls, but they are increasingly moving into “smaller” solutions as well. The reason for this is that powerful hardware is becoming increasingly affordable, so it is no longer a problem to offer the complete range of functions of a security solution even on the smallest appliance in a series. SonicWall, another company that Gartner classifies as a niche player, even makes this approach, that is, providing the protection mechanisms of large environments to small companies, part of its business policy.
Many products also have functionality on board to handle fragmented packets. Sandboxing technologies, functions for decrypting and analyzing SSL and SSH connections, and features for protecting VoIP transmissions are also often part of the scope of Next Generation Firewalls. VoIP protection is currently gaining in importance as VoIP telephony increasingly displaces traditional voice connections.
Powerful products also offer URL filtering (usually also on a subscription basis) or Advanced Threat Detection, which is capable of scanning downloaded files before or during delivery to users. Application control, which can allow or block certain actions of certain applications, is often part of the functional scope of a next generation firewall, just like network access control (NAC) functions.
These functions are offered, for example, by Barracuda Networks, according to Gartner another niche player in the enterprise firewall market, as well as by the New H3C Group, Sangfor, and WatchGuard. Again, the features mentioned are currently available mainly in firewalls for large environments but are increasingly finding their way into smaller appliances as well.
At this point, let’s take a brief look at the application control just mentioned. Since a Next Generation Firewall examines data traffic at the application layer, it can monitor the data flows of specific applications and trigger actions based on rules and events. For example, scenarios are conceivable in which administrators create policies that become active when files with a certain name are to be transferred, or when a user attempts to execute certain FTP commands on an external server.
If the firewall appliance finds a match for such a rule in the data stream, it can perform actions such as “drop” or “monitor”, as some SonicWall products do, which significantly raises the security level of corporate data.
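To make the difference between the ordered port-and-protocol rule lists described at the start and the application-control policies just mentioned concrete, here is an added example (not code from the article or from any vendor). It is a minimal first-match rule evaluator; the zones, application names, the `user` and `ftp_cmd` attributes, and both rule sets are constructed for the illustration and stand in for what a real appliance derives from inspecting the payload.

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One connection as the firewall sees it (constructed sample data below)."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    app: str = "unknown"    # identified from the payload, not from the port
    user: str = "unknown"   # hypothetical: user identity tied to the source host
    ftp_cmd: str = ""       # hypothetical: command observed inside an FTP session


@dataclass
class Rule:
    action: str                                 # "allow", "drop" or "monitor"
    match: dict = field(default_factory=dict)   # Flow attribute -> required value

    def matches(self, flow: Flow) -> bool:
        return all(getattr(flow, key) == value for key, value in self.match.items())


def evaluate(rules: list, flow: Flow, default: str = "drop") -> str:
    """Walk the ordered list; the first matching rule wins and later rules are ignored."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Classic rule set: only zones, protocol and port are visible to the firewall.
CLASSIC = [
    Rule("allow", {"src_zone": "lan", "dst_zone": "internet", "proto": "tcp", "dport": 443}),
]

# NGFW rule set: application-aware rules sit above the generic port rule, so they win.
NGFW = [
    Rule("drop", {"app": "dropbox"}),                    # block uploads to cloud storage
    Rule("monitor", {"app": "ftp", "ftp_cmd": "STOR"}),  # log file uploads via FTP
    Rule("allow", {"app": "office365"}),
    Rule("allow", {"src_zone": "lan", "dst_zone": "internet", "proto": "tcp", "dport": 443}),
]

# Constructed sample flows: the first two are indistinguishable by port alone.
OFFICE365 = Flow("lan", "internet", "tcp", 443, app="office365", user="alice")
DROPBOX = Flow("lan", "internet", "tcp", 443, app="dropbox", user="alice")
FTP_UPLOAD = Flow("lan", "internet", "tcp", 21, app="ftp", user="bob", ftp_cmd="STOR")

if __name__ == "__main__":
    for name, flow in (("office365", OFFICE365), ("dropbox", DROPBOX), ("ftp STOR", FTP_UPLOAD)):
        print(f"{name:10} classic={evaluate(CLASSIC, flow):8} ngfw={evaluate(NGFW, flow)}")
```

Reversing the NGFW list puts the generic port 443 rule on top, and the Dropbox transfer is allowed again, which is the ordering pitfall the first paragraph describes.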
There are even firewalls that can detect which applications and operating systems are in use in the local network from the data transmitted through them, and immediately identify known vulnerabilities in them. If such a system detects a vulnerability on one of the protected computers, it immediately informs the administrators, enabling them to remove the threat in a timely manner, which can be a major advantage in enterprise networks. This feature is provided by some products from Stormshield, for example. Some solutions also include quality-of-service features capable of prioritizing specific data streams, such as VoIP traffic.
Reports and analysis
However, all of the above features are of limited use if administrators do not receive information about the actions performed by the security solution. That is why the available reporting and analysis functions also play a very important role in the practical use of the products. Powerful next generation firewalls are not only capable of creating clear information pages on the top applications in the network, the blocked URL categories and websites, and the top talkers present in the LAN, but can also accurately display the activities of specific users or stations in the network. For data protection reasons, the source IP addresses must be anonymized at all times, as is the case with Barracuda Networks’ products, for example.
Finally, as examples of relevant manufacturers of Next Generation Firewalls, we would like to mention the companies from the Gartner Magic Quadrant for Enterprise Network Firewalls that have not yet been mentioned. These are the “challengers to the market leaders” Cisco and Huawei and the “visionaries” Forcepoint and Sophos. Of course, there is a whole range of other firewall vendors, but for this overview, we have deliberately limited ourselves to the Magic Quadrant mentioned.
About the author: Dr. Götz Güttich is the director of the Institute for the Analysis of IT Components (IAIT) and has more than fifteen years of industry experience as an IT consultant and specialist or editor-in-chief in the IT environment. Due to his many years of extensive testing activities for leading German network magazines, his skills are not limited to the theory of the IT business.