What is a Next Generation Firewall and how can it help keep your network secure?
The phrase ‘next generation firewall’ is increasingly being used by security vendors to describe their network security products. However, the precise capabilities required to call a firewall ‘next generation’ (or not) are far from universally agreed.
This article will explain how a traditional firewall works, how so-called next generation firewalls generally differ and how the new capabilities these devices bring can enhance your network security.
How do firewalls work?
First created in the late 1980s, a firewall is a device that limits the communication between two different networks (or network segments).
The original firewalls were simple packet filters, able only to manage connections based on TCP/IP port numbers and IP addresses. Since TCP follows a convention of using well-known port numbers for certain services (HTTP is on port 80, for example), a firewall could block access to an FTP server by refusing incoming traffic on FTP’s well-known port 21.
Technology developed during the 1990s allowed the firewall to monitor the communication between specific hosts on either side of it – known as stateful filtering. This meant the firewall could keep track of a conversation between two hosts on a certain port and was no longer limited to pre-configured well-known port numbers. Around the same time NAT (Network Address Translation) became popular, meaning that when a firewall sat between two different networks, all outbound traffic appeared to come from the firewall itself. This was a crucial technology that enabled the growth of secure internet communications, as it hid the details of the internal network from devices on the internet.
The final evolution of the traditional firewall was the development of the application layer firewall. By monitoring individual socket connections to each TCP port, data flow can be controlled based not just on the server behind the firewall, or the port number being used for a given protocol, but also on which application running on the server is listening on a given port.
A very simplified analogy would be to think that a corporate firewall is like the mail room in the basement of a business’s headquarters building.
Basic firewalls can implement rules such as: people can send letters to the accounts department, but not parcels. Or, no-one can send letters to the HR department, but they can send letters out to anyone they like.
More sophisticated firewalls implement allow lists based on the sender’s address found on the back of the envelope. For example, people in the UK can send a letter to the accounts department, but people in Russia cannot. Or even, the accounts department at Microsoft may send letters to our accounts department, but not anyone who works for Cisco.
The point of the analogy is this – when we consider what a next generation firewall is, it is like the mail room opening and reading every letter and then deciding whether to deliver it or not: this letter addressed to the CEO reads like a scam, so put it straight in the bin.
Traditional firewalls are primarily focused on the protocol and addressing information found in the header of the incoming data. They deal with rules that control which IP address and port may send to or receive from another IP address, port, protocol or even socket.
A next generation firewall does all this with the header information, but then goes on to read and ‘understand’ the data payload as well in order to make decisions about whether to allow the transmission to enter or leave the network.
How is a next generation firewall different?
A next generation firewall seeks to improve network security by inspecting more layers of the OSI model and looking at the contents of the data packets in order to make filtering decisions.
In essence, a next generation firewall consolidates various established security mechanisms into a single device with the aim of making the security easier to manage and so more effective.
Gartner defines a Next Generation Firewall as a:
“deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
Since ‘next generation firewall’ is more of a marketing moniker than a technical standard, different vendors include different services and facilities in their devices. However, you are likely to see many of the following included:
- TLS/SSL decryption to spot data exfiltration
- Web content filtering
- Monitor or block use of cloud sharing platforms and redirect users to approved solutions
- Intrusion Detection and Intrusion Prevention
- Malware scanning and detection
Perhaps the most interesting feature of the next-gen firewall is its use of external intelligence to dynamically and continuously update its rules. (This is the ‘intelligence from outside the firewall’ Gartner refers to in their definition). In this scenario, for example, the firewall receives ongoing updates from its vendor. These updates include a list of IP addresses and domain names observed being used by malware or other attacks. Because the vendor is receiving constant updates and observing malware behaviour from around the globe, they are in a position to identify trends and pinpoint the source of malware command and control servers – and automatically block access to them from your network. So even if malware does make it into your network, it will find itself unable to ‘phone home’ for instructions.
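As an added illustration (not from the article), the three stages described above in a small Python simulation: a stateless packet filter that sees only header fields, a stateful filter that remembers conversations opened from inside, and a next generation firewall that keeps those header rules but also inspects the payload and consults a vendor-supplied block list. All addresses, ports and the feed entry are constructed sample values.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."      # constructed internal network
ALLOWED_OUTBOUND = {80, 443}      # policy: internal hosts may browse the web
INTEL_FEED = {"203.0.113.9"}      # constructed vendor feed: one known C2 address
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False             # first packet of a TCP conversation
    payload: bytes = b""

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)
def stateless_decision(pkt: Packet) -> bool:
    """Packet filter: header fields only, no memory. A reply to an allowed request
    arrives at the client's ephemeral port, which matches no rule, so it is dropped."""
    return is_internal(pkt.src) and pkt.dport in ALLOWED_OUTBOUND

class StatefulFilter:
    """Remembers conversations opened from inside and admits only matching replies."""
    def __init__(self) -> None:
        self.table: set[tuple] = set()
    def decide(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and pkt.syn and pkt.dport in ALLOWED_OUTBOUND:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

class NextGenFirewall(StatefulFilter):
    """Same header rules, plus payload inspection and an external block list."""
    def decide(self, pkt: Packet) -> bool:
        if pkt.src in INTEL_FEED or pkt.dst in INTEL_FEED:
            return False          # 'phone home' blocked although port 443 is allowed
        if pkt.dport == 443 and pkt.payload.startswith(b"SSH-"):
            return False          # SSH on the HTTPS port: the application, not the port, decides
        return super().decide(pkt)

def demo() -> dict:
    """Push the same four constructed packets through each generation of filter."""
    request = Packet("10.0.0.5", 51000, "198.51.100.20", 80, syn=True, payload=b"GET / HTTP/1.1")
    reply = Packet("198.51.100.20", 80, "10.0.0.5", 51000, payload=b"HTTP/1.1 200 OK")
    beacon = Packet("10.0.0.7", 52000, "203.0.113.9", 443, syn=True)
    tunnel = Packet("10.0.0.8", 53000, "198.51.100.30", 443, syn=True, payload=b"SSH-2.0-OpenSSH")
    traffic = (request, reply, beacon, tunnel)
    sf, ngfw = StatefulFilter(), NextGenFirewall()
    return {"stateless": [stateless_decision(p) for p in traffic],
            "stateful": [sf.decide(p) for p in traffic],
            "nextgen": [ngfw.decide(p) for p in traffic]}
```

Only the next generation filter stops the beacon to the listed address and the SSH session hidden on port 443, while the stateless filter also breaks the legitimate web reply.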
Defence in depth is still important
While the idea of a Next Generation Firewall may sound attractive to overworked, budget-constrained security managers looking for more value from their security spending – a note of caution. The appeal of the Next Generation Firewall – integrated management, simplicity of configuration, more levels of protection – is also potentially its Achilles heel. Defence in depth is still important – we need more than one layer of security in order to protect our networks, and the ‘one device to rule them all’ approach of the next generation firewall could dilute the security depth of your network. All software contains bugs and vulnerabilities – and if you only have one device for the attackers to defeat then you may not be as well defended as you had hoped.
The answer may be to adopt vendor diversity – network edge firewalls from one vendor and internal core firewalls from another, for example. Then any deficiency or defect in one can be blocked by the other.
The speed with which vulnerabilities are discovered and then start to be exploited is increasing and will only keep on increasing. This means security managers will have to respond ever more quickly to security threats – and the ‘intelligence from outside the firewall’ is going to become even more important to the security of every network.