What is a Next Generation Firewall?

What is a Next Generation Firewall and how can it help keep your network secure?

The phrase ‘next generation firewall’ is increasingly used by security vendors to describe their network security products. However, the precise capabilities a firewall must have before it can be called next generation (or not) are far from universally agreed.

This article explains how a traditional firewall works, how so-called next generation firewalls generally differ, and how the new capabilities these devices bring can enhance your network security.

How do firewalls work?

First created in the late 1980s, a firewall is a device that limits the communication between two different networks (or network segments).

The original firewalls were simple packet filters, able only to permit or drop packets based on IP addresses, protocol and TCP/UDP port numbers. Since TCP/IP services conventionally listen on well-known port numbers (HTTP on port 80, for example), the firewall could block access to an FTP server simply by refusing inbound traffic to FTP’s well-known control port, 21. Note that such a rule only protects the service for as long as it stays on its conventional port; a packet filter has no way of telling what protocol is actually being spoken.

Technology developed during the 1990s allowed the firewall to track the connections between specific hosts on either side of it, an approach known as stateful filtering. The firewall keeps a table of the conversations it has seen start (for example, an outbound TCP connection from an internal client to a web server) and only admits inbound packets that belong to one of those conversations, rather than having to leave a whole range of high-numbered ports open for replies. Around the same time NAT (Network Address Translation) became popular, meaning that when a firewall sat between two different networks all outbound traffic appeared to come from the firewall itself. NAT helped the growth of internet connectivity and hid the internal addressing scheme from devices on the internet, although it is an addressing mechanism rather than a security control and should not be relied on as one.
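To make the difference between the two generations concrete, here is an added example (written for this article, not code from any real firewall) that runs a toy stateless packet filter and a toy stateful filter over the same constructed packets. The internal 10.0.0.0/24 range, the RFC 5737 documentation addresses and the traffic itself are all assumptions made for the demonstration. The point it shows is the one in the paragraph above: a stateless filter that wants to let web replies back in has no choice but to admit every inbound ACK packet to a high port, while the stateful filter admits only packets that match a connection it saw an internal host open.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumption: the protected LAN sits behind the firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def is_outbound(p: Packet) -> bool:
    return p.src_ip.startswith(INTERNAL_PREFIX)


def stateless_filter(p: Packet) -> str:
    """1980s-style packet filter: every decision uses this packet's header alone."""
    if is_outbound(p):
        return "ACCEPT"
    if p.dst_port == 21:             # the article's example: refuse inbound FTP control
        return "DROP"
    # Replies to our own browsing come back to a high client port with ACK set.
    # With no memory of connections, the only way to let them in is to let
    # *every* inbound ACK packet aimed at a high port in.
    if p.dst_port >= 1024 and p.ack:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """1990s-style stateful filter: remembers the connections it saw start."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()

    def filter(self, p: Packet) -> str:
        if is_outbound(p):
            if p.syn and not p.ack:  # a new outbound connection: record it
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "ACCEPT"
        if p.dst_port == 21:
            return "DROP"
        # Inbound traffic is admitted only if it is the reverse of a known connection.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "ACCEPT"
        return "DROP"


# Constructed traffic: a client opening a web connection, the server's reply,
# an attacker's forged ACK aimed at an internal service, and an inbound FTP probe.
TRAFFIC = {
    "client_syn":   Packet("10.0.0.5", 51000, "198.51.100.10", 80, syn=True),
    "server_reply": Packet("198.51.100.10", 80, "10.0.0.5", 51000, syn=True, ack=True),
    "forged_ack":   Packet("203.0.113.9", 4444, "10.0.0.7", 8080, ack=True),
    "ftp_probe":    Packet("203.0.113.9", 40000, "10.0.0.7", 21, syn=True),
}


def run_scenario() -> dict[str, tuple[str, str]]:
    """Return {packet name: (stateless verdict, stateful verdict)}, processed in order."""
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:13} stateless={stateless:7} stateful={stateful}")
```

The forged ACK to port 8080 is the telling case: the stateless filter accepts it because it looks like a reply, the stateful filter drops it because no internal host ever opened that connection.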

The final evolution of the traditional firewall was the application layer firewall, often implemented as a proxy. Rather than looking only at the server behind the firewall or the port number in use, it understands the application protocol being carried on each connection, so it can control data flow based on the application actually speaking on a given port and reject traffic that does not conform to the protocol expected there.

A very simplified analogy would be to think that a corporate firewall is like the mail room in the basement of a business’s headquarters building.

Basic firewalls can implement rules such as: people can send letters to the accounts department, but not parcels. Or, no-one can send letters to the HR department, but they can send letters out to anyone they like.

More sophisticated firewalls implement allow lists based on the sender’s address found on the back of the envelope. For example, people in the UK can send a letter to the accounts department, but people in Russia cannot.  Or even, the accounts department at Microsoft may send letters to our accounts department, but not anyone who works for Cisco.

The point of the analogy is this: a next generation firewall is like a mail room that opens and reads every letter before deciding whether to deliver it. This letter addressed to the CEO reads like a scam, so it goes straight in the bin.

Traditional firewalls focus primarily on the protocol and addressing information found in the headers of incoming data.  Their rules control which IP address and port may send to or receive from another IP address, port, protocol or even socket.

A next generation firewall does all this with the header information, but then goes on to read and ‘understand’ the data payload as well in order to make decisions about whether to allow the transmission to enter or leave the network.  Reading the payload is also what allows it to identify the application in use regardless of the port number it happens to be using.

How is a next generation firewall different?

A next generation firewall seeks to improve network security by inspecting more layers of the OSI model and looking at the contents of the data packets in order to make filtering decisions.

In essence, a next generation firewall consolidates various established security mechanisms into a single device, with the aim of making the security easier to manage and so more effective.

Gartner defines a Next Generation Firewall as a:

“deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”

Since ‘next generation firewall’ is more of a marketing moniker than a technical standard, different vendors include different services and facilities in their devices.  However, you are likely to see many of the following included:

  • TLS/SSL decryption, to inspect encrypted traffic for malware and data exfiltration (this requires the firewall’s own certificate to be trusted by the client devices)
  • Web content filtering
  • Monitoring or blocking the use of cloud sharing platforms and redirecting users to approved solutions
  • Intrusion Detection and Intrusion Prevention
  • Malware scanning and detection

Perhaps the most interesting feature of the next-gen firewall is its use of external intelligence to dynamically and continuously update its rules.  (This is the ‘intelligence from outside the firewall’ Gartner refers to in their definition.)  For example, the firewall receives ongoing updates from its vendor containing lists of IP addresses and domain names observed being used by malware or other attacks.  Because the vendor is receiving constant reports and observing malware behaviour from around the globe, they are in a position to identify trends and pinpoint the source of malware command and control servers, and to automatically block access to them from your network. So even if malware does make it into your network, it may find itself unable to ‘phone home’ for instructions, at least to infrastructure that has already been observed and reported.
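The two ideas above, reading the payload to decide what application is really in use and consulting intelligence pushed down from outside the firewall, can be shown together in one small worked example. This is added illustrative code written for this article, not any vendor’s product: the application signatures, the ClientHello builder, the ‘vendor feed’ of command and control indicators and the sample traffic are all constructed here, using the reserved .test domain and RFC 5737 documentation addresses. Two details worth noticing: the server name (SNI) is read from the unencrypted ClientHello, so a firewall can match it against a domain feed without decrypting anything; and the application check ignores the port number entirely, which is how SSH hiding on port 443 gets caught.

```python
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
WEB_PORTS = {80, 443}

# Stand-in for the "intelligence from outside the firewall": indicators the
# vendor has pushed down. Constructed for this example.
THREAT_FEED = {
    "domains": {"c2.badexample.test", "dropzone.badexample.test"},
    "ips": {"203.0.113.77"},
}


def identify_app(payload: bytes) -> str:
    """Name the application protocol from its first bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"                    # TLS record carrying a ClientHello handshake
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "http"
    return "unknown"


def http_host(payload: bytes) -> Optional[str]:
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace").split(":")[0]
    return None


def tls_sni(payload: bytes) -> Optional[str]:
    """Pull the server_name (SNI) out of a TLS ClientHello, or None if absent/malformed."""
    p = payload
    if identify_app(p) != "tls" or len(p) < 44:
        return None
    try:
        i = 43                                        # record(5) + handshake(4) + version(2) + random(32)
        i += 1 + p[i]                                 # session id
        i += 2 + int.from_bytes(p[i:i + 2], "big")    # cipher suites
        i += 1 + p[i]                                 # compression methods
        end = i + 2 + int.from_bytes(p[i:i + 2], "big")
        i += 2
        while i + 4 <= end <= len(p):
            etype = int.from_bytes(p[i:i + 2], "big")
            elen = int.from_bytes(p[i + 2:i + 4], "big")
            i += 4
            if etype == 0:                            # server_name extension
                name_len = int.from_bytes(p[i + 3:i + 5], "big")
                return p[i + 5:i + 5 + name_len].decode("ascii", "replace")
            i += elen
    except (IndexError, ValueError):
        pass
    return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying one SNI (test data only)."""
    name = host.encode()
    sni = b"\x00" + len(name).to_bytes(2, "big") + name          # host_name type, length, name
    sni_list = len(sni).to_bytes(2, "big") + sni
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                   # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def inspect(dst_ip: str, dst_port: int, payload: bytes, feed=THREAT_FEED) -> tuple:
    """Return (verdict, reason) for one outbound flow, the way an NGFW policy would."""
    if dst_ip in feed["ips"]:
        return "BLOCK", "destination is a known C2 address"
    app = identify_app(payload)
    name = http_host(payload) if app == "http" else tls_sni(payload) if app == "tls" else None
    if name and name.lower() in feed["domains"]:
        return "BLOCK", f"{app} to known C2 domain {name}"
    # Policy: only web applications may use the web ports, whatever the port number says.
    if dst_port in WEB_PORTS and app not in ("http", "tls"):
        return "BLOCK", f"{app} traffic on port {dst_port} is not a web application"
    return "ALLOW", app + (f" to {name}" if name else "")


# Constructed sample flows: (destination IP, destination port, first payload bytes).
SAMPLES = {
    "intranet_http": ("192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"),
    "c2_over_tls":   ("192.0.2.20", 443, build_client_hello("c2.badexample.test")),
    "ssh_on_443":    ("192.0.2.30", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "http_to_c2_ip": ("203.0.113.77", 80, b"GET /beacon HTTP/1.1\r\nHost: 203.0.113.77\r\n\r\n"),
    "ssh_on_22":     ("192.0.2.40", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
}


def run_samples() -> dict:
    return {name: inspect(ip, port, payload) for name, (ip, port, payload) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:14} {verdict:5} {reason}")
```

A real product would carry thousands of application signatures and refresh its feed continuously; the structure of the decision, though, is the same: identify the application from the payload, extract what it can about the destination, and check both against policy and intelligence before forwarding a byte.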

Defence in depth is still important

While the idea of a Next Generation Firewall may sound attractive to overworked, budget-constrained security managers looking for more value from their security spending, a note of caution is needed.  The appeal of the Next Generation Firewall (integrated management, simplicity of configuration, more levels of protection) is also potentially its Achilles’ heel.  Defence in depth is still important: we need more than one layer of security in order to protect our networks, and the ‘one device to rule them all’ approach of the next generation firewall could dilute the security depth of your network. All software contains bugs and vulnerabilities, and if you only have one device for the attackers to defeat then you may not be as well defended as you had hoped.

The answer may be to adopt vendor diversity: network edge firewalls from one vendor and internal core firewalls from another, for example. A vulnerability or misconfiguration in one product is then much less likely to be shared by the other, so the second layer still stands when the first is bypassed.

The speed with which vulnerabilities are discovered and then exploited is increasing and shows no sign of slowing. This means security managers will have to respond ever more quickly to security threats, and the ‘intelligence from outside the firewall’ is going to become even more important to the security of every network.
