Overview
Gartner defines a Next-Generation Firewall (NGFW) as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” During the worldwide COVID-19 pandemic, workforce mobilization has increased the demand for anytime-anywhere access to an organization’s technology resources, which has left today’s businesses exposed to more threats. A next-generation firewall delivers comprehensive visibility, better security effectiveness, and more control over the applications, content, and users on your network, while still letting you address your business needs.
Deperimeterization
The emergence of more smart devices, more applications, more advanced threats, a more diverse population of network users, and more varied web traffic has steadily eroded the protection that the conventional firewall provided. Furthermore, the ever-growing number of outside users such as clients and partners connecting to business networks leads to deperimeterization, and with it a loss of the control businesses once had over their own networks. With concern over cyber-attacks rising, your business needs a secured network now more than ever while continuing to enable its operations. Many vendors offer a next-generation firewall for your business; what you need is a clear understanding of which one is the best fit.
Today’s users expect to work from any location - the office, their home, or a coffee shop - which makes the conventional perimeter concept obsolete. Moreover, applications routinely bypass port-based firewalls by hopping between ports, tunnelling over port 80, using SSH and SSL, or using non-standard ports. Attempts to restore visibility and control have produced duplicate security policies, particularly for remote users, delivered through separate endpoint and local policies and through stand-alone “firewall helpers”. These approaches introduce policy inconsistencies and do not solve the visibility and control problem, precisely because of incomplete or incorrect traffic classification, unwieldy management practices, and multiple latency-inducing scanning passes. A fresh, from-the-ground-up approach to restoring visibility and control is the best option: a next-generation firewall that unifies all applications, local and remote, and all security policies for all users.
NGFW Visibility and Control
Next-generation firewalls provide groundbreaking visibility and control over applications, content, and users, not just over ports, IP addresses, and packets, by using three distinctive recognition technologies: User-ID, App-ID, and Content-ID. These technologies let organizations embrace Web 2.0 applications while maintaining complete visibility and control, and at the same time significantly reduce the total cost of ownership of devices through consolidation.
User-ID Overview | Source: Palo Alto Networks
User-ID integrates next-generation firewalls with the broadest array of enterprise directories on the market, including eDirectory, Active Directory, Citrix, OpenLDAP, XenWorks, and Microsoft Terminal Server. The Captive Portal and XML API mechanisms round this out, allowing organizations to incorporate user data into their security policies. A host-based User-ID agent interfaces with the domain administrator, mapping user information to the IP address each user is using at any given time.
App-ID: Identifying any application on any port | Source: Palo Alto Networks
App-ID addresses the traffic-classification visibility limitations that plague conventional firewalls by applying several classification mechanisms to the traffic stream the moment the device sees it, establishing exactly which applications are traversing the network. App-ID continuously classifies traffic with these identification techniques, delivering consistent and precise application identification across all ports, for all traffic, all the time, and in many cases down to the function level.
How Content-ID works | Source: Palo Alto Networks
Content-ID uses a stream-based scanning engine and a uniform signature format to detect and block a broad range of attacks and intrusions, including exploitation of vulnerabilities, spyware, viruses, and worms. Stream-based scanning means that threat prevention starts as soon as the first packet is scanned, while the uniform signature format eliminates the redundant operations common to many scanning solutions (policy lookup, TCP reassembly, inspection mode, and so on), reducing latency and improving performance.
The tight integration of application control with user and group identity, combined with the ability to scan allowed traffic for a broad range of threats, lets organizations considerably reduce the number of policies deployed. It also absorbs the employee adds, moves, and changes that may occur daily without requiring policy rewrites.
NGFW Key Requirements
As far as possible, a next-generation firewall should meet the following key requirements:
1. Identify applications, not just ports –
> Identify precisely which applications are in use, irrespective of port, protocol, SSH or SSL encryption, or evasive tactics. This identification becomes the basis of the organization’s security policy.
2. Identify users, not just IPs –
> Use user and group information from enterprise directories for visibility, reporting, forensic investigation, and policy creation, regardless of where the user is located.
3. Scrutinize content in real time –
> Protect the network against exploitation of vulnerabilities and malware embedded in applications, no matter where the traffic originates.
4. Simplify policy management –
> Enable applications securely with straightforward, easy-to-use graphical tools that tie them together in a unified policy.
5. Enable a logical perimeter –
> Secure users with consistent, sustained protection that extends from the physical to the logical perimeter, including telecommuters and traveling users.
6. Deliver multi-gigabit throughput –
> Combine purpose-built hardware and software to deliver low-latency, multi-gigabit performance with all services enabled.
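To make requirements 1 and 2 (and the App-ID and User-ID mechanisms described above) concrete, here is an added toy policy engine, written for this article and not vendor code, that classifies a flow by its first payload bytes rather than its destination port and evaluates policy by directory group rather than source IP. The signatures, the IP-to-user map, and the policy table are constructed sample data, and the flows in the usage section show the port-based and content-based views disagreeing.

```python
"""Toy app-aware, user-aware policy check (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed stand-in for a User-ID-style IP -> (user, group) mapping.
USER_MAP = {"10.0.0.5": ("alice", "finance"), "10.0.0.9": ("bob", "contractors")}

# App-ID-style signatures matched against payload bytes, not the port.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),                      # SSH version banner
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),              # TLS handshake record
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
]

# Policy in terms of (group, application, action); first match wins, default deny.
POLICY = [
    ("finance", "tls", "allow"),
    ("finance", "http", "allow"),
    ("contractors", "http", "allow"),
    ("*", "ssh", "deny"),
]

@dataclass
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes

def port_based_app(dst_port: int) -> str:
    """What a legacy port-based firewall would assume the application is."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(dst_port, "unknown")

def classify_app(payload: bytes) -> str:
    """Identify the application from content, regardless of port."""
    for name, sig in APP_SIGNATURES:
        if sig.match(payload):
            return name
    return "unknown"

def evaluate(flow: Flow) -> tuple:
    """Return (user, application, action) for a flow using group-based policy."""
    user, group = USER_MAP.get(flow.src_ip, ("unknown", "unknown"))
    app = classify_app(flow.payload)
    for rule_group, rule_app, action in POLICY:
        if rule_group in (group, "*") and rule_app == app:
            return user, app, action
    return user, app, "deny"

if __name__ == "__main__":
    ssh_on_80 = Flow("10.0.0.9", 80, b"SSH-2.0-OpenSSH_8.9\r\n")  # SSH hiding on port 80
    print("port view:", port_based_app(ssh_on_80.dst_port), "| content view:", evaluate(ssh_on_80))
```

A port-based view labels the first flow "http" and would pass it under a web rule; the content-based view identifies SSH and the group-agnostic deny rule applies.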
For more about firewalls, read Web Application Firewall (WAF) vs. Intrusion Prevention Systems (IPS).
References:
1. Palo Alto Networks | Next-generation firewall feature overview
2. Fortinet | Next-Generation Firewall (NGFW/NGIPS)
3. Network Computing | Next-Generation Firewalls 101
4. Cisco | Cisco Application Visibility and Control