Next-generation firewalls (NGFWs) have been all the rage for a while now, but we often have clients asking how applicable they are for their specific environments.
The term next-generation implies an offering that uses the latest technology, replaces or makes obsolete an existing product, and represents a significant leap forward. In the context of firewalls, it describes the shift from stateful firewalls, which decide on source and destination address, protocol and port alone, to firewalls that additionally identify the application and the user behind a connection and add features such as Intrusion Prevention Systems (IPS) and Application Control.
Extending the firewall with this functionality gives a more holistic approach to security and simplifies the enforcement of policy for traffic traversing the NGFW. Policy becomes less about which IP addresses are allowed across the network and more about who (which users or groups) is allowed to use which resources (applications and websites).
The ’who’ becomes more contextually relevant to your organisation through integration with your directory management (e.g. Active Directory) and/or your IAM (Identity and Access Management) system. This translates to rules for people and systems – not rules for IP addresses.
These rules are also easier to manage. As an administrator, you no longer need to cross-reference IP addresses and ports with applications and websites. Because the NGFW inspects traffic at the application level, rules can be granular: no longer a binary permit or deny on a port, but tailored to the application and its functions (e.g. allow Skype, but not file transfer through Skype).
Instead of stating that a specific IP address is allowed to reach a certain port, you state that all LAN users are allowed to access the intranet server. This depends on the firewall being able to map each source address to a logged-on user through its directory integration; a connection from an address with no known user does not inherit the group's access.
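To make the shift from address-based to identity- and application-based rules concrete, here is a small added example (not code from the original post, and not any vendor's configuration syntax) of how such a policy is evaluated: the source address is resolved to a user and group set through a constructed directory mapping, the rule set is matched in order on group, identified application, application sub-function and destination, and anything unmatched falls to an implicit deny. It encodes the two rules mentioned above: Skype allowed but not Skype file transfer, and LAN users allowed to the intranet server. All users, groups, addresses and application names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed directory data, standing in for what an NGFW learns from
# directory integration: which user is currently logged on at which IP
# and which groups each user belongs to. Hypothetical names throughout.
IP_TO_USER = {"10.0.1.23": "alice", "10.0.1.57": "bob"}
USER_GROUPS = {"alice": {"LAN-Users", "Finance"}, "bob": {"LAN-Users"}}


@dataclass(frozen=True)
class Flow:
    """A connection as the firewall sees it after application identification."""
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str                            # e.g. "skype", "intranet-web", "ssh"
    app_function: Optional[str] = None  # sub-function, e.g. "file-transfer"


@dataclass(frozen=True)
class Rule:
    """An identity- and application-aware rule. A None field matches anything."""
    name: str
    action: str                        # "allow" or "deny"
    group: Optional[str] = None        # directory group the source user must be in
    app: Optional[str] = None          # identified application
    app_function: Optional[str] = None
    dst_net: Optional[str] = None      # CIDR the destination must fall in

    def matches(self, flow: Flow, groups: set) -> bool:
        if self.group is not None and self.group not in groups:
            return False
        if self.app is not None and self.app != flow.app:
            return False
        if self.app_function is not None and self.app_function != flow.app_function:
            return False
        if self.dst_net is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_net):
            return False
        return True


# Ordered policy, first match wins. The specific deny comes first so the
# broader allow cannot shadow it. 10.0.5.10 is a constructed intranet server.
POLICY = [
    Rule("no-skype-file-transfer", "deny", app="skype", app_function="file-transfer"),
    Rule("allow-skype", "allow", group="LAN-Users", app="skype"),
    Rule("allow-intranet", "allow", group="LAN-Users", app="intranet-web", dst_net="10.0.5.10/32"),
]


def resolve_groups(src_ip: str) -> set:
    """Map a source IP to the groups of the user logged on there.

    An address with no directory mapping yields the empty set, so every
    group-scoped rule fails to match and the flow falls through to the
    implicit deny: an unknown user gets nothing, not the old address-based access.
    """
    user = IP_TO_USER.get(src_ip)
    return set(USER_GROUPS.get(user, ())) if user else set()


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, rule_name) for the first matching rule, else the implicit deny."""
    groups = resolve_groups(flow.src_ip)
    for rule in policy:
        if rule.matches(flow, groups):
            return rule.action, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation address.
    samples = [
        Flow("10.0.1.23", "203.0.113.5", 443, "skype"),                   # alice, Skype chat
        Flow("10.0.1.23", "203.0.113.5", 443, "skype", "file-transfer"),  # alice, Skype file transfer
        Flow("10.0.1.57", "10.0.5.10", 443, "intranet-web"),              # bob to the intranet server
        Flow("10.0.1.57", "10.0.5.10", 22, "ssh"),                        # bob, wrong application
        Flow("10.0.9.9", "203.0.113.5", 443, "skype"),                    # no logged-on user here
    ]
    for f in samples:
        print(f.src_ip, f.app, f.app_function or "-", "->", evaluate(f))
```

The ordering matters in the same way it does on a real device: the narrower deny for Skype file transfer sits above the general Skype allow, and the absence of a user mapping is treated as "no identity" rather than "any identity", which is the safer default when the directory integration has gaps.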
Over and above this, NGFWs also include additional intelligence in the form of reputation and threat feeds and, in certain cases, sandboxing. With more malware being delivered through web and mobile applications, administrators now have access to curated reputation databases, which classify applications and websites into categories that can then be used to filter content and block known malware.
Threat feeds further enhance this by identifying attack sources (e.g. advanced persistent threats, botnet command and control nodes) and providing signatures for intrusion prevention. These feeds are typically built from global data sources, so your network can be pre-emptively protected from an attack that was first detected in another country.
In certain cases, encryption may be used to hide malware or command and control traffic. NGFWs have the ability to decrypt traffic for inspection, applying all of the above intelligence to reduce your organisation's risk. Note that inspecting outbound TLS requires the firewall's issuing CA certificate to be trusted by every client it intercepts, that applications which pin certificates will fail rather than accept the interception, and that categories such as banking or healthcare are commonly excluded from decryption for privacy and regulatory reasons.
All these features and capabilities may have existed in previous product offerings, but only as multiple products, typically from different vendors, each with a completely distinct user interface. NGFWs take away this complexity by providing a unified offering with tightly integrated management.
The bottom line is that NGFWs will:
- Contextualise your network security;
- Reduce the risk of exposure to new threat vectors; and
- Increase compliance with regulations and policies.
As with all technologies, a holistic approach needs to be taken to identify the level of risk or threat to your organisation and select the appropriate NGFW offering for your environment. At Dimension Data, we are backed by the world's leading security vendors and can assist with the design and implementation of an NGFW solution that meets your business requirements.
Our understanding of leading technology from multiple vendors, backed by a team of over 500 global security experts, can assist you with securing your network with next-generation firewalls.