What is a Next-Generation Firewall and why do we need it?
Business networks are constantly under threat and often contend with multiple attacks per day. A breach detection system (BDS) is a defensive tool designed to detect the activity of malware inside a network after a breach has occurred. A key component of a robust network security infrastructure built around a BDS is the firewall (FW).
Because of the changing threat landscape, and with increasingly malicious cyber threats now compromising networks, next generation firewalls (NGFWs) are recommended as part of robust security architecture. But how do NGFWs differ from FWs and why do you need them?
What’s the definition of a Next-Generation Firewall?
A NGFW is a firewall that moves beyond blocking and protocol/port inspection to add intrusion prevention and application-level inspection, and that can draw on threat intelligence from outside the firewall itself.
What’s the difference between a FW and a NGFW?
A NGFW is essentially a more advanced version of a FW. Both offer VPN support and dynamic and static packet filtering to ensure all connections between the internet, the network and the firewall are secure and valid. Both should also support network and port address translation in order to map IP addresses. However, there are some fundamental differences between them.
The most obvious difference is that NGFWs can deep-filter packets based on the application they belong to, using traffic analysis and signature matching, and they have extensive visibility into and control over applications. They can also use a signature-based IPS and application whitelists to distinguish safe applications from unwanted ones, regardless of port, protocol or evasive tactics, and can apply SSL decryption so that applications inside encrypted traffic are identified as well.
Another next-generation firewall feature is protection against a variety of threats, both known and unknown. These include malware, spyware, vulnerability exploits, malicious URLs and Advanced Persistent Threats (APTs), among others.
Why do I need a Next-Generation Firewall?
User behaviour, network infrastructure and fundamental shifts in the application landscape have steadily eroded the security that traditional firewalls once provided. This is because users are accessing a range of applications on a variety of devices as part of their working life. Virtualisation, mobility, data centre expansion and cloud-based initiatives are also affecting network security.
Traditional responses to threats have included either attempting to ‘lock down’ all application traffic (which can hinder business processes) or allowing all applications to function (which can increase security and business risks).
In order to strike a balance between denying everything and allowing everything, applications need to be safely enabled by considering business-related elements, including the application's identity, the type of content and who is using it, as part of the firewall's overall security policy criteria.
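To make the contrast between a port-based rule and an application- and user-aware policy concrete, here is an added Python example that is not part of the original article. The flows, the byte signatures (standing in for a vendor's application-identification engine), the IP-to-user map and the policy rows are all constructed; the application names and hosts are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src_ip: str
    dst_port: int
    proto: str
    payload: bytes  # first bytes of the session (constructed sample data)

# Traditional firewall: the verdict depends only on port and protocol.
PORT_RULES = {(80, "tcp"): "allow", (443, "tcp"): "allow"}

def traditional_verdict(flow: Flow) -> str:
    return PORT_RULES.get((flow.dst_port, flow.proto), "deny")

# NGFW application identification: constructed byte signatures standing in
# for a vendor's application-signature engine (hypothetical app names).
APP_SIGNATURES = {
    b"Host: crm.example.internal": "crm-web",
    b"Host: filedrop.example": "file-sharing",
    b"\x16\x03\x01": "tls-unclassified",  # start of a TLS ClientHello; opaque until decrypted
}

def identify_app(flow: Flow) -> str:
    for signature, app in APP_SIGNATURES.items():
        if signature in flow.payload:
            return app
    return "unknown"

# User-to-IP mapping (constructed); a real NGFW learns this from the
# directory, RADIUS or an endpoint agent rather than trusting the IP alone.
USER_BY_IP = {"10.0.1.5": "alice", "10.0.1.9": "contractor-bob"}

# Application-aware policy rows: (application, permitted users or None for any, verdict).
APP_POLICY = [
    ("crm-web", None, "allow"),
    ("file-sharing", {"alice"}, "allow"),
    ("file-sharing", None, "deny"),
    ("tls-unclassified", None, "decrypt-and-reinspect"),  # SSL decryption, then re-identify
]

def ngfw_verdict(flow: Flow) -> str:
    """First matching rule wins; anything unidentified is denied."""
    app = identify_app(flow)
    user = USER_BY_IP.get(flow.src_ip, "unknown")
    for rule_app, users, verdict in APP_POLICY:
        if rule_app == app and (users is None or user in users):
            return verdict
    return "deny"
```

The same HTTP session on port 80 is allowed by the port rule but denied for the contractor by the application policy, while the CRM application on a non-standard port is allowed only once the NGFW identifies it.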
What types of attacks can occur?
A BDS defends enterprises from a myriad of malicious attacks, from single independent threats to multiple threats that overwhelm and breach networks and their security mechanisms. A common type of attack is the Denial of Service (DoS) attack, and its offshoot, the Distributed DoS (DDoS) attack.
A DoS shuts down machines or networks, making them inaccessible to users. A DDoS is more robust: in its simplest form, it floods a network with a large volume of traffic, which overextends and overloads its resources.
DDoS attacks are increasing due to the rise of Internet of Things (IoT) devices being recruited into botnets. A botnet is a collection of internet-connected devices, each running one or more bots. Botnets can be used to steal data, send spam, perform DDoS attacks and give the attacker access to the device and its connections. This stretching of resources leaves defences overwhelmed, which allows malware to attack.
What to look for in a NGFW
- Prevention capabilities to stop attacks before they impact your network.
- A built-in next-generation IPS to identify stealthy threats and stop them quickly.
- URL filtering to enforce policies on URLs.
- Built-in advanced malware protection and sandboxing that continuously analyses file behaviour to quickly detect and eliminate threats.
- Deep-packet inspection (DPI) capabilities to classify applications and detect zero-day vulnerabilities.
- The ability to identify, decrypt and inspect SSL traffic and to bypass specific segments according to policy rules.
- The ability to tie application usage to user identity rather than to an IP address, regardless of device or location.
- The ability to incorporate the work of firewalls, antivirus and other security applications into one solution, creating a broader and more formidable breach detection system.
- Visibility into threat activity across hosts, users, devices and networks.
- Visibility into when and where a threat originated and where it has been across your extended network.
- Visibility into active websites and applications.
- Visibility into communications between virtual machines, file transfers and so on.
- Management for every use case, whether it’s from an on-box manager or centralised management across all appliances.
- The ability to deploy on-site or in the cloud via a virtual firewall.
- Customised features that meet your needs, including advanced capabilities.
- The ability to choose from a wide range of throughput speeds.
- The ability to integrate with other security systems allowing teams to observe and manage all firewall activity through a single dashboard.
- The ability to enable IP address and network port management.
- The ability to display analysis results and system performance, and to update network information in order to identify new malware attacks.
- The ability to detect threats in seconds and a successful breach within minutes or hours.
- Alert prioritisation so you can take precise and swift action to eliminate threats.
- Policy deployment with automatic enforcement across all facets of your organisation.
- Automatic sharing of policy, event data, threat information and contextual information with web, email, endpoint and network security tools.
- Automation of security tasks such as policy management, impact assessment and user identification.
- Uninterrupted operation, and therefore business continuity.