What Is a Next Generation Firewall?

June 20, 2019 by Chuck McAuley, Principal Security Engineer

A Next Generation Firewall (NGFW) is a device that combines the features of a traditional firewall with advanced threat detection and filtering capabilities. While most vendors put their own spin on what makes their product great, you can define NGFWs by a common set of features.

They are all firewalls

You can't spell Next Generation Firewall without Firewall. All NGFWs have a common set of traditional firewall features. This includes abilities such as Network Address Translation (NAT), packet filtering, and session state tracking. NAT is the ability to translate one IP address and port pair into another. This allows multiple computers to share a single IP address; your home Internet router supports the same ability.

Packet filtering is the ability to prevent communication based on IP address, TCP or UDP port, or protocol (such as "block all ICMP packets"). Rules are evaluated in order: once the NGFW finds the first rule whose criteria match a packet, it applies that rule's action to the packet (allow, drop, log, etc.).

The third firewall feature is session state tracking. This feature enables a firewall to drop out-of-order packets and packets that don't belong to an existing session. Other traffic-cleaning activities are also performed, which keeps network communication safer and more efficient. Combined with some other features, this is normally referred to as "packet scrubbing", the implication being that you are cleaning the network traffic before allowing it into your network.
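To make the first-match rule walk and the session table concrete, here is an added example (not code from the original post or any NGFW vendor) of a toy stateful packet filter. Packets, rules and addresses are all constructed for the demonstration; a real firewall tracks far more state (sequence numbers, timeouts, both directions) than this.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # constructed packet model, not a real parser
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False         # TCP SYN flag: the packet that opens a session

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "drop"
    proto: Optional[str] = None   # None means "match any value"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

class StatefulFilter:
    """First-match rule evaluation plus a table of established sessions."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # (src, dst, proto, dport) of allowed sessions

    def decide(self, p: Packet) -> str:
        key = (p.src, p.dst, p.proto, p.dport)
        if key in self.sessions:          # packet belongs to a known session
            return "allow"
        if p.proto == "tcp" and not p.syn:  # no session and not opening one:
            return "drop"                   # out of order or forged, scrub it
        for rule in self.rules:           # first matching rule wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.sessions.add(key)
                return rule.action
        return "drop"                     # default deny when nothing matches

def demo():
    fw = StatefulFilter([Rule("allow", proto="tcp", dst="10.0.0.5", dport=443),
                         Rule("drop", proto="icmp")])   # "block all ICMP"
    return [fw.decide(Packet("192.0.2.1", "10.0.0.5", "tcp", 443, syn=True)),
            fw.decide(Packet("192.0.2.1", "10.0.0.5", "tcp", 443)),  # in session
            fw.decide(Packet("192.0.2.9", "10.0.0.5", "tcp", 443)),  # no session
            fw.decide(Packet("192.0.2.1", "10.0.0.5", "icmp")),
            fw.decide(Packet("192.0.2.1", "10.0.0.7", "udp", 53))]   # no rule
```

Swapping the order of the two rules in `demo()` would not change its result, but putting a catch-all `Rule("allow")` first would silently override every later drop, which is why rule ordering is reviewed as carefully as the rules themselves.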

These feature sets are used extensively in network communication today and are still heavily relied upon to reduce your attack surface. But they aren't what earns NGFWs the "next generation" label.

Next Generation?

NGFWs take the above feature sets and incorporate a smorgasbord of additional options. They introduce application filtering, content filtering, intrusion prevention, and malware protection. Other abilities can be incorporated into NGFWs, but this is the bare minimum feature set all of them have.

Application Filtering

Application filtering enables a firewall to look deeper into traffic, at layer 7. This allows administrators to filter on a per-application basis, and sometimes even at a per-action level. Common uses include policies such as "only users in call centers can use VoIP" or "only marketing and sales are allowed access to social media sites."

Administrators also use it to prevent common malware or malicious user actions, for example by blocking FTP, Tor, or commonly used file-sharing protocols. Many of these applications can hide from protocol filtering, but not from application-level inspection. Most NGFWs have some capability to inspect encrypted traffic in order to perform this filtering. However, if there is a lot of encrypted traffic that needs inspection, it's common to see decryption offloaded to a dedicated device before inspection is applied.

Content Filtering

Sometimes application filtering is too stringent or not dynamic enough. This is where content filtering comes in, typically using a proxy-like feature. It's a means of denying access to websites that fall into broad categories. Almost the entire web is bucketed into one or more of these categories, and most are available for filtering. The web categories most commonly blocked by organizations tend to be the ones that carry the highest risk or violate acceptable use policies, such as "adult", "violence", "gaming" and "gambling."

Intrusion Prevention

Intrusion prevention is the means of applying deep packet inspection to identify known attacks as they are sent across the Internet. Since patching can be a painful and slow process, many enterprises turn to an intrusion prevention system (IPS) as a means of protecting themselves quickly and expediently. An IPS used to be a separate device deployed behind the firewall itself, but with the gains of Moore's law and parallel computation, this function is now fully integrated into almost all NGFWs.

An IPS will have a library of signatures that alert and block whenever an attack is detected. Since the number of signatures enabled directly impacts performance, most IPS engines ship with a default set of rules enabled for the most common attacks. However, the user is expected to tailor the IPS rules to match the software they have actually deployed, which gives the best balance of performance and protection.

Malware Protection

NGFWs also provide network-based antivirus protection. This mechanism can come in many forms, but typically leverages the same deep packet inspection technology that the IPS component does. A content file, such as a PDF, observed transiting the network via a commonly used protocol, such as SMTP or HTTP, has a cryptographic hash computed over it. This hash, normally SHA-256, is compared against a cloud lookup service, and if the file is identified as malicious, it is stripped or the connection is aborted. In order to perform this just-in-time comparison, the device can either let most of the content pass and hold back the last few packets, or provide web-proxy-like functionality, storing the entire content for inspection and then passing it on. Other technology in the space will also execute ("detonate") samples that have not been seen before in order to determine whether they are malicious. All of these methods provide an additional layer of protection against malware before an endpoint security solution would need to inspect it.
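The "hold back the last few packets" approach is worth seeing in code. The following is an added example (not from the original post or any vendor's product) that hashes a file's packets as they stream by, forwards everything except a short tail, and releases or withholds that tail once the SHA-256 is checked. The blocklist, the packets and the holdback size are constructed for the demonstration; the set lookup stands in for the cloud query.

```python
import hashlib

HOLDBACK = 2  # constructed value: trailing packets withheld until the verdict

class HashInspector:
    """Forward a file's packets while hashing, withholding the tail.

    Most of the content is passed on as it arrives; the last HOLDBACK packets
    are buffered, the SHA-256 of the whole file is looked up, and the tail is
    released only if the hash is not known to be malicious.
    """
    def __init__(self, blocklist):
        self.blocklist = set(blocklist)   # stands in for the cloud lookup
        self.hasher = hashlib.sha256()
        self.pending = []                 # withheld packets
        self.forwarded = []               # what the client actually receives

    def on_packet(self, data: bytes) -> None:
        self.hasher.update(data)
        self.pending.append(data)
        while len(self.pending) > HOLDBACK:   # release beyond the window
            self.forwarded.append(self.pending.pop(0))

    def on_end_of_file(self) -> str:
        digest = self.hasher.hexdigest()
        if digest in self.blocklist:
            self.pending.clear()          # tail is never delivered: file unusable
            return "blocked"
        self.forwarded.extend(self.pending)
        self.pending.clear()
        return "delivered"

def inspect(packets, blocklist):
    """Run one file through the inspector; return (verdict, bytes delivered)."""
    insp = HashInspector(blocklist)
    for p in packets:
        insp.on_packet(p)
    return insp.on_end_of_file(), b"".join(insp.forwarded)

# Constructed sample files, each already split into packets.
BENIGN = [b"%PDF-1.4 ", b"hello ", b"world ", b"%%EOF"]
MALICIOUS = [b"%PDF-1.4 ", b"<<constructed bad content>> ", b"more ", b"%%EOF"]
# Constructed blocklist: the digest of the "malicious" sample, not a real IoC.
BLOCKLIST = {hashlib.sha256(b"".join(MALICIOUS)).hexdigest()}
```

Note that a blocked file still reaches the client minus its last HOLDBACK packets, which is exactly the trade-off the text describes: lower latency than a full store-and-forward proxy, at the cost of leaking a truncated copy.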

But wait there's more

The above technologies are common across all NGFWs, but that doesn't mean they are all these devices provide. Most also offer VPN access, TLS decryption, threat intelligence, DDoS mitigation, load balancing, and many niche capabilities. But the features above, IPS, content filtering, and in-network malware detection, are really what set them apart from their earlier counterparts that focused only on packet-level filtering. As customer requirements continue to expand, you can expect to see these devices take on additional workloads and expectations. The only question is what you call something that already is "next generation?" Deep Space Firewall doesn't have the same catchy ring to it. Live long and prosper.

If you are interested in exploring more information around today's security threats, check out this great resource: The 2019 Ixia Security Report.