Just about everyone has a firewall of some sort. But does it really need to be “next gen”?
Gartner and other industry analysts have made a lot of the “Next Generation Firewall” market, or NGFW for short. It isn’t just hype, though. Threats faced by organizations of all sizes as we head into 2015 are so sophisticated, varied, and, most importantly, dangerous, that traditional firewalls are simply inadequate to protect users and networked resources. The next gen firewall addresses both emerging threats and more common attacks without bogging down in terms of performance...at least, that’s the idea. In practice, it isn’t always that easy.
This still doesn’t explain exactly what an NGFW is. Fortinet recently released a white paper detailing “5 ½ Things That Make a Firewall ‘Next Gen’”. Yes, 5 ½. Just read the paper...you’ll get it. And yes, the link requires a quick registration, but if you think you might be in the market for smarter network protection, it’s worth a read. Here are the CliffsNotes, though, so we can get to the meat of this blog post.
Traditional firewalls largely rely on ports, protocols, and IP addresses to block unwanted or potentially dangerous applications. Close up all of the ports your users don’t actively need and you close a lot of holes bad guys can use to access your network. Block protocols associated with unnecessary applications like BitTorrent and you’ve saved some bandwidth and blocked some malware. Keep forward-facing resources like web servers in a DMZ and everything else behind the firewall, and you have additional protection from hackers. I’m oversimplifying here, but the point is that traditional firewalls rely on threats being relatively static in nature, with straightforward characteristics that are easily blocked.
NGFWs, on the other hand, look much more closely at the actual traffic moving to and from your network -- so-called deep packet inspection. They don’t just examine the source, destination, or protocol of network packets, but also their payloads. Next gen firewalls are often referred to as “application aware”, meaning that they can manage traffic based on the actual applications involved, which often use multiple ports and protocols. Even the aforementioned BitTorrent isn’t a cut-and-dried case of protocol blacklisting, as legitimate and even bandwidth-saving uses emerge for the technology. Perhaps more importantly, this more sophisticated inspection of network traffic means that NGFWs can implement a variety of network security and gateway functions like content filtering, anti-malware, etc.
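The port-versus-payload distinction the last two paragraphs draw, as an added example that is not code from this post or from any firewall vendor: a port-only rule set beside a minimal payload classifier in Python. The `Packet` type, the protocol signatures and the sample packets are constructed, simplified assumptions.

```python
"""Port-based filtering vs payload-aware (DPI) classification, side by side.
Added illustration for this post, not code from the post or any firewall vendor;
packets and signatures below are constructed, simplified assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes of application data

def port_based_verdict(pkt: Packet) -> str:
    """Traditional firewall: decide from protocol and port only, never the payload."""
    allowed = {("tcp", 80), ("tcp", 443), ("udp", 53)}
    return "allow" if (pkt.proto, pkt.dst_port) in allowed else "deny"

def identify_application(pkt: Packet) -> str:
    """DPI-style classification from the payload, ignoring the port it arrived on."""
    p = pkt.payload
    if p.startswith(b"\x13BitTorrent protocol"):   # peer-wire handshake
        return "bittorrent"
    # TLS handshake record (type 0x16, version 3.1-3.3) carrying a ClientHello (0x01)
    if len(p) > 5 and p[0] == 0x16 and p[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03") and p[5] == 0x01:
        return "tls"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in p:
        return "http"
    return "unknown"

# Application policy an NGFW administrator would write; unknown apps denied by default.
POLICY = {"http": "allow", "tls": "allow", "bittorrent": "deny", "unknown": "deny"}

def application_aware_verdict(pkt: Packet, policy: dict = POLICY) -> str:
    return policy.get(identify_application(pkt), policy["unknown"])

def compare(packets):
    """(dst_port, app, port-based verdict, app-aware verdict) for each packet."""
    return [(pkt.dst_port, identify_application(pkt),
             port_based_verdict(pkt), application_aware_verdict(pkt)) for pkt in packets]

# Constructed sample traffic (fake info hash and peer id).
BT_HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"-PEERID-" + b"0" * 12
SAMPLES = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),
    Packet("tcp", 6881, BT_HANDSHAKE),  # classic BitTorrent port: both approaches deny
    Packet("tcp", 80, BT_HANDSHAKE),    # same application on port 80: only DPI catches it
]
if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("port %5d  app=%-10s  port-based=%-5s  app-aware=%s" % row)
```

The last sample is the point of the paragraph: a port-only rule sees an allowed port and passes it, while the payload classifier names the application and the policy denies it.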
Again, I’m simplifying this quite a bit. There are details aplenty in that white paper I mentioned. And it’s worth noting that NGFWs are often subsumed within the broader markets of unified threat management (UTM) appliances and enterprise network firewalls. But throwing around acronyms like we’re eating alphabet soup doesn’t answer the question I posed up front. NGFWs have clear benefits over their first generation counterparts, but does every organization’s firewall need to be “next gen”?
The short but not very good answer is “probably”. Being able to turn on a variety of network protection functions as well as protections (and restrictions) for end users from a single appliance is a no-brainer from an administration standpoint. NGFWs give administrators powerful tools to implement policy and detect and mitigate emerging, dynamic threats in ways that traditional firewalls can’t match. Add in QoS features, protection from web-based malware, content filtering, and much more and it would seem like IT departments should be running, not walking, to their nearest NGFW vendor.
Oftentimes, that’s true, and adoption of NGFW technologies has been strong. Not all next gen firewalls are created equal, though. Some are quite expensive - prohibitively so for some smaller businesses or those without significant IT infrastructure to protect. Others suffer serious performance problems as more of their protection features are enabled. I’d be remiss if I didn’t point out that one particular vendor, whose name starts with an F and ends with a t, offers a wide range of UTM and NGFW products with very high performance at very competitive price points. But I digress.
As more businesses come under attack, both from increasingly automated and stealthy malware and hackers motivated by the prospect of big payouts from data breaches, NGFWs are becoming a necessity. There is a reason that all the cool kids are using NGFW technologies in their UTM and enterprise network firewall products - no one is immune from these attacks and the stakes are simply too high to rely exclusively on legacy firewalls and client-side antivirus. The right NGFW product can provide substantially improved protection from most threats at a price that’s right for the organization with little impact on network performance (and perhaps improvements with QoS and other application-level controls). With the wrong NGFW, organizations may as well stick with whatever first-generation protection they have in place.