What is a NGFW?
What does the term “next-generation firewall” (NGFW) mean?
A next-generation firewall (NGFW) is a type of security appliance that analyses network traffic and applies rules to prevent potentially harmful data from passing through. NGFWs are constantly evolving and enhancing the capabilities of classic firewalls. They perform the same functions as firewalls, but more effectively and with extra functionality.
Take two airport security companies as an example. One verifies that passengers are not on any no-fly lists, that their IDs match those on their tickets, and that they are travelling to destinations served by the airport. Along with reviewing no-fly lists and other items, the second examines what passengers are carrying to ensure they are not carrying anything dangerous or prohibited. The first agency protects airports from obvious threats; the second agency also identifies less obvious concerns.
A conventional firewall functions similarly to the first security agency: it blocks or admits data (passengers) based on its destination, whether it is part of an authorised network connection, and its origin. An NGFW is more akin to the second security agency: it inspects data at a deeper level in order to find and prevent threats concealed within seemingly harmless traffic.
What capabilities does a next-generation firewall have?
NGFWs are capable of performing all of the functions of traditional firewalls. This includes the following:
Packet filtering: Inspecting and blocking each individual packet of data. Packet filtering is discussed in greater detail below.
Stateful inspection: Examining packets in context to ensure they are associated with a valid network connection.
VPN awareness: Firewalls are capable of identifying and allowing encrypted VPN traffic.
NGFWs also bring some functions that earlier firewalls lack. NGFWs employ deep packet inspection (DPI) alongside packet filtering. Gartner, a global research and consultancy group, further defines an NGFW as including:
Awareness of and control over applications
Preventing intrusions
Intelligence on threats
Upgrade paths for future information feeds
Techniques for dealing with ever-changing security risks
These capabilities are detailed below.
The majority of these functionalities are available because, unlike traditional firewalls, NGFWs can handle traffic at many OSI layers, not only layer 3 (the network layer) and layer 4 (the transport layer). For example, NGFWs can examine layer 7 HTTP traffic and determine which applications are running. This is a critical feature since layer 7 (the application layer) is increasingly being used by attackers to circumvent standard firewall security controls enforced at layers 3 and 4.
(For a more detailed explanation of the OSI layers, see What is the OSI model?)
What is packet filtering and how is it different from deep packet inspection (DPI)?
Packet filtering
All data travelling over a network like the Internet is decomposed into smaller units known as packets. Due to the fact that these packets carry the data that enters a network, firewalls check them and either block or permit them to prevent unwanted information (such as a malware attack) from passing through. All firewalls provide this type of packet filtering.
Packet filtering operates by analysing the source and destination IP addresses, ports, and protocols associated with each packet — in other words, where each packet originates, where it is headed, and how it will arrive. Firewalls permit or deny packets based on this assessment, blocking out packets that are forbidden.
For instance, attackers occasionally attempt to exploit weaknesses in the Remote Desktop Protocol (RDP) by sending specially crafted packets to the protocol’s default port, 3389. A firewall can inspect a packet, determine which port it is destined for, and block all packets destined for that port — unless they originate from a particular permitted IP address. This entails analysing network traffic at layer 3 (to determine the source and destination IP addresses) and layer 4 (to see the port).
Deep packet inspection (DPI)
NGFWs enhance packet filtering by performing deep packet inspection (DPI) in addition to it. As with packet filtering, DPI entails examining each individual packet to determine the source and destination IP addresses, as well as the source and destination ports. All of this information is carried in a packet’s layer 3 and layer 4 headers.
However, DPI examines the entire body of each packet, not just the header. In particular, DPI examines packet bodies for malware signatures and other potential risks, comparing each packet’s contents against those of known malicious attacks.
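The following is an added example, not code from the original article or from any NGFW vendor. It models the two stages just described with a constructed packet type: a layer 3/4 rule that blocks RDP (port 3389) unless the source is in a hypothetical permitted subnet, followed by DPI that matches the payload against constructed placeholder signatures. The permitted subnet, the signature patterns and the sample packets are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet model: the layer 3/4 header fields a packet filter reads,
# plus the payload that only deep packet inspection examines.
@dataclass
class Packet:
    src_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes

RDP_PORT = 3389
# Hypothetical management subnet permitted to reach RDP (an assumption, not from the page).
ALLOWED_RDP_SOURCES = [ip_network("203.0.113.0/24")]
# Constructed byte patterns standing in for malware signatures; a real DPI engine
# uses vendor-supplied signature sets and reassembles TCP streams before matching.
SIGNATURES = {"demo-sig-1": b"CONSTRUCTED-MALWARE-PATTERN-1",
              "demo-sig-2": b"CONSTRUCTED-MALWARE-PATTERN-2"}

def packet_filter(pkt: Packet) -> str:
    """Layer 3/4 decision: header fields only, the payload is never consulted."""
    if pkt.proto == "tcp" and pkt.dst_port == RDP_PORT:
        if not any(ip_address(pkt.src_ip) in net for net in ALLOWED_RDP_SOURCES):
            return "deny"
    return "allow"

def deep_inspect(pkt: Packet):
    """DPI: return the name of the first signature found in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

def ngfw_decision(pkt: Packet) -> str:
    """Cheap header filtering first; DPI only on what the filter lets through."""
    if packet_filter(pkt) == "deny":
        return "deny:filter"
    hit = deep_inspect(pkt)
    return f"deny:dpi:{hit}" if hit else "allow"

# Constructed sample traffic: RDP from an unknown host, RDP from the permitted
# subnet, and an HTTP request that clears the port rules but carries a signature.
SAMPLE = [
    Packet("198.51.100.7", "tcp", 3389, b"\x03\x00\x00\x13"),
    Packet("203.0.113.20", "tcp", 3389, b"\x03\x00\x00\x13"),
    Packet("198.51.100.7", "tcp", 80,
           b"GET / HTTP/1.1\r\n\r\nCONSTRUCTED-MALWARE-PATTERN-1"),
]
def run() -> list:
    return [ngfw_decision(p) for p in SAMPLE]
```

The third packet is the case the article is making: a traditional filter allows it because port 80 is permitted, and only the payload inspection catches it.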
What is application awareness and control?
NGFWs either block or accept packets based on the application to which they are directed. They accomplish this by examining traffic at the application layer, or layer 7. Traditional firewalls lack this functionality since they evaluate only traffic at the layer 3 and layer 4 levels.
Administrators can use application awareness to block potentially dangerous applications. If data from an application cannot pass through the firewall, that application cannot introduce threats into the network.
Both this feature and intrusion prevention (detailed below) are defined by Gartner as aspects of DPI.
What is intrusion prevention?
Intrusion prevention analyses incoming traffic, detects known and unknown dangers, and prevents them. This feature is frequently referred to as an intrusion prevention system (IPS). As part of their DPI capabilities, NGFWs include IPSes.
IPSes can detect threats in a variety of ways, including the following:
Signature detection: Scanning the data contained in incoming packets and comparing it to known threats.
Statistical anomaly detection: Scanning traffic in order to identify outliers in behaviour when compared to a known baseline.
Stateful protocol analysis detection: Analogous to statistical anomaly detection, but with an emphasis on the network protocols in use, comparing them to typical protocol usage.
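As an added illustration of the statistical anomaly detection method listed above (not code from the article or any IPS product), the example below learns a per-minute connection-count baseline from a constructed known-good window and then flags any source in a constructed one-minute flow log whose count lies more than three standard deviations above it. The baseline counts, the flow records and the threshold are assumptions chosen for the demonstration.

```python
import statistics
from collections import Counter

# Constructed learning window: new connections per minute from a typical internal
# host while traffic was known-good. A real IPS learns this baseline from live traffic.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]

# Constructed flow log for one minute: (source_ip, destination_ip, destination_port).
# One host fans out to sixty SMB targets; another shows ordinary HTTPS volume.
LIVE_FLOWS = ([("10.0.0.8", f"10.0.1.{i}", 445) for i in range(1, 61)]
              + [("10.0.0.9", "10.0.1.5", 443)] * 14)

def build_baseline(counts):
    """Summarise the known-good window as (mean, population standard deviation)."""
    return statistics.mean(counts), statistics.pstdev(counts)

def anomalous_sources(flows, baseline, z_threshold=3.0):
    """Statistical anomaly detection: flag sources whose connection count in the
    observed minute sits more than z_threshold standard deviations above the
    baseline. Returns {source_ip: z_score} for flagged hosts only."""
    mean, sd = baseline
    per_source = Counter(src for src, _, _ in flows)
    flagged = {}
    for src, n in per_source.items():
        z = (n - mean) / sd
        if z > z_threshold:
            flagged[src] = round(z, 1)
    return flagged

def run():
    return anomalous_sources(LIVE_FLOWS, build_baseline(BASELINE_COUNTS))
```

Signature detection would find nothing in these flows, because no payload is malicious; the fan-out host is caught purely by its deviation from the baseline.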
How is threat intelligence defined?
Threat intelligence is data on possible attacks. Because attack strategies and malware strains are constantly evolving, it is critical to have up-to-date threat intelligence to prevent attacks. NGFWs are capable of receiving and acting on external threat intelligence streams.
By supplying the most recent malware signatures, threat intelligence ensures that IPS signature detection is successful.
Additionally, threat intelligence can provide information about a host’s IP reputation. “IP reputation” identifies IP addresses from which attacks (particularly bot attacks) frequently originate. A threat intelligence feed on IP reputation offers the most recently known problematic IP addresses, which an NGFW can then block.