Everything You Need to Know about NGFW
Here is solid advice for evaluating a next-generation firewall (NGFW), from features to consider to questions to ask.
The next generation firewall (NGFW) was first identified and defined in 2009, but adoption has been relatively slow. By 2015 Gartner estimated that fewer than 40 percent of enterprise Internet connections were secured using NGFWs.
Gartner expects demand for NGFWs to explode over the next few years, however, as enterprises seek better ways of securing their networks. By the end of 2018 Gartner estimates that NGFWs will secure 85 percent of connections, with 90 percent of new purchases being NGFWs.
Traditional Firewall vs. NGFW
Traditional network firewalls provide a level of enterprise security by performing port and protocol inspection on network traffic. They block packets that are forbidden (by protocol or port) or which have not been requested by a legitimate application on a specific port.
Next generation firewalls (NGFWs) go beyond this static inspection by carrying out stateful packet inspection right down to the application layer. This allows them to block packets that are not matched to known active connections, to block unwanted application traffic (rather than traffic on specific ports) and to close network ports all the time unless they are actually in use, which provides some protection against port scanning.
Essential NGFW Features
All NGFWs offer two key features: application awareness and control, and identity awareness.
Application awareness and control lets you see which applications are being used on your network and provides you with a means to control this application usage. By identifying the applications and enforcing network security policy at the application layer - independently of port and protocol - you can, for example apply application blacklists or whitelists; allow Facebook but not Facebook applications such as Candy Crush Saga; or allow Skype for voice-over-IP but not for file sharing
Buyer's tip: Look for fine-grained policy enforcement for your most important business applications. Experience shows that NGFWs that offer the ability to exercise close control over a few dozen applications are more valuable than those that promise some control over hundreds or even thousands of applications you may never use.
Application control by itself can be something of a blunt instrument that can either prevent or allow certain types of application usage. Identity awareness integrates this control with corporate directories such as Active Directory, enabling you to apply secure firewall rules more granularly, to groups or even individual users.
For example, you can create a rule allowing sales and marketing staff to use certain social media applications, and allow contractors or temporary staff to access a small subset of those while board members can be granted unfettered Internet access.
Buyer's tip: Identity awareness is a feature that many NGFW vendors emphasize, but in practice the ability to control usage at the user or group level has not been widely adopted. Unless you have a specific need for identity awareness, it should be given less weight in your evaluations than application control.
Other Important NGFW Features
Intrusion protection systems (IPS)
Vendors are adding an increasing amount of IPS functionality into their offerings. What started as fairly rudimentary IPS capabilities have in many cases developed into a powerful IPS deeply integrated with the NGFW's other functionality. The IPS in many NGFWs can now challenge many standalone IPS appliances.
Buyer's tip: Intrusion protection systems are a key part of your corporate defenses, so it's important to consider if you want to get IPS functionality from your NGFW or whether it makes more sense to use a standalone, best-of-breed IPS. If you want IPS integrated in a NGFW, Gartner recommends assessing the IPS effectiveness as demonstrated through third-party testing under realistic threat and network load conditions.
Network sandboxing provides protection against malicious software by providing the ability to send suspicious files to an isolated sandbox in the cloud. There the files can be allowed to run and their behavior examined to determine whether they are malicious or not.
Network sandboxing is frequently offered by NGFW vendors or partners as a subscription service. The network sandbox market was worth over $500 million in 2014, but such is its popularity that it is forecast to grow to $3.5 billion by 2019.
Buyer's tip: Network sandboxing is rapidly becoming a mainstream feature, so it's worth checking that any vendor you consider offers it today or plans to offer it in the near future.
Threat intelligence feeds
Threat intelligence feeds provide lists of malicious IP addresses, malware signatures and other threat indicators to help the secure firewall and IPS features detect threats and prevent attacks.
Buyer's tip: Check whether any secure firewall under consideration can only accept the vendor's threat intelligence feeds or whether it can be used with feeds from a variety of sources.
Questions to Ask NGFW Vendors
- What is the peak firewall traffic throughput capability when all security features are disabled?
- What is the peak firewall traffic throughput capability with all the security features I require enabled?
- What is the base cost of the device?
- What is the cost of the device with my security requirements enabled?
- What are the annual maintenance and update costs?
- What are the annual subscription costs (for intelligence feeds, network sandboxing, etc.)?
- Can capacity and security features be changed on demand, and what are the cost implications of doing so?
- How much expertise is needed to configure the firewalling and security capabilities?
- How is the device configured, and how easy is the interface to use?
- Is the device IPv6 ready?
Security feature related:
- Which applications is the secure firewall aware of, and is it possible to create awareness for custom applications?
- How often is the application list updated?
- What kind of reporting is provided to help understand application usage and user behavior?
- How granular is the identity awareness control?
- What other security features are offered?
- How effective is the IPS functionality as demonstrated through third-party testing under realistic threat and network load conditions?
- Which threat intelligence feeds are supported?
- How are updates for features like anti-malware scanning delivered, and how frequently? And who provides them; is security research carried out in-house?
- If network sandboxing is not offered, is it on a short-term roadmap?
- Which security certifications does the device hold?
Short List of NGFW Vendors
Market leading NGFW vendors include:
Among other notable vendors:
- Intel Security (McAfee)
- Dell SonicWALL
- Juniper Networks
- Watch Guard Technologies
- Barracuda Networks
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.