The traditional stateful firewall filters traffic based upon ports and protocols. For example, it blocks or allows all traffic on port 80 (HTTP) or port 443 (HTTPS). It's an "all-or-nothing" approach.

Newer firewall technology can also filter traffic based upon the applications or traffic types traversing these ports. For example, you could open port 80 for only select HTTP traffic, for those specific applications, sites, or services you allow. Think of it as blending the firewall and quality of service (QoS) functionalities into one solution.

These application-aware firewalls are commonly marketed as next-generation firewalls (NGFWs), but they are essentially a form of unified threat management (UTM) solution. However, the term UTM is usually applied to products that lack true application awareness and are targeted at the SMB market. UTM products usually offer additional functions over traditional firewalls, such as antivirus, antispam, or even intrusion prevention systems (IPS).


The fine-tuning of traffic provided by NGFWs can help with both security and bandwidth control. Since they're smarter and provide deeper inspection, they have the potential to catch more malicious activity. They can also serve as content filters and provide QoS functions, so higher-priority applications receive bandwidth preference. Along with the general need for better overall security, NGFWs are in demand due to the growth of cloud services and outsourced software as a service (SaaS) providers.

Common characteristics

Here are the common features of most NGFWs:

Standard firewall features: They include the traditional (first-generation) firewall functionalities such as stateful port/protocol inspection, network address translation (NAT), and VPN.

Application identification and filtering: This is the chief characteristic of NGFWs. They can identify and filter traffic based upon the specific applications, rather than just opening ports for any and all traffic. This prevents malicious applications and activity from using non-standard ports to evade the firewall.

SSL and SSH inspection: NGFWs can even inspect SSL and SSH encrypted traffic. They can decrypt traffic, make sure it’s an allowed application and check other policies, and then re-encrypt it. This provides additional protection from malicious applications and activity that try to hide using encryption to avoid the firewall.

Intrusion prevention: Being more intelligent and with deeper traffic inspection, they may also be able to perform intrusion detection and prevention. Some next-gen firewalls might include enough IPS functionality that a stand-alone IPS might not be needed.

Directory integration: Most NGFWs include directory support (e.g., Active Directory), for instance to manage authorized applications based upon users and user groups.

Malware filtering: NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This can help block phishing, virus-hosting, and other malware sites and applications.
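To make the difference between port-based and application-aware filtering concrete, here is a small added illustration (written for this article; it is not any vendor's engine, and its signatures are deliberately simplified). A port-based rule accepts anything on 80/443, while the application-aware path classifies the first client bytes of each flow and applies an HTTP host policy regardless of port. Sample flows and allowed host names are constructed.

```python
# Added example: port-based vs application-aware filtering (toy, not a product).
from dataclasses import dataclass
from typing import Optional

ALLOWED_PORTS = {80, 443}                                    # traditional rule: port is open, anything goes
ALLOWED_HTTP_HOSTS = {"intranet.example", "updates.example"}  # constructed policy for the "http" application

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the connection

def identify_app(payload: bytes) -> str:
    """Classify by content, not by port (simplified signatures)."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    # TLS record: type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"

def http_host(payload: bytes) -> Optional[str]:
    """Pull the Host header out of a plaintext HTTP request."""
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def port_based_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in ALLOWED_PORTS else "block"

def app_aware_decision(flow: Flow) -> str:
    app = identify_app(flow.payload)
    if app == "http":
        return "allow" if http_host(flow.payload) in ALLOWED_HTTP_HOSTS else "block"
    if app == "tls":
        return "allow"  # a real NGFW would hand this to SSL inspection before deciding
    return "block"      # SSH or unknown traffic on a web port is not "web"; no rule matches

SAMPLE_FLOWS = {  # constructed
    "http_allowed_host_on_80": Flow(80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "http_other_host_on_80":   Flow(80, b"GET /x HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    "ssh_on_443":              Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "http_on_8080":            Flow(8080, b"GET / HTTP/1.1\r\nHost: updates.example\r\n\r\n"),
}

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow name: (port-based verdict, app-aware verdict)}."""
    return {name: (port_based_decision(f), app_aware_decision(f)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (port_verdict, app_verdict) in compare().items():
        print(f"{name:26} port-based={port_verdict:5} app-aware={app_verdict}")
```

The second and third flows show the gap the article describes: a port-only rule lets any HTTP host and even non-HTTP traffic through on 80/443, while the application-aware check blocks both.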

What gives

Keep in mind, when comparing vendors, that they take varied approaches to implementing application-aware firewalls. The number of specific applications they can detect varies: some may support as many as 5,000 applications, others as few as 800.

Additionally, the ability or process of how to identify new or unknown applications also differs among vendors. The depth of application awareness varies, as well. Vendors can offer what you might call sub-application or application-function awareness. They can, for example, distinguish between multiple applications hosted on the same site. Another example: you might block the sharing capabilities of an instant messenger while still allowing the ability to chat.

The vendors

Here’s a review of the technology behind some of the enterprise-level next-generation firewall vendors:

Palo Alto Networks: This is one of the first vendors to release an application-aware firewall. Their proprietary technologies include App-ID, User-ID, and Content-ID: App-ID classifies known and unknown applications traversing any port and protocol over clear-text or encrypted SSL or SSH connections; User-ID adds support for user and group policies via most enterprise directories on the market, in conjunction with the network-based User-ID agent; and Content-ID provides real-time content inspection and filtering, URL filtering, and IPS functionality.

Barracuda Networks: Their Barracuda NG Firewall series combines NGFW and VPN technologies. It features application controls, intrusion prevention, Web filtering, antivirus, antispam, and network access control.

Juniper Networks: Their AppSecure software suite adds NGFW capabilities to their SRX Services Gateway. The application-awareness is provided by the AppTrack component. The AppFirewall and AppQoS components provide the traffic control and policy enforcement. Then the AppDoS and IPS components provide protection against attacks and malicious activity.

WatchGuard: They offer solutions for both the enterprise and medium-sized business environments. In addition to application control and IPS, they feature VPN, URL filtering, antispam, and antivirus functionality.

NGFWs do a thorough job of inspecting and filtering network traffic. They let you fine-tune exactly what type of content you want to allow or block, apply per-user policies regarding content, and provide intrusion prevention and reputation-based functions to stop attacks and malicious activity.

Though the technologies and products are still young, enterprises and businesses should begin the process of migrating to NGFWs.

Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer. Become a Twitter follower or use the RSS feed to keep up with his writings.