What are some NextGen firewalls


The firewall has continued to evolve since its introduction in the late 1980s. The security classic is still considered an essential component for protecting against attacks on the corporate network. Find out how a firewall works and how the different variants differ.

Firewall - a definition

In general terms, a firewall is a network device that monitors packets going into or out of the network. If a firewall is installed on a computer, it is called a personal or desktop firewall. If it is not located on the system to be protected, but on its own device in the network, it is known as an external firewall. Other names are network or hardware firewall.

Firewalls block or allow data transit based on defined rules that decide which traffic is allowed and which is not. In this way, they defend against attacks from outside via open ports on a computer or network. This includes, for example, Internet worms such as SQL Slammer, Sasser etc. In addition, firewalls block harmful traffic from the inside to the outside if, for example, malware that has gained a foothold internally despite all countermeasures wants to contact a control server.

Various types of firewalls have evolved over the years. They have become increasingly complex and use a larger number of parameters to decide whether traffic is allowed to pass. Modern variants are usually referred to as Next Generation Firewalls (NGFW). They contain a number of features that go beyond filtering techniques.

Firewalls were originally used as guardians at the borders between trustworthy networks and those that are not trusted. Companies are now also using them to shield internal network segments such as the data center from other segments of the company network.

Network firewalls are typically deployed as hardware appliances. However, they are also available as virtual versions so that they can be installed as software on your own hardware.

Proxy-based firewall

This type of firewall acts as a security gate between users requesting data and the source of that data. This is why it is often referred to as the "gateway firewall". It acts as a proxy between the resources to be protected and other networks such as the Internet and checks all exchanges between the two.

For example, if an external device wants to access a resource in the protected network via the Internet, this request goes through the firewall - the device and network never communicate directly with each other. The request from the device is intercepted by the firewall and the transmitted packets are checked. The firewall can filter them to apply policies and mask the location of the receiving device. It then establishes a separate secure connection between itself and the target resource. The response from within the network also goes back to the external device via the proxy in two stages. This protects the receiving device and the network itself.

The advantage of a proxy firewall is that devices are never directly connected to the network. The firewall has its own IP address, which is only used for external communication. Therefore, this type of firewall is considered to be one of the most secure. Since not only the network address and port number of an incoming data packet are examined, but the network packets as a whole, proxy firewalls usually also have extensive logging functions. This makes it a valuable resource for administrators in the event of a security incident, as log data can be easily evaluated.

On the other hand, performance can suffer, as delays occur if the firewall constantly cuts, re-establishes and filters incoming connections. This in turn makes it impossible to use some applications through the firewall, as the response times are too slow. It is also possible that the firewall only supports certain network protocols and therefore only certain applications from the outset. Since all traffic goes through the firewall, it also becomes a kind of Single Point of Failure (SPoF), the failure of which can paralyze the entire network.

Stateful firewall

In order to get the performance disadvantages of the proxy firewall under control, the IT security provider Check Point developed the stateful firewall in the early 1990s. Instead of examining every single packet, it monitors the connection status - a so-called stateful inspection. This reduces the delay.

At the beginning of a connection, the firewall checks in depth whether the packets are allowed, secure packets. If it classifies the traffic as legitimate, the firewall establishes a connection to the destination and lets the packets pass. It now retains this status in memory and allows all subsequent packets that are part of this communication to pass through without further thorough examination. The status includes details such as the IP addresses and ports involved in the connection as well as the sequence numbers of the sent packets. Invalid packets that do not belong to an existing connection, for example because they belong to a Denial-of-Service (DoS) attack, are blocked.

Since the stateful firewall stores all connection information - permitted and blocked - in a table in its memory, a targeted Distributed Denial-of-Service (DDoS) attack can cause difficulties. The processing of legitimate connections and thus the service can suffer from the sheer number of blocked connections held by the table in the event of such an attack.

To mitigate this risk, many companies distribute network traffic processing across multiple firewall appliances. Often the choice falls on cloud-based solutions, as they scale with the workloads and thus rule out failure due to overload.

Next Generation Firewall (NGFW)

Next Generation Firewalls (NGFW) filter packets in addition to the connection status as well as source and destination addresses on the basis of further characteristics. They contain rules about what individual applications and users are allowed to do and use more information to make better decisions about whether traffic is allowed.

Many NGFW today combine security functions that were traditionally provided by other solutions. These include, for example:

  • Intrusion Prevention Systems (IPS) - As a separate solution, the IPS was usually located directly behind the traditional firewall and took measures against detected anomalies and attack patterns that had made it past the firewall. Many NGFW expand the classic IPS capabilities with finely granulated security factors. They compare the analyzed traffic against a database of known attack patterns and can detect and prevent unknown attacks based on deviations from normal operation. The integration of the IPS into the NGFW reduces the administrative effort for the administrators, as there is no extra communication between the solutions to configure and control.

  • Deep Packet Inspection (DPI) - In contrast to classic packet filters, this variant not only inspects the header with the origin and destination of packets, but also their data content. For example, DPI checks which application is being accessed and what type of data is being transmitted. This information can be used to define smarter and more detailed policies for the firewall. In addition to controlling the entry of traffic, DPI can also be used to restrict the bandwidth that certain applications can use or to prevent sensitive information from leaving the secure network.

  • SSL / TLS termination - Traffic encoded with the encryption protocol Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL) cannot be checked by DPI because the content cannot be read. Some NGFW therefore offer the option of stopping this traffic, decrypting it, inspecting it and finally establishing a second TLS / SSL connection to the destination address. For example, employees can be prevented from sending internal information from the secure network to the outside, while legitimate traffic can pass through unhindered. Since it is possible that personal data is automatically processed when using DPI in this depth, it is important to carefully check what is necessary and possible in terms of data protection.

  • Sandboxing - Incoming emails with attachments can contain malicious code. Sandboxing enables an NGFW to run attachments and any code they contain in a shielded environment and determine whether they are harmful. The disadvantage here is: Sandboxing adds an additional step to the transmission - similar to the proxy firewall - which sometimes requires a lot of computing power. As a result, performance can suffer and the flow of traffic can be delayed.

In addition to the above, an NGFW can also contain other features. This makes it possible to preventively include data that are still unknown to the system in the firewall's decision-making process. For example, if researchers have identified the signature of a new malware, the NGFW can obtain this information and filter out traffic that has this signature.

The latest developments continuously expand the functions of the NGFW and implement, for example, context-sensitive protection against Advanced Persistent Threats (ATPs) or explicitly support virtualized and cloud environments. The degree of automation increases, so that IT can react more quickly to threats and the management effort is reduced.

Unified Threat Management (UTM)

Next generation firewalls were initially only designed for the functions of intrusion prevention and deep packet inspection. Everything that went beyond that and included antivirus features, for example, was referred to as Unified Threat Management (UTM). UTM devices combine several functions in one solution as standard. Above all, they stand out for their comfortable and simple installation and require a few simple steps to configure.

On the other hand, it can happen that a UTM solution is not suitable for an individual environment or that a company is already using individual security products that have similar performance characteristics. Then the entire range of functions of the UTM does not necessarily pay off. Large companies, on the other hand, can reach the limits of UTM when security solutions are to be scaled in large networks. An individual solution that can grow flexibly with you may be the better option here.

In the meantime, more and more functions are being integrated into NGFW so that they are largely congruent with UTM. The most striking difference is that UTM offers less throughput than an NGFW, but is easier to deploy and manage. An NGFW, on the other hand, offers higher throughput rates and more detailed customization options, but is more complex to manage.

Web Application Firewall (WAF)

This type of firewall sits between web servers and the Internet. It protects against certain HTML attacks such as zero-day exploits, SQL injection (SQLi), in which the database can be read and manipulated via a web application, or cross-site scripting (XSS). The latter method exploits a security gap on the client or server to embed malicious code in trustworthy environments and use it to manipulate websites, take over browsers or steal confidential information.

WAF are available hardware, software or cloud-based. It is also possible to integrate it directly into applications in order to check whether every client trying to reach a server is allowed to do so. Classic black or whitelisting of recognized patterns is used, which may lead to false positives. Current WAF incarnations use self-learning functions, among other things, to recognize and ward off previously unknown attacks.

With a WAF, IT can close several security gaps in applications behind the firewall at the same time. It is also a way of protecting legacy systems that are no longer updated and are therefore vulnerable.

The disadvantage is that incorrectly or too restrictively configured WAF filters can disrupt operation. In addition, applications that use active content on the client side (e.g. JavaScript) may be poorly supported or require considerable configuration effort. In addition, using a WAF can lead to security being neglected in application development. However, a firewall is not a substitute for a secure application.