Next Generation Firewall vs. Traditional Firewall


Next-generation firewalls (NGFWs) have developed out of necessity in today's computing environments, where
malware attacks have grown in sophistication and intensity and have found ways of exploiting weaknesses in
traditional firewalls.

Because the firewall is the first line of defense against such attacks, and protection of the corporate network is of the
utmost importance, it stands to reason that firewalls have evolved as well to meet the threat.

Where traditional firewalls have fallen down is in their inability to inspect the data payload of network packets and
their lack of granular intelligence in distinguishing different kinds of web traffic. With most network traffic using
web protocols, traditional firewalls cannot distinguish between legitimate business applications and attacks, so they
must either allow all or reject all.

Clearly, something beyond a traditional firewall was needed that could carry out advanced security functions
without impacting the latency of the network, which is what led to the development of NGFWs. The relationship
between traditional firewalls and NGFWs is best understood by looking more closely at their similarities and
differences.

Similarities between the two:

Obviously the general purpose of both traditional firewalls and NGFWs is the same: to protect an organization's
network and data assets. In terms of the software components packaged by the two, they both include some variation
of the following:

Static packet filtering that blocks packets at the point of interface to a network, based on protocols, ports, or addresses
Stateful inspection or dynamic packet filtering, which checks every connection on every interface of a firewall for validity
Network address translation for re-mapping the IP addresses included in packet headers
Port address translation that facilitates the mapping of multiple devices on a LAN to a single IP address
Virtual private network (VPN) support, which maintains the same safety and security features of a private network over the portion of a connection that traverses the internet or other public network.

Differences between the two:

Gartner Research was one of the early champions of NGFWs, and even though the idea has been around for several
years now and the need for them pressing, less than 20% of all enterprise Internet connections today are secured by
them. By the end of 2014, that number was expected to rise, according to Gartner, to something nearly 35%.
Before describing the differences between traditional and next-generation firewalls, a working definition of an NGFW
is in order. According to Gartner, an NGFW is a deep-packet inspection firewall that moves beyond port/protocol
inspection and blocking to add application-level inspection, intrusion prevention, and intelligence brought in from
outside the firewall.
Here are the extra security features that can be found in a good NGFW that are not part of a traditional firewall:

Non-disruptive, in-line, bump-in-the-wire (BITW) configuration, wherein a stealth firewall resides inside the subnet so it can filter traffic between hosts
Integrated signature-based intrusion prevention system (IPS), which specifies which kinds of attacks to scan for and report on
Identification of applications using pre-defined application signatures, payload analysis, and header inspection, plus enforcement of network security policy at the application level, because applications (rather than networking services and components) have become the greatest area of exploitation today by malware and other attacks
Full stack visibility, which goes hand-in-hand with control of applications
Granular control, or extremely detailed control of applications
Capability to incorporate information from outside the firewall, including directory-based policies, white lists, and black lists
Upgrade path to include future security threats and information feeds
Secure sockets layer (SSL) decryption to enable identification of undesirable encrypted applications
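
The following Python script is an added illustration of the two feature sets above (static and stateful packet filtering from the "similarities" list, application identification by payload signature from the "differences" list); it is not code from the original article or from any firewall product. It runs three constructed flows through a port-only rule set, a connection-tracking filter, and an application-aware policy, and shows the point made earlier in the article: a port-based firewall must allow everything on 443, while an application-aware one can tell a TLS session from an SSH session tunnelled over the same port. The signature patterns, the rule tables and the sample packets are simplified assumptions for the demonstration.

```python
"""Toy comparison of port-based, stateful and application-aware filtering (constructed example)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""      # TCP flags as letters, e.g. "S" (SYN), "A" (ACK)
    payload: bytes = b""


# --- Traditional firewall, layer 1: static packet filter (ports and addresses only) ---
STATIC_RULES = [(80, "allow"), (443, "allow")]   # assumed rule table: destination port -> action


def static_filter(pkt: Packet) -> str:
    """Decide on header fields alone; anything not explicitly allowed is denied."""
    for port, action in STATIC_RULES:
        if pkt.dport == port:
            return action
    return "deny"


# --- Traditional firewall, layer 2: stateful inspection (connection tracking) ---
class StatefulFilter:
    def __init__(self) -> None:
        self.table: set[tuple] = set()   # flows admitted by their initial SYN, as 5-tuples

    def check(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.table or rev in self.table:
            return "allow"                       # packet belongs to a tracked connection
        if "S" in pkt.flags and "A" not in pkt.flags and static_filter(pkt) == "allow":
            self.table.add(fwd)                  # new connection permitted by the static rules
            return "allow"
        return "deny"                            # mid-stream packet with no known connection


# --- NGFW addition: application identification from the payload, not the port ---
APP_SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record: handshake type, version 3.x
    ("ssh",  re.compile(rb"^SSH-2\.0-")),             # SSH protocol identification banner
]
APP_POLICY = {80: {"http"}, 443: {"tls"}}            # assumed policy: which apps belong on which port


def identify_app(payload: bytes) -> str:
    for name, sig in APP_SIGNATURES:
        if sig.match(payload):
            return name
    return "unknown"


def ngfw_decision(pkt: Packet, stateful: StatefulFilter) -> str:
    """Stateful check first, then enforce policy at the application level."""
    if stateful.check(pkt) == "deny":
        return "deny"
    if not pkt.payload:                              # handshake packets carry no application data yet
        return "allow"
    app = identify_app(pkt.payload)
    if app in APP_POLICY.get(pkt.dport, set()):
        return "allow"
    return f"deny ({app} on port {pkt.dport})"


def run_demo() -> dict:
    """Run constructed flows through all three layers; returns {flow: (static, stateful, ngfw)}
    for the packet in each flow that carries application data."""
    stateful = StatefulFilter()
    flows = {
        "https-browsing": [
            Packet("10.0.0.5", 40001, "203.0.113.10", 443, flags="S"),
            Packet("10.0.0.5", 40001, "203.0.113.10", 443, flags="A",
                   payload=b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
        ],
        "ssh-tunnelled-over-443": [
            Packet("10.0.0.7", 40002, "198.51.100.9", 443, flags="S"),
            Packet("10.0.0.7", 40002, "198.51.100.9", 443, flags="A",
                   payload=b"SSH-2.0-OpenSSH_9.6\r\n"),
        ],
        "unsolicited-inbound-to-443": [   # no SYN was ever seen for this connection
            Packet("192.0.2.33", 5555, "10.0.0.8", 443, flags="A", payload=b"GET / HTTP/1.1\r\n"),
        ],
    }
    results = {}
    for name, pkts in flows.items():
        verdicts = [(static_filter(p), stateful.check(p), ngfw_decision(p, stateful)) for p in pkts]
        results[name] = verdicts[-1]
    return results


if __name__ == "__main__":
    for flow, (static, state, ngfw) in run_demo().items():
        print(f"{flow:28s} static={static:6s} stateful={state:6s} ngfw={ngfw}")
```

The port-only filter returns "allow" for all three flows, the stateful filter catches only the unsolicited mid-stream packet, and only the application-aware policy rejects the SSH banner on port 443. A real NGFW classifies across many packets and, as the last list item notes, decrypts SSL/TLS to see inside the encrypted session; this toy looks only at the first data-bearing packet.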

The next great thing:

The nature of computing being what it is and the nature of computer attacks being what they are, both of these can
be expected to undergo advances in the future, if not the very near future, which means even NGFWs will give way
to the next great thing in security.

What this will be might be driven by the advances in sophistication by malware attacks, but in the near future, what
is fairly certain will be a vast increase in the number of application identification signatures recognized and tighter
integration of all security devices to minimize performance degradation.

*Source: http://www.mydigitalshield.com/traditional-firewalls-vs-next-generation-firewalls/
