Next Generation Firewalls
Next Generation Firewalls (NGFWs) are a newer class of firewall that entered the marketplace to address
two key limitations of earlier variants: 1) the inability to inspect the packet payload and 2) the inability to distinguish
between types of web traffic, since a traditional firewall classifies a flow only by its addresses, ports and protocol.
An NGFW is an adaptive network security system designed to detect and block attacks that hide inside otherwise permitted traffic.
NGFWs typically perform traditional functions such as packet filtering, stateful inspection and network address
translation (NAT), but add application awareness, incorporate deep packet inspection (DPI) technology and
offer varying degrees of integrated threat protection, such as data loss prevention (DLP), an intrusion prevention system
(IPS), SSL/TLS and SSH inspection (decrypting sessions so that their payload can be examined) and web filtering.
Application awareness is “the capacity of a system to maintain information about connected applications
to optimize their operation and that of any subsystems that they run or control.”20 This matters because
discriminating between legitimate and malicious traffic has become increasingly difficult as services move to the
web, where very different applications share the same few ports (typically 80 and 443). An NGFW identifies the
application from the traffic itself rather than from the port it uses, so it can tell an authorized business web
application from a streaming media site and enforce corporate policy on each, regardless of port or protocol; the
same identification gives insight into user activity and behavior.
DPI examines the packet payload, not just the headers, and matches it against signatures for known exploits,
malware and other unwanted content. It also yields a great deal of information about your traffic, which helps
establish what normal traffic looks like and makes anomaly detection more effective, especially in complex networks.
Bear in mind that DPI can only examine what it can read: encrypted sessions must first be opened with the SSL/TLS
inspection feature, and signature matching only catches what has already been characterized.
Depending on your organization, you may be asked to review, recommend or specify vendor solutions.
Bear in mind that while many next generation solutions advertise similar functions, how they deliver them is often decided
by the vendor's interpretation of these concepts and by proprietary implementation details, so evaluate each product against
your own traffic and policies rather than its feature list. As sophisticated as NGFWs may be today, they should not be your
only line of defense.