Next Gen Firewall

What is a Next Gen Firewall (NGFW)?

Next generation firewalls have more sophisticated features than a traditional, or legacy, network firewall. Here are some common next generation firewall features:

• Deep packet inspection — Network firewalls examine data within the four TCP/IP communication layers (from highest to lowest): application, transport, IP/network, and hardware/data link. Next gen firewalls can inspect traffic at higher order TCIP/IP communication layers, including the application layer. This provides next generation firewalls with application awareness, e.g., context about which application traffic is transiting to and from, and baselines of expected user and application behavior against which to compare transit patterns.
• Intrusion detection and intrusion prevention — Inspecting traffic at higher order TCIP/IP layers enhances next gen firewalls’ ability to detect and prevent cyberattacks. Nextgen firewalls can monitor for potentially malicious activity based on specific behavior signatures or anomalies and then block suspicious traffic from the network. These capabilities are referred to as intrusion detection services (IDS) and intrusion prevention services (IPS).
• Distributed denial of service protection — Denial of service (DoS) attacks are malicious attempts to shut down a service by intentionally flooding the service with illegitimate requests, rendering the service unable to respond to legitimate requests from users. Distributed DoS (DDoS) attacks use multiple computers to generate the flood of illegitimate requests. Next gen firewalls are better able to detect and prevent these sorts of attacks than traditional firewalls because next gen firewalls are stateful. Statefulness enables the firewall to check more characteristics of connection requests against those of established connections, which aids in the detection of illegitimate requests, even when they may be formed differently or coming from different computers.

Next generation firewalls protect the organization from breaches and cyber threats, so it’s important to validate that the next generation firewall can accomplish its advertised functions. The best next generation firewalls are rigorously tested and certified by trusted, independent technology product assurance testers, such as ICSA Labs. Verify that the testing laboratory applies objective testing criteria for evaluating product performance.

When evaluating solutions, consider that the best next generation firewall may be part of a broader solution. For example, the HPE Aruba Networking EdgeConnect SD-WAN platform combines advanced SD-WAN capabilities with identity- and role-based traffic segmentation, enforced with a built-in next gen firewall (including IDS/IPS and other security functions). HPE Aruba Networking was also the first SD-WAN vendor to attain ICSA Labs Secure SD-WAN certification, validating its built-in next generation firewall and advanced security features.