
What is a Next-Generation Firewall?
The Internet now accounts for the majority of traffic traversing enterprise networks. And it’s not just web surfing. The Internet has spawned a new generation of applications being accessed by network users for both personal and business use. Many of these applications help improve user and business productivity, while other applications consume large amounts of bandwidth, pose needless security risks, and increase business liabilities.
Traditional firewalls are unable to identify or effectively control any of these Internet applications. That’s because legacy firewalls classify traffic based only on ports and protocols.
For example, most web traffic would be identified as simply HTTP coming through Port 80, with no information on the specific applications associated with that port and protocol.
But this problem is not limited to Port 80. Internet applications increasingly use encrypted SSL tunnels on Port 443, employ evasive tactics to disguise themselves, or hop between ports to find any open entry point through the firewall. Again, legacy firewalls cannot see or control any of that traffic.
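The difference between port-based and application-based classification is easiest to see in code. The following is an added example, not part of the original article and not any vendor's product code: it contrasts a port-only lookup table with an application classifier that reads the HTTP `Host` header or the TLS ClientHello SNI extension and matches it against a small signature table. The host names, the signature table and the sample flows are all constructed for the example; a real NGFW uses far richer signatures than a host-name match.

```python
import struct

# Constructed application signature table (hypothetical host names, not real services).
APP_SIGNATURES = {
    "video.example-stream.test": "streaming-video",
    "files.example-share.test": "file-sharing",
    "crm.example-corp.test": "business-crm",
}
# What a port-only classifier knows: the IANA-style label for the destination port.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "https"}


def http_request(host: str, path: str) -> bytes:
    """Build a constructed HTTP/1.1 request payload for the sample flows."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: constructed\r\n\r\n".encode()


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension (constructed)."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type=host_name
    sni_ext = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32          # client_version + random
            + b"\x00"                            # session_id length 0
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # compression: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if lines[0].split(" ")[0] not in {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}:
        return None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return None


def tls_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent/unparsable."""
    try:
        if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 43                                   # record hdr(5)+hs hdr(4)+version(2)+random(32)
        pos += 1 + payload[pos]                    # skip session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + payload[pos]                    # skip compression_methods
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name extension
                list_len = struct.unpack("!H", payload[pos:pos + 2])[0]
                p, list_end = pos + 2, pos + 2 + list_len
                while p + 3 <= list_end:
                    ntype, nlen = payload[p], struct.unpack("!H", payload[p + 1:p + 3])[0]
                    if ntype == 0:
                        return payload[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += ext_len
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def classify_by_port(dst_port: int) -> str:
    """Legacy view: the port is all the classifier sees."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_app(dst_port: int, payload: bytes) -> str:
    """Application view: identify the app from the payload; fall back to the port label."""
    host = http_host(payload) or tls_sni(payload)
    if host is None:
        return classify_by_port(dst_port)
    return APP_SIGNATURES.get(host.lower(), f"web:{host.lower()}")


# Constructed flows: two different apps on port 80, a business app on 443, and a
# file-sharing app that has port-hopped its TLS session to 8443.
SAMPLE_FLOWS = [
    (80, http_request("video.example-stream.test", "/watch?v=abc")),
    (80, http_request("crm.example-corp.test", "/accounts")),
    (443, build_client_hello("crm.example-corp.test")),
    (8443, build_client_hello("files.example-share.test")),
]


def compare_views(flows=SAMPLE_FLOWS):
    """Return (dst_port, port_only_label, application_label) for each flow."""
    return [(port, classify_by_port(port), classify_by_app(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, legacy, app in compare_views():
        print(f"port {port:>5}: legacy={legacy:<8} application={app}")
```

Running it shows the point the text makes: the port-only view labels both port-80 flows "http" and the port-hopped session merely "unknown", so no policy could tell the video site from the CRM system or catch the file-sharing app on 8443, while the application view names each one and can be given an allow or deny rule per application.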
Gartner recently published a research note, “Defining the Next-Generation Firewall,” which states that “Changing business processes, the technology that enterprises deploy, and threats are driving new requirements for network security.” Gartner warns that “To meet these challenges, firewalls need to evolve into what Gartner has been calling ‘next-generation firewalls.’”
Gartner’s key findings include:
- The stateful protocol filtering and limited application awareness offered by first-generation firewalls are not effective in dealing with current and emerging threats.
- Using separate firewalls and intrusion prevention appliances results in higher operational costs and no increase in security over an optimized combined platform.
- NGFWs are emerging that can detect application-specific attacks and enforce application-specific granular security policy, both inbound and outbound.
Gartner’s Recommendations
In the same research note, Gartner issues the following recommendations to enterprise clients:
- If you have not yet deployed network intrusion prevention, require NGFW capabilities at your next firewall refresh point.
- If you have deployed both network firewalls and network intrusion prevention, synchronize the refresh cycle for both technologies and migrate to NGFW capabilities.