What Is A Next-Generation Firewall And Why Do We Need It?


By Yoram Ehrlich

Your network is under attack every day, if not every minute, contending with anywhere from dozens to thousands of attack attempts per day. Hardening it so it can detect and head off increasingly sophisticated threats requires security architectures that are more powerful, yet still flexible.

NSS Labs, Inc., a cybersecurity testing and analyst group, describes this layer of defense under the term breach detection system (BDS). A key component of a complete, robust breach-detection infrastructure is the firewall (FW), and more precisely the next-generation firewall (NGFW).

Attack Detection, Regardless of Type

The breach detection system must defend the enterprise against a wide range of malicious attacks. They may arrive as single, isolated threats that try to slip in through a malicious email attachment or link, or they may come in wave after wave intended to overwhelm the network and its security mechanisms.

One of these attack types is the Denial of Service (DoS) attack and its distributed variant, the Distributed Denial of Service (DDoS) attack, in which the traffic comes from many sources at once. It is a simple but forceful assault on an enterprise network: in its basic form the attacker floods the network with more traffic, or more connection requests, than its links and servers can handle, exhausting their resources so that legitimate users are refused service.

According to reports from companies such as Akamai and Kaspersky, DDoS attacks are growing in number and size, largely because compromised IoT devices are being recruited into botnets. A DDoS attack is also used as cover: while the defenses and the operations staff are overwhelmed by the flood, the attacker pushes malware or other intrusion activity through in the confusion.

The best plan to prevent or mitigate a DDoS attack is to combine several controls so that every potential attack point in the network is covered. NGFWs and web application firewalls (WAFs) are typical components of a DDoS mitigation design: the NGFW enforces SYN-flood protection and per-source connection-rate limits, while the WAF absorbs application-layer floods such as HTTP request storms. Neither helps against a volumetric attack that saturates the upstream link before the traffic ever reaches them; that capacity has to come from the ISP or a cloud scrubbing service.
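The Python script below is an added example (not code from the article or from Niagara Networks) that models the flood described above as a stream of connection records and applies the two rate checks an NGFW typically offers: a per-source limit, which catches a single-host DoS, and a per-destination limit, which is the only one that notices a botnet whose members each send a single packet. The record layout, the addresses and the thresholds are assumptions chosen for illustration.

```python
"""Rate-based DoS and DDoS detection over constructed connection records.

Added example; not code from the original article or from Niagara Networks.
Record layout (timestamp, source, destination) and all thresholds are assumed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10       # sliding window length (assumed)
PER_SOURCE_LIMIT = 100    # SYNs one source may send per window (assumed)
PER_DEST_LIMIT = 1000     # SYNs one destination may receive per window (assumed)


class FloodDetector:
    """Sliding-window SYN counters keyed by source and by destination."""

    def __init__(self, window=WINDOW_SECONDS, per_source=PER_SOURCE_LIMIT,
                 per_dest=PER_DEST_LIMIT):
        self.window = window
        self.limits = {"dos": per_source, "ddos": per_dest}
        self.seen = {"dos": defaultdict(deque), "ddos": defaultdict(deque)}
        self.flagged = set()   # (kind, key) pairs already alerted on

    def observe(self, ts, src, dst):
        """Record one connection attempt at time ts; return alerts it newly triggers."""
        alerts = []
        for kind, key in (("dos", src), ("ddos", dst)):
            q = self.seen[kind][key]
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop attempts outside the window
                q.popleft()
            if len(q) > self.limits[kind] and (kind, key) not in self.flagged:
                self.flagged.add((kind, key))
                alerts.append((kind, key))
        return alerts


def run(records, detector=None):
    """Feed (ts, src, dst) records in time order; return the set of alerts raised."""
    det = detector or FloodDetector()
    alerts = set()
    for ts, src, dst in sorted(records):
        alerts.update(det.observe(ts, src, dst))
    return alerts


VICTIM = "10.0.0.5"   # constructed address of the targeted server


def normal_traffic():
    """Constructed baseline: 50 clients, 5 connections each, spread over 8 seconds."""
    return [(i * 8 / 250, f"192.0.2.{i % 50}", VICTIM) for i in range(250)]


def single_source_flood():
    """Constructed DoS: one host opens 300 connections to the victim in one second."""
    return [(i / 300, "203.0.113.7", VICTIM) for i in range(300)]


def botnet_flood(bots=2000):
    """Constructed DDoS: 2000 bots send one SYN each, so no source exceeds its own limit."""
    return [(i / bots, f"100.64.{i // 256}.{i % 256}", VICTIM) for i in range(bots)]


if __name__ == "__main__":
    for name, records in (("normal", normal_traffic()),
                          ("dos", single_source_flood()),
                          ("ddos", botnet_flood())):
        print(f"{name:7s} -> {sorted(run(records)) or 'no alerts'}")
```

The baseline raises nothing, the single-host flood trips only the per-source counter, and the botnet trips only the per-destination counter. Note that the per-destination alarm fires after the firewall has already counted a thousand SYNs in ten seconds, which is the point of the caveat above: a volumetric flood can fill the upstream link before the device sees enough to alert, so rate limiting is a containment measure, not a substitute for upstream capacity.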

Next-Generation Firewalls

A traditional firewall can only scan and control connections based on the packet header information available at layers 2 through 4 of the OSI (Open Systems Interconnection) model: MAC and IP addresses, protocol, and TCP/UDP ports. It generally also includes tools such as network address translation (NAT) and, in stateful designs, tracking of connection state.

An NGFW builds on the traditional firewall by adding an intrusion prevention system (IPS) and application awareness, which identifies the application from the traffic itself rather than from the port number and so protects against layer 7 attacks. NGFWs include further functions such as TLS/SSL termination and inspection, deep packet inspection and malware detection, creating a broader and more formidable breach detection system.

Since network downtime is unacceptable, the NGFW must be deployed correctly, for example as an active-active cluster in which the nodes synchronize session state so that the failure of one node does not drop established connections. The same arrangement lets routine or emergency maintenance be carried out node by node with no break in service, and where the vendor supports it, nodes running different software versions or hardware models can coexist in the cluster during a rolling upgrade.

What to Look For in a NGFW

1) Deep Packet Inspection (DPI)

DPI is an advanced form of traffic scanning and classification: it examines packet payloads rather than only headers, which improves detection of advanced malware and zero-day attacks and allows applications to be classified regardless of the port they use. An NGFW with DPI should also receive automated, dynamic updates of its signature and classification content, together with recommended policy configurations and vulnerability-based protection fingerprints.

2) Centralized Management System

The team managing the system needs to collect and monitor data across all of the inspection and defense mechanisms and respond immediately to any threat or anomaly. The NGFW should integrate with the organization's other security systems and let the team observe and manage all firewall activity from a single dashboard.

For example, it should support management of network port and IP address objects, accept updates of new threat and network information so that new malware campaigns can be identified, and display system performance and analysis results.

3) SSL Decryption

Whatever the enterprise's security policies and restrictions, a large and growing share of its network traffic is encrypted with TLS (still commonly called SSL), since HTTPS adoption has become nearly universal on websites. The firewall must therefore be able to identify, decrypt and inspect TLS traffic, and to bypass specific categories of it according to policy rules. In practice this means the firewall re-signs server certificates with an enterprise CA that every managed client must trust, and the policy must exempt traffic that cannot or should not be intercepted: certificate-pinned applications, and categories such as banking or health where privacy rules apply.
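The Python script below is an added example, not code from the article or from any firewall vendor, that ties together the layer 2-4 rule that is all a traditional firewall can evaluate, the deep packet inspection step that identifies the application from the payload (here by parsing the Server Name Indication hostname out of the TLS ClientHello, which is sent in the clear even in TLS 1.3), and the decrypt-or-bypass policy decision described in this section. The rule set, the hostnames and the policy lists are assumptions; the ClientHello is constructed inline rather than captured.

```python
"""Layer-4 filtering versus NGFW application identification and decrypt policy.

Added example; not code from the original article or any firewall vendor.
Rules, hostnames and policy lists are assumed; the ClientHello is constructed.
"""
import struct

# Layer-4 rules, the only thing a traditional packet filter can match on (assumed).
L4_RULES = [("tcp", 443, "allow"), ("tcp", 80, "allow")]

# Layer-7 policy keyed on the server name (assumed). Real NGFWs map names and
# payload signatures to application identities; a suffix match stands in for that.
BLOCKED_APPS = ("torrent.example",)                 # deny regardless of port
NO_DECRYPT = ("bank.example", "health.example")     # allow, but never intercept


def l4_decision(proto, dst_port):
    """Traditional firewall: first matching (proto, port) rule wins, else deny."""
    for rule_proto, rule_port, action in L4_RULES:
        if rule_proto == proto and rule_port == dst_port:
            return action
    return "deny"


def _u16(buf, off):
    return struct.unpack("!H", buf[off:off + 2])[0]


def extract_sni(data):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if data[0] != 0x16:                        # not a TLS handshake record
            return None
        hs = data[5:5 + _u16(data, 3)]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        p = 4 + 2 + 32                             # handshake header, version, random
        p += 1 + hs[p]                             # session_id
        p += 2 + _u16(hs, p)                       # cipher_suites
        p += 1 + hs[p]                             # compression_methods
        end = p + 2 + _u16(hs, p)                  # end of extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = _u16(hs, p), _u16(hs, p + 2)
            p += 4
            if ext_type == 0x0000:                 # server_name extension
                names, q = hs[p:p + ext_len], 2    # skip server_name_list length
                while q + 3 <= len(names):
                    name_type, name_len = names[q], _u16(names, q + 1)
                    q += 3
                    if name_type == 0x00:          # host_name entry
                        return names[q:q + name_len].decode("ascii")
                    q += name_len
                return None
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                       # truncated or malformed: treat as no SNI
    return None


def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def ngfw_decision(proto, dst_port, payload):
    """NGFW: L4 rule first, then application identity from the payload, then decrypt policy."""
    if l4_decision(proto, dst_port) != "allow":
        return "deny"
    host = extract_sni(payload)
    if host is None:
        return "allow-unclassified"   # no SNI yet; a real NGFW buffers more of the flow
    if _matches(host, BLOCKED_APPS):
        return "block"
    if _matches(host, NO_DECRYPT):
        return "bypass-decrypt"       # pinned or regulated: pass through, log the name only
    return "decrypt-inspect"          # terminate TLS with the enterprise CA, run IPS/DPI


def build_client_hello(hostname):
    """Build a minimal ClientHello record with one SNI entry (constructed test input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, fixed "random"
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.example.com", "tracker.torrent.example", "online.bank.example"):
        hello = build_client_hello(host)
        print(f"{host:24s} L4={l4_decision('tcp', 443):5s} NGFW={ngfw_decision('tcp', 443, hello)}")
```

For all three hostnames the layer-4 rule says the same thing, "allow", because the packet is tcp/443; only the NGFW path blocks, bypasses or decrypts according to the name inside the payload. A production NGFW additionally handles a ClientHello split across several TCP segments, and once Encrypted Client Hello is deployed the SNI signal disappears, which is one reason full decryption rather than name-based filtering is the stronger control.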


The most effective first line of defense at the network perimeter is the firewall, and there is now a clear shift toward next-generation firewall (NGFW) technology that incorporates the advanced capabilities described above.

The NGFW's added-value features, such as IPS, DPI and TLS decryption, help protect the network, ensure that users and data are protected, and keep the network delivering uninterrupted, stable service.

A comprehensive security architecture includes NGFWs together with other compatible, complementary security devices and software, creating a formidable yet flexible shield for the network around the clock.

About Yoram Ehrlich

Yoram Ehrlich is VP Products at Niagara Networks, which provides high performance network visibility solutions to allow seamless administration of security solutions, performance management, and network monitoring. 
