Business & Technology
Firewalls are a standard tool in an organization’s network security kit. In an ever-evolving threat landscape, however, some firewalls are more effective than others. A next-generation firewall (NGFW) is the only type of firewall that provides the capabilities to protect modern businesses against emerging cyberthreats.
But not every NGFW is designed the same way. In this post, we will explain what a next-generation firewall is and how to select one that delivers high-quality security and a great user experience.
Next-generation firewalls, also known as second generation firewalls, protect organizations through advanced security features. NGFWs provide functions like deep-packet inspection, intrusion prevention (IPS), advanced malware detection, application control, and overall increased network visibility through inspection of encrypted traffic. They can be found anywhere from an on-premise network edge to its internal boundaries, and can also be employed on a public or private cloud environment.
Traditional firewalls acted as a sentinel that monitors traffic moving into, and sometimes out of, the network. These devices would look at packets, network addresses, and ports to determine if data should be allowed through or blocked. A good analogy is airline travel. In the first few iterations of the firewall, data was simply checked to see if it had a ticket, and if its credentials were in order, it could board the plane.
Then application traffic took off, and first-generation firewalls could no longer keep up. That’s because criminals were able to hide malware inside application traffic, where the firewall ticket taker couldn’t see it.
So, next-generation firewalls were born with new set of capabilities like Application Control and Intrusion Prevention System (IPS) to detect known and zero day attacks. This new tool could see into applications and find and block malware by closely watching network traffic. Think of it as adding an x-ray machine to your airline boarding process. You may have had a ticket, but if there was something dangerous in your luggage you were still denied access.
Over time, additional security inspection technologies were added to the process, such as remediating malware including ransomware with Anti-Malware. Think of these as the equivalent to body scanners and wiping down luggage looking for bomb-making residue. Unfortunately, as inspections became more frequent, the security gateway became a serious bottleneck. Adding to all that was the rise of encrypted traffic to provide users the safety of securely accessing applications from anywhere to anywhere.
While traditional firewalls were too simple, the complexity and the processing burden of some of the next-generation firewall is its greatest weak point. For that reason, it’s essential to choose your next-generation firewall in a way that balances security capabilities and performance without making a tradeoff.
Today’s networking environment is more complicated than ever. Rather than networks becoming borderless, they have become porous, with points of access and endpoints multiplying at an unprecedented rate. According to the most recent Anti-Phishing Working Group (APWG) report, in the first quarter of 2020, 75% of all phishing sites used SSL.
This will demand a variety of capabilities, including decryption at a very high performance level, deep packet inspection post decryption, detection of malicious URLs, identification of command and control activities, download of malwares and threat correlation. However, these features are extremely CPU-intensive, and are notorious for bringing even high-end commercial NGFWs to their knees. And as malware and threats become increasingly difficult to detect at the access point, it is absolutely necessary that security span across the network in order to monitor behaviors in order to uncover intent.
These requirements are redefining the NGFW capabilities.
The reality is that nearly all currently available firewall devices and platforms are simply not up to the task. Which is part of the reason why organizations spend billions of dollars on security every year and the prevalence and severity of cybercrime still shows no signs of slowing down. Rather they are becoming sophisticated and driven by big payouts run services like Malware as a Service - MaaS.
The next generation of firewall security needs to include three things:
There are two undeniable truths about networks: the volume of data, driven by things like IoT and the Cloud, is going to continue to increase, and the scope and scale of networks is going to continue to expand. Security tools need to enable this growth without compromising data and resource protection. Unfortunately, most firewalls today have the following two fatal performance characteristics:
This is why when most firewalls today encounter real world traffic environments that require layers of simultaneous inspection, the decryption of SSL traffic, and escalating network traffic volume, they collapse.
What’s needed is a new generation of firewalls designed with the performance requirements of today’s networks in mind.
It’s not enough to simply inspect traffic. To catch many of today’s most sophisticated threats, intelligence gleaned from such inspections needs to be shared in real time with the rest of the network. Unfortunately, most of today’s NGFW solutions function in isolation. Many don’t even share information between the different security tools loaded on a single platform, let alone with other security tools deployed across the distributed network.
But cross-platform integration and the direct correlation of threat information are essential for securing today’s networks. And that functionality needs to scale across today’s highly distributed networks that include physical and virtual domains, IoT and other endpoint devices, and multi-cloud environments that can include multiple IaaS and SaaS providers.
As a result, attacks can come from anywhere, originating either from inside, sometimes from rouge users but mostly from compromised users or from outside of one of the network perimeters. To detect and respond to known and zero day threats today’s NGFW solutions need to run IPS and Anti-Malware capabilities. The unknown threats require Advanced Threat Protection capabilities by integrating with sandboxing and other sources that can share threat intelligence.
Powered by Fortinet’s purpose-built Security Processing Units (SPUs), like the NP7 and CP9. FortiGate NGFWs offers the industry’s highest security compute rating - including support of TLS1.3 - to detect attacks in HTTPs sessions, like ZEUS, Trickbot, Dridex, and protect organizations from network, application and file-based attacks and many other sophisticated threats. Fortinet NGFWs also offer hyperscale and delivers the industry’s highest number of concurrent connections, and connections per second speed meeting the escalating user demands for an organizations service while providing essential security.
The Fortinet NFWs provide performance-intensive services in the most demanding environments, including hyperscale data centers, to inspect, segment, and secure locally hosted data and workloads at network speeds.
Security devices and tools need to be integrated together to scale and adapt to even the most elastic network environments. This enables granular visibility of users, IoT devices, cloud applications and access devices end-to-end. The complexity of both network infrastructures and the threat landscape requires an integrated Security Fabric that combines easy-to-use, unified management and orchestration, broad visibility, granular control, and centralized compliance capabilities to reduce complexity while protecting the entire attack surface.
Performance and correlation across distributed networks are still not enough. Today’s attacks can begin stealing data or ransoming resources within minutes of breaching a network. Security must be able to respond to detected threats at digital speeds.
Security automation allows networks to respond in a coordinated fashion to a detected threat. Once malware or a breach has been detected, all devices connected to the Security Fabric need to be able to respond in real time. Affected devices and malware need to be detected and isolated.
Today, this requires deep inspection in real-time. Rather than running sandbox tools as separate appliances or services – with all the challenges and time delays that separate management and correlation tools impose – anti-malware, content disarm and reconstruct, virus outbreak service capabilities need to be a core requirement of today’s NGFWs.
Threat intelligence must also be shared so that sensors can begin scanning the network for other incidences of the detected attack. Shields need to be raised to prevent similar breaches from occurring. Remediation needs to take place to get resources back online. And forensic analysis needs to begin in order to determine how a breach occurred, what resources were compromised, and how to shore up defenses to prevent that from happening again.
Increasingly, as the speed of compromises continues to increase, and infiltration techniques become more sophisticated, AI tools will need to be deployed to see and even anticipate attacks and more effectively coordinate threat response to shut down cybercriminalsbefore that can achieve their objectives.
Fortinet continues to redefine NGFW deployment based on our security fabric vision of providing broad, automated, and powerful capabilities.
Fortinet’s patented security processors and highly optimized security software provide industry’s highest threat protection and SSL inspection performance, regardless of whether they are deployed at the network edge, in the core, or in the segments.
With FortiOS 7.0, customers are able to leverage an automated fabric topology view to gain complete visibility across their distributed network ecosystems, including 360° visibility into hybrid networks, access points, endpoints, and threats. Additionally, the Fortinet Security Fabric provides granular visibility into applications – including SaaS applications – which is critical for enterprises transitioning to the cloud.
With natively integrated proxy capabilities, Fortinet NGFW is the only NGFW in the industry that natively integrates access proxy capabilities to enable zero trust network access (ZTNA). This allows organizations to host applications anywhere with consistent policy controls to enable and secure hybrid workforce models with seamless and superior user experience
In today’s networked environment, broad, powerful, integrated, and automated solutions aren’t just nice things to have. They are essential components of the next generation of network security.
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.