PID Perspectives

How to choose a firewall for your business: traditional firewalls vs next-generation firewalls

Our previous article on the basics of firewalls introduced us to their logic and features. However, firewalls are not static entities. They are constantly evolving, becoming increasingly advanced with each iteration. Next-generation firewalls (NGFWs) have now reached a point where they boast new capabilities. These include anti-malware features, intrusion detection and protection, decryption, and integration with identity management systems such as Active Directory. 

Let’s dive into the differences between traditional firewalls and NGFWs, and understand if a next-generation firewall is for you. 

Traditional firewall

A traditional firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Its main function is establishing a barrier between a trusted internal network and untrusted external networks, such as the Internet.

Traditional firewalls carry out the functions that are typical of stateful firewalls, such as: 

  • Packet filtering: Traditional firewalls use packet filtering to inspect packets at the network layer. They examine the source and destination IP addresses, ports, and protocols to determine whether to allow or block the traffic.
  • Stateful inspection: They track the state of active connections (such as TCP streams or UDP exchanges), so they can allow return traffic that belongs to a connection initiated from inside the network.
  • Rule-Based Access Control (RBAC): Administrators set up rules to allow or deny traffic based on IP addresses, port numbers, and protocols. These rules are static and require manual updates to respond to new threats.

LIMITATIONS: Traditional firewalls are unaware of traffic specifics beyond basic protocol information. They don’t analyze packet payloads to recognize the applications generating the traffic, and most cannot classify users. 

Next-generation firewall (NGFW)

Next-generation firewalls build upon the capabilities of traditional firewalls by incorporating additional, more sophisticated features to provide better network security.

Critical features of NGFWs are: 

  • Deep Packet Inspection (DPI): NGFWs can analyze packets’ actual content (payload) to detect malicious activity hidden within legitimate traffic.
  • Application Awareness Control: NGFWs can identify and control applications regardless of the port or protocol. This allows them to enforce security policies at the application layer and block unwanted applications or features.
  • Integrated Intrusion Detection and Prevention System (IDS/IPS): NGFWs often include an IDS/IPS to detect and prevent known and unknown threats in real time.
  • Advanced Threat Protection: NGFWs offer advanced threat protection features, such as antivirus, anti-malware, sandboxing, and threat intelligence integration, to defend against sophisticated cyber threats.
  • User Identity Integration: NGFWs can integrate with directory services (e.g., Active Directory) to apply security policies based on user identities and roles rather than just IP addresses.
  • SSL/TLS Inspection: NGFWs can inspect encrypted traffic (SSL/TLS) to ensure threats are not hiding within encrypted connections, which is increasingly important as more traffic becomes encrypted.
  • Granular Policy Enforcement: NGFWs provide more granular policy enforcement capabilities, allowing organizations to create more detailed and specific security policies.

DOWNSIDES: While NGFWs offer many features, they also present challenges. One of the most significant is their potential impact on performance. NGFWs demand substantial CPU, memory, and storage resources to handle their extensive tasks. Decryption can severely affect performance, given the prevalence of encrypted Internet traffic, which now accounts for 90% of all traffic. 

Feature comparison

The table below summarizes the features of traditional and next-generation firewalls for a quick comparison. 

Feature              | Traditional firewall           | Next-generation firewall
---------------------|--------------------------------|----------------------------------
Packet filtering     | Basic                          | Deep packet inspection
Application awareness| None or limited                | Identifies and controls applications
Threat detection     | Relies on static rules         | Integrates IDS and IPS mechanisms
Policy granularity   | Rule-based control             | Granular policy enforcement
Encrypted traffic    | Encrypted traffic is invisible | Applies decryption

At first glance, next-generation firewalls seem the obvious choice for those with enough resources to allocate them. In reality, however, things are more complex. Each feature of next-generation firewalls presents downsides that should be carefully evaluated. 

Downsides of NGFW features

Below are some key pointers that we recommend you consider if you are keen to adopt a next-generation firewall: 

  • Application detection: Application detection in next-generation firewalls relies on signatures and requires accurate traffic decryption. To make it work in practice, write your rules so that they combine the expected port with the detected application when allowing or denying traffic, rather than relying on application detection alone. 
  • Intrusion detection and protection: Next-generation firewalls’ IDS and IPS features rely on signatures. Both features require fine-tuning to be effective.
  • URL filtering: URL filtering controls access based only on the URL portion of the request. This means that it applies only to web traffic, and it can be easily bypassed by simply typing the IP address of the destination website in the browser. 
  • Anti-malware: This feature makes the firewall block malware based on signatures or on a sandbox verdict. If the firewall doesn’t offer threat extraction in the sandbox, the first user to download infected software will still be infected. 
  • Decryption: Decryption is a prerequisite for most advanced features in next-generation firewalls. While it unlocks their full potential, decryption comes with compatibility, performance, and legal issues. 
  • User identity mapping: This feature allows you to connect the firewall to Active Directory or similar identity management systems to apply rules and policies to users or groups, regardless of their IP. This is helpful when users frequently travel to different locations or work with multiple devices. However, it requires an appropriate setup and is prone to failure when changes are made in an uncoordinated way. 
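The first and third points above (combine port and application in a rule; URL filtering has nothing to key on when the destination is a bare IP address) as a toy policy evaluator. This is an added example, not code from any firewall vendor; the rule names, application names, hostnames and categories are constructed.

```python
# Added example, not vendor code: a toy NGFW policy evaluator showing why an
# app-aware rule should combine the expected port with the detected app, and
# why URL filtering has nothing to match when the host is a bare IP literal.
# Rule names, app names, hosts and categories are constructed for the example.
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    dst_port: int
    app: str   # application identified by DPI; 'ssl' when not decrypted
    host: str  # SNI or Host header as seen by the firewall

@dataclass
class Rule:
    name: str
    action: str                          # 'allow' or 'deny'
    ports: frozenset = frozenset()       # empty set means "any"
    apps: frozenset = frozenset()
    categories: frozenset = frozenset()

# Constructed stand-in for a vendor URL-category database, keyed by hostname.
URL_CATEGORIES = {"mail.example.com": "webmail"}

def categorize(host: str) -> str:
    """URL filtering keys on hostnames; an IP literal has no category to match."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip-literal"
    except ValueError:
        return URL_CATEGORIES.get(host.lower(), "uncategorized")

def matches(rule: Rule, s: Session) -> bool:
    return ((not rule.ports or s.dst_port in rule.ports)
            and (not rule.apps or s.app in rule.apps)
            and (not rule.categories or categorize(s.host) in rule.categories))

def evaluate(policy: list, s: Session) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in policy:
        if matches(rule, s):
            return f"{rule.action}:{rule.name}"
    return "deny:default"

POLICY = [
    Rule("webmail", "allow", ports=frozenset({443}), apps=frozenset({"webmail-app"})),
    Rule("block-ip-literal", "deny", categories=frozenset({"ip-literal"})),
    Rule("web", "allow", ports=frozenset({80, 443}), apps=frozenset({"web-browsing", "ssl"})),
]
```

With this policy, the webmail application on port 8443 falls through to the implicit deny because the rule requires both the port and the app, and an undecrypted session (app `ssl`) to `mail.example.com` is only matched by the generic web rule, which is the dependency on decryption the text describes. A session addressed to `203.0.113.10` has no URL category and is caught by the explicit IP-literal rule instead.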

Understanding decryption consequences

Traditional firewalls are blind to encrypted traffic. Next-generation firewalls’ ability to decrypt traffic is a revolutionary feature. However, this ability comes with downsides that you should fully understand and consider before you adopt one. 

PRE-REQUISITES

To implement decryption on next-generation firewalls, you’ll need the following: 

  • A digital certificate with certificate-issuing (CA) capability, so the firewall can sign the certificates it presents to clients
  • Decryption policies configured in your firewall
  • A list of the traffic and applications incompatible with the decryption feature. 

CERTIFICATE PLANNING

The way a next-generation firewall decrypts and re-encrypts traffic between the client and the server is technically similar to a man-in-the-middle (MITM) attack. Applications that pin certificates will not recognize the firewall’s key once the traffic has been re-encrypted, and they will stop working; this is one reason some web applications are abandoning certificate pinning. Furthermore, a firewall cannot impersonate a client certificate, so connections that authenticate the client with a certificate cannot be decrypted. You should expect that not all applications in your production environment will work with decryption, and some of them might be critical. 

PERFORMANCE

Crypto accelerators can offload encryption and decryption operations from the CPU, but the number of operations per second is still affected. The firewall must impersonate the server, terminate the client’s session, and establish a new connection to the server. Generating keys for the re-encrypted sessions also costs performance. Enabling decryption will slow down your overall production traffic. 

LEGAL ISSUES

When you enable decryption on your firewall, you can capture traffic and see payloads in clear text. This means that firewall administrators can read confidential information not meant for them. Before you enable decryption on your firewall, your legal department should define permissions and policies on what traffic must not be decrypted. Examples are account information and credentials, health information, PII, and so on.

Understanding user identity mapping scenarios

User identity mapping is becoming increasingly popular as users work with different devices, become more mobile, and adopt a hybrid presence policy. 

The type of users you have will determine whether this feature suits your environment. The mapping will fail in the following scenarios: 

  • AD logon session records and expired entries are periodically deleted from the domain controller to save storage space, which removes the data the firewall maps from. 
  • Whenever AD administrators make uncoordinated changes, the mapping will fail. 
  • When users are logged into a machine through a remote desktop session (you must account for those scenarios with IP-based exceptions to the user rules). 
  • When users log into a machine through a terminal server such as Citrix. 
  • In logon-as-a-service scenarios (for example, with IP phones and softphones, the firewall applies the rule to the phone application rather than to the user). 
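The failure modes listed above (records that expire or get purged on the domain controller, and several users behind one IP on a remote desktop or terminal server that needs an IP-based exception) shown with a toy IP-to-user mapping table. This is an added example, not the mapping logic of any firewall product; the users, addresses, timestamps and TTL are constructed.

```python
# Added example, not vendor code: a toy IP-to-user mapping table of the kind
# an NGFW builds from domain-controller logon events, showing the failure modes
# described above: stale or purged records, and one IP shared by several users
# (remote desktop / terminal server), which needs an IP-based exception.
# Users, addresses, TTL and timestamps are constructed for the example.
from collections import defaultdict

class UserIdMapper:
    def __init__(self, ttl_seconds: int, ip_exceptions: dict):
        self.ttl = ttl_seconds
        self.exceptions = ip_exceptions          # ip -> label used instead of a user
        self.table = defaultdict(dict)           # ip -> {user: last_seen}

    def learn(self, ip: str, user: str, seen_at: int) -> None:
        """Record a logon event (e.g. read from the domain controller's log)."""
        self.table[ip][user] = seen_at

    def resolve(self, ip: str, now: int) -> str:
        """Return the identity the policy engine should use for this IP."""
        if ip in self.exceptions:
            return self.exceptions[ip]          # shared host: fall back to IP rule
        live = {u for u, t in self.table.get(ip, {}).items() if now - t <= self.ttl}
        if not live:
            return "unknown"                    # never seen, expired or purged
        if len(live) > 1:
            return "ambiguous"                  # several users behind one IP
        return live.pop()

    def purge(self, ip: str) -> None:
        """Simulate the DC deleting old logon records the firewall depended on."""
        self.table.pop(ip, None)

def demo() -> dict:
    m = UserIdMapper(ttl_seconds=3600, ip_exceptions={"10.0.0.50": "rdp-terminal-server"})
    m.learn("10.0.0.11", "alice", seen_at=1000)
    m.learn("10.0.0.50", "bob", seen_at=1000)
    m.learn("10.0.0.50", "carol", seen_at=1200)
    m.learn("10.0.0.60", "dave", seen_at=1000)
    m.learn("10.0.0.60", "erin", seen_at=1100)
    results = {
        "fresh": m.resolve("10.0.0.11", now=2000),        # alice
        "expired": m.resolve("10.0.0.11", now=9000),      # unknown
        "shared_ip": m.resolve("10.0.0.60", now=2000),    # ambiguous
        "exception": m.resolve("10.0.0.50", now=2000),    # rdp-terminal-server
    }
    m.purge("10.0.0.11")
    results["purged"] = m.resolve("10.0.0.11", now=2000)  # unknown
    return results
```

The "ambiguous" result is what a user-based rule has to cope with on a shared host: without the IP-based exception, the firewall has no single user to apply the policy to.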

What firewall?

The best way to decide what type of firewall to adopt is to know your environment and use cases.

Cisco Firepower Threat Defence, CheckPoint Smart Console, and Palo Alto Networks are among the most reliable enterprise next-generation firewalls. For those who want an open-source solution, pfSense is a choice that can cover most of the capabilities of an NGFW without the costs of a commercial next-generation firewall. 
