Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Next-Gen Firewalls 101: Not Just a Buzzword

In a rare twist, "next-gen" isn't just marketing-speak when it comes to next-gen firewalls, which function differently than traditional gear and may enable you to replace a variety of devices.

(image by knssr, via Adobe Stock)

In a marketing world that sees words and phrases like "new," "improved," and "next-generation" thrown around like New Year's confetti, is the "next-gen firewall" label meaningful or just more marketing blather? Perhaps surprisingly, next-gen firewalls are different than classic firewalls in substantial ways -- ways that you should know about when looking at all the marketing language that does float around the security industry.

States and Deep Packets
The first significant difference between the two types of firewalls lies in how they evaluate traffic. Most traditional firewalls are "stateful" firewalls while next-gen devices tend to do some form of deeper packet inspection. So what does that really mean?

A stateful firewall looks at the state of a particular connection: The protocol it uses, the port over which it is communicating, and whether it conforms to specific rules established by the firewall admin. The great advantage of stateful firewalls is that they can handle a high traffic volume with limited CPU power, because the go/no-go decision is being made once per connection. Once a connection is permitted, it's permitted as long as the connection is maintained. Deeper packet inspection requires more from the firewall.

Where stateful firewalls tend to focus on the "wrapper" for a connection, deep packet inspection pays attention to the connection's contents. A next-gen firewall can look not only at the protocol, source, and destination, but at whether the packets are mal-formed, whether they contain malware, and whether the contents are consistent with expected traffic from a particular source. This inspection is much more compute-intensive than a stateful firewall, but it provides protections from many additional threat types.

Upper Layers
Another way of looking at the difference in how the two types of firewalls work is to measure them against the OSI 7-layer model. Stateful firewalls tend to live at Layer 3 -- the Network Layer. This is where network protocols operate, and is also the layer at which many network switches function. Deep packet inspections take place at higher levels on the stack.

Deep packet inspection takes effect on layers 4 - 7 of the OSI stack, checking to see whether the packets are misformed, properly encoded, and carrying data permitted by corporate rules. These checks (and rules regarding acceptance or rejection) mean that deep packet inspection can identify and act upon many attacks that a classic, stateful firewall would not catch.

Replacing Different Devices
In a traditional network security infrastructure, the firewall was one of the devices providing protection. It would typically be deployed along with an intrusion detection/prevention system (IDS/IPS), a web application firewall (WAF), a network filter, and perhaps more. The various security devices might work together in a coordinated fashion, but making that happen requires system integration and perhaps a network security manager to do the coordination and centralized management. A next-generation firewall can make things somewhat simpler.

A next-gen firewall can replace many of the different devices used in a traditional network security stack with the obvious advantage of not requiring multi-device integration. The various functions of identifying and blocking threats at different OSI layers can happen within a single device, using a single programming language and a single management console. The tradeoff is that doing everything in a single appliance requires much more computing horsepower in the box and takes away the possibility of choosing "best in breed" solutions for each layer.

As CPUs have become more powerful, the performance penalty has been greatly reduced and next-generation firewalls have become far more popular. When looking at whether a next-gen firewall is right for your organization, you should ask for its capability both in terms of bandwidth and simultaneous connections. Find out how it deals with traffic among and between cloud services and on-prem networks.

And finally, make sure that your staff can deploy and manage the next-generation device as well as they can handle the traditional stack. Thousands of attackers are waiting for your answer.


About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights