What Makes a NextGenerationFireWall(NGFW) & Why Use It?

We know a firewall protects the networkbasic networkdiagram

 

By using Port or protocol filter lists (also known as Access Control Lists) a firewall does protect the network in a minimal manner. But doing IP header  filtering is not enough today when there are so many attackers and they can change the port or IP addresses.

These days the problem can be from clicking on Websites with malware from internal to external (which is allowed).

The true problem today is when legitimate IP traffic (surfing the Internet or other applications are working and then download malware or other illegitimate programs trying to enter your computer systems.   How about if you are in LinkedIn and click on a link (which is a website so a port 80 legitimate usage) and it happens to be a phishing attack link.

Here is the Sonicwall NGFW solution:

ngfw_large-sonicwall

 

Where the firewall tries to “learn” the correct traffic so that if something out of the ordinary occurs the NGFW will stop it. (whereas an old IP filter FW would have allowed it).

All NGFW have IPS capabilities (Intrusion Prevention Systems)

 

Palo Alto NGFW:

PAthreat_prevention

PAone_pass_0

 

PA (Palo Alto) inspects the Data and compares it with some data that you may want to ensure does not go out without being noted. Some more advanced FW’s were called stateless FW which means not just port filtering, but inspecting data. The inspecting data FW would only be checking for viruses and spyware that was known which means that current or new viruses would be missed.

The NGFW can inspect data and note in a log such as your own SS# or your client SS#’s.

This can be important when thousands of data points are stolen (which look like normal data going out to the Internet.  (How about the Anthem data breach?)

 

McAfee NGFW:

McAfee touts 10  must have features of which 6 are absolute features:

1. Central Powerful management  (good to be able to manage your FW)

2. User and application Control (this is a bit of data information matching)

3. High Availability ( self- explanatory)

4. Deep Packet Inspection (here some attacks can be found due to their configuration)

5. Protection against evasion techniques (Looks for viruses and more)

6. Convertible Architecture (Allows the machine to be placed in many types of locations and configurations)

 

Cisco NGFW

cisco-asa-firepower

IPS – Intrusion Prevention System can prevent traffic that is deemed to be the same as the signature

Cisco seems to have the points that McAfee listed except they are named different marketing speak

 

NSS Labs looked at the Fortinet NGFW:

Application control

Firewall Policy enforcement

User group ID aware policies  (gives capabilities to certain identities – Active Directories)

Packet processing power

fortinetfirewallpolicyenforcement

 

 

Dell Sonicwall NGFW:

The “Super Massive” Appliance has

deep packet instection

High throughput

Its own IPS capabilities

malware protection

DellSonicwall-ngfw

So I listed Palo Alto, Cisco, McAfee, and Dell’s SonicWall details.

 

To me the bottom line is the following:

Perform proper IPS (Intrusion Prevention System) with  context aware capabilities. Protect the  network  even with new malware coming daily while allowing the good traffic to come in and out.

The trick is how to figure out what is the best machine for you? Because the sales people will say theirs is the best for you.

If you have time to create a bake-off (comparing the systems side by side) with some of your actual network traffic that would be ideal.

 

 

I found a document which is a must read if interested:

http://www.sans.org/reading-room/whitepapers/analyst/advanced-network-protection-mcafee-generation-firewall-35250

When SANS has a document about a NGFW review then I would read it (even though McAfee sponsored it) it does have a lot of actual screenshots which would be handy when comparing the NGFW’s

 

 

 

Advertisements

2 thoughts on “What Makes a NextGenerationFireWall(NGFW) & Why Use It?”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.