By using port or protocol filter lists (also known as Access Control Lists, or ACLs) a firewall protects the network in only a minimal way. Filtering on IP headers alone is not enough today, when there are so many attackers and they can simply change the port or the IP addresses they use.
These days the problem can come from clicking on websites carrying malware, traffic that flows from internal to external and is therefore allowed.
The real problem today is when legitimate IP traffic (web surfing or other applications doing their normal work) downloads malware or other illegitimate programs that try to get into your computer systems. What if you are on LinkedIn and click on a link (which is a website, so legitimate port 80 usage) and it happens to be a phishing attack link?
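To make the point concrete, here is an added example (not code from the original post or from any vendor mentioned in it) that contrasts a plain port/protocol ACL with an ACL followed by a content-inspection stage. The ACL, the two IPS-style signatures, the host names and the sample sessions are all constructed for the demo; the look-alike login host uses the reserved `.example` domain.

```python
"""Added example, not part of the original post: a port/protocol ACL alone
versus an ACL followed by content inspection of the traffic it allowed.
Rules, signatures, hosts and payloads are all constructed for the demo."""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # client address
    dst: str        # server address
    proto: str      # "tcp" or "udp"
    dport: int      # server port
    payload: bytes  # bytes seen on the session (either direction)


# Stage 1: a classic first-match ACL. Internal -> external web is allowed,
# so anything that rides on 80/443 passes this stage without being examined.
ACL = [("tcp", 80, "allow"), ("tcp", 443, "allow"), ("tcp", 22, "deny")]
DEFAULT_ACTION = "deny"


def acl_decision(flow: Flow) -> str:
    for proto, dport, action in ACL:
        if flow.proto == proto and flow.dport == dport:
            return action
    return DEFAULT_ACTION


# Stage 2: content inspection, applied only to what the ACL allowed. These are
# two constructed IPS-style signatures; a real product ships thousands.
SIGNATURES = [
    # an HTTP 200 response whose body starts with a Windows PE header ("MZ")
    ("pe-over-http", re.compile(rb"HTTP/1\.[01] 200 .*?\r\n\r\nMZ", re.S)),
    # a request whose Host header is a constructed look-alike of a login page
    ("lookalike-login-host",
     re.compile(rb"^Host: login-linkedin\.example\r?$", re.M | re.I)),
]


def inspect(flow: Flow) -> list:
    return [name for name, pat in SIGNATURES if pat.search(flow.payload)]


def ngfw_decision(flow: Flow):
    """ACL first; sessions the ACL allows are then inspected.
    Returns (action, reasons)."""
    action = acl_decision(flow)
    if action != "allow":
        return action, ["acl"]
    hits = inspect(flow)
    return ("deny", hits) if hits else ("allow", [])


# Constructed sample sessions (203.0.113.0/24 is a documentation range)
SAMPLES = {
    "normal-web": Flow("10.0.0.5", "203.0.113.10", "tcp", 80,
                       b"GET /news HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "exe-download": Flow("10.0.0.5", "203.0.113.20", "tcp", 80,
                         b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream"
                         b"\r\n\r\nMZ\x90\x00\x03"),
    "phish-link": Flow("10.0.0.5", "203.0.113.30", "tcp", 80,
                       b"GET /signin HTTP/1.1\r\nHost: login-linkedin.example\r\n\r\n"),
    "ssh-out": Flow("10.0.0.5", "203.0.113.40", "tcp", 22, b"SSH-2.0-OpenSSH\r\n"),
}


def compare() -> dict:
    """For each sample: what the ACL alone decides versus the inspected decision."""
    return {name: (acl_decision(f), ngfw_decision(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (acl_only, (action, why)) in compare().items():
        print(f"{name:14} acl-only={acl_only:5} ngfw={action:5} {why}")
```

Running it shows the two port-80 sessions that the ACL waves through (the executable download and the look-alike login page) being stopped only by the second stage; the SSH session never reaches inspection because the ACL already denied it.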
Here is the Sonicwall NGFW solution:
Here the firewall tries to “learn” the correct traffic, so that if something out of the ordinary occurs the NGFW will stop it (whereas an old IP filter FW would have allowed it).
All NGFWs have IPS (Intrusion Prevention System) capabilities.
PA (Palo Alto) inspects the data and compares it with data that you may want to ensure does not go out without being noted. Some more advanced FW’s were called stateless FWs, which means not just port filtering but inspecting data. A data-inspecting FW of that kind would only check for viruses and spyware that were already known, which means that current or new viruses would be missed.
The NGFW can inspect data and note in a log such things as your own SS# or your clients’ SS#s.
This can be important when thousands of data points are stolen (which look like normal data going out to the Internet). How about the Anthem data breach?
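The SS# case above is a good one to work through, so here is an added example (not code from the original post or from any of the products it names) of a content-inspection rule for outbound traffic: it looks for the shape of a US Social Security number, writes a masked log entry for each hit, and escalates to an alert when a single session carries several of them, which is what a bulk theft looks like while each packet still resembles normal web traffic. The request bodies, the numbers in them and the threshold of 3 are constructed for the demo.

```python
"""Added example, not part of the original post: a DLP-style inspection rule
for outbound HTTP bodies that logs SSN-shaped values (masked) and alerts on
bulk movement. Bodies, numbers and threshold are constructed for the demo."""
import re

# US SSN shape AAA-GG-SSSS. The negative lookaheads exclude values that are
# never issued (area 000, 666 or 900-999; group 00; serial 0000), which
# removes many false positives such as order or invoice ids of the same shape.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

BULK_THRESHOLD = 3  # constructed: alert when one session carries this many or more


def mask(ssn: str) -> str:
    """Keep only the last four digits so the log is not a second copy of the data."""
    return "***-**-" + ssn[-4:]


def find_ssns(body: str) -> list:
    return SSN_RE.findall(body)


def inspect_outbound(session_id: str, body: str) -> dict:
    """Inspect one outbound body: per-hit log lines plus a verdict of
    'clean', 'log' (a hit or two, noted) or 'bulk-exfil-alert'."""
    hits = find_ssns(body)
    log = [f"session={session_id} dlp=ssn value={mask(s)}" for s in hits]
    if len(hits) >= BULK_THRESHOLD:
        verdict = "bulk-exfil-alert"
    elif hits:
        verdict = "log"
    else:
        verdict = "clean"
    return {"hits": len(hits), "log": log, "verdict": verdict}


# Constructed outbound request bodies, all of which a port-based ACL would
# allow because they travel to a web server on port 80 or 443.
SAMPLES = {
    "clean": "q=quarterly+report&page=2",
    "single": "name=Jane+Doe&ssn=123-45-6789&submit=1",
    # a CSV export of four records in one POST
    "bulk": ("id,name,ssn\n1,A,234-56-7890\n2,B,345-67-8901\n"
             "3,C,456-78-9012\n4,D,567-89-0123\n"),
    # same shape but never-issued values: invoice and reference numbers
    "lookalike": "INV-000-12-3456 ref 666-01-2345 order 123-00-4567",
}


def scan_sessions(sessions: dict) -> dict:
    """Verdict per session id, the view an analyst would see in the log."""
    return {sid: inspect_outbound(sid, body)["verdict"]
            for sid, body in sessions.items()}


if __name__ == "__main__":
    for sid, body in SAMPLES.items():
        result = inspect_outbound(sid, body)
        print(f"{sid:10} hits={result['hits']} verdict={result['verdict']}")
        for line in result["log"]:
            print("   ", line)
```

Two design points are worth noting. The log line carries only the last four digits, because a detection log that stores the full value just creates another place the data can leak from. And the verdict depends on the count within a session rather than on any single match, which is what separates an employee entering one client record into a legitimate web form from thousands of records leaving in one upload.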
McAfee touts 10 must-have features, of which 6 are absolute features:
1. Central, powerful management (good to be able to manage your FW)
2. User and application control (this is a bit of data information matching)
3. High availability (self-explanatory)
4. Deep packet inspection (here some attacks can be found due to their configuration)
5. Protection against evasion techniques (looks for viruses and more)
6. Convertible architecture (allows the machine to be placed in many types of locations and configurations)
IPS (Intrusion Prevention System) can block traffic that is deemed to match a signature.
Cisco seems to have the same points that McAfee listed, except they are named in different marketing speak.
NSS Labs looked at the Fortinet NGFW:
Firewall policy enforcement
User group ID aware policies (gives capabilities to certain identities, such as Active Directory groups)
Packet processing power
The “Super Massive” appliance has
deep packet inspection
its own IPS capabilities
So I have listed Palo Alto, Cisco, McAfee, and Dell’s SonicWall details.
To me the bottom line is the following:
Perform proper IPS (Intrusion Prevention System) with context-aware capabilities. Protect the network even with new malware arriving daily, while allowing the good traffic to come in and go out.
The trick is figuring out which machine is best for you, because the sales people will all say theirs is the best for you.
If you have time to run a bake-off (comparing the systems side by side) with some of your actual network traffic, that would be ideal.
I found a document which is a must read if interested:
When SANS has a document reviewing NGFWs I would read it (even though McAfee sponsored it); it has a lot of actual screenshots, which would be handy when comparing the NGFW’s.