What is a next-generation firewall (NGFW)? | NGFW vs. FWaaS

A next-generation firewall (NGFW) is a firewall with powerful modern features. Next-generation firewalls can be hosted in the cloud, though not all of them are.

Learning Objectives

After reading this article you will be able to:

  • Define 'next-generation firewall'
  • Contrast classic firewalls with next-generation firewalls
  • Learn about how cloud firewalls overlap with next-gen firewalls


What is a next-generation firewall (NGFW)?

A next-generation firewall (NGFW) is more powerful than a traditional firewall. NGFWs have the capabilities of traditional firewalls, but they also have a host of added features to address a greater variety of organizational needs and block more potential threats. They're called "next generation" to differentiate them from older firewalls that don't have these capabilities.

The difference between a next-generation firewall and older firewalls is somewhat like the difference between a smartphone and an old-fashioned cell phone. Both have some features in common – texting, voice calls, a list of contacts, etc. But a smartphone adds so many advanced features that it's practically a different type of product, and as a result there's a different term for it.

What does a firewall do?

A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.

Typical capabilities of a traditional firewall include packet filtering, stateful inspection, proxying, IP blocking, domain name blocking, and port blocking.

  • Packet filtering refers to the ability to filter out potentially dangerous network traffic. All data that travels over a network (such as the Internet) is broken up into smaller chunks called packets. A firewall can look at each individual packet and, if it matches certain predetermined rules, block it from entering or exiting an internal network.
  • Stateful inspection takes packet filtering one level deeper. With stateful inspection, firewalls can examine data packets in the context of other packets that have passed through the firewall. A data packet may look harmless on its own, but if it's heading towards an unusual destination within the network, it could be malicious. (For instance, a SQL query isn't malicious on its own, but if it's sent through a web form, it might be part of a SQL injection attack.)
  • Proxying, in networking, refers to one machine sending or receiving network traffic on behalf of another machine. A firewall can act as a proxy by making requests and receiving network responses on behalf of the user devices within its internal network, filtering out malicious data before it has a chance to reach those devices.
  • IP and domain name blocking means that the firewall can block users from accessing certain websites or applications altogether.
  • Port blocking allows firewalls to filter out certain kinds of network traffic. In networking, a port is a place where a connection between one machine and another terminates. Ports are virtual, or software-based – they don't correspond to physical components of the machine. Certain ports are reserved for certain kinds of network connections: HTTPS connections, for instance, take place on port 443.
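The following is an added example, not code from the original article or from any firewall product: a small simulation of a traditional firewall that combines port blocking, packet filtering on header fields, and stateful inspection, using a constructed rule set (trusted LAN on 10.x.x.x addresses, outbound HTTPS only) and a constructed packet sequence.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False  # True on the first packet of a new TCP connection

# Constructed rule set (not a real product's config): the firewall sits between a
# trusted LAN using 10.x.x.x addresses and the untrusted Internet. Hosts inside may
# only open outbound HTTPS (port 443) connections; every other port is blocked.
TRUSTED_PREFIX = "10."
ALLOWED_OUTBOUND_PORTS = {443}

class StatefulFirewall:
    def __init__(self):
        # Connection table: 4-tuples of connections the firewall has seen opened.
        self.connections = set()

    def allow(self, p):
        inside = p.src_ip.startswith(TRUSTED_PREFIX)
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reply_key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # Packet filtering / port blocking: a new connection is judged on header fields alone.
        if inside and p.syn and p.dst_port in ALLOWED_OUTBOUND_PORTS:
            self.connections.add(key)
            return True
        # Stateful inspection: later packets are judged in the context of earlier ones,
        # so replies from the Internet get in only for connections the LAN opened.
        if key in self.connections or reply_key in self.connections:
            return True
        return False  # default deny, including unsolicited inbound traffic

def run_scenario():
    """Constructed packet sequence; returns the firewall's decision for each packet."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.0.5", "203.0.113.9", 51000, 443, syn=True),   # LAN host opens HTTPS
        Packet("203.0.113.9", "10.0.0.5", 443, 51000),             # server's reply
        Packet("10.0.0.5", "203.0.113.9", 51000, 443),             # more client data
        Packet("198.51.100.7", "10.0.0.5", 40000, 443, syn=True),  # unsolicited inbound
        Packet("10.0.0.5", "203.0.113.9", 51001, 23, syn=True),    # outbound telnet (port blocked)
        Packet("10.0.0.6", "203.0.113.9", 52000, 443),             # no SYN seen: not established
    ]
    return [fw.allow(p) for p in packets]
```

The last packet is the stateful part in action: it is headed for an allowed port, but the firewall never saw that connection being opened, so a header-only rule would pass it and the stateful check does not.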

What features differentiate a next-gen firewall from a traditional firewall?

NGFWs have all of the above features. But in addition, they include technologies that weren't available in earlier firewall products:

Intrusion prevention system (IPS): An intrusion prevention system actively detects and blocks cyber attacks. This is like having a security guard who actively patrols a building, instead of one who just sits next to the front entrance.

Deep packet inspection (DPI): Older firewalls typically inspect only the headers* of the data packets passing through. NGFWs inspect both data packet headers and the packet payload, in order to better detect malware and other kinds of malicious traffic. This is somewhat like a security checkpoint where the security officers actually inspect the contents of a person's luggage, instead of just having that person tell the officers what items are in their luggage.

*A packet header contains information about the packet as a whole, such as how long it is and where it originates from.

Application control: In addition to analyzing network traffic, NGFWs can identify which applications the traffic comes from. Based upon that, NGFWs can control what resources different applications can access, or block certain applications altogether.

Directory integration: User directories allow an organization's internal teams to track the privileges and permissions each user has. Some NGFWs can filter network traffic or applications based on these internal user directories. If a user does not have permission to access a certain application, then that application is blocked for that user by the firewall, even if the application isn't identified as malicious.

Encrypted traffic inspection: Some NGFWs can actually decrypt and analyze traffic that is encrypted with SSL/TLS. A firewall is able to do this by acting as a proxy for the TLS process. All traffic to and from the website is decrypted by the firewall, analyzed, and encrypted again. From a user's point of view, this proxying is virtually seamless, and they can interact with secure HTTPS websites like normal.
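As an added example (not code from the original article or from any NGFW vendor), the following contrasts a header-only port check with deep packet inspection plus application control over the same packets. The application fingerprints, the open-port policy, and the malware signature string are all constructed for illustration; the decrypted-payload case assumes the firewall already holds plaintext, as the TLS proxying described above would provide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes  # assumed already decrypted where TLS inspection applies

# Constructed policy: only ports 80 and 443 are open (all a port-blocking firewall sees),
# and of the applications the NGFW can recognise, only web traffic is permitted.
OPEN_PORTS = {80, 443}
ALLOWED_APPS = {"http", "tls"}
# Constructed placeholder standing in for a real IPS / anti-malware payload signature.
MALWARE_SIGNATURES = [b"CONSTRUCTED-MALWARE-SAMPLE"]

def header_only_decision(p):
    """Traditional port blocking: the firewall never looks past the header."""
    return "allow" if p.dst_port in OPEN_PORTS else "block"

def identify_app(payload):
    """Application identification from the first bytes of the payload, regardless of port."""
    if payload.startswith(b"SSH-"):          # SSH protocol banner
        return "ssh"
    if payload[:2] == b"\x16\x03":           # TLS handshake record, protocol version 3.x
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):  # HTTP request line
        return "http"
    return "unknown"

def ngfw_decision(p):
    """DPI + application control: header check first, then the payload itself."""
    if p.dst_port not in OPEN_PORTS:
        return "block:port"
    app = identify_app(p.payload)
    if app not in ALLOWED_APPS:
        return f"block:app={app}"
    if any(sig in p.payload for sig in MALWARE_SIGNATURES):
        return "block:signature"
    return "allow"

def run_scenario():
    """Constructed packets; returns (header-only, NGFW) decisions side by side."""
    packets = [
        Packet(443, b"SSH-2.0-OpenSSH_9.6\r\n"),                     # SSH hiding on the HTTPS port
        Packet(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # start of a TLS ClientHello
        Packet(80, b"POST /upload HTTP/1.1\r\n\r\nCONSTRUCTED-MALWARE-SAMPLE"),
        Packet(23, b"hello"),                                        # closed port
    ]
    return [(header_only_decision(p), ngfw_decision(p)) for p in packets]
```

The first and third packets are the point: a port-only check passes both, while the NGFW blocks the first because the application is not permitted on that port and the third because its payload matches a signature.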

Are NGFWs deployed in the cloud or on-premises?

NGFWs can run either in the cloud or on-premises. The only thing that distinguishes an older firewall from a next-gen firewall is whether or not it has next-generation capabilities like those listed above.

What is Firewall-as-a-Service (FWaaS)?

Firewall-as-a-Service (FWaaS) is a firewall that is hosted in the cloud by a third-party vendor. "Cloud firewall" is another term for this type of service.

FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-Service" categories, such as Software-as-a-Service or Platform-as-a-Service, FWaaS runs in the cloud and is accessed over the Internet.

Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary between the trusted and untrusted networks. But in cloud computing, this boundary, called a "network perimeter," does not necessarily exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls keep these assets secure despite this lack of a network perimeter.

What is the difference between FWaaS (cloud firewalls) and NGFWs?

Next-Generation Firewall vs Cloud Firewall

Most modern firewalls, including FWaaS/cloud firewalls, are next-generation. However, "FWaaS" and "next-generation" describe two different characteristics of a firewall. FWaaS describes where a firewall is. "Next-generation" describes what a firewall can do.

Any firewall that has next-generation capabilities is an NGFW, no matter where it's hosted. A cloud firewall, or FWaaS, is hosted in the cloud – whether or not it has next-generation capabilities. Additionally, cloud-hosted firewalls are configured, maintained, and updated by a vendor, making them easier for customers to maintain and usually more up-to-date and safer.

What kind of firewall does Cloudflare offer?

The Cloudflare WAF (web application firewall) is a cloud-based firewall that protects cloud assets as well as web applications. The Cloudflare WAF is unique in that it continually identifies and blocks new potential threats. It does this by analyzing traffic data from the entire global Cloudflare network.