A next-generation firewall (NGFW) is a firewall with powerful modern features. Next-generation firewalls can be hosted in the cloud, though not all of them are.
After reading this article you will be able to:
Copy article link
A next-generation firewall (NGFW) is more powerful than a traditional firewall. NGFWs have the capabilities of traditional firewalls, but they also have a host of added features to address a greater variety of organizational needs and block more potential threats. They're called "next generation" to differentiate them from older firewalls that don't have these capabilities.
The difference between a next-generation firewall and older firewalls is somewhat like the difference between a smartphone and an old-fashioned cell phone. Both have some features in common – texting, voice calls, a list of contacts, etc. But a smartphone adds so many advanced features that it's practically a different type of product, and as a result there's a different term for it.
A firewall is a security product that monitors and controls network traffic based on a set of security rules. Firewalls can be software applications installed on a server or a computer, or they may be physical hardware appliances that connect to an internal network. Firewalls usually sit between a trusted network and an untrusted network; often the trusted network is a business's internal network, and the untrusted network is the Internet.
NGFWs have all of the above features. But in addition, they include technologies that weren't available in earlier firewall products:
Intrusion prevention system (IPS): An intrusion prevention system actively detects and blocks cyber attacks. This is like having a security guard who actively patrols a building, instead of one who just sits next to the front entrance.
Deep packet inspection (DPI): Older firewalls typically inspect only the headers* of the data packets passing through. NGFWs inspect both data packet headers and the packet payload, in order to better detect malware and other kinds of malicious traffic. This is somewhat like a security checkpoint where the security officers actually inspect the contents of a person's luggage, instead of just having that person tell the officers what items are in their luggage.
*A packet header contains information about the packet as a whole, such as how long it is and where it originates from.
Application control: In addition to analyzing network traffic, NGFWs can identify which applications the traffic comes from. Based upon that, NGFWs can control what resources different applications can access, or block certain applications altogether.
Directory integration: User directories allow an organization's internal teams to track the privileges and permissions each user has. Some NGFWs can filter network traffic or applications based on these internal user directories. If a user does not have permission to access a certain application, then that application is blocked for that user by the firewall, even if the application isn't identified as malicious.
Encrypted traffic inspection: Some NGFWs can actually decrypt and analyze traffic that is encrypted with SSL/TLS. A firewall is able to do this by acting as a proxy for the TLS process. All traffic to and from the website is decrypted by the firewall, analyzed, and encrypted again. From a user's point of view, this proxying is virtually seamless, and they can interact with secure HTTPS websites like normal.
NGFWs can run either in the cloud or on-premises. The only thing that distinguishes an older firewall from a next-gen firewall is whether or not it has next-generation capabilities like those listed above.
Firewall-as-a-Service (FWaaS) is a firewall that is hosted in the cloud by a third party vendor. "Cloud firewall" is another term for this type of service.
FWaaS is not a physical appliance, nor is it hosted on an organization's premises. Like other "as-a-Service" categories, such as Software-as-a-Service or Platform-as-a-Service, FWaaS runs in the cloud and is accessed over the Internet.
Before the advent of cloud computing, a firewall sat in between a trusted network and an untrusted one, and there was a clear boundary between the trusted and untrusted networks. But in cloud computing, this boundary, called a "network perimeter," does not necessarily exist, because trusted cloud assets are accessed over an untrusted network (the Internet). Cloud-hosted firewalls keep these assets secure despite this lack of a network perimeter.
Most modern firewalls, including FWaaS/cloud firewalls, are next-generation. However, "FWaaS" and "next-generation" describe two different characteristics of a firewall. FWaaS describes where a firewall is. "Next-generation" describes what a firewall can do.
Any firewall that has next-generation capabilities is an NGFW, no matter where it's hosted. A cloud firewall, or FWaaS, is hosted in the cloud – whether or not it has next-generation capabilities. Additionally, cloud-hosted firewalls are configured, maintained, and updated by a vendor, making them easier for customers maintain and usually more up-to-date and safer.
The Cloudflare WAF (web application firewall) is a cloud-based firewall that protects cloud assets as well as web applications. The Cloudflare WAF is unique in that it continually identifies and blocks new potential threats. It does this by analyzing traffic data from the entire global Cloudflare network.
Learning Center Navigation