Enter the Next Generation Firewall

The term “Next Generation Firewall” (NGFW for short) is used to describe devices that go beyond traditional firewall functions by adding security capabilities such as intrusion prevention. Outside of security vendors, the term has been championed mostly by Gartner, which uses it to identify devices that have the following capabilities:

  • Standard firewall features such as packet filtering, network address translation and VPN capabilities.
  • “Integrated” network intrusion prevention.
  • “Application awareness”: the ability to identify applications and apply controls at the application layer (for example, allowing Skype calls while blocking Skype file transfers).
  • The ability to obtain and use “extra-firewall” intelligence (information from outside the firewall itself) to improve blocking decisions, such as reputation services or identity services such as Active Directory.

Be aware that just because a vendor uses the term, it doesn’t necessarily mean their product will provide this particular set of functions.
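As an added illustration (not code from the original post or from any vendor product), the following Python sketch contrasts a traditional port-based filter with a decision that evaluates application, sub-function, user identity and reputation on the same flow; the reputation set, IP-to-user mapping, group membership and rule names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed sample context (placeholders, not a real feed or directory):
BAD_REPUTATION = {"203.0.113.50"}                       # reputation service: "malicious"
USER_BY_IP = {"10.0.0.5": "alice", "10.0.0.9": "bob"}   # identity service (e.g. AD) lookup
GROUPS = {"alice": {"staff"}, "bob": {"staff", "it-admin"}}
@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    app: str = "unknown"        # application identified by inspecting the payload
    function: str = ""          # application sub-function, e.g. "call" or "file-transfer"
    ips_verdict: str = "clean"  # intrusion-prevention verdict from the same inspection

@dataclass
class Rule:
    name: str
    action: str
    app: str | None = None
    function: str | None = None
    group: str | None = None
    def matches(self, f: Flow, groups: set[str]) -> bool:
        return ((self.app is None or self.app == f.app)
                and (self.function is None or self.function == f.function)
                and (self.group is None or self.group in groups))

POLICY = [
    Rule("block-skype-ft", "deny", app="skype", function="file-transfer"),
    Rule("allow-skype-calls", "allow", app="skype", function="call"),
    Rule("admins-ssh", "allow", app="ssh", group="it-admin"),
    Rule("web", "allow", app="http"),
]

def legacy_decide(f: Flow) -> str:
    """Traditional port filter: a call and a file transfer on the same port look identical."""
    return "allow" if f.dport in (80, 443) else "deny"

def ngfw_decide(f: Flow) -> tuple[str, str]:
    """One decision over the whole flow context: reputation, IPS verdict, app, function, user."""
    if f.dst in BAD_REPUTATION:
        return "deny", "reputation"
    if f.ips_verdict != "clean":
        return "deny", "ips:" + f.ips_verdict
    groups = GROUPS.get(USER_BY_IP.get(f.src, ""), set())
    for rule in POLICY:
        if rule.matches(f, groups):
            return rule.action, rule.name
    return "deny", "default"
```

The two Skype flows are indistinguishable to `legacy_decide`, while `ngfw_decide` allows the call and blocks the file transfer.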

Things to consider when evaluating NGFW

Architecture: Next generation devices should apply all of their security capabilities in a single inspection pass, demonstrating true integration of their components rather than simply bundling separate product engines in one box.
Throughput performance: All the additional capabilities, checks and inspections these devices perform will certainly act as a speed bump to the traffic flow.
Ease of use: A major driver for the adoption of these devices is the promise of reducing the complexity of managing disparate security products.

A successful implementation, however, can really improve your chances against the new generation of network threats.

More detailed information on my personal blog.