Why You Need a Next Generation Firewall NGFW

By Garry Hamilton

Next generation firewalls (NGFWs) are changing the face of our security systems. These hardware-based or software-based solutions can detect and block sophisticated attacks. A next generation firewall enforces security policy at several layers of the OSI model, from the network and transport layers up through the application layer, where it can identify and control individual applications rather than only addresses and ports.

Network Security

Our digital world is becoming more and more crowded with important information and sensitive data, which makes network security a concern for all of us and opens a very large market for vendors racing in this competitive sector.

While each vendor is trying to show its muscles in this sector, new ideas and concepts emerge every day. Most of it is purely marketing and adds no real value to the underlying technology, but some of it is genuinely valuable and pushes network security technology to new levels.

Next Generation Firewall - Do We Need It? Network Devices Inc

From Traditional to Cisco Next Generation Firewall

One of the most trending headlines in the industry lately is the Next Generation Firewall (NGFW). In this blog post we give an overview of network firewall security, how a firewall works, and why a next generation firewall is needed. During this introductory overview we focus on one of the major players in the network security sector, the Cisco network firewall.

Network Security Management History

Firewall technologies evolved over the last couple of decades, starting with simple stateless packet-filtering firewalls. This first generation of firewalls made its decisions on information found in the layer 3 and layer 4 headers of the packets flowing through it: source and destination IP addresses, the transport protocol, and port numbers. Such a simple inspection turned out not to be enough. Stateless firewalls also suffered from complex configuration, because the administrator had to account for the flows in both directions. The return traffic of a session initiated from the trusted side of the network was not automatically allowed in, so it needed its own inbound rule, and in practice that rule was written loosely (for example, permitting any inbound TCP packet with the ACK bit set), which let attackers craft packets that passed it. This is why the next generation of network security firewall devices started to work in a stateful manner, tracking each session and admitting return traffic only for connections they had already seen, which gives a more granular way of controlling traffic in both directions.
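The difference between the two approaches is easiest to see on a short packet trace. The following simulation is an added example written for this post, not code from the original article or from any Cisco product; the rule set, addresses and packet sequence are constructed for illustration. The stateless filter uses one outbound rule plus an inbound rule that, like an IOS-style "established" ACL entry, only checks that the ACK bit is set; the stateful filter keeps a connection table populated by permitted SYNs and admits inbound packets only as the reverse of a tracked session.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"
    direction: str   # "out" = trusted -> untrusted, "in" = untrusted -> trusted


def stateless_allow(pkt: Packet) -> bool:
    """Stateless packet filter. Every direction needs its own rule, and the
    inbound rule mimics an IOS-style 'established' ACL entry: it only checks
    that the ACK bit is set, because a stateless device has no memory of
    which sessions the trusted side actually opened."""
    if pkt.direction == "out" and pkt.dport == 443:
        return True
    if pkt.direction == "in" and pkt.sport == 443 and "A" in pkt.flags:
        return True
    return False


class StatefulFirewall:
    """Stateful filter: one outbound rule, plus a connection table that is
    filled by permitted SYNs and consulted for every other packet."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            if pkt.dport == 443 and pkt.flags == "S":
                self.sessions.add(key)          # a new session from the trusted side
                return True
            return key in self.sessions         # later packets of a tracked session
        # Inbound packets are allowed only as the reverse of a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed traffic (hypothetical addresses): one legitimate HTTPS session
# and two unsolicited probes from an outside host.
CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SCENARIO = [
    ("client opens HTTPS", Packet(CLIENT, 51000, SERVER, 443, "S", "out")),
    ("server SYN/ACK reply", Packet(SERVER, 443, CLIENT, 51000, "SA", "in")),
    ("client completes handshake", Packet(CLIENT, 51000, SERVER, 443, "A", "out")),
    ("crafted ACK from port 443 to SSH", Packet(ATTACKER, 443, CLIENT, 22, "A", "in")),
    ("unsolicited SYN to SSH", Packet(ATTACKER, 40000, CLIENT, 22, "S", "in")),
]


def run_scenario() -> dict[str, dict[str, bool]]:
    """Run the scenario through both filters; returns the verdict per packet."""
    fw = StatefulFirewall()
    return {name: {"stateless": stateless_allow(pkt), "stateful": fw.allow(pkt)}
            for name, pkt in SCENARIO}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:34s} stateless={verdict['stateless']!s:5s} stateful={verdict['stateful']}")
```

Both filters pass the real session. The crafted ACK from source port 443 to the client's SSH port is accepted by the stateless filter, because it matches the loose return rule, and refused by the stateful one, because no session with that four-tuple was ever opened from the inside.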

After that period, the way many applications worked changed. Many applications started to run on top of well-known protocols; for instance, a lot of them began to communicate over the most common protocol, HTTP, as Exchange ActiveSync does. Despite the flexibility this brought, attackers got a very good opportunity: anything carried over those well-known protocols looked the same to the firewall, and identifying applications by layer 4 information alone (such as TCP port 80 or 443) turned out to be insufficient.

Network Security Solutions Today

At that point, network security vendors made a great effort to inspect packets not only at layer 4 but all the way up to layer 7 and the payload it carries. New attractive concepts emerged, such as Deep Packet Inspection (DPI).

Firewalls reached the stage at which they are stateful and capable of inspecting packets up to layer 7. So what does the concept of NGFW add to the equation?

Network Firewall Security Next Generation Firewall Network - Devices Inc

Next Generation Firewall vs. Traditional Firewall

Here we list the extra features a decent NGFW offers compared with a traditional firewall:

  • Integrated intrusion prevention system (IPS). This is a very important feature of the NGFW. We will create a special blog post on this topic.
  • Identification of applications. This identification can be achieved with different methods that vary from vendor to vendor, for example header inspection, pre-defined application signatures, and payload analysis. Accurate identification plays a key role in enforcing the network security policy at the application level, where, as we mentioned earlier, most network attacks take place.
  • Granular control of applications. This builds on the previous feature. For instance, employees can have access to Facebook even during working hours, but not to the games inside Facebook's web pages, without affecting the rest of the website.
  • Capability to correlate information from other network security devices and software, including directory-based policies (user and group identity), Network Access Control (NAC) policies, etc.
  • SSL/TLS decryption. Vendors offer different deployment models, such as a forward SSL proxy (for sessions from internal clients to outside servers, which requires the clients to trust a CA certificate held by the firewall) and a reverse SSL proxy (for sessions to the organization's own servers, where the firewall holds the server's private key). Such a feature enables identification of malware and other threats hidden inside encrypted sessions.
  • More realistic performance figures. Legacy firewall datasheets often showed misleading throughput numbers, because those numbers were measured with pure layer 4 stateful filtering; as soon as the advanced features (AV, anti-malware, anti-spam, IDS/IPS), which were considered add-ons to the basic firewall, were switched on, throughput dropped dramatically. With NGFWs those features are considered built into the software and the underlying hardware, so throughput is quoted with them enabled. It is still worth checking under which feature set each datasheet number was measured.
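To make the application identification and granular control points concrete, here is an added example written for this post; it is not code from the original article or from any vendor's product, and the hosts, payloads and policy are constructed for illustration. It contrasts a port-only policy ("web ports are open") with a payload-based one: HTTP requests are identified by their request line and Host header, TLS sessions by the server name (SNI) in the ClientHello, and SSH by its banner regardless of port. The SNI is visible without decryption; seeing the request path inside an HTTPS session would need the SSL forward proxy described above.

```python
import re
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Constructed sample input for this example; it is not a full handshake."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                              # version + (zeroed) random
            + b"\x00"                                               # session_id length
            + b"\x00\x02\x13\x01"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data: bytes):
    """Extract the server_name from a TLS ClientHello, or return None."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 43                                   # past record hdr(5), hs hdr(4), version(2), random(32)
    pos += 1 + data[pos]                       # session_id
    if pos + 2 > len(data):
        return None
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(data):
        return None
    pos += 1 + data[pos]                       # compression_methods
    if pos + 2 > len(data):
        return None
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(data)):
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0:                         # server_name: 2-byte list length, then entries
            p = pos + 2
            while p + 3 <= pos + elen:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None


PORT_APPS = {22: "ssh", 80: "http", 443: "tls"}


def identify_app(dst_port: int, payload: bytes) -> dict:
    """NGFW-style identification: payload signatures first, port as a last resort."""
    sni = parse_sni(payload)
    if sni is not None:
        return {"app": "tls", "host": sni, "path": None, "by": "payload"}
    if payload.startswith(b"SSH-"):
        return {"app": "ssh", "host": None, "path": None, "by": "payload"}
    m = re.match(rb"(?:GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n", payload)
    if m:
        h = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
        return {"app": "http", "host": h.group(1).decode() if h else None,
                "path": m.group(1).decode(), "by": "payload"}
    return {"app": PORT_APPS.get(dst_port, "unknown"), "host": None, "path": None, "by": "port"}


def port_only_policy(dst_port: int, payload: bytes) -> str:
    """Legacy layer 4 policy: web ports are open, everything else is closed."""
    return "allow" if dst_port in (80, 443) else "deny"


def ngfw_policy(dst_port: int, payload: bytes) -> str:
    """Application-level policy: web browsing is allowed, the games app inside
    Facebook is not, and SSH is only allowed on its own port."""
    app = identify_app(dst_port, payload)
    host, path = app["host"] or "", app["path"] or ""
    if app["app"] == "ssh":
        return "allow" if dst_port == 22 else "deny"
    if app["app"] in ("http", "tls"):
        if host == "apps.facebook.com" or path.startswith("/games"):
            return "deny"
        return "allow"
    return "deny"


# Constructed flows: destination port plus the first client bytes of each session.
FLOWS = {
    "facebook over https": (443, build_client_hello("www.facebook.com")),
    "facebook games over http": (80, b"GET /games/play HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"),
    "ssh tunnelled on port 80": (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh on its own port": (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}


def evaluate() -> dict:
    """Verdict of both policies, and the identified application, for every flow."""
    return {name: {"port_only": port_only_policy(p, d), "ngfw": ngfw_policy(p, d),
                   "app": identify_app(p, d)["app"]} for name, (p, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:26s} app={v['app']:5s} port-only={v['port_only']:5s} ngfw={v['ngfw']}")
```

The port-only policy lets SSH through on port 80 and cannot tell the games page from the rest of Facebook; the payload-based policy blocks both while still allowing the ordinary Facebook session and SSH on port 22. Real products use far larger signature sets, but the decision structure is the same.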

Despite the attractiveness of the above list, the Cisco network firewall, the Cisco ASA firewall, and other Cisco security solutions add more attractive features and make this list longer. We will dive into those extra NGFW features provided by Cisco Systems and explain them in detail in the next blog post.

Cisco Network Firewall Models for Evolved Network Security

To get the best firewall security, take a look at our network security and firewall devices. Learn more about why the Cisco Firewall ASA 5500-X Series is a good fit for small to medium businesses, and how the Cisco Firewall ASA 5500 Series can help you stay secure and protect your investment, on our Cisco Firewall Collection page. The Cisco ASA 5500 Series is a unified platform that delivers firewall protection, VPN, unified communications security, and intrusion prevention (IPS). This Cisco ASA firewall suits service providers, enterprises, and small to medium-sized businesses.

  • ASA5506-K8, Cisco ASA Firewall 5500 Series
  • ASA5506-K9, Cisco ASA Firewall 5500 Series

Explore the Cisco Firewall ASA 5500-X Series options that we offer and contact us today. Network Devices Inc. support stands by to help you and answer any next generation firewall questions you may have.