Evolution and Emergence of Next-Generation Firewalls

Carmen Tosun
6 minute read

This post will overview the evolution and workings of firewalls and why next-generation firewalls are important.

Our digital world is becoming increasingly clogged with critical information and sensitive data. As a result, network security is a significant concern for all of us. It creates a massive market for various vendors to compete in this highly competitive sector.

While each vendor is trying to stand out in this sector, many new ideas and concepts emerge daily. Yes, many of those novelties are for marketing purposes and add little, if any, value to the underlying technology. However, some valuable innovations are still pushing network security to new levels.

Emergence of Firewalls

First Generation: Packet Filtering and Stateful Firewalls

Digital Equipment Corporation was already a leading name in digital technology in the 80s. It used the WWW to provide marketing information worldwide and was a strategic partner in influential innovations such as MecklerWeb and CommerceNet (Columbia University). In 1988, the company also introduced the first-ever firewall, a packet-filter firewall (Juniper.Net).

Despite being affordable and very easy to use, packet filter firewalls did not have the technology to prevent more advanced cyber attacks. Their job was to monitor the network traffic and check the IP source and destination. 

Just a year later, AT&T Bell introduced the first stateful firewall. Stateful firewalls could monitor the network traffic for a pre-defined connection, adding an extra layer of security.

However, such simple inspection turned out to be insufficient. Because administrators had to account for flows in both directions, stateless packet filters were challenging to configure and implement: the return flow of a session initiated from the trusted side of the network was not automatically allowed in.


Stateful Firewall

That shortcoming is why, at the time, newer network security devices began to work in a stateful manner. The purpose was to achieve a more granular method of controlling network traffic in both directions.
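As an added illustration (not from the original post) of the return-flow problem described above: a toy stateless packet filter next to a stateful one that keeps a connection table. All addresses, ports and packets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True on the first packet of a new TCP connection

def trusted(ip: str) -> bool:
    return ip.startswith("10.0.0.")  # constructed inside network

def stateless_filter(pkt: Packet, return_rule: bool) -> bool:
    """First-generation packet filter: static rules only, no memory of sessions.
    Without return_rule, replies to inside-initiated sessions are dropped; with it,
    the admin opens 'src port 80 -> any ephemeral port', which also admits probes."""
    if trusted(pkt.src_ip):
        return True
    return return_rule and pkt.src_port == 80 and pkt.dst_port >= 1024

class StatefulFirewall:
    """Remembers flows opened from the trusted side; admits only their reverse flow."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        if trusted(pkt.src_ip):
            if pkt.syn:
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.sessions

def demo() -> dict:
    """Constructed traffic: one outbound HTTP session, its reply, and an unsolicited
    probe that mimics the reply's ports but belongs to no session."""
    outbound = Packet("10.0.0.5", 51000, "203.0.113.7", 80, syn=True)
    reply = Packet("203.0.113.7", 80, "10.0.0.5", 51000)
    probe = Packet("198.51.100.9", 80, "10.0.0.5", 51000)
    fw = StatefulFirewall()
    fw.allow(outbound)
    return {
        "stateless_strict_reply": stateless_filter(reply, return_rule=False),  # False
        "stateless_open_reply": stateless_filter(reply, return_rule=True),     # True
        "stateless_open_probe": stateless_filter(probe, return_rule=True),     # True (hole)
        "stateful_reply": fw.allow(reply),   # True
        "stateful_probe": fw.allow(probe),   # False
    }
```

The stateless filter can only admit the reply by opening a rule wide enough to admit the probe too; the connection table admits exactly the reverse of the session the inside host opened.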

Second Generation: Proxy Services

Following packet filtering and stateful firewalls, there was a change in the working method of many applications. Many of those applications started to use well-known protocols in their operations. For example, many applications began communicating on top of the most common protocol, HTTP, such as the Exchange ActiveSync protocol.

Proxy Server

Despite the flexibility of such applications and protocols, attackers still got the opportunity to attack networks. Using those well-known protocols and identifying applications based on layer 4 information turned out to be insufficient.

Third-Generation / Next-Generation Firewalls

Next-generation firewalls (NGFWs) are changing the face of our security systems. These hardware-based or software-based advanced solutions can detect and block sophisticated attacks. A next-generation firewall enforces security policies at different layers of the OSI model, starting from the network layer and going through the application layer and beyond.

Next-generation firewalls provide:

·  Granular control

·  Deeper visibility

·  Advanced threat detection

·  Deep packet inspection with the help of AI/ML technology

Unlike legacy firewalls, next-gen firewalls process traffic based on security policies or access rules.

These firewalls can perform deep inspection into network packets and analyze their behavior against expected outcomes. Apart from performance and packet inspection characteristics, the NGFW firewall also offers the following:

·  Application control and visibility

·  URL filtering

·  IPS

·  Anti-bot

·  Anti-virus

·  Sandboxing

·  SSL-Decryption

These additional security features and the deep packet inspection performed by an NGFW enable it to identify and mitigate a wider range of attacks more effectively than legacy firewalls.

A Deeper Look into Next-Gen Firewalls

At the time, network security vendors made a concerted effort to inspect packets not only at Layer 4 but also up to Layer 7 and the payload above it. New concepts emerged from this effort, such as Deep Packet Inspection (DPI).

Firewalls reached the stage at which they are stateful and capable of inspecting packets up to layer 7. So, what does the concept of NGFW add to the equation?

Next-Generation Firewalls

Next-Generation Firewall vs. Traditional Firewall

Below is a list of the extra features a decent NGFW offers compared with a traditional firewall:

·  Integrated intrusion prevention system (IPS)

IPS is a critical feature of the NGFW. You can read more about it in our upcoming introductory firewall article.

·  Identification of applications

You can achieve this identification using various methods, varying from vendor to vendor. Some examples include header inspection, application signatures, and payload analysis. Accurate identification is critical in enforcing network security policies at the application level. As previously stated, the majority of network attacks are carried out at that level.

·  Granular, fine-grained control of applications

Granular control builds on the previously mentioned identification feature. For instance, employees can be allowed to access Facebook during working hours while their access to the games inside Facebook web pages is blocked. Granular control allows blocking only particular parts of a webpage without affecting other content.
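As an added example (not from the original post) of why Layer 4 identification is insufficient and how application identification enables the Facebook-versus-games policy described above: a toy classifier that looks at the first client bytes of port-80 flows. The signature strings, hosts, paths and sample requests are constructed assumptions; real vendor signature sets are far larger and also use statistical payload analysis.

```python
import re

# Constructed, simplified signatures: only the first client message is examined.
ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"   # assumed ActiveSync endpoint path
GAMES_PREFIX = "/games"                            # assumed path for Facebook games

def identify_app(payload: bytes) -> str:
    """Layer-7 identification from the first client bytes, ignoring the port."""
    if payload[:3] == b"\x16\x03\x01":
        return "tls"                   # TLS ClientHello record header
    if payload.startswith(b"SSH-"):
        return "ssh"                   # SSH banner, whatever port it arrives on
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    m = re.match(r"(?:GET|POST|OPTIONS) (\S+) HTTP/1\.[01]\r\n", head)
    if not m:
        return "unknown"
    path = m.group(1)
    host = re.search(r"\r\nHost: ([^\r\n]+)", head, re.I)
    host = host.group(1).strip().lower() if host else ""
    if path.startswith(ACTIVESYNC_PATH):
        return "exchange-activesync"
    if host.endswith("facebook.com"):
        return "facebook-games" if path.startswith(GAMES_PREFIX) else "facebook"
    return "web-browsing"

# Granular policy keyed on the identified application, not the port.
POLICY = {"facebook": "allow", "facebook-games": "deny", "exchange-activesync": "allow",
          "web-browsing": "allow", "tls": "inspect", "ssh": "deny", "unknown": "deny"}

def legacy_decision(dst_port: int) -> str:
    """Layer-4 rule: anything to port 80 is 'web' and allowed."""
    return "allow" if dst_port == 80 else "deny"

def ngfw_decision(payload: bytes) -> tuple[str, str]:
    app = identify_app(payload)
    return app, POLICY[app]

def demo() -> dict:
    """Constructed port-80 flows that a port-based rule cannot tell apart."""
    flows = {
        "fb_feed": b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
        "fb_game": b"GET /games/play?id=1 HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n",
        "eas_sync": b"POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\r\n"
                    b"Host: mail.example.com\r\n\r\n",
        "ssh_on_80": b"SSH-2.0-constructed\r\n",
    }
    return {name: (legacy_decision(80), *ngfw_decision(p)) for name, p in flows.items()}
```

Each result is (legacy verdict, identified application, NGFW verdict); the port-based rule says "allow" for all four flows, while the application-aware policy denies the games and the non-HTTP protocol on port 80.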

·  Capability to correlate information from other network security devices and software

This advanced network integration includes directory-based policies, Network Access Control (NAC) policies, and similar mechanisms.

·  Secure sockets layer (SSL) decryption

Vendors offer several deployment models, such as Forward SSL Proxy and Reverse SSL Proxy. Such a feature can identify malware hidden inside encrypted application traffic.

·  More accurate performance-related numbers and figures

Previously, misleading throughput numbers could be found in firewall datasheets because those numbers were obtained for pure layer 4 stateful filtering. Throughput dropped dramatically once the advanced features (considered add-ons to the basic functionality of the firewall) were enabled. NGFWs resolved this because those features (such as AV, anti-malware, anti-spam, and IDS/IPS) are considered built into the NGFW's software and underlying hardware, so its performance figures account for them.

The list above is eye-catching. You can keep reading our articles on specific models of firewalls or CONTACT US for more information. 
