Next-Generation Firewalls are the successors of several earlier generations of firewalls. How do they work, and what value do they add?
In this newsletter, we cover Next-Generation Firewalls from scratch.
Firewalls in a few words
First things first: let’s define what a firewall is before addressing Next-Generation Firewalls.
A firewall is a system that allows or blocks connections between computer networks. It was designed to be the first line of defence against malicious activity coming from the internet. Nowadays, this kind of system has become a standard in IT security, whether in corporate, government or even personal networks.
In more detail, the basic task of a firewall, as explained above, is to allow or block a connection initiated from a network and/or an endpoint device. For example, access to a server (web, FTP, etc.) is determined by the security policies set up by a network administrator. The firewall also records information about network traffic, which gives the network administrator an overview of the potential attacks he or she may face.
Predecessors of Next-Generation Firewalls
The Packet Filter Firewalls
Our journey begins at the end of the 1980s, when the first firewalls were created at Cisco Systems and Digital Equipment Corporation: the so-called “Packet Filter Firewalls”. These first-generation firewalls were relatively simple filtering systems, and they were the first step towards today’s network security.
The Packet Filter Firewall was stateless: it filtered and dropped traffic by applying the security policy to each packet in isolation. The main disadvantage of this generation was that it could not keep track of the connection state. In other words, packets were treated one by one, without regard to related packets.
Packets were processed at Layers 3 and 4 of the OSI model by matching header fields against 4 parameters: packet source, packet destination, ports, and the protocol used to forward the traffic. At that time, no higher layer was examined.
The major weakness of the Packet Filter Firewalls was that hackers could craft packets to pass through the filters by taking advantage of this lack of state tracking. Operating system stacks were also vulnerable, because a single packet could crash the whole system. Nowadays, that rarely occurs.
Web-based traffic was fully allowed by Packet Filter Firewalls, which meant web-based attacks were allowed as well. These firewalls could not differentiate valid return packets from forged return packets. For this reason, the packet filter concept was reworked, and the idea of a stateful firewall was born.
The Stateful Firewalls
In the early 1990s, the Packet Filter Firewalls were no longer effective against hackers’ attacks, which had become more elaborate and complex over the years. Therefore, it didn’t take long for the Stateful Firewalls to be created.
The Stateful Firewall offers the same functionality as its predecessor, except that it can also monitor and store the session and connection state, which is a big advantage. Based on the source and destination IP addresses, the ports, and the protocol used, this generation of firewalls can associate related packets in a flow. Briefly speaking, if a packet matches this bi-directional information, it belongs to the flow.
Nowadays, the use of the internet is omnipresent, and businesses use it to deploy services. However, a major concern arises: how can we grant access to those services without compromising on security? Indeed, businesses want to protect their networks against attempts by employees and other corporate personnel, such as contractors and partners, to access network resources they are not authorized to access.
In addition, businesses also want to protect their networks against attacks launched either unwittingly or intentionally from within the LAN and across the Internet. This is where Stateful Firewalls come in.
Because its predecessor could not give administrators the tools to monitor the state of communications and connections within and across sessions, the Stateful Firewall didn’t take long to replace it. Open connections, sessions and the communication status between a source and a destination host are stored directly in a state table.
Providing administrators with an intelligent view into network connections allows them to define rules that control traffic access based on the state of the connection. This is the key principle of a Stateful Firewall. Unlike the stateless Packet Filter Firewalls, which worked on a 4-tuple, Stateful Firewalls use a 5-tuple to identify a connection state.
In fact, the main problems of the Packet Filter Firewalls were solved by their successor, which manages the connection/session state in its state table. But what about the problem of not being able to discern good web traffic from bad web traffic? For this, we need firewall features that can detect and block web attacks.
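To make the difference between the two generations concrete, here is an added example (not code from the original newsletter or from any firewall vendor) that models both filters in Python. The internal network, the rule set and the three packets are constructed; the point it shows is the one made above: a stateless filter has to open inbound port-80 traffic to let web replies in, so a forged “reply” that nobody requested passes, whereas a stateful filter keyed on the 5-tuple only accepts the reply whose reverse tuple is in its state table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed, hypothetical internal network used to tell "inside" from "outside".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """One packet reduced to the header fields the two firewall generations match on."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """One policy line; None in a field means 'any'."""
    action: str                    # "allow" or "deny"
    src_internal: Optional[bool]   # True: from the LAN, False: from outside, None: any
    sport: Optional[int]
    dport: Optional[int]
    proto: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        from_inside = ipaddress.ip_address(pkt.src) in INTERNAL_NET
        return (
            (self.src_internal is None or self.src_internal == from_inside)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.proto is None or self.proto == pkt.proto)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatelessFilter:
    """First generation: every packet is judged alone against the rule set.
    To let web replies back in, the policy has to open every inbound TCP packet
    with source port 80, because the filter has no memory of what was requested."""
    RULES = [
        Rule("allow", True, None, 80, "tcp"),    # LAN -> any web server
        Rule("allow", False, 80, None, "tcp"),   # "replies" from web servers
    ]

    def decide(self, pkt: Packet) -> str:
        return evaluate(self.RULES, pkt)


class StatefulFilter:
    """Second generation: flows allowed in the initiating direction are recorded
    in a state table keyed by the 5-tuple; a packet is accepted as a reply only
    if the reverse 5-tuple is already there, so no inbound hole is needed."""
    RULES = [Rule("allow", True, None, 80, "tcp")]  # LAN -> any web server only

    def __init__(self) -> None:
        self.state: Set[Tuple[str, str, int, int, str]] = set()

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if key in self.state or reverse in self.state:
            return "allow"            # belongs to an established flow
        verdict = evaluate(self.RULES, pkt)
        if verdict == "allow":
            self.state.add(key)       # remember the newly opened flow
        return verdict


def demo() -> dict:
    """Constructed traffic: a real web session plus a forged 'reply' nobody asked for."""
    outbound = Packet("10.1.2.3", "203.0.113.10", 51000, 80, "tcp")
    reply = Packet("203.0.113.10", "10.1.2.3", 80, 51000, "tcp")
    forged = Packet("198.51.100.7", "10.1.2.3", 80, 445, "tcp")
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {
        "stateless": [stateless.decide(p) for p in (outbound, reply, forged)],
        "stateful": [stateful.decide(p) for p in (outbound, reply, forged)],
    }


if __name__ == "__main__":
    print(demo())  # {'stateless': ['allow', 'allow', 'allow'], 'stateful': ['allow', 'allow', 'deny']}
```

The stateless filter returns allow for all three packets, including the forged one aimed at port 445, because the only thing it can check is that the source port is 80. The stateful filter allows the genuine reply (its reverse 5-tuple was recorded when the outbound request was allowed) and denies the forged packet, and it does so with a single outbound rule and no inbound exception at all.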
The youngest one: the Next-Generation Firewalls
Let’s now head to the 21st century! In 2003, Gartner, an American consulting and research company active in the field of advanced technology, started to think about the idea of a Next-Generation Firewall (NGFW).
In 2004, they began publishing notes on the subject. 5 years later, in 2009, the first official report defining the principle of the Next-Generation Firewall was published. A Next-Generation Firewall federates many existing security technologies in one single asset. Application visibility and control, deep packet inspection, advanced threat protection, and quality of service have been merged together to define the Next-Generation Firewall concept, characterized as a non-disruptive, in-line, bump-in-the-wire configuration that also brings performance and management improvements.
NGFWs provide a large panel of functionality, including some of the traditional firewall services, but without the perceived performance problems. This functionality also includes support for user-, user-group- and user-role-based features, which identify the user separately from the IP address assigned to their system, in order to solve some of the remaining network security problems. Their deep packet inspection features ensure that attempted attacks are recognized and remediated: they examine traffic closely to determine whether it constitutes an attack.
Why should you choose Next-Generation Firewalls?
As explained above, the key benefits of choosing Next-Generation Firewalls lie in multiple features, which raise your level of security against the latest vulnerabilities.
Let’s now move on to the next parts to look deeper at some of these features and understand why they are so important in your infrastructure.
Next-Generation Firewalls’ features
Deep Packet Inspection
Deep packet inspection (DPI) is an advanced method of managing and examining network traffic. In a few words, unlike conventional packet filtering, this form of packet filtering locates, identifies, classifies, and allows/blocks packets based on the specific data or code found in their payloads. Mainly performed as part of firewall defence, DPI functions operate at the application layer of the OSI model. But how does it work exactly?
DPI examines the contents of packets received by the firewall and takes real-time decisions according to the implemented security policy. In the past, only the packet header was analyzed, partly due to the limitations of older technologies: until not long ago, firewalls did not have the processing power to perform deeper real-time inspection on large volumes of traffic. DPI was born from the technological advances that followed, in order to perform more advanced inspections covering the packet data as well as the headers. With DPI, an NGFW can identify the application or service used in a packet.
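The following added example (written for this newsletter, not code from any NGFW product) shows the difference between deciding on the header alone and deciding after looking into the payload. The three payload signatures, the per-port policy and the sample packets are constructed and deliberately simplified: a real DPI engine carries full protocol decoders, but even these three checks are enough to show how a payload that does not match the application expected on a port can be caught.

```python
import re
from typing import Dict, Set, Tuple

# Constructed policy: for each destination port, which applications are allowed on it.
PORT_POLICY: Dict[int, Set[str]] = {
    22: {"ssh"},
    80: {"http"},
    443: {"tls"},
}

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def identify_application(payload: bytes) -> str:
    """Classify a packet by looking inside its payload (simplified, hypothetical
    signatures; real DPI engines carry full protocol decoders, not three checks)."""
    if payload.startswith(b"SSH-2.0-"):            # SSH version-exchange banner
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # followed by a handshake message of type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if HTTP_REQUEST_LINE.match(payload):           # plaintext HTTP request line
        return "http"
    return "unknown"


def header_only_decision(dport: int) -> str:
    """What a Layer 3/4 filter does: it only knows the destination port."""
    return "allow" if dport in PORT_POLICY else "block"


def dpi_decision(dport: int, payload: bytes) -> Tuple[str, str]:
    """What DPI adds: the payload reveals the real application, which is then
    checked against what the policy allows on that port."""
    app = identify_application(payload)
    allowed = PORT_POLICY.get(dport, set())
    return app, ("allow" if app in allowed else "block")


# Constructed sample packets: (destination port, payload bytes).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),            # SSH banner on the HTTPS port
    (80, b"\x00\x01\x02\x03binary-blob"),         # unrecognised payload on port 80
]


def run_samples() -> list:
    """Return (port, header-only verdict, app seen by DPI, DPI verdict) per sample."""
    return [(dport, header_only_decision(dport), *dpi_decision(dport, payload))
            for dport, payload in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

The header-only filter allows all four packets because every destination port is in the policy. DPI allows the first two (HTTP on 80, a TLS ClientHello on 443) and blocks the last two: an SSH session carried over port 443 and an unrecognised payload on port 80, neither of which is the application the policy permits on that port.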
URL Filtering
Considered the most common type of web filtering technology, URL filtering is designed to allow or block access to certain websites. It is based on a specific list of websites (called filters) together with the action to apply to them. Triggered by comparing the URL a user is trying to access against that list, the filter specifies whether to block, allow, and/or track visits to those URLs. The URL filtering process takes place at the application layer by examining URL requests over common protocols like HTTP/HTTPS, FTP, and SMTP.
As explained above, URL filtering can block malicious, time-wasting, or questionable URLs such as gambling, social media, or known phishing websites. The URL filtering database, primarily maintained by the security vendor, is purpose-built to reference known malicious URLs and category definitions (gambling, social networks, etc.). The URL classification is built by the vendor through a combination of internal research, threat intelligence, machine learning, and artificial intelligence algorithms. In addition, the URL filtering database is customizable; it is therefore possible to submit a change for a miscategorized URL directly to the vendor.
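As an added example (not code from the newsletter or from any vendor’s product), the Python below models the URL filtering workflow described above: a vendor-style category database, a policy that maps each category to block, allow or track, and a local override table that takes precedence over the vendor database, which is how a miscategorized URL is corrected locally while the vendor processes the change request. The database entries, categories, policy and requested URLs are all constructed.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the vendor-maintained category database: hostname -> category.
VENDOR_DB: Dict[str, str] = {
    "casino.example": "gambling",
    "social.example": "social-networking",
    "login-verify.example": "phishing",
    "docs.example": "business",
    "intranet-tools.example": "gambling",   # deliberately miscategorized by the "vendor"
}

# Constructed policy: which action each category triggers.
CATEGORY_POLICY: Dict[str, str] = {
    "gambling": "block",
    "phishing": "block",
    "social-networking": "track",   # allowed, but the visit is logged
    "business": "allow",
    "unknown": "track",             # uncategorized sites are allowed but logged
}


class UrlFilter:
    """Categorizes a requested URL and applies the configured action.
    Local overrides take precedence over the vendor database, so a miscategorized
    URL can be corrected locally while the vendor fixes its database."""

    def __init__(self, vendor_db: Dict[str, str], policy: Dict[str, str],
                 overrides: Optional[Dict[str, str]] = None) -> None:
        self.vendor_db = vendor_db
        self.policy = policy
        self.overrides = dict(overrides or {})
        self.tracked: List[Tuple[str, str]] = []   # (host, category) of tracked visits

    def categorize(self, host: str) -> str:
        # Most specific match first: www.casino.example, then casino.example, then example.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.overrides:
                return self.overrides[candidate]
            if candidate in self.vendor_db:
                return self.vendor_db[candidate]
        return "unknown"

    def decide(self, url: str) -> Tuple[str, str]:
        """Return (category, action) for a URL; a category absent from the policy is allowed."""
        host = urlsplit(url).hostname or ""
        category = self.categorize(host)
        action = self.policy.get(category, "allow")
        if action == "track":
            self.tracked.append((host, category))
        return category, action


def demo() -> List[Tuple[str, str, str]]:
    """Constructed requests run through a filter carrying one local override."""
    flt = UrlFilter(VENDOR_DB, CATEGORY_POLICY, overrides={"intranet-tools.example": "business"})
    urls = [
        "https://www.casino.example/slots",
        "http://social.example/feed",
        "https://login-verify.example/account",
        "https://intranet-tools.example/",
        "http://nobody-knows.example/",
    ]
    return [(url, *flt.decide(url)) for url in urls]


if __name__ == "__main__":
    for url, category, action in demo():
        print(f"{action:5} {category:18} {url}")
```

The lookup walks from the full hostname down to its parent domains, so www.casino.example inherits the gambling category of casino.example. The intranet tool the vendor database wrongly lists as gambling is allowed because the local override wins, and hosts absent from both tables fall into the unknown category, which this policy tracks rather than silently allows.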
Firewall-as-a-Service
Firewall-as-a-Service, commonly called FWaaS, is a shorthand term for cloud-based firewalls. Like the other “as-a-Service” categories, Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS), FWaaS runs in the Cloud and is reachable from the Internet. As with any “as a service” offering, it is continuously updated and managed by the third-party vendor.
But what is the main difference between cloud-based firewalls (FWaaS) and Next-Generation Firewalls?
The term “next-generation firewall” refers to the firewall’s capabilities in general; NGFWs do not necessarily run in the Cloud. A Cloud firewall can have NGFW capabilities, but an on-premises firewall can also be a Next-Generation Firewall.
The main advantage of FWaaS lies in its capability to scale almost instantly to accommodate an expanding network, adapting to your network’s size, configuration, demand, and unique security needs. This is fully possible because it is cloud-based.
With the decentralization of networks increasing year by year to avoid the problems associated with on-premises infrastructure, the Cloud is a natural response. In addition to “traditional” cloud solutions (storage, development, etc.), FWaaS is now a solution that is understood, assimilated, and developed in the Cloud, in the same way as those “traditional” solutions. Taking advantage of the benefits of an NGFW integrated with cloud infrastructure is already underway.