Next-generation firewall is a marketing term, so there’s no single, clear definition of this sort of device. You’ll also see the term unified threat management (UTM) to describe what is essentially the same thing.

Below, I’ve put together a shopping list of features that are often included in next-gen firewalls so you can understand the options and make sure the ones relevant to your client networks are covered by the device you’re looking at.

First, a few words about basic firewalls

At its most basic (and I’ll explain all the terms in a moment) a firewall is a stateful device that can apply network layer access control to packets passing through it. It’s also able to do network address translation (NAT). And one of the most important yet most overlooked features of a basic firewall is that it must include extensive logging.

  • Stateful in this context means the firewall keeps a table of every active session passing through it. If I’m allowed to make an outbound connection to a web site on the Internet, the state table knows it should allow inbound packets back from the same site. But after my session ends and the firewall is no longer expecting those inbound packets, it should block them.
  • Network Layer access controls are simple rules that permit or deny traffic based on information in the packet headers. This information could include IP addresses, protocols, or port numbers.
  • Network address translation is a pretty well-understood concept. At a minimum, I want to hide internal private addresses from the Internet. So when forwarding a packet out to the Internet, the firewall needs to replace private addresses with public addresses that can be routed on the Internet. In many cases, I also want to make internal resources publicly accessible, which again means I need to create a mapping rule that associates the internal resource with a public IP address.
  • Logging is a little more subtle. A firewall should be capable of logging information about every successful session. In most cases, you’ll also want log information about unsuccessful sessions through the firewall. You may also want information about all of the NAT translations the firewall has done and all administrative activities done to the firewall. Ideally, this information should be sent to a central server so you can sort through it and look for interesting patterns that might indicate something bad is going on.

Another feature commonly found on basic firewalls is high availability. This involves having a second firewall configured to automatically take over in case the first one fails. To do this without dropping active sessions, it’s important that the secondary device have all state information about the sessions.

In most cases, the failover mode is active-standby: the secondary device doesn’t pass packets until the primary device fails. Then it takes over all processing. In some cases, it’s possible to build an active-active failover model in which two firewalls share the traffic load in some way. These active-active failover models are invariably much more complicated to both build and manage, though.

firewall flames SD-WAN

Photo: Eric E Castro on Flickr

Key features of next-generation firewalls

A next-generation firewall (NGFW) has all the features of a basic firewall plus some or all of the additional features I discuss below.

It’s important to note that not all NGFW vendors offer all these features, and sometimes the features are called by different names. Some vendors require expensive additional licences for some of the features. And sometimes the features are delivered using a cloud service, not done inside the firewall.

For licensed subscription features, it’s particularly important to understand what happens when the licence expires. Does your fancy firewall stop working? Does it still work but not perform the specific function?

Geolocation

Geolocation is the ability to associate IP addresses with physical locations. Rather than specifying a bunch of IP address ranges that will change over time, you can specify a whole country.

I’ve often used geolocation to restrict access from countries where I know the company has no legitimate business (cough, North Korea). However, you could also use geolocation to create a special NAT rule that sends all your North American traffic to one web server and all your European traffic to a different one.

Because IP address allocations change rather frequently, geolocation requires intermittent updates to remain current.

IDS/IPS

Intrusion detection or prevention systems look at the contents of packets going through the firewall and try to spot things that look like attacks. In most cases, IDS/IPS devices use signatures to detect known attacks. They also look for generic types of attacks, which are less signature dependent.

Because new attacks appear constantly, IDS/IPS devices tend to become less useful over time unless their signatures are regularly updated. This typically requires a subscription service from the vendor.

Antivirus/anti-malware

As files are uploaded or downloaded, they pass through the firewall and it can do a basic examination. In most cases, this will be signature-based analysis, looking at checksums and scanning inside the file for patterns of bytes that have been seen in known malware in the past. This feature obviously requires that files aren’t encrypted and the firewall has a recently updated set of signatures.

In truth, simple malware scanning at the firewall isn’t terribly effective because it’s so easy to hide malware with encryption. You’ll usually have better anti-virus scanning on the destination computer.

Sandboxing

A better form of malware scanning is called a sandbox. This is essentially a virtual machine (VM) running a common target operating system such as Windows. The firewall intercepts the file download and sends it over to the sandbox VM where it’s “detonated,” meaning the VM tries to run the file as if it were the target computer. The sandbox then looks for common types of malicious behaviour such as connecting to command and control (C&C) networks.

Once the file has been analyzed, the VM is safely deleted and a new one is created.

sandbox network infrastructure security isolation

Photo: F Delventhal on Flickr

In some cases, the sandbox is a separate physical box sitting at the network edge. In other cases, it’s a cloud service. It tends to be less effective to put a sandbox inside the firewall because the sandbox requires so many memory and CPU resources to run.

For many sandbox deployment models, the firewall holds onto the file and doesn’t deliver it to the end user until the cloud service has indicated it’s clean. This can result in a small delay.

A sandbox is much more effective than signature-based malware detection because it can catch new, previously unseen varieties of malware, and it works well against encrypted downloads. It’s still not perfect, though.

Malware writers are getting better at detecting when the code is unpacked in a sandbox. Also, sometimes malware is trying to target a particular vulnerability in a particular operating system. The defense only works if the sandbox happens to be running the target vulnerable operating system.

Web proxy and URL checking

Another useful feature often included in a next-gen firewall is either a URL checker or a full web proxy service.

A web proxy sits in the middle of an encrypted HTTPS session. To the web browsing computer, it pretends to be the web server. To the web server, it pretends to be the browser. In this way, the proxy can decrypt the HTTPS session in both directions and see exactly what’s going on, hopefully detecting any malicious activity.

A URL checking service doesn’t actually decrypt the session. It just pulls the web site information out and checks a large database of known bad or questionable sites to see if this particular one is OK.

Typically, both types of services will provide detection for a wide range of content types, not just malware. For example, they can be used to enforce appropriate-use policies against adult sites, gaming, video streaming, and so forth.

Both URL checkers and web proxies can be cloud services, or they can use separate physical boxes on-site. And there are operational models that don’t even include the firewall. For example, a common web proxy cloud service model involves the web browser communicating directly with the cloud service.

As more and more web traffic is encrypted, it’s becoming increasingly difficult to police web traffic without a decrypting web proxy. So it’s a very useful part of your security infrastructure. However, it doesn’t need to be part of the firewall.

The other way web proxies can be useful is in caching content for frequently accessed web sites. If several people access the same content on a common web site, the proxy can download and keep the content the first time it’s accessed. Then each subsequent viewer gets the cached version, which is faster because it’s local.

The cache also keeps that traffic off the Internet link, which reduces overall congestion. This only works if the proxy is physically inside your network, instead of a cloud service. And, because proxies tend to be fairly expensive, it’s really only cost-effective at larger sites.

web proxy in the middle NGFW firewall

Reverse proxy

A reverse proxy is similar to a proxy, except that instead of sitting in front of the web browser and protecting it against many web sites, it sits in front of the web server and protects it against many browsers. The reverse proxy holds the SSL certificates for the web server, and offloads the SSL work from that server.

One of the principal benefits of a reverse proxy is that it can sit in front of a relatively insecure web server and ensure attackers can’t hit it directly. A reverse proxy can also help mitigate certain types of denial of service attacks, a service model that’s particularly effective if the reverse proxy is a cloud service.

Web application firewall

A web application firewall (WAF) is a more sophisticated version of a reverse proxy. In truth, I haven’t seen really good WAF implementations built into next-gen firewalls, but there’s no reason it couldn’t be done.
A WAF enforces good HTTP and HTTPS behaviour. It’s usually implemented to decrypt the HTTPS packets and forward them to the web server as standard HTTP traffic. The WAF holds the SSL certificates for the web server. In this way, the WAF is able to fully inspect the contents of every packet.

A WAF typically look for things like attempted buffer overflow attacks on input fields, SQL injection attacks, cross-site scripting, and so forth. It also tries to detect any attempts to exploit known vulnerabilities in web server software.

Load balancing

Some next-gen firewalls include a load balancer feature. I’ve used this for both data center and remote branch implementations.

At the data center, it’s useful to be able to split the load across multiple web servers on your DMZ. Normally this would be done by a discrete load balancer appliance, but it makes a lot of sense to combine the reverse proxy and WAF functions with the load balancer since they’re complementary, particularly for HTTPS traffic. But if you have a lot of web traffic, it makes more sense to separate the firewall from these other functions. It’s also nice for management reasons to have distinct logical control points.

At a branch location, I’ve used load balancer features on firewalls to automatically redirect traffic to a secondary backup server at a different data center. Also, if I adjust the priorities differently for different branches, I can make half of them use one server and the other half use a different server. Then, if either of these servers fails, the remaining one automatically takes over for all branches.

load balancer NGFW next-gen firewall

Rob Brewer on Flickr

Threat intelligence

Threat intelligence is dynamic information that gets downloaded from a cloud service at regular intervals. The dynamic information is then used to help detect and block malicious behaviour.

Unfortunately, exactly what kinds of information are included in a threat intelligence feed can vary wildly. In some cases, it includes IP addresses of things like known spammers and known command-and-control servers. In other cases, it might include specific indicators of compromise that can be used to help detect malware.

Behavior analysis

Behavior analysis means trying to spot malicious applications by the fact that they do something unexpected. For example, a web server shouldn’t be making outbound connections to unknown IP addresses.

The term is also used to describe how sandboxes detect malware based on suspicious actions like trying to modify the Windows registry or deliberately trying to write past the end of allocated memory.
Behavior analysis is an emerging trend in security, and it potentially requires a lot of CPU and memory resources to monitor application behaviour adequately.

Central management

There are two sides to firewall management, and some vendors separate these functions into separate central applications. The first is configuration management, including the ability to manage and push out policies across large numbers of devices. The second is security monitoring.

Configuration management is a tricky problem. If you have a lot of firewalls, chances are there will be important differences between their configurations based on local requirements. At a minimum, the differences will include basic network configuration like interfaces and IP addresses. But if there are externally accessible resources (servers) at different sites, you’ll probably also need to have different firewall rules on every device.

At the same time, you probably still want to have centrally coordinated policies for next-gen functions such as which IDS/IPS signatures you want to use and web proxy settings. You could manually create the policies on every firewall, but it’s much easier to create the policies centrally and push them out to all devices. Central management is particularly important when you have active/standby configurations involving two firewalls that must have identical configurations to work properly.

hub central management NGFW

Andrew Fogg on Flickr

You could handle the central security monitoring on a piece of software from your firewall vendor, or using a separate Security Incident Event Management (SIEM) console. Or you could use both. I actually like to use both because the vendor software usually provides better detail on the specific security alarms and requires less work to give useful information.

Another really useful function of a central management console is coordinating automatic updating of new rules, including security intelligence feed data as well as new IDS/IPS signatures. Security is a highly dynamic field. New threats appear constantly, and it makes life a lot easier if you can download and push out new policies and rules.

And, if you can download and push out policies and rules, you can do the same with software/firmware updates to the firewall devices. Some next-gen firewalls don’t seem to create firmware updates very often, while others create new versions several times a year. Since critical security bugs do appear in firewalls, I like to stay on top of the release notes for these new releases. And when I have a lot of firewalls, I like to be able to automate these updates.

Next-generation firewall vendors

Watch out for marketing nonsense, which seems to be particularly dense in the NGFW market.

For example, one vendor will tell you it’s a problem that another vendor’s NGFW features run “bolted on” in a separate virtual machine on the same hardware as the basic firewall, rather than being directly integrated into the main firewall code. I can’t see what difference this makes as long as it’s sized appropriately so there are no performance problems.

Some vendors criticize others either for using cloud services or not using cloud services for certain types of analysis. Again, if the performance isn’t affected, you shouldn’t care.

You can check research reports, like those from Gartner, for recommendations on the best next-generation firewall vendors. The research firms do a good job of providing up-to-date analysis of both existing and emerging products.

My current favourite firewall vendors, in no particular order, are Cisco, Palo Alto, and Fortinet. I’ve used all of these products in networks, sometimes side by side. In fact, I quite like the idea of using multiple security products together because they each have different strengths and weaknesses. Hopefully, what one misses another will catch.

I like Cisco ASA firewalls, particularly since the acquisition and integration of the SourceFire product line. They provide an incredible number of features.

The greatest disadvantage to Cisco is that the flexibility and power of the basic equipment can lead to confusion among inexperienced administrators. It’s not hard to shoot yourself in the foot without knowing it. And there are usually about 10 different ways of accomplishing the same basic tasks. However, inexperienced administrators can largely mitigate these issues by using the ASDM GUI interface rather than the more flexible and powerful CLI. And I think the FireSight central management system for the SourceFire components is very good.

Palo Alto has a more tightly integrated approach. They include next-gen firewall features in their main firewall code, which in principle gives performance benefits. The Palo Alto central management system is excellent.

My biggest complaint with Palo Alto is that they tend to focus too much on unorthodox protocol implementation as a sign of malicious behaviour. But hackers can and often do implement their attacks on standard platforms. And, conversely, many big software vendors have implemented completely broken protocols that then require elaborate workarounds on the firewall.

Palo Alto are also the most expensive firewalls of the three discussed here.

next generation firewalls NGFW next gen

Ron Almog on Flickr

Fortinet‘s greatest virtue is that it provides a huge range of solid next-gen firewall features with amazing price to performance ratios. They offer (most of) the same features across a huge range of platforms.

Their bottom-end firewalls are suitable to very low speed Internet connections at remote branch offices, while their top end data center firewalls provide some of the best throughput and latency performance available. The trade-off is that some of these features (like IDS/IPS, for example) are less flexible and robust than the corresponding features on Cisco or Palo Alto devices. Also, the Fortinet central management systems are far less sophisticated than those of Cisco or Palo Alto.

I know that all of these vendors will object strenuously to the way I’ve characterized what I perceive as their weaknesses. I’ve previously raised all of these issues with the vendors directly and received stern rebuttals that in all cases completely failed to fully address my concerns.

But my main point is they are all excellent, and I strongly recommend all of these products. Just bear in mind that no product is perfect, and even the best products will be completely unsuitable in some environments.

Make it someone’s job

Finally, keep in mind that a firewall is just a tool. You can’t just turn it on and walk away— you must actively monitor it. If it catches and blocks an attack of some kind, that’s great.

But you also need to worry about warnings and alerts. And remember that when a firewall blocks bad things originating from inside your network it could indicate an internal device is already compromised.

If you really intend to use the features of a next-generation firewall, plan to have someone whose job it is to look at all of the recent alerts from the firewall at least daily. This person should follow up on every alert and determine whether it represents a real concern, and take appropriate action to remediate the root cause of the problem.

It’s also a good idea to use the false positives to tune the rules gradually over time so they’re optimized for your client’s environment. Since many organizations can’t afford a full-time resource with firewall expertise, they often look to managed service providers to fulfill the requirement.