In a marketing world that sees words and phrases like “new,” “improved,” and “next-generation” thrown around like New Year’s confetti, is the “next-gen firewall” label meaningful or just more marketing blather? Perhaps surprisingly, next-gen firewalls are different from classic firewalls in substantial ways — ways that you should know about when reading the marketing language that floats around the security industry.
States and Deep Packets
The first significant difference between the two types of firewalls lies in how they evaluate traffic. Most traditional firewalls are “stateful” firewalls while next-gen devices tend to do some form of deeper packet inspection. So what does that really mean?
A stateful firewall looks at the state of a particular connection: The protocol it uses, the port over which it is communicating, and whether it conforms to specific rules established by the firewall admin. The great advantage of stateful firewalls is that they can handle a high traffic volume with limited CPU power, because the go/no-go decision is being made once per connection. Once a connection is permitted, it’s permitted as long as the connection is maintained. Deeper packet inspection requires more from the firewall.
Where stateful firewalls tend to focus on the “wrapper” for a connection, deep packet inspection pays attention to the connection’s contents. A next-gen firewall can look not only at the protocol, source, and destination, but at whether the packets are malformed, whether they contain malware, and whether the contents are consistent with expected traffic from a particular source. This inspection is much more compute-intensive than stateful filtering, but it provides protection from many additional threat types.
Another way of looking at the difference in how the two types of firewalls work is to measure them against the OSI 7-layer model. Stateful firewalls tend to live at Layer 3 — the Network Layer. This is where network protocols operate, and is also the layer at which many network switches function. Deep packet inspections take place at higher levels on the stack.
Deep packet inspection takes effect on Layers 4 through 7 of the OSI stack, checking to see whether the packets are malformed, properly encoded, and carrying data permitted by corporate rules. These checks (and rules regarding acceptance or rejection) mean that deep packet inspection can identify and act upon many attacks that a classic, stateful firewall would not catch.
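The once-per-connection decision and the per-packet content check described above can be put side by side in a short sketch. This is an added example, not code from the article or from any firewall product; the rule set, addresses, and class names are constructed, and treating every port-80 payload as an HTTP request line is a simplification.

```python
import re
from collections import namedtuple

# syn is True only on the packet that opens a connection.
Packet = namedtuple("Packet", "src sport dst dport proto syn payload")
# Admin rule set (constructed): permitted (protocol, destination port) pairs.
ALLOWED = {("tcp", 80)}
# What port-80 traffic is expected to look like: an HTTP/1.x request line.
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

class StatefulFirewall:
    """Decides once per connection, using only the connection's 'wrapper'."""
    def __init__(self):
        self.state = set()           # 5-tuples of connections already permitted

    def allow(self, p):
        key = p[:5]                  # src, sport, dst, dport, proto
        if key in self.state:        # established: no further evaluation
            return True
        if p.syn and (p.proto, p.dport) in ALLOWED:
            self.state.add(key)      # go/no-go decision made here, once
            return True
        return False

class InspectingFirewall(StatefulFirewall):
    """Same connection tracking, plus a content check on every payload."""
    def allow(self, p):
        if not super().allow(p):
            return False
        if p.payload and p.dport == 80 and not HTTP_REQUEST.match(p.payload):
            self.state.discard(p[:5])    # drop the connection from the table
            return False
        return True

# Constructed sample traffic: one permitted connection whose second data
# packet is not HTTP at all, and one connection to a port no rule allows.
C = ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")
TRAFFIC = [
    Packet(*C, syn=True, payload=b""),
    Packet(*C, syn=False, payload=b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(*C, syn=False, payload=b"\x00\x01\xffnot-http-at-all"),
    Packet("10.0.0.5", 40001, "192.0.2.10", 23, "tcp", syn=True, payload=b""),
]

def verdicts(firewall):
    """Return the allow/deny decision for each packet in TRAFFIC, in order."""
    return [firewall.allow(p) for p in TRAFFIC]
```

The stateful filter passes the third packet because its connection was already permitted; the inspecting filter rejects it on content alone, at the cost of a pattern match on every payload.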
Replacing Different Devices
In a traditional network security infrastructure, the firewall was one of the devices providing protection. It would typically be deployed along with an intrusion detection/prevention system (IDS/IPS), a web application firewall (WAF), a network filter, and perhaps more. The various security devices might work together in a coordinated fashion, but making that happen requires system integration and perhaps a network security manager to do the coordination and centralized management. A next-generation firewall can make things somewhat simpler.
A next-gen firewall can replace many of the different devices used in a traditional network security stack with the obvious advantage of not requiring multi-device integration. The various functions of identifying and blocking threats at different OSI layers can happen within a single device, using a single programming language and a single management console. The tradeoff is that doing everything in a single appliance requires much more computing horsepower in the box and takes away the possibility of choosing “best in breed” solutions for each layer.
As CPUs have become more powerful, the performance penalty has been greatly reduced and next-generation firewalls have become far more popular. When looking at whether a next-gen firewall is right for your organization, you should ask for its capability both in terms of bandwidth and simultaneous connections. Find out how it deals with traffic among and between cloud services and on-prem networks.
And finally, make sure that your staff can deploy and manage the next-generation device as well as they can handle the traditional stack. Thousands of attackers are waiting for your answer.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …