What is a NGFW and Why You Need One

October 31, 2016 Security, Trends

Before the MPAA cease and desist notices, APTs, SSL malware, detailed web filtering requirements, regulatory monitoring to meet compliance standards…and the list goes on, we in the security world could rely on a trusty PIX or other layer 4 firewall. Those days have come and gone, and today’s requirements have outgrown the traditional firewall. Mitigating many of the de facto standard security threats means going deeper than deep packet inspection. That’s right, I’m taking it straight to the top of the OSI model. Today we fight the bad with good in the application layer. Don’t get me wrong, I get a sense of nostalgia thinking about the simpler times when a rule base of over 20 lines seemed complex. That frankly isn’t the world we live in today.

First, I’d like to explain what I consider a “traditional” firewall. I label a firewall as traditional if the inspection criteria for the security policy are limited to source and destination IP address paired with source and destination TCP/UDP port. Some traditional firewalls could raise the bar slightly by leveraging application layer gateways (ALGs), but let’s be honest, ALGs were not next gen anything besides a pain to troubleshoot. Another criterion I place on traditional firewalls is that they can natively perform IDS/IPS functionality only after adding dedicated hardware. My last criterion is URL filtering, which wasn’t an option previously because nobody cared where you went on the internet in 1999.

I’m not releasing any groundbreaking news here, as most, if not all, firewall manufacturers have been developing NGFWs for some time now. Cisco, for example, has drawn the line in the sand and published the end of support date for their old ASA line in late 2018. How many really old PIXs and ASAs will still be running in production environments after 2018? I’d guess hundreds of thousands, if not millions. That’s a big problem I’m seeing in the industry today. These appliances will run for a very long time without the need to replace them due to hardware failure. Case in point, I had a screenshot from a few years ago of a command prompt on an old firewall that hadn’t been bounced in 7 years! I felt bad when we finally did replace that box, considering it would probably still be chugging along had I not interrupted its streak. The old adage “don’t fix what is not broken” need not apply in the firewall world. I know it sounds silly, but there are many engineers out there losing the case to the folks that control the purse strings due to “Security is not broken, so why fix it?”.

Usually, upgrade decisions will eventually come down to the mighty dollar. That, in my mind, is an easy case for the NGFW to win, considering the value it provides at a similar price to the old traditional hardware. This is especially true if you’re not considering the extra licensing cost, which each vendor handles a bit differently. I’d argue that the first milestone should be to get the hardware in service, then add feature licenses as budget allows. I could make a case for why each license is important, but at the end of the day every business has a different appetite for risk, so mileage will vary. The financial case can sometimes be made that consolidating AV, IDS/IPS, malware, web filtering and DLP into a single appliance reduces the overall op-ex if you are able to retire some standalone devices.

To wrap things up, if you want to have a tool in your tool belt that has a fighting chance at mitigating current threats, you really need to catch up with the times and install a NGFW on your perimeter. That doesn’t magically protect you from all threats coming your way. If configured properly, though, it will substantially reduce the threat vectors that you are forced to accept or mitigate elsewhere. More importantly, it will allow more granularity in control, which in turn allows the security team to be more flexible in allowing only what is needed to enable the business to function.


Jeremy has built his career around protecting assets in the most critical IT sectors.