A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone and a trusted zone.
Unlike a UTM, a Next Generation Firewall is application aware and makes decisions based on application, user and content. Its natively integrated design simplifies operation and improves security. Given its success, the term NGFW has now become synonymous with firewall.
Early on, stateful inspection firewalls classified traffic by looking only at the destination port (e.g., tcp/80 = HTTP). As the need for application awareness arose, many vendors added application visibility and other software or hardware ‘blades’ into their stateful inspection firewall and sold the offering as a UTM (Unified Threat Management). UTMs did not improve security since the functions were retrofitted into the firewall, and not natively integrated.
The user identity feature on NGFWs identifies users in all locations, irrespective of device type and operating system. However, the issue of user identity goes beyond classifying users for policy reporting. Protecting user identity is equally important.
The 2017 Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged weak and/or stolen credentials. Attackers use stolen credentials to access an organization, move laterally, and escalate privileges for unauthorized applications and data.
An NGFW enforces capabilities like machine learning based analysis and multi-factor authentication (MFA) to prevent credential theft and subsequent abuse – and preserve the user identity.
Users are accessing diverse types of apps, including SaaS apps, from varying devices and locations. Some of these apps are sanctioned, some tolerated and others unsanctioned. Security administrators want to have complete control over usage of these apps and set policy to either allow or control certain types of applications and deny others.
An NGFW provides complete visibility into application usage, along with capabilities to understand and control their use.
For example, you can see how application functions such as audio streaming, remote access, and posting documents are being used, and then enforce granular controls over that usage, such as uploading and posting to Facebook, file sharing on Box, and file transfer.
Most enterprise web traffic is now encrypted, and attackers exploit encryption to hide threats from security devices.
An NGFW allows security professionals to decrypt malicious traffic to prevent threats, while at the same time preserving user privacy – with predictable performance.
Today, most modern malware, including ransomware variants, leverage advanced techniques to transport attacks or exploits through network security devices and tools.
An NGFW utilizes systems that can identify evasive techniques and automatically counteract them.
For example, it uses multiple methods of analysis to detect unknown threats, including static analysis with machine learning, dynamic analysis and bare metal analysis. By using a cloud-based architecture, the threat detection and prevention can be supported at mass scale across the network, endpoint and cloud.
As the number of needed security functions continues to increase, there are two options: add another security device or add a function to an existing device.
When the NGFW is built on the right architecture, it’s possible to add a function to a next-generation firewall, instead of adding another security device. This type of integrated approach offers benefits and advantages that discrete devices cannot.
NGFWs are available in both physical and virtual form factors to fit a variety of deployment scenarios and performance needs.
Organizations rely on multiple sources of threat intelligence to ensure the widest possible visibility into emerging threats, but they struggle to aggregate, correlate, validate and share indicators across different feeds.
An NGFW automatically transforms this information into actionable controls that prevent future attacks.
User-ID™ technology enables our Next-Generation Firewalls to identify users in all locations, no matter their device type or operating system. Visibility into application activity— based on users and groups, instead of IP addresses—safely enables applications by aligning usage with business requirements. You can define application access policies based on users or groups of users. For example, you can allow only IT administrators to use tools such as Secure Shell, Telnet, and File Transfer Protocol. Policy follows users no matter where they go—headquarters, branch office, or home—and across any devices they may use. Plus, you can use custom or predefined reporting options to generate informative reports on user activities. With Policy Optimizer, you can strengthen security by closing dangerous policy gaps left by legacy firewall policies. Policy Optimizer helps your security team easily replace legacy rules with intuitive, application-based policies. Because App-ID-based rules are easy to create, understand, and modify as business needs evolve, they minimize configuration errors that leave you vulnerable to data breaches. These policies strengthen security and take significantly less time to manage.
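The following added example (not the vendor's code) models the policy style described above: rules match on the application identified from traffic content and on the user's group, and are contrasted with the port-only classification of legacy stateful inspection. Rule names, groups and flows are constructed.

```python
"""Added example (not the vendor's code): a minimal model of
application- and user-aware rule matching, contrasted with port-only
classification. Rule names, groups and flows are constructed."""
from dataclasses import dataclass

# Legacy stateful inspection: the destination port is assumed to name the app.
PORT_TO_APP = {21: "ftp", 22: "ssh", 23: "telnet", 80: "web-browsing", 443: "ssl"}

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset   # directory groups the user belongs to
    dst_port: int
    app: str            # application identified from the traffic content

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    groups: frozenset = frozenset()   # empty set means any user
    action: str = "allow"

def classify_by_port(flow):
    """Port-based classification: misses apps running on non-standard ports."""
    return PORT_TO_APP.get(flow.dst_port, "unknown")

def evaluate(rules, flow, default="deny"):
    """First-match evaluation on identified app and user group; default deny."""
    for rule in rules:
        if flow.app in rule.apps and (not rule.groups or flow.groups & rule.groups):
            return rule.name, rule.action
    return "default", default

# Constructed rule set: only IT administrators may use SSH, Telnet and FTP;
# everyone may browse the web.
RULES = [
    Rule("admin-tools", frozenset({"ssh", "telnet", "ftp"}), frozenset({"it-admins"})),
    Rule("web-access", frozenset({"web-browsing", "ssl"})),
]

if __name__ == "__main__":
    # SSH tunnelled over tcp/443 by a finance user: the port lookup says "ssl",
    # content identification says "ssh", and the user-aware rules deny it.
    flow = Flow("alice", frozenset({"finance"}), 443, "ssh")
    print(classify_by_port(flow), evaluate(RULES, flow))
```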
Users spend almost all of their time on encrypted websites and applications. Unfortunately, attackers use encryption to hide threats from security devices.
Our Next-Generation Firewalls use policy-based decryption to allow security professionals to decrypt malicious traffic, including traffic using TLS 1.3 and/or HTTP/2, yet preserve user privacy and predictable performance. Flexible controls allow you to leave traffic encrypted if it is sensitive, for instance if it is associated with shopping, military, healthcare, or government websites. You can prevent users from accessing websites that use self-signed, untrusted, or expired certificates. You can also block access if a website is using unsafe TLS versions or weak cipher suites. To preserve user privacy, you can define decryption exclusions by policy and additionally allow users to opt out of decryption for specific transactions that may contain personal data. The rest of your traffic can be decrypted and secured. If you are unsure where to start, you can use our Next-Generation Firewalls to gain full visibility into the details of all encrypted connections.
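The added example below (not vendor code) models the decryption policy just described as a single decision function: unsafe TLS versions, weak ciphers and untrusted or expired certificates are blocked, sensitive categories and user opt-outs are left encrypted, and everything else is decrypted. The categories, cipher names, reference time and sample connections are constructed.

```python
"""Added example (not vendor code): policy-based decryption decisions modelled
on the controls described above (category exclusions, user opt-out, blocking
of untrusted/expired certs, unsafe TLS versions, weak ciphers). Constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

NO_DECRYPT_CATEGORIES = {"shopping", "military", "healthcare", "government"}
SAFE_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "MD5")
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time

@dataclass
class Connection:
    sni: str
    category: str              # URL category of the destination
    tls_version: str
    cipher: str
    cert_trusted: bool         # server chain validates to a trusted CA
    cert_self_signed: bool
    cert_not_after: datetime
    user_opt_out: bool = False # user excluded this transaction from decryption

def decide(conn, now=NOW):
    """Return (verdict, reason) with verdict 'block', 'no-decrypt' or 'decrypt'."""
    # Unsafe cryptography is blocked before any privacy exclusion applies.
    if conn.tls_version not in SAFE_TLS_VERSIONS:
        return "block", f"unsafe TLS version {conn.tls_version}"
    if any(m in conn.cipher.upper() for m in WEAK_CIPHER_MARKERS):
        return "block", f"weak cipher suite {conn.cipher}"
    if conn.cert_self_signed or not conn.cert_trusted:
        return "block", "untrusted or self-signed certificate"
    if conn.cert_not_after < now:
        return "block", "expired certificate"
    # Privacy exclusions: sensitive categories and per-transaction opt-out.
    if conn.category in NO_DECRYPT_CATEGORIES:
        return "no-decrypt", f"excluded category {conn.category}"
    if conn.user_opt_out:
        return "no-decrypt", "user opted out"
    return "decrypt", "default policy"

VALID_UNTIL = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLES = {   # constructed connections covering each branch
    "shop": Connection("shop.example", "shopping", "TLSv1.3", "TLS_AES_128_GCM_SHA256", True, False, VALID_UNTIL),
    "old-tls": Connection("a.example", "news", "TLSv1.0", "AES128-SHA", True, False, VALID_UNTIL),
    "expired": Connection("b.example", "news", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", True, False, datetime(2023, 1, 1, tzinfo=timezone.utc)),
    "plain": Connection("c.example", "news", "TLSv1.3", "TLS_AES_256_GCM_SHA384", True, False, VALID_UNTIL),
}

def evaluate_samples():
    return {name: decide(c)[0] for name, c in SAMPLES.items()}
```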
Support for hardware security modules allows you to manage digital keys securely. Perfect Forward Secrecy ensures the compromise of one encrypted session does not lead to the compromise of multiple encrypted sessions.
Users are accessing diverse application types, including SaaS. Some of these apps are sanctioned by your organization; some are tolerated, though not mandatory to carry out your business; and the rest must not be allowed since they increase risk. App-ID™ technology on our Next-Generation Firewalls accurately identifies applications in all traffic passing through the network, including applications disguised as authorized traffic, using dynamic ports, or trying to hide under the veil of encryption. App-ID allows you to understand and control applications and their functions, such as video streaming versus chat, upload versus download, screen-sharing versus remote device control, and so on.
SaaS application characteristics allow you to understand application usage. For example, you can identify which SaaS applications accessed from your organization lack the required certifications or have a history of data breaches. You can allow access to sanctioned enterprise accounts on SaaS applications, such as Microsoft 365™, while blocking access to unsanctioned accounts, including personal/ consumer accounts.
Cyberattacks have increased in volume and sophistication, now using advanced techniques to transport attacks or exploits through network security devices and tools. This challenges organizations to protect their networks without increasing their security teams’ workloads or hindering business productivity. Seamlessly integrated with the industry-leading Next-Generation Firewall platform, our cloud-delivered security subscriptions coordinate intelligence and provide protections across all attack vectors, eliminating the coverage gaps that disparate network security tools create. Take advantage of market-leading capabilities with the consistent experience of a platform and secure your organization against even the most advanced and evasive threats.
Organizations rely on threat intelligence from multiple sources to provide the widest visibility into unknown threats. Unfortunately, ingesting such high volumes of data leaves businesses struggling to aggregate, correlate, validate, and glean insights to share information and enforce protections across their networks. WildFire quickly detects unknown threats, maintains shared intelligence from a global community, and automatically delivers protections to enforcement points in seconds, alleviating the manual tasks of reversing malware, sifting through large pools of data, and importing intelligence.
Conventional security models operate on the outdated assumption that everything inside an organization’s network can be trusted. These models are designed to protect the perimeter. Meanwhile, threats that get inside the network go unnoticed and are left free to compromise sensitive, valuable business data. In the digital world, trust is nothing but a vulnerability.
Zero Trust is a cybersecurity strategy that prevents data breaches. In Zero Trust, each step a user makes through the infrastructure must be validated and authenticated across all locations.
Our Next-Generation Firewalls directly align with Zero Trust, including enabling secure access for all users irrespective of location, inspecting all traffic, enforcing policies for least-privileged access control, and detecting and preventing advanced threats. This significantly reduces the pathways for adversaries, whether they are inside or outside your organization, to access your critical assets.
IT teams are stretched to the limit trying to manage today’s complex security deployments. Our Next-Generation Firewalls help by making it easy to manage security as well as visualize and interact with the data. Your administrators can manage individual firewalls through a full-featured, browser-based interface. Whether managing two firewalls or large-scale deployments, you can use a management platform to obtain centralized visibility, edit security policies, and automate actions for all your firewalls in any form factor.
Role-based access control (RBAC), combined with pre- and post-rules, allows you to balance centralized supervision with the need for local policy editing and device configuration flexibility. The Application Command Center (ACC) and log management capabilities create a single pane of glass for actionable visibility across multiple devices, no matter where the devices are deployed. Additional support for standards-based tools, such as Simple Network Management Protocol (SNMP) and REST-based APIs, allows for easy integration with management tools you already use.
Protection against the evolving threat landscape often requires new security functions to be introduced. Next-Generation Firewalls are built on a single-pass architecture, which offers predictable performance and native integration—features that cannot be attained by layering new capabilities on a legacy architecture that still works on IP addresses, ports, and protocols. Our Next-Generation Firewalls perform full-stack, single-pass inspection of all traffic across all ports, providing complete context around the application, associated content, and user identity to form the basis of your security policy decisions. This architecture allows us to add innovative, new capabilities easily—as we’ve already done with WildFire and, more recently, IoT Security.