What is an NGFW?
Next-generation firewalls (commonly abbreviated to NGFWs) are deep-packet inspection firewalls that add application-level inspection, intrusion prevention, and that utilise intelligence from outside the firewall.
Gartner points out that “an NGFW should not be confused with a stand-alone network intrusion prevention system (IPS), which includes a commodity or non-enterprise firewall, or a firewall and IPS in the same appliance that are not closely integrated.” In fact, Gartner helpfully lists the key characteristics of NGFWs:
- Application awareness, full stack visibility and granular control.
- Non-disruptive in-line bump-in-the-wire configuration.
- Standard first-generation firewall capabilities, such as network-address translation (NAT), stateful protocol inspection (SPI), and virtual private networking (VPN).
- Integrated signature-based Intrusion Prevention System (IPS) engine.
- Ability to incorporate information from outside the firewall, such as directory-based policy, blacklists, and white lists.
- Upgrade path to include future information feeds and security threats, and Secure Socket Layer (SSL) decryption to enable identifying undesirable encrypted applications.
Since NGFWs appeared on the market, traditional firewalls have effectively become obsolete because they cannot inspect the payload of each packet and cannot distinguish between malicious content and legitimate business application traffic. An NGFW can not only achieve this but can also distinguish between specific applications and apply policies based on business rules. It is this application awareness that qualifies whether a firewall counts as an NGFW.
If the idea of a NGFW sounds too good to be true, you’re probably wondering what the drawbacks are. Different vendors use different techniques to achieve the same ends, so it’s true that not all NGFWs are the same. And probably the biggest pitfall is network degredation.
NGFWs and network performance
The trouble with NGFWs has historically been that the more features you enable, the more network performance degrades. That means customers are forced to turn off some of the NGFW capabilities if they want to retain high network traffic throughput on their NGFW device; some estimates put the impact of some NGFW designs at 50% or more.
But these days, network operations and security are inseparable. When a data breach occurs the network becomes threatened and consequently the whole business is at risk. As Cisco puts it, “resiliency, performance, and threat defence are increasingly intertwined”. And keeping up network performance while constantly evaluating threats can be a huge challenge, as we’ve just seen.
So business resilience is a high priority for network operations teams. They simply can’t do their jobs if security becomes a choke point. With too many NGFW products, when you enable advanced threat functions they cause a serious network bottleneck.
‘No compromise security architecture’
When Cisco began development of its Firepower 2100 series NGFWs the key aim was to implement all the robust security features of NGFWs without degrading network performance. The team’s objectives included:
- Sustained throughput performance when threat functions are enabled.
- Flexibility and future-proofing versus ASIC-based designs that inhibit the ability to add new defences and functions.
- A fast path that accelerates flows that do not require threat inspection, further enhancing performance through the appliance.
At the heart of the Firepower 2100 series are a dual, multi-core CPU architecture and software optimisation features that really do have such negligible impact on the network that you won’t even notice the appliance is there, protecting your business.
How does Firepower 2100 achieve its performance?
By applying purpose-built processing for each task, Firepower 2100 Series NGFWs reduce the need to overprovision and foster deeper inspection levels than might otherwise be possible.
The design uses Intel multi-core CPUs for Layer 7 threat inspections (app visibility, intrusion detection, URL filtering, malware and file inspection, user identity, etc.) and a combination of merchant and a Network Processing Unit (NPU) for layer 2-4 traffic (stateful firewall, NAT, VPN-SSL encryption/decryption, and more.).
Traffic first traverses the NPU, where it may be blocked based on access controls, negating any need to inspect further. Flows requiring advanced inspection are copied and sent to the x86 complex, where inspection services are optimised using methods such as security group tags. In addition, a ‘fast path’ option allows intelligent re-routing of trusted traffic dynamically.
Does it work?
Cisco’s solution is extremely effective. Global Security Mag noted that “The new Cisco Firepower 2100 Series provides businesses with the confidence to pursue new digitisation opportunities, knowing they have a security architecture designed to protect against the greatest threats, without affecting the performance of critical business functions.”
Firepower 2100 can reduce the traditional complexity and fragmentation of security within a single appliance. You can go from connection to protection within five minutes with its low-touch provisioning. And, of course, it’s an ideal solution for organisations looking for an advanced threat, ransomware and malware protection solution that can also help businesses demonstrate GDPR compliance.
