Firewalls are continuously evolving into more intelligent network devices. Originally, traditional firewalls could apply access control only on source and destination IP addresses and ports. As their feature sets matured, firewalls gained basic application awareness for protocols that are not strictly tied to fixed ports, such as FTP, whose data channel uses ports negotiated over the control connection. Basic security inspection was also added, mostly for layer 2-4 attacks. Several firewall companies touted and marketed these capabilities as intrusion prevention (IPS), even though their products fell far short of the security inspection any decent dedicated IPS provides. Thus, an IPS is still required alongside a traditional firewall to achieve security inspection and protection for applications up to layer 7.
Next generation firewalls (NGFW) take this further by applying access control based on identification of the application from the content and structure of the traffic, rather than from the port alone. These controls can also be tied to users more readily than before. This provides very granular control over the applications on one's network and defends against applications riding over well-known ports. Identifying an application is not the same as inspecting it for attacks, however: an NGFW does not add the layer-7 threat inspection that would allow it to replace an IPS.
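The distinction drawn above is easiest to see on concrete traffic. The following is an added illustration, not code from the original article or from any vendor product: the same constructed sample flows are evaluated by a port-based ACL (traditional firewall), an application- and user-aware policy (NGFW), and a set of layer-7 content signatures (IPS). The rule tables, user groups, payloads and signatures are all assumptions made up for the demonstration; the application identification is a deliberately simple first-bytes classifier.

```python
"""
Added illustration (not from the original article): constructed sample flows
evaluated three ways, to separate port-based access control (traditional
firewall), application-aware access control (NGFW) and layer-7 content
inspection (IPS). Rule tables, user groups, payloads and signatures are all
made up for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


# 1. Traditional firewall: the verdict depends only on the destination port.
PORT_ACL = {80: "allow", 443: "allow", 22: "deny"}


def port_based_decision(flow: Flow) -> str:
    return PORT_ACL.get(flow.dst_port, "deny")


# 2. NGFW: identify the application from the payload, then apply a policy
#    keyed on (application, user group). The port is not consulted at all.
def identify_application(payload: bytes) -> str:
    if payload.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):  # TLS handshake record
        return "tls"
    return "unknown"


USER_GROUPS = {"alice": ["admins"], "bob": ["staff"]}  # assumed directory data
APP_POLICY = {("http", "*"): "allow", ("tls", "*"): "allow", ("ssh", "admins"): "allow"}


def ngfw_decision(flow: Flow) -> str:
    app = identify_application(flow.payload)
    for group in USER_GROUPS.get(flow.user, []) + ["*"]:
        verdict = APP_POLICY.get((app, group))
        if verdict is not None:
            return verdict
    return "deny"


# 3. IPS: signatures over the layer-7 content of traffic the firewall let through.
SIGNATURES = {
    "path-traversal": re.compile(rb"(\.\./){2,}"),
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
}


def ips_alerts(flow: Flow) -> list:
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(flow.payload))


def evaluate(flow: Flow) -> dict:
    return {
        "app": identify_application(flow.payload),
        "port_acl": port_based_decision(flow),
        "ngfw": ngfw_decision(flow),
        "ips_alerts": ips_alerts(flow),
    }


# Constructed sample flows (not captured traffic).
FLOWS = {
    # SSH riding over port 80 by a non-admin: port ACL allows, NGFW denies.
    "ssh_over_80": Flow("bob", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # Ordinary web request: everything allows, no alerts.
    "plain_http": Flow("bob", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    # Web request carrying a directory-traversal attempt: the NGFW still sees
    # "http", an allowed application, and passes it; only the IPS signature fires.
    "http_traversal": Flow("bob", 80,
        b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    # Admin SSH on its normal port: port ACL denies, user-aware NGFW allows.
    "admin_ssh": Flow("alice", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:16} {evaluate(flow)}")
```

The third flow is the point of the article in miniature: the NGFW policy is doing exactly what it is designed to do, allowing the HTTP application for any user, and that is why it cannot be expected to stop an attack carried inside HTTP. Only the content signature layer sees the traversal attempt.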
A research note dated October 12, 2009 from Gartner titled "Defining the Next Generation Firewall" [1] states that "NGFWs will be most effective when working in conjunction with other layers of security controls." We see some security companies working to advance the security coverage of their NGFW products, but today none exists that can replace both your firewall and your IPS while providing the same level of comprehensive security. We see the next generation firewall eventually becoming a feature of the IPS, which will ultimately help organizations save administrative resources and costs through robust, integrated policy management.
Jason Lancaster, Technology Director, TippingPoint
[1] Pescatore, John and Greg Young, "Defining the Next Generation Firewall," Gartner, Inc. (October 12, 2009), http://www.gartner.com/DisplayDocument?doc_cd=171540.
