Top 5 Underutilised Firewall Features

Traditional firewalls protect networks by selectively blocking or allowing network traffic based on IP address and network ports. While this is still the case, next-generation firewalls (NGFWs) provide a range of additional features to protect networks against new and emerging threats.

NGFWs have been around for over a decade, yet many organisations fail to take advantage of their most beneficial features. I’ve come across a few recently, so thought I’d share my top 5 NGFW features and why they are so important.

  1. Web Filtering

    Web Filtering prevents users from accessing certain websites based on categories, such as adult material, gambling or sites known to contain malicious code. These categories are maintained by the firewall manufacturer and provided as a subscription service, so admins don’t need to worry about manually keeping lists up to date.

    Web filtering profiles can be applied to different groups of users. For example, access to social media sites may be provided only to the marketing department, while other staff have limited access during their lunch break.
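    The policy logic described above (vendor-maintained categories, per-group profiles, and a scheduled exception such as a lunch-break window) can be sketched as a small evaluator. This is an added example, not code from the original post or from any firewall vendor; the category database, group names, profiles and time window are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed stand-in for the vendor's category feed (host suffix -> category).
CATEGORY_DB = {
    "facebook.com": "social-media",
    "twitter.com": "social-media",
    "bet365.com": "gambling",
    "malware-dropper.example": "malicious",
    "docs.python.org": "technology",
}


def categorise(host: str) -> str:
    """Longest-suffix match so that subdomains inherit the parent domain's category."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):          # never match on the bare TLD
        candidate = ".".join(parts[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorised"


@dataclass
class Profile:
    blocked: set
    # category -> (start, end) window during which the block is lifted
    windows: dict = field(default_factory=dict)


# Constructed profiles: marketing may use social media; other staff only at lunch.
PROFILES = {
    "marketing": Profile(blocked={"gambling", "malicious"}),
    "staff": Profile(
        blocked={"gambling", "malicious", "social-media"},
        windows={"social-media": (time(12, 0), time(13, 0))},
    ),
}
DEFAULT_PROFILE = "staff"   # unknown groups get the more restrictive profile


def decide(group: str, host: str, now: time) -> tuple:
    """Return (verdict, reason) for a request from `group` to `host` at wall-clock `now`."""
    profile = PROFILES.get(group, PROFILES[DEFAULT_PROFILE])
    category = categorise(host)
    if category == "malicious":
        return ("block", category)            # a schedule never lifts this one
    if category not in profile.blocked:
        return ("allow", category)
    window = profile.windows.get(category)
    if window and window[0] <= now < window[1]:
        return ("allow", f"{category} (scheduled exception)")
    return ("block", category)


if __name__ == "__main__":
    for group, host, now in [("marketing", "www.facebook.com", time(10, 0)),
                             ("staff", "www.facebook.com", time(10, 0)),
                             ("staff", "www.facebook.com", time(12, 30)),
                             ("staff", "cdn.malware-dropper.example", time(12, 30))]:
        print(group, host, now, "->", decide(group, host, now))
```

    The suffix match matters in practice: a feed that lists only `facebook.com` must still catch `www.facebook.com` and `m.facebook.com`, and the malicious category is deliberately exempt from scheduled exceptions.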

  2. Application Control

    Some applications bypass firewall restrictions by concealing their communication in standard web protocols. These applications range from something harmless, like games, to potential security risks, like proxy services and P2P sharing applications.

    Malware on a single infected computer can expose an entire network by establishing communication with a hacker’s command and control (C&C) server using HTTPS, the same protocol used for browsing secure websites.

    By analysing network traffic as it passes through the firewall, Application Control can identify the types of applications being used and control which are blocked or permitted. For example, network admins can prevent the use of unauthorised remote-control applications (e.g. TeamViewer, LogMeIn or GoToMyPC), which are sometimes used by scammers in social engineering attacks, or peer-to-peer (P2P) file-sharing applications, which a disgruntled employee might use to extract intellectual property from the organisation before they leave.
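    One way a firewall can attribute an HTTPS connection to an application without decrypting it is to read the Server Name Indication (SNI) from the TLS ClientHello, which is sent in the clear, and match it against an application signature table. The following is an added example, not code from the original post or from any firewall product: it builds a constructed ClientHello, parses the SNI back out of it, and applies a constructed allow/block table (the `.example` hostnames are placeholders, not real vendor domains).

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (b"\x03\x03" + bytes(32)               # client_version + 32-byte random (zeros, constructed)
            + b"\x00"                              # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                        # compression methods
        if pos >= len(body):
            return None                             # no extensions block present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == 0x0000:
                p = 2                               # skip server_name_list length
                while p + 3 <= len(data):
                    name_type = data[p]
                    n = struct.unpack("!H", data[p + 1:p + 3])[0]
                    if name_type == 0:
                        return data[p + 3:p + 3 + n].decode("ascii")
                    p += 3 + n
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed signature table: destination host suffix -> (application, category).
APP_SIGNATURES = {
    "teamviewer.example": ("TeamViewer", "remote-access"),
    "logmein.example": ("LogMeIn", "remote-access"),
    "tracker.example": ("P2P-tracker", "p2p"),
}
BLOCKED_APP_CATEGORIES = {"remote-access", "p2p"}


def classify(record: bytes) -> tuple:
    """Return (application, category, verdict) for one ClientHello record."""
    host = extract_sni(record)
    if host is None:
        return ("unknown", "no-sni", "allow")      # nothing to match on; other engines still apply
    for suffix, (app, category) in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            verdict = "block" if category in BLOCKED_APP_CATEGORIES else "allow"
            return (app, category, verdict)
    return ("unknown", "web-browsing", "allow")


if __name__ == "__main__":
    for host in ["client.teamviewer.example", "docs.python.org"]:
        print(host, "->", classify(build_client_hello(host)))
```

    SNI matching is only one of the signals a real Application Control engine uses; traffic with no SNI, or with a generic CDN hostname, is exactly why the post's later point about certificate inspection matters.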

  3. Network Intrusion Prevention

    NGFWs are able to detect intrusion attempts based on either statistical anomalies or threat signatures, and prevent them from mounting a successful attack.

    Statistical anomaly-based detection identifies attacks based on malicious behaviour, such as a brute-force attack on an FTP site, or a port scan on an organisation’s IP addresses. Once detected, the firewall can block connections to and from the attacker to prevent a successful intrusion.

    Signature-based detection, on the other hand, uses patterns found in known malicious software to prevent attacks. This is particularly beneficial when malicious code is first used to exploit a vulnerable system, a so-called zero-day attack.

    For example, when a web server vulnerability is discovered, your website might be exposed to an attack until a patch is developed and applied, which could take days, weeks or longer. Since detection signatures can be created more quickly than software patches, your firewall’s Intrusion Prevention feature can be used to prevent attacks until the system can be patched.
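    The two detection styles above, anomaly-based (a burst of failed FTP logins, or one source touching many ports) and signature-based (a pattern in the request payload), can be shown side by side over a handful of events. This is an added example, not the post's or any vendor's code; the log events, thresholds, window and signatures are constructed for illustration, and a real engine would work on packets rather than pre-parsed log tuples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Signature(NamedTuple):
    name: str
    pattern: re.Pattern


# Constructed signatures for two well-known request patterns.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./")),
    Signature("sql-injection", re.compile(r"(?i)\bunion\s+select\b")),
]


class Ips:
    """Tiny stateful detector: blocks a source on a signature hit or a behavioural threshold."""

    def __init__(self, fail_threshold=5, scan_threshold=10, window=timedelta(seconds=60)):
        self.fail_threshold = fail_threshold
        self.scan_threshold = scan_threshold
        self.window = window
        self.failures = defaultdict(deque)   # src -> timestamps of failed logins in window
        self.ports = defaultdict(dict)       # src -> {dst_port: last seen}
        self.blocked = {}                    # src -> reason

    def process(self, ts: str, src: str, dport: int, msg: str) -> str:
        now = datetime.fromisoformat(ts)
        if src in self.blocked:
            return "drop"                    # already blocked; no further analysis needed
        for sig in SIGNATURES:               # signature-based: match known bad patterns
            if sig.pattern.search(msg):
                self.blocked[src] = f"signature: {sig.name}"
                return "drop"
        if "Login incorrect" in msg:         # anomaly-based: brute force
            dq = self.failures[src]
            dq.append(now)
            while dq and now - dq[0] > self.window:
                dq.popleft()
            if len(dq) >= self.fail_threshold:
                self.blocked[src] = "anomaly: brute force"
                return "drop"
        ports = self.ports[src]              # anomaly-based: port scan
        ports[dport] = now
        for p, seen in list(ports.items()):
            if now - seen > self.window:
                del ports[p]
        if len(ports) >= self.scan_threshold:
            self.blocked[src] = "anomaly: port scan"
            return "drop"
        return "pass"


# Constructed events: (timestamp, source IP, destination port, logged message).
EVENTS = (
    [("2024-01-01 10:00:%02d" % (i * 4), "203.0.113.5", 21, "530 Login incorrect") for i in range(5)]
    + [("2024-01-01 10:00:30", "192.0.2.9", 443, "GET /index.html HTTP/1.1")]
    + [("2024-01-01 10:01:%02d" % i, "198.51.100.7", 1000 + i, "SYN") for i in range(10)]
    + [("2024-01-01 10:02:00", "192.0.2.44", 80, "GET /static/../../../config.ini HTTP/1.1")]
)


def run(events):
    """Feed events through one detector; return (per-event verdicts, blocked sources)."""
    ips = Ips()
    verdicts = [ips.process(*event) for event in events]
    return verdicts, dict(ips.blocked)


if __name__ == "__main__":
    verdicts, blocked = run(EVENTS)
    for event, verdict in zip(EVENTS, verdicts):
        print(verdict, event)
    print(blocked)
```

    Note the ordering: a signature hit is evaluated before the behavioural counters, and a blocked source is dropped without further analysis, which is what lets the firewall shield an unpatched server from repeated attempts while the patch is still being prepared.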

  4. Certificate Inspection

    To avoid detection, malicious websites will often try to penetrate the network perimeter by delivering malware over an encrypted connection. Most websites are now encrypted with an SSL/TLS certificate, making it easier for users to inadvertently download malware without detection.

    Certificate Inspection works by decrypting and re-encrypting traffic between the user and web server, which allows the firewall to examine the traffic for threats. Without certificate inspection, your firewall’s security features, such as Application Control, cannot completely protect networks against threats.

  5. High Availability

    Various IT systems, including servers, storage and network devices, rely on High Availability (HA) configurations to minimise downtime and the impact of hardware failures. This is achieved by introducing a second, redundant device into the system.

    When two firewalls are configured this way they form a highly-available cluster, which allows network traffic to flow normally if either member of the cluster were to fail.

    As well as providing protection against a hardware failure, HA clusters allow firewall administrators to apply patches to firewalls without the need to schedule outages or interrupt systems that operate around the clock. HA also has the side benefit of spreading intensive workloads, such as network traffic analysis and virus scanning, across multiple units to speed up network processing.

There are many other noteworthy features of NGFWs, such as VPNs, traffic shaping, multifactor authentication and directory services integration, which may also be valuable to your organisation. But if your network already relies on an NGFW to protect it against network threats, I recommend reviewing the configuration to ensure my top 5 are in use.


Domenic has consulted to Australian businesses of all sizes for over 20 years, delivering end-to-end IT solutions. He has expertise in Information Security, Remote Access and Desktop Management, in addition to traditional cloud and on-premises infrastructure solutions.