What is a Next-Generation Firewall (NGFW)?
A Next-Generation Firewall (NGFW) is a network security device that goes beyond the capabilities of traditional firewalls, combining advanced traffic filtering with more sophisticated inspection and threat prevention technologies. NGFWs are designed to provide deeper visibility into network activity, detect and block modern cyber threats, and ensure more precise security enforcement.
A brief overview of NGFWs
The evolution from traditional firewalls to next-generation firewalls arose from the need to address increasingly complex and stealthy cyber threats. Early firewalls focused primarily on controlling access based on IP addresses, ports, and protocols. However, as applications became more complex and attackers more sophisticated, the limitations of these static rules became apparent. NGFWs were developed to address this gap, providing deeper packet inspection, application awareness, and built-in security capabilities such as intrusion prevention and malware detection.
Key features of NGFWs
- Application Awareness: Unlike traditional firewalls, NGFWs can identify and control access to applications, regardless of port or protocol, giving organizations more granular control over traffic based on specific app behaviors rather than just network parameters.
- Intrusion Prevention System (IPS): Integrated IPS enables NGFWs to detect and prevent malicious activity by identifying and blocking known threats such as exploits, malware, and unauthorized access attempts.
- Deep Packet Inspection (DPI): NGFWs analyze the data within packets, looking beyond headers to inspect the payload for potential threats, providing more comprehensive security compared to earlier firewalls.
- SSL/TLS Traffic Decryption: NGFWs can decrypt and inspect encrypted traffic, a resource-intensive feature given the processing requirements of inspecting the increasing volume of SSL/TLS-encrypted web traffic.
- Identity-Based Access Control: NGFWs can enforce security policies based on user identities rather than just network addresses, offering more refined and user-specific protection.
- Threat Intelligence Integration: Modern NGFWs often integrate with external threat intelligence services, providing real-time updates on the latest threats and enabling proactive defense against emerging attack vectors.
NGFW vs. traditional firewalls and other security tools
While traditional firewalls act as a barrier that blocks or allows traffic based on predefined rules (such as IP address or port), NGFWs are much more dynamic. They inspect traffic in real time, identify specific applications, and can even detect suspicious behavior within legitimate traffic flows.
Compared to intrusion detection and prevention systems (IDS/IPS), NGFWs offer both inline blocking (IPS) and advanced traffic inspection capabilities. NGFWs operate inline with network traffic, ensuring immediate threat mitigation through active blocking (like an IPS), whereas IDS operates out of band, providing visibility and alerting without actively blocking traffic. This distinction highlights that while NGFWs actively prevent threats, IDS focuses on monitoring and detection, often providing a richer dataset for analysis without affecting network performance.
However, NGFWs are not invisible to attackers. Unlike network detection and response (NDR) solutions, which are deployed out of band and provide visibility without actively interacting with traffic, NGFWs operate inline and can be detected and potentially targeted by attackers. This makes NDR an invaluable complement to NGFWs, as its passive nature ensures it remains hidden from attackers while providing continuous monitoring and threat detection.
It's important to note that some NGFWs have limitations in dealing with certain types of sophisticated attacks, especially those involving lateral movement within the network. NGFWs primarily focus on north-south traffic (traffic entering and leaving the network), which means they may struggle to identify threats moving laterally (east-west traffic) within the network. This lack of internal visibility can allow sophisticated attackers to operate undetected once inside the network.
Another limitation is the lack of logging depth. While firewall logs generally include basic information like source and destination IPs, ports, and protocol types, NGFWs typically do not provide extensive metadata such as the details of HTTP, DNS, and SSL transactions (e.g., the URL accessed in an HTTP request or the DNS names resolved). To overcome this limitation, some organizations have resorted to enabling NGFW 'debug' logging to achieve the granular visibility needed by SecOps teams. However, enabling debug logging can lead to significant performance and cost implications, as generating verbose debug logs can degrade network performance and become expensive due to increased storage requirements.
Do I need NDR if I already have NGFW?
NGFWs and NDR solutions serve different but complementary purposes in a comprehensive security strategy.
NGFWs are highly effective at preventing threats at the perimeter, focusing on north-south traffic, inspecting packet headers, and applying rules to block or allow traffic. However, NGFWs are limited when it comes to monitoring internal (east-west) network traffic, which is crucial for detecting threats that have managed to infiltrate the network. Sophisticated attackers often use lateral movement techniques to reach their objectives, and NGFWs typically lack the visibility required to detect these internal activities.
NDR solutions provide comprehensive network monitoring that covers both perimeter and internal traffic. By leveraging deep packet inspection, behavior analytics, and advanced threat detection, NDR solutions can identify threats that evade NGFW defenses or originate inside the network. Unlike NGFWs, which focus on active blocking, NDR provides detailed, out-of-band monitoring for comprehensive visibility, including extensive metadata from application-level protocols (e.g., HTTP, DNS, SSL) that adds context to network activity. NDR also improves detection of lateral movement, suspicious internal behavior, and complex multi-stage attacks that NGFWs may miss, making it invaluable for threat hunting and incident response. Because it retains rich, compact data suited to long-term retention and analysis, NDR helps security teams understand network activity and uncover and document potentially malicious activity that a firewall might not block.
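As an added illustration of the logging-depth limitation and the NDR metadata described above (example code, not from the page or Corelight's product), the script below joins constructed perimeter-firewall log lines, which carry only a 5-tuple and a verdict, to constructed NDR-style connection records modelled loosely on Zeek's conn/http/dns/ssl logs. It tags each connection as north-south or east-west against an assumed list of internal networks and shows which flows the perimeter firewall never saw and which application-layer context exists only in the NDR records.

```python
import ipaddress
# Constructed sample data (not from the page). The firewall lines carry only a
# 5-tuple and a verdict; the NDR records are modelled loosely on Zeek-style
# conn/http/dns/ssl logs, keyed by a per-connection uid.
FIREWALL_LOG = """\
10.1.1.20 54321 198.51.100.7 443 tcp allow
10.1.1.20 54322 203.0.113.53 53 udp allow
10.1.1.20 54323 192.0.2.9 80 tcp deny
"""
NDR_CONN = [
    {"uid": "C1", "src": "10.1.1.20", "sport": 54321, "dst": "198.51.100.7", "dport": 443, "proto": "tcp"},
    {"uid": "C2", "src": "10.1.1.20", "sport": 54322, "dst": "203.0.113.53", "dport": 53, "proto": "udp"},
    {"uid": "C3", "src": "10.1.1.20", "sport": 54323, "dst": "192.0.2.9", "dport": 80, "proto": "tcp"},
    {"uid": "C4", "src": "10.1.1.20", "sport": 54324, "dst": "10.1.2.15", "dport": 445, "proto": "tcp"},
]
NDR_APP = {  # application-layer context that the firewall log never records
    "C1": {"ssl_server_name": "example.com"},
    "C2": {"dns_query": "example.com"},
    "C3": {"http_host": "192.0.2.9", "http_uri": "/login"},
}
# Assumed internal address space (the page names none); Zeek calls this local_nets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_firewall_log(text):
    """Return {5-tuple: verdict} from whitespace-separated firewall log lines."""
    table = {}
    for line in text.splitlines():
        src, sport, dst, dport, proto, verdict = line.split()
        table[(src, int(sport), dst, int(dport), proto)] = verdict
    return table

def direction(src, dst):
    """East-west if both endpoints are internal, otherwise north-south."""
    inside = [any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS) for ip in (src, dst)]
    return "east-west" if all(inside) else "north-south"

def enrich(fw_text, conns, app):
    """Join NDR connections to the firewall log and attach app-layer context."""
    fw = parse_firewall_log(fw_text)
    rows = []
    for c in conns:
        key = (c["src"], c["sport"], c["dst"], c["dport"], c["proto"])
        rows.append({
            "uid": c["uid"],
            "direction": direction(c["src"], c["dst"]),
            "fw_verdict": fw.get(key),  # None: the perimeter firewall never saw this flow
            **app.get(c["uid"], {}),    # context only the NDR records hold
        })
    return rows
```

Calling `enrich(FIREWALL_LOG, NDR_CONN, NDR_APP)` yields one row per connection; the east-west SMB flow C4 has no firewall verdict at all, and the denied HTTP flow C3 gains the host and URI that the firewall line lacks.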
Deploying NDR alongside an NGFW ensures that your security strategy covers both external threats attempting to breach your network and internal threats that may be propagating unnoticed. This combination provides a robust, layered defense that is essential for modern cybersecurity resilience.
How NGFWs fit into a comprehensive security stack
Next-generation firewalls form a critical layer in a broader security strategy. By incorporating capabilities like deep packet inspection, application control, and IPS into a single platform, NGFWs offer a strong defense against both known and unknown threats. However, they are most effective when used alongside other security tools that address different aspects of network security.
For example, NGFWs complement network detection and response (NDR) solutions by providing perimeter protection and threat blocking, while NDR focuses on broader network visibility and customizable detection. NGFWs are excellent at blocking known threats at the perimeter, but NDR solutions like Corelight's Open NDR Platform are essential for detecting and investigating threats that evade initial defenses or originate within the network. NDR also supports Zero Trust and microsegmentation strategies by providing insights into traffic patterns and flows within the network, helping to implement and validate effective security controls.
Combining NGFWs with centralized analytics tools like security information and event management (SIEM) platforms further enhances security by correlating alerts from multiple sources and providing context for better incident response. This layered approach ensures that both perimeter defenses and internal network activity are covered, reducing the likelihood of undetected breaches and improving response times.
Embracing NGFWs for advanced protection
NGFWs address the shortcomings of traditional firewalls by offering advanced detection, prevention, and control capabilities for modern network environments. However, NGFWs alone are not enough to provide complete protection against sophisticated cyber threats.
When combined with other advanced tools such as network detection and response (NDR) and SIEM, NGFWs help form a layered, defense-in-depth strategy that provides robust protection. NDR solutions like Corelight's Open NDR Platform are particularly crucial in detecting and responding to threats that bypass perimeter defenses, ensuring that organizations maintain visibility and control over their entire network.
To learn more about how Corelight’s Open NDR Platform works alongside NGFWs to strengthen your security posture, contact us or request a demo today. Let Corelight help you build a more resilient and comprehensive cybersecurity strategy.
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.