traffic and applies rules to block potentially dangerous traffic. NGFWs evolve and
expand upon the capabilities of traditional firewalls. They do everything a traditional
firewall does, and add deeper inspection and finer-grained policy on top of it.
Consider two airport security agencies. One checks to make sure passengers are not
on any no-fly lists, that their identities match what is listed on their tickets, and that
they are going to destinations the airport actually serves. The second one, in addition
to checking no-fly lists and so on, inspects what the passengers are carrying, making
sure they do not have dangerous or disallowed items. The first agency keeps airports
secure from obvious threats; the second also identifies threats that may be less
obvious.
An ordinary firewall is like the first security agency: it blocks or allows data
(the passengers) based on where it comes from, where it is going (IP addresses and
ports), and, for a stateful firewall, whether it belongs to an already established,
legitimate connection. An NGFW is more like the second security agency: it inspects
the data itself to identify and block threats that may be hidden in normal-seeming
traffic.
NGFWs also add several capabilities that older firewalls do not have. NGFWs use
deep packet inspection (DPI) in addition to packet filtering. And according to
Gartner, a global research and advisory firm, an NGFW includes:
Intrusion prevention
Threat intelligence
NGFWs are also typically VPN-aware: they can recognize encrypted VPN traffic and
allow it through.
Most of these features are possible because, unlike regular firewalls, NGFWs can
process traffic at several layers in the OSI model, not just layers 3 (the network layer)
and 4 (the transport layer). NGFWs can look at layer 7 HTTP traffic and identify which
applications are in use, for instance. This is an important capability because layer 7
(the application layer) is increasingly used for attacks to get around the security
policies applied at layers 3 and 4 by traditional firewalls.
(To learn more about the OSI layers, see What is the OSI model?)
NGFWs improve upon packet filtering by adding deep packet inspection (DPI) on top
of it. Like packet filtering, DPI involves inspecting every individual packet to see
the source and destination IP addresses, the source and destination ports, and so on.
This information is all contained in the layer 3 and layer 4 headers of a packet.
But DPI also inspects the body of each packet, not just the header. Specifically, DPI
checks packet bodies for malware signatures and other potential threats: it compares
the contents of each packet against patterns taken from known malicious attacks.
Because this is matching against known patterns, it only catches threats whose
signatures are already in the firewall's signature set.
Threat intelligence keeps intrusion prevention system (IPS) signature detection
effective by supplying the latest malware signatures as new threats are discovered.
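The difference between the layer 3/4 decision a traditional packet filter makes and the extra layer 7 checks an NGFW adds (application identification and signature matching, as described in the paragraphs above) can be shown concretely. The following is an added example written for this page; it is not Cloudflare's code and not how any vendor's NGFW is implemented. The packets are constructed in code rather than captured, the web server address 10.0.0.10, the port-to-application policy and the two signatures are all made-up assumptions, and TCP checksums are left at zero because nothing here needs them.

```python
# Added example: packet filtering (layers 3/4) versus deep packet inspection.
# All packets, addresses, policy entries and signatures below are constructed
# for illustration; none of them are captured traffic or real vendor data.
import socket
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int
    payload: bytes


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left zero; test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + payload


def parse_packet(raw):
    """Pull the layer 3/4 header fields and the payload out of a raw packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is modelled here")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4  # TCP header length, in 32-bit words
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                  sport, dport, raw[ihl + data_off:total_len])


# Shared layer 3/4 policy (assumption): inbound TCP to the web server on port 80 only.
ALLOWED = {("10.0.0.10", 6, 80)}


def packet_filter(pkt):
    """Traditional firewall verdict, taken from header fields alone."""
    return "allow" if (pkt.dst_ip, pkt.proto, pkt.dport) in ALLOWED else "deny"


# Constructed content signatures, standing in for an IPS signature feed.
SIGNATURES = {
    "path-traversal": b"../../",
    "windows-shell": b"cmd.exe",
}
# Which application the policy expects on each allowed port (assumption).
EXPECTED_APP = {80: "http"}


def identify_app(payload):
    """Layer 7 identification from the first bytes of the payload."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    return "unknown"


def ngfw(pkt):
    """NGFW verdict: header policy first, then application check, then signatures."""
    if packet_filter(pkt) != "allow":
        return "deny", None
    if not pkt.payload:  # handshake segments carry no data to inspect
        return "allow", None
    app = identify_app(pkt.payload)
    expected = EXPECTED_APP.get(pkt.dport)
    if expected is not None and app != expected:
        return "deny", f"app-mismatch:{app}"
    for name, sig in SIGNATURES.items():
        if sig in pkt.payload:
            return "deny", f"signature:{name}"
    return "allow", app


def demo():
    """Run both firewalls over constructed packets; returns {name: (filter, ngfw)}."""
    client, server = "198.51.100.7", "10.0.0.10"
    raws = {
        "benign-http": build_tcp_packet(client, server, 40001, 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
        "traversal-http": build_tcp_packet(client, server, 40002, 80,
            b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"),
        "ssh-on-80": build_tcp_packet(client, server, 40003, 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
        "syn-no-data": build_tcp_packet(client, server, 40004, 80, b""),
        "telnet": build_tcp_packet(client, server, 40005, 23, b"root\r\n"),
    }
    return {name: (packet_filter(parse_packet(r)), ngfw(parse_packet(r)))
            for name, r in raws.items()}


if __name__ == "__main__":
    for name, (pf, nf) in demo().items():
        print(f"{name:15} packet filter={pf:5} ngfw={nf}")
```

The packet filter passes everything addressed to port 80, including the path-traversal request and the SSH session tunnelled over the web port, because its decision never looks past the layer 3/4 headers. The NGFW stage only runs on packets the header policy already allowed, which is how the two are layered in practice, and it keeps allowing the empty handshake segment so that normal TCP setup is not broken. Note that the signature stage sees only plaintext: the example says nothing about TLS, and a real deployment has to decide separately how encrypted payloads are handled.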
Finally, an NGFW can be deployed as a cloud service; this is called a cloud firewall or
firewall-as-a-service (FWaaS). FWaaS is an important component of secure access
service edge (SASE) networking models. (Compare NGFW and FWaaS in more depth.)
Magic Firewall is tightly integrated with Cloudflare One, a SASE platform that
combines networking and security services.