Next-generation firewalls vs. traditional: How they differ
When people think of safeguards against incoming threats from the internet and the hackers that lurk in dark corners, a firewall is often the first thing that comes to mind.
Firewalls are security hardware that sits between your system and the outside world, intercepting inbound and outbound packets and denying or allowing them according to a set of pre-established rules, in order to protect networks, systems and the assets that reside on them.
However, like many things, firewalls are not all equal in capability: they can differ widely in sophistication and in what they can do to keep your company safe.
Fundamentally, firewalls for businesses fall into two primary categories: traditional and next-generation (NGFW).
Now, that’s all well and good, but what are the differences between traditional firewalls and next-generation firewalls (NGFWs), and which is best for your business and why? With cybercrime on the rise, it’s now more important than ever to make the right decisions for your organisation’s security.
First, let’s cover the basics.
What is stateless vs stateful inspection?
Data travels via encapsulation. The data is broken up into units called packets, each wrapped with all the necessary information, including the IP addresses and how the data will be routed, before being sent over networks and systems packet by packet.
Keeping with our theme of breaking things into twos, when it comes to packets, firewalls can perform stateless or stateful inspection depending on their capability and sophistication.
Stateless inspection is where the firewall filters every packet independently of all others, with no session table maintained, meaning the firewall cannot discern the wider context of the groups of packets flowing in and out of the network between two users.
For each packet, stateless inspection simply:
- Examines the source IP to see whether it is allowed into the network and has access privileges to the destination IP.
- Checks whether the packet meets the filter’s rule set, such as the configured policy.
- Checks whether the destination port or service is allowed in the network.
- Denies or accepts the packet depending on the results.
One of the key points is that stateless inspection has no idea which packets belong to which session. It has no concept of a session; it only considers individual packets travelling to and from their destination, one at a time.
In contrast, stateful inspection is where the firewall is state-aware: it inspects packets going in and out of the network while maintaining a table of the packets that came before them. It is fully aware of the sessions between users and assigns each one an ID.
Essentially, it’s aware of the context.
Stateful inspection allows for:
- Seeing information associated with a session, such as the session ID, the policy name and the number of bytes transferred in the session.
- Seeing the incoming interface or VLAN the packet arrived on, the source and destination IP addresses, and the packet count.
- Configuring a timeout value, so a session does not remain open forever.
- Recording Network Address Translation (NAT) information and the outgoing interface.
A basic rule of thumb is the majority of traditional firewalls operate on a stateless level, while Next-gen firewalls operate in a stateful capacity. Although there are some traditional firewalls which can do a stateful inspection, they are not the majority.
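To make the difference concrete, here is an added illustration (not code from the original post, and not any vendor's implementation) of the two inspection modes described above: a stateless filter that judges each packet alone using the source, destination and port checks listed earlier, beside a stateful filter that keeps a session table with IDs and an idle timeout. The address range, allowed ports and timeout are constructed policy values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" leaves the LAN, "in" arrives from the internet

LAN = ipaddress.ip_network("10.0.0.0/8")   # constructed internal address range
ALLOWED_OUTBOUND_PORTS = {80, 443}          # constructed policy: LAN may only browse the web
SESSION_TIMEOUT = 300                       # idle seconds before a session entry expires

def stateless_filter(pkt: Packet) -> str:
    """Judge one packet on its own: source, destination and port checks only."""
    src = ipaddress.ip_address(pkt.src_ip)
    if pkt.direction == "out" and src in LAN and pkt.dst_port in ALLOWED_OUTBOUND_PORTS:
        return "allow"
    # No session memory: the reply to a LAN-initiated connection looks exactly
    # like an unsolicited inbound packet, so it is denied along with everything else.
    return "deny"

class StatefulFirewall:
    """Keeps a session table so replies to permitted flows are recognised."""
    def __init__(self):
        self.sessions = {}   # flow 4-tuple -> (session id, last-seen time)
        self.next_id = 1

    def filter(self, pkt: Packet, now: float) -> str:
        # Expire idle sessions first so a stale entry cannot admit traffic.
        self.sessions = {k: v for k, v in self.sessions.items()
                         if now - v[1] <= SESSION_TIMEOUT}
        # Key every packet on the 4-tuple of the LAN side that initiated the flow,
        # so inbound replies map onto the same session as the outbound request.
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        else:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            self.sessions[key] = (self.sessions[key][0], now)   # refresh the timer
            return "allow"
        if stateless_filter(pkt) == "allow":   # new flow must still pass the policy
            self.sessions[key] = (self.next_id, now)
            self.next_id += 1
            return "allow"
        return "deny"
```

The stateless filter drops the server's reply to a permitted outbound request because it cannot tell it apart from unsolicited inbound traffic, while the stateful filter admits it until the session goes idle past the timeout.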
Like all firewalls, traditional firewalls police the flow of traffic going in and out of your network, basing their decisions on ports, protocols, policies and the source and destination IP addresses.
Traditional firewalls can perform:
- Stateless inspection. The vast majority of traditional firewalls only perform stateless inspection, and are unaware of sessions.
- Packet filtering, which makes sure inbound and outbound packets are inspected before allowing them to pass through. Packets which fail to meet the filter’s rules are dropped instead of forwarded.
- VPN support, to help keep private network traffic secure when users connect over public networks like the internet.
However, they are limited to inspecting the network and transport layers of a packet when making decisions and, as their name suggests, are not the most advanced form of firewall protection available.
This brings us to next-generation firewalls, the most robust firewall protection available.
Next-generation firewalls (NGFWs)
Next-generation firewalls (NGFWs) typically have the common functions of a traditional firewall in their arsenal, plus a number of additional features and a higher level of sophistication for protecting networks and systems from threats, giving you more layered security.
As mentioned, they go beyond the static inspection that traditional firewalls are often limited to, adding a number of application-level controls:
- Deep Packet Inspection (DPI). Whereas standard packet filtering only reads the header of a packet, DPI thoroughly inspects the packet’s contents, including its source, which means the NGFW can see the full context of each packet.
- Application awareness. Because they can inspect the application layer, NGFWs enable organisations to identify non-business applications and set application-specific rules, including blocking an application outright.
- An Intrusion Prevention System (IPS), allowing the NGFW to actively detect and block intrusions, dropping malicious packets and logging or blacklisting the offending IP addresses.
- Single console access and simpler infrastructure, giving easy access and streamlining the process of managing and updating security policies, which saves time and makes operations more efficient, something vital in cybersecurity.
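An added illustration of the DPI and application-awareness points above (example code written for this page, not any product's implementation): a header-only filter that allows anything addressed to the web port, beside a minimal DPI check that confirms the payload really is an HTTP request, extracts the Host header to identify the application, and applies an application-specific block list. The blocked hostnames and sample payloads are constructed; TLS traffic on port 443 is out of scope here.

```python
import re

# Request line of a cleartext HTTP request; anything else on port 80 is not web traffic.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# Constructed application policy: hostnames of non-business applications to block.
BLOCKED_APP_HOSTS = {"games.example.test", "social.example.test"}

def header_only_filter(dst_port: int) -> str:
    """Traditional packet filter: decides on the transport header alone."""
    return "allow" if dst_port == 80 else "deny"

def identify_application(payload: bytes):
    """Minimal DPI: classify the payload as HTTP and pull out the Host header."""
    if not HTTP_REQUEST_LINE.match(payload):
        return ("unknown", None)
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)\r\n", payload, re.IGNORECASE)
    host = m.group(1).decode("ascii", "replace").strip().lower() if m else None
    return ("http", host)

def dpi_filter(dst_port: int, payload: bytes) -> str:
    """NGFW-style decision: header check first, then application identification."""
    if header_only_filter(dst_port) == "deny":
        return "deny"
    app, host = identify_application(payload)
    if app != "http":
        return "deny"          # a non-web protocol riding on the web port
    if host in BLOCKED_APP_HOSTS:
        return "deny"          # application-specific rule from the policy
    return "allow"

# Constructed sample payloads, as a filter would see them on port 80.
SAMPLE_BUSINESS = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SAMPLE_BLOCKED = b"GET / HTTP/1.1\r\nHost: games.example.test\r\n\r\n"
SAMPLE_NOT_HTTP = b"\x00\x01\x02custom-protocol-hello"
```

The header-only filter returns "allow" for all three samples because they all target port 80; only the DPI path distinguishes the business site from the blocked application and from a non-HTTP protocol using the web port.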
Next-generation firewalls have many benefits, including the ability to maintain network speed and high availability despite the complexity of their tasks and configurations, unlike traditional firewalls, where added complexity slows everything down.
Popular brands for NGFW include:
- Cisco devices.
- Palo Alto Networks.
- Juniper Networks SRX.
- SonicWall.
- Check Point.
There are also open-source next-generation firewall options, such as configuring pfSense or using ClearOS.
With the cyber threat landscape always evolving, you need to evolve with it. Given their more sophisticated capabilities for safeguarding companies against advanced, modern threats, next-generation firewalls are strongly recommended over traditional firewalls, which are no longer seen as very effective.
Threat actors target flaws and vulnerabilities in your infrastructure in order to infect your systems with malicious code and software, including by exploiting insecure devices, so you need to cover as many weak spots in your infrastructure as possible.
Of course, in order to get the robust security that you need in this modern age of systems, networks, people and clouds, there is no one solution. Your organisation will need to follow cybersecurity best practices and incorporate a number of functions, procedures and policies to deal with cyber threats.
Layer up your security with Securiwiser. Securiwiser is a security monitoring tool that evaluates your company’s cybersecurity posture, flagging up vulnerabilities and exploits in an easy-to-read dashboard. In real-time, it checks the security of your network, your cloud, if there’s malware, if there’s misconfigurations or strange port activity, and much more.