Firewalls, NGFW, What’s The Difference?
When you shop for a firewall to protect your network edge, advertising for next-generation firewalls comes up in search results constantly. Abbreviated NGFW, next-generation firewalls are marketed as more secure and more intelligent than regular firewalls. However, the extra functionality that makes an NGFW "next generation" is often locked behind subscription fees that run to thousands of dollars per year. Buyers who order one expecting a turnkey solution frequently find this out only after the box has arrived. Before ordering, ask the vendor exactly which functions stop working when the subscription lapses.
THE SUBSCRIPTION TRAP
Business runs on money. Plain and simple. Without it, there’s no reason to be in business. More specifically, business runs on margin, profitability and overhead reduction. Technology companies are no different. Research and development costs money. Marketing costs money. Employees cost money. Increasing revenue and reducing overhead can sometimes be the difference between a successful product launch and a bankrupt business.
Stateless packet filters (which match on layer 3 and 4 header fields) and stateful firewalls (which also track layer 4 connection state) receive software updates to address security vulnerabilities and add features. The cost of those updates is most often built into the price of the device and whatever licenses are sold with it.
NGFWs are different. They operate much like antivirus software, scanning packets and reassembled streams for signs of malicious activity, IT policy violations, peer-to-peer protocols such as BitTorrent, and much more. They can also police traffic based on which user and which application generated it. To keep up with new and evolving threats, NGFWs need regular security definition updates, and producing those definitions costs the manufacturer far more than periodic software updates do. As attackers adopt AI-assisted tooling, the value of having these capabilities on hand cannot be overstated.
NGFW – SOMEWHAT OF A BUZZWORD
The name NGFW is something of a misnomer: a marketing term coined by manufacturers to mark the shift toward more capable firewalls. The more precise term is "application layer firewall." As noted above, next-generation firewalls need a steady stream of new definitions to do their job. Feeds come from a variety of sources, but most paid NGFW definitions are produced by security researchers who are paid to write them.
Security researchers who work on NGFW definitions spend years analyzing traffic patterns, writing signatures and identifying new threats. Suricata is one engine that NGFWs use to load those signatures and match them against traffic to flag potential threats and breach attempts. The easiest way to understand what an NGFW does compared with a regular firewall is to map each onto the Open Systems Interconnection (OSI) model.
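To show what such definitions actually look like, here are three rules in Suricata's rule language, written for this article as a constructed illustration (they are not taken from the page, from Suricata's own rulesets or from any vendor feed). `$HOME_NET` and `$EXTERNAL_NET` are Suricata's standard address variables, and the `sid` values sit in the range conventionally reserved for local rules. The first rule is pure layer 3/4: it needs no payload knowledge at all. The other two are what a researcher-maintained feed supplies: a byte pattern for the BitTorrent handshake that fires whatever port the traffic rides on, and a match against the parsed HTTP URI rather than raw bytes.

```suricata
# Constructed example rules for this article, not a vendor feed.

# Layer 3/4 only: header fields, no content. A stateful firewall can do this by itself.
drop tcp 203.0.113.0/24 any -> $HOME_NET any (msg:"EXAMPLE traffic from blocklisted range"; sid:1000001; rev:1;)

# Layer 7 content match: 0x13 followed by "BitTorrent protocol" within the first 20 bytes
# of the client-to-server side of an established stream, regardless of port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE BitTorrent handshake"; flow:established,to_server; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:1000002; rev:1;)

# Protocol-aware match: the engine parses HTTP first, then matches on the normalised URI buffer.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE wp-login probe"; flow:established,to_server; http.uri; content:"/wp-login.php"; classtype:web-application-attack; sid:1000003; rev:1;)
```

The difference in effort is the point: the first rule is a one-off policy decision, while the second and third only stay useful as long as someone keeps tracking how the protocol and the attacks evolve, which is the work a paid feed charges for.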
LAYERS OF INTEROPERABILITY
The OSI model has seven layers, each more specific than the one below it. To understand the difference between a conventional firewall and an application layer firewall, it helps to know what operates at each layer.
- Layer 1 – Physical. Network hubs, also known as repeaters, operate here. A hub receives a signal and repeats it out every connected port.
- Layer 2 – Data Link. Switches operate at this layer: they receive frames and use MAC addresses to forward each one to the correct port.
- Layer 3 – Network. Routers and IP addresses operate here. Routers connect independent networks to each other and exchange reachability information via routing protocols. Firewall rules at this level block unwanted traffic by source or destination IP address and by IP protocol.
- Layer 4 – Transport, where TCP and UDP operate. Firewall rules at this layer match on port numbers, and a stateful firewall can also drop a packet that does not belong to an established connection.
- Layer 5 – Session, where connections are established (login) and torn down (logoff).
- Layer 6 – Presentation. Data formatting, encryption/decryption and compression/decompression happen here.
- Layer 7 – Application, the layer closest to the user. Firewalls operating at this layer can inspect payloads for malicious content, identify an application regardless of the port it uses, and detect application-layer denial-of-service attempts, among other things.
THE DIFFERENCE IN HARDWARE
An application layer firewall or NGFW works all the way up at layer 7, where a conventional firewall only operates at layers 3 and 4. Layer 3 and 4 firewalls see addresses, protocols, ports and connection state, so they cannot recognise threats that only show up in the payload: AI-generated attacks, encrypted malicious payloads or ransomware command-and-control traffic. Catching those takes a layer 7 firewall. These devices can decrypt and re-encrypt traffic in near-real time to inspect it, with one caveat: to do so the firewall must act as a TLS intermediary, so its certificate authority has to be trusted by every client behind it, and any traffic it cannot decrypt (an application that pins its certificate, for instance) falls back to layer 3 and 4 rules.
As you can imagine, these devices also need more powerful processors for the deeper packet inspection they perform. For example, the Cisco ASA 5505, a layer 4 firewall with stateful packet inspection, needed only an AMD Geode LX 800 at 500 MHz to reach 150 Mbps of throughput. By contrast, the ASA 5506-X, its NGFW successor, carries a four-core Intel Atom C2000 at 1.5 GHz and manages just 125 Mbps with all NGFW features enabled: three times the clock speed on four cores instead of one, to move less traffic.
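To make the layer distinction concrete, here is an added example, written for this article rather than taken from the page, from Suricata or from any vendor, that runs constructed packets through three filters in turn: a stateless layer 3/4 access list, a stateful layer 4 connection tracker, and a layer 7 inspector with two constructed signatures in the spirit of Suricata's content/depth keywords. The addresses, ports, packets and signatures are all made up for the demo, and the TLS check only recognises a record header; actual interception and decryption are out of scope.

```python
# Added example for this article: constructed data, not vendor or page code.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""       # TCP flags as letters: S, SA, A, PA
    payload: bytes = b""

# Layer 3/4, stateless: header fields only, first matching rule wins. The "ack"
# rule is the classic stateless way to let return traffic in; it trusts a flag
# the sender controls, which is the hole the stateful tier closes.
ACL = [
    ("deny",  {"src": "203.0.113.0/24"}),        # blocklisted range
    ("allow", {"proto": "tcp", "dport": 443}),   # new HTTPS connections
    ("allow", {"proto": "tcp", "dport": 80}),    # new HTTP connections
    ("allow", {"proto": "tcp", "ack": True}),    # "established" by flag alone
    ("deny",  {}),                               # default deny
]

def acl_decision(pkt, acl=ACL):
    for action, match in acl:
        for key, want in match.items():
            if key == "src":
                hit = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(want)
            elif key == "ack":
                hit = ("A" in pkt.flags) == want
            else:
                hit = getattr(pkt, key) == want
            if not hit:
                break
        else:                         # every field of this rule matched
            return action
    return "deny"

class StatefulFirewall:               # layer 4: remember who opened what
    def __init__(self):
        self.flows = set()            # (initiator, port, responder, port)

    def process(self, pkt):           # TCP only in this demo
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":          # new connection the ACL already vetted
            self.flows.add(fwd)
            return "allow"
        if fwd in self.flows or rev in self.flows:
            return "allow"            # either direction of a tracked connection
        return "deny"                 # unsolicited segment, e.g. an ACK probe

# Layer 7: look inside the payload. Signatures are constructed for this demo.
SIGNATURES = [
    {"msg": "BitTorrent handshake", "content": b"\x13BitTorrent protocol", "depth": 20},
    {"msg": "sqlmap scanner user-agent", "content": b"User-Agent: sqlmap", "depth": None},
]

def inspect_layer7(pkt, sigs=SIGNATURES):
    """Signature name that fired, "opaque" for undecrypted TLS, else None."""
    data = pkt.payload
    if not data:
        return None
    if data[:2] == b"\x16\x03":       # TLS handshake record, version 3.x
        return "opaque"               # needs TLS interception to see inside
    for sig in sigs:
        window = data if sig["depth"] is None else data[: sig["depth"]]
        if sig["content"] in window:
            return sig["msg"]
    return None

def run_pipeline(packets):
    fw = StatefulFirewall()
    verdicts = []
    for pkt in packets:
        if acl_decision(pkt) == "deny":
            verdicts.append("deny (acl)")
        elif fw.process(pkt) == "deny":
            verdicts.append("deny (state)")
        elif (hit := inspect_layer7(pkt)) == "opaque":
            verdicts.append("allow (encrypted, not inspected)")
        elif hit:
            verdicts.append(f"deny (sig: {hit})")
        else:
            verdicts.append("allow")
    return verdicts

# Constructed traffic: 10.0.0.0/8 is inside, 198.51.100.0/24 is the internet.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "198.51.100.10", "tcp", 50000, 443, "S"),
    Packet("198.51.100.10", "10.0.0.5", "tcp", 443, 50000, "SA"),
    Packet("10.0.0.5", "198.51.100.10", "tcp", 50000, 443, "PA", b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 80, "S"),
    Packet("198.51.100.99", "10.0.0.7", "tcp", 443, 3389, "A"),       # ACK probe
    Packet("198.51.100.50", "10.0.0.10", "tcp", 51000, 80, "S"),
    Packet("198.51.100.50", "10.0.0.10", "tcp", 51000, 80, "PA", b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n\r\n"),
    Packet("10.0.0.5", "198.51.100.30", "tcp", 50002, 443, "S"),
    Packet("10.0.0.5", "198.51.100.30", "tcp", 50002, 443, "PA", b"\x13BitTorrent protocol" + b"\x00" * 28),
]
```

Calling `run_pipeline(SAMPLE_PACKETS)` shows each tier earning its keep: the ACK probe to port 3389 passes the stateless list (the "established" rule trusts a flag the attacker sets) and is stopped only by the connection table; the BitTorrent handshake rides port 443 past both header tiers and is caught only by payload inspection; and the TLS ClientHello passes through uninspected, which is exactly the gap that decryption on an NGFW is meant to close. A production engine would also tear down the flow entry when a signature fires; this demo leaves it in place for brevity.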
THE DOWNSIDE: OVERHEAD
As you can see, application layer firewalls require frequent signature updates and more powerful hardware, and they are orders of magnitude more complex. Producing one takes more staff, more research and development and more time to bring a product to market.
THE BIG PICTURE
Commercial NGFWs are expensive. If your organization can afford the initial cost, the subscription fees and a vendor-certified consultant or in-house staff to get it running, great: use one. If you can't, free and open source alternatives with excellent track records exist, and they are gaining traction with power users who want advanced features without buying prohibitively expensive appliances and yearly update subscriptions.
pfSense Community Edition and OPNsense are well known in the United States and Europe, both are hardened for security, and both are open source (pfSense Plus, the commercial edition, is not). Out of the box they are stateful firewalls rather than application layer firewalls; they take on the NGFW role through Suricata, which is built into OPNsense and installed as a package on pfSense (pfSense also offers Snort), fed by a ruleset such as the free Emerging Threats Open set or a paid subscription feed. They warrant a closer look if you're in the market for one.
