
NGFW - next-generation firewall

A next-generation firewall (NGFW) is part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS). Other techniques might also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection and third-party identity management integration (i.e. LDAP, RADIUS, Active Directory).

NGFWs include the typical functions of traditional firewalls such as packet filtering, network- and port-address translation (NAT), stateful inspection, and virtual private network (VPN) support. The goal of next-generation firewalls is to include more layers of the OSI model, improving filtering of network traffic that is dependent on the packet contents.

NGFWs perform deeper inspection compared to stateful inspection performed by the first- and second-generation firewalls. NGFWs use a more thorough inspection style, checking packet payloads and matching signatures for harmful activities such as exploitable attacks and malware.

Improved detection of encrypted applications and intrusion prevention service

Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services.

Stateful firewalls with simple packet filtering capabilities were efficient at blocking unwanted applications, as most applications met the port-protocol expectations. Administrators could promptly prevent users from accessing an unsafe application by blocking the associated ports and protocols. But today, blocking a web application like Farmville that uses port 80 by closing the port would also mean complications with the entire HTTP protocol.

Protection based on ports, protocols and IP addresses is no longer reliable or viable. This has led to the development of an identity-based security approach, which takes organizations a step ahead of conventional security appliances that bind security to IP addresses.

NGFWs offer administrators a deeper awareness of and control over individual applications, along with deeper inspection capabilities by the firewall. Administrators can create very granular "allow/deny" rules for controlling use of websites and applications in the network.

Comparison of products in the category NGFW - next-generation firewall

Compare: NG Firewall
Characteristics
  • Antivirus and antispyware functions
  • IDS/IPS availability
  • Functionalities: SSL VPN remote access; Application control; IPv4/IPv6 protocols; Hiding addresses with NAT; DHCP; Decrypting SSL traffic; IPSec Site to Site VPN tunnels; Stateful TCP/IP stack; URL filtering; Configuring static and dynamic routing
  • Bot protection
  • DDOS protection
  • Data Leak Prevention
  • Network behavior analysis support
  • Sandboxing support
  • Context-aware policy
  • Application level attacks protection (Application Intelligence)
  • Two-factor authentication (2FA)
  • Certificates based authentication
  • Available proxy modes: Reverse proxy; DNS proxy
  • Management: Bandwidth; Configuration console
  • Deployment options: High availability; Routed/Transparent mode; Virtualized environment
  • Integrations: Threat Intelligence; Active Directory; SIEM; IAM; AAA-servers; Network security policy management
  • OS and hardware

Suppliers NGFW - next-generation firewall

Cisco

Cisco Systems, Inc. is an American multinational corporation technology company headquartered in San Jose, California, that designs, manufactures and...
Vendor, Supplier

Forcepoint Company

Forcepoint, previously known as Websense and Raytheon|Websense, is an Austin-based company owned by US defense contractor Raytheon specializing in...
Vendor, Supplier

Juniper Networks

Juniper Networks is an American multinational corporation headquartered in Sunnyvale, California that develops and markets networking products. Its...
Vendor, Supplier

F.A.Q about NGFW - next-generation firewall

What is a next-generation firewall (NGFW)?

An NGFW contains all the normal defences that a traditional firewall has as well as a type of intrusion prevention software and application control, alongside other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place as a breach is usually indicative of malicious activity.

Application control software simply sets up a hard filter for programs that are trying to send or receive data over the Internet. This can either be done by blacklist (programs in the filter are blocked) or by whitelist (programs not in the filter are blocked).
