Emergence of Next-Gen Firewalls
The traditional stateful firewall has relied upon source and destination IP addresses, ports and layer 4 protocols. However, today’s applications no longer run on their own port numbers. For example, thousands of applications now tunnel over the HTTP and HTTPS protocols, so allowing HTTP and HTTPS and blocking everything else does not mean allowing web traffic only. Your network has become exposed to a whole new generation of applications which run over these protocols. Therefore it has become essential that we are able to detect applications based on their content, and this resulted in the concept of Next-Gen firewalls.
Next-Gen Firewall Definition Overview
A Next-Gen Firewall provides application control and visibility and comes built in with a list of thousands of applications defined by application signatures, which you are able to control and write rules for. A Next-Gen firewall provides the ability to create rules based on who the user is or which group they belong to, what applications (based on application content signatures and no longer just the port number) they have permission to use across the firewall, and optionally where they are allowed access to. For example, the IT department are allowed to FTP on to the DMZ servers, and everyone else is blocked.
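The following is an added illustration, not code from the article or from any vendor, of the difference the two paragraphs above describe: the same flows judged by a port-based stateful rule and by an application-aware rule set that matches on user group, content-identified application and destination zone. The signature table, rule table, group and zone names and sample flows are all constructed.

```python
# Constructed illustration (not vendor code): the same flow judged by a
# port-based stateful rule and by an application-aware rule set.
from dataclasses import dataclass

# Constructed content signatures: application -> payload prefixes that
# identify it. A real product ships thousands and also handles encrypted
# sessions; a handful of cleartext prefixes is enough to show the idea.
APP_SIGNATURES = {
    "web-browsing": (b"GET ", b"POST ", b"HEAD "),
    "ftp": (b"USER ", b"220 "),
    "ssh": (b"SSH-",),
}

def identify_app(payload: bytes) -> str:
    """Classify a flow by its content, not by its port."""
    for app, prefixes in APP_SIGNATURES.items():
        if payload.startswith(prefixes):
            return app
    return "unknown"

@dataclass(frozen=True)
class Flow:
    group: str      # user's group, e.g. "it" or "sales" (constructed)
    dst_zone: str   # e.g. "dmz" or "internet" (constructed)
    dst_port: int
    payload: bytes  # first bytes sent on the connection

def port_policy(flow: Flow) -> str:
    """Traditional stateful rule: allow tcp/80 and tcp/443, deny the rest."""
    return "allow" if flow.dst_port in (80, 443) else "deny"

# Application-aware rules, first match wins: (group, app, zone, action);
# None matches any group or zone. Anything unmatched is implicitly denied.
APP_RULES = [
    ("it", "ftp", "dmz", "allow"),           # IT may FTP to the DMZ servers
    (None, "web-browsing", None, "allow"),   # everyone may browse the web
]

def app_policy(flow: Flow) -> str:
    """Match on who (group), what (identified app) and where (zone)."""
    app = identify_app(flow.payload)
    for group, rule_app, zone, action in APP_RULES:
        if group in (None, flow.group) and rule_app == app and zone in (None, flow.dst_zone):
            return action
    return "deny"

if __name__ == "__main__":
    # SSH running on tcp/443: the port rule lets it through, the app rule does not.
    tunnel = Flow("sales", "internet", 443, b"SSH-2.0-OpenSSH_9.6\r\n")
    print(port_policy(tunnel), app_policy(tunnel))  # allow deny
```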
Next-Gen firewalls generally come with utilities that provide better visibility in relation to users and applications. So, for example, many vendors have introduced dashboard widgets on the home pages which show information such as the top 20 users of peer-to-peer applications, the top 10 applications used over a period of time, and so on. Granular reporting capabilities have also been built in to include user names and applications, and other utilities such as real-time traffic flows have been introduced.
UTM vs Next-Gen Firewalls
Now that we know the concepts of Next-Gen firewalls, we can compare UTM firewalls to Next-Gen firewalls.
Traditionally, UTMs started out as stateful firewalls and then evolved into UTM firewalls by adding layers of protection such as IPS, AV, web filtering, anti-spam and so on. Now some UTM vendors have built next generation functionality into their products: they have introduced the control of applications, application visibility and the ability to create rules based on users and applications.
Next-Gen firewalls, however, have been architected from scratch to provide a completely fresh and enhanced design, with control and visibility of applications as the focus point.
Looking at both sides of the argument
Palo Alto, who are a leading Next-Generation firewall vendor and have built their firewall on Next-Gen functionality from the ground up, say they have a true Next-Gen Firewall completely designed from scratch to provide this capability, whereas UTM vendors have had to bolt these features on to an old architecture, making them generally difficult to configure and generally slower than Next-Gen firewalls.
From the other side of the argument, Fortinet, who are a leading UTM vendor, say their firewall already has the capabilities of a Next-Gen firewall, and that it’s just another buzzword in the world of security. Fortinet’s opinion on a Next-Gen firewall is that it’s just another firewall providing a subset of the capabilities of a UTM firewall.
There is no answer to which one is the best and there never will be. The ultimate goal here is to provide better security based on the content of applications and better visibility so we are able to see what is occurring on the network.
Whether you should invest in a Next-Gen firewall or a UTM firewall should be based on your individual requirements and not on whether a firewall is labelled UTM or Next-Gen. In other words, ignore the terms “Next-Gen” and “UTM” and look for a firewall which meets the requirements of your network, within your budget, etc.