What to Look for in a Next-Generation Firewall

Intellect IT
4 min read · Sep 24, 2021

If your company uses any kind of technology that can access the internet, you are vulnerable to online threats and cyberattacks. Studies have found that small businesses are more attractive to cybercriminals because of the lack of security they put up around their systems. While a traditional firewall can protect your company from a number of cyberattacks and malicious websites, a next-generation firewall goes a step further and analyses even safe websites for dangerous links and potential attacks.

No two next-generation firewalls (NGFWs) are the same. When you are in the market for the best NGFW for your company, it helps to know the most important things to look out for. Note that different firewall providers may have their own names for the same thing, so get a thorough explanation of what each feature does to ensure you are adequately covered:

IDS/IPS

IDS and IPS, or intrusion detection and prevention systems, look at packets of data passing through the firewall to try to identify anything that looks like an attack. They use signatures, which are continuous sequences of bytes common to malware samples, to detect viruses and attacks known to the system. Because cybercriminals are constantly coming up with new forms of viruses and attacks, an IDS or IPS device can quickly become outdated unless its knowledge of known signatures is constantly updated. Ask your firewall provider how often the firewall is updated as part of your subscription service.
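The signature matching described above, as an added example that is not from the original article or any vendor's product. The signature names and byte sequences are constructed and harmless, and the `SignatureScanner` class and its methods are hypothetical. It shows two things the paragraph implies: a signature split across two packets is only caught if the scanner remembers the end of the previous payload, and a pattern missing from the signature set passes until an update adds it.

```python
from collections import defaultdict

# Constructed, harmless byte sequences standing in for vendor signatures.
SIGNATURES = {
    "SAMPLE-A": b"\xde\xad\xbe\xefEVIL",
    "SAMPLE-B": b"X5O!TEST-MARKER",
}


class SignatureScanner:
    """Match contiguous byte signatures in payloads, tracked per flow."""

    def __init__(self, signatures, prevent=False):
        self.signatures = dict(signatures)
        self.prevent = prevent            # False = IDS (alert), True = IPS (drop)
        self._tails = defaultdict(bytes)  # flow id -> trailing bytes already seen

    def update(self, new_signatures):
        """Model a signature update delivered by the vendor subscription."""
        self.signatures.update(new_signatures)

    def inspect(self, flow, payload):
        """Return (action, hits) for one packet payload of the given flow."""
        tail = self._tails[flow]
        hits = []
        for name, sig in self.signatures.items():
            n = len(sig) - 1
            # Prepend at most len(sig)-1 old bytes: enough to catch a signature
            # split across packets, too few to re-report an earlier match.
            window = (tail[-n:] if n > 0 else b"") + payload
            if sig in window:
                hits.append(name)
        keep = max((len(s) for s in self.signatures.values()), default=1) - 1
        self._tails[flow] = (tail + payload)[-keep:] if keep else b""
        if not hits:
            return "pass", []
        return ("drop" if self.prevent else "alert"), sorted(hits)


if __name__ == "__main__":
    ids = SignatureScanner(SIGNATURES)
    print(ids.inspect("flow-1", b"data\xde\xad\xbe"))   # first half only
    print(ids.inspect("flow-1", b"\xefEVIL rest"))      # completes SAMPLE-A
```

Real engines add protocol decoding and TCP reassembly on top of this, but the dependence on an up-to-date signature set is the same.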

Geolocation

Because so many employees today are working remotely from their own home networks due to lockdowns, it can be difficult to block IP addresses without accidentally blocking one of your own employees from accessing the system. Using geolocation, a next-generation firewall can restrict access from locations where you know none of your employees could possibly be working.

Geolocation also allows you to create NAT (Network Address Translation) rules that can help you direct traffic from different areas to different servers. This ability of a firewall can also become outdated very quickly because IP address allocations change very frequently, and regular updates are necessary to keep it current.

Antivirus software

Of course, any next-generation firewall worth its salt will come with antivirus software. Any file or data that is uploaded or downloaded passes through the firewall, and the antivirus software looks at checksums, does a signature-based analysis and scans the file or data for known malware patterns.

URL checking and web proxy

A major feature that next-generation firewalls provide is a URL checker or full web proxy service.

A web proxy decrypts encrypted HTTPS sessions from both the web-browsing computer and the web server, and can detect any malicious activity. A URL checker, on the other hand, does not decrypt a session but uses the website's information to match it against a database of known malware codes to decide if a website is safe to browse. If a website has previously been flagged as malicious, it will warn the user trying to enter it, or block the user from using the website outright.

Reverse proxy

In contrast to a web proxy, which sits in front of a web browser and protects it from malicious websites, a reverse proxy sits in front of a web server and protects it from malicious browsers. It protects a weak and insecure web server from attackers.

Stateful inspection (Dynamic Packet Filtering)

While a traditional firewall also has a stateful inspection or dynamic packet filtering feature, it only tracks traffic from Layer 3 to Layer 4. On the other hand, the stateful inspection feature of a next-generation firewall provides tracking facilities from Layer 2 to Layer 7, and even Layer 8 in some cases. This allows for more complete control over the network traffic of an organisation, allowing it to provide more security to its systems.

The next time you're on the lookout for a good next-generation firewall, consider the features above and ask the provider about any other features the firewall may provide. Many providers may have a basic firewall which covers some of these features, while others may be add-ons. It is important to know exactly what each feature does and whether it is an integral part of the firewall or an add-on, so you get the best bang for your buck!

Written by Intellect IT

Intellect IT provides business IT and communication solutions and end to end IT support services in Melbourne, Australia. Visit: http://www.intellectit.com.au/