Engineers from La Salle-URL share the latest news and projects in the field of network solutions in telematic engineering.

05 April 2022 | Posted by userDataCenter

NGFWs and their limitations: the evolution of the evolution

Good morning, colleagues! In today's post we will talk about the revolution that NGFWs represent and their limitations.

The arrival of NGFWs on the market has been a great revolution in the world of security. Older firewalls could only reach layer 4: they filtered by destination and port, monitored the network and mapped IPs, but could not analyse the content of the packets. This leaves a big security gap that hackers do not hesitate to exploit to introduce malware in files or perform other types of attacks. Given this major weakness, few companies use this type of firewall any more: they have all evolved to NGFW.

An NGFW allows packets to be analysed up to the highest layer, layer 7. Thanks to this, address filtering can be applied as it would be with an older firewall, and packet inspectors can additionally be used to check that the packets do not contain any malware. This technology also offers the possibility of implementing intrusion prevention systems and gaining visibility across the entire attack surface. It follows from all these features that this type of firewall is considerably more expensive than a conventional one, but it is worth remembering that the extra price paid goes towards an exponential increase in security and greater processing power.

However, NGFWs do not prevent 100% of network attacks, as every device has its limitations. On the one hand, studies have shown that the performance of such devices decreases dramatically when they have to process SSL traffic, to the point of adding significant network downtime. This forces organizations that rely on an NGFW alone into a trade-off: either allow SSL traffic to bypass the firewall and accept the security risks involved, or deal with reduced network availability and the potential to interfere with mission-critical tasks. On the other hand, the NGFW shows shortcomings when it comes to tracking users to their devices, since it is unable to take all network-specific protocols and proxy settings into consideration. So what alternatives are there on the market today for companies to remedy problems such as those seen above? One possibility could be Secure Web Gateways.
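The gap between layer 4 filtering and layer 7 inspection described above, and the blind spot left when SSL traffic is not inspected, as an added example that is not part of the original post. The rule set, the helper names and the sample flows are all constructed for illustration and do not reflect any vendor's implementation.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first bytes of application data (constructed samples)

# Hypothetical layer 4 policy: allowed (destination, port) pairs.
L4_ALLOW = {("203.0.113.10", 80), ("203.0.113.10", 443)}

def l4_verdict(flow):
    """Classic firewall: decides on destination and port only."""
    return "allow" if (flow.dst_ip, flow.dst_port) in L4_ALLOW else "deny"

def l7_verdict(flow):
    """NGFW-style check: apply the L4 rule, then look inside the payload."""
    if l4_verdict(flow) == "deny":
        return "deny"
    data = flow.payload
    # TLS record: type 0x16 (handshake) or 0x17 (application data), version 0x03xx.
    if len(data) >= 3 and data[0] in (0x16, 0x17) and data[1] == 0x03:
        return "opaque-tls"  # content is unreadable unless the device decrypts it
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep or b"HTTP/1." not in head.split(b"\r\n")[0]:
        return "deny"  # not the protocol expected on this port
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # Body begins with a Windows executable header but is declared as an image.
    if body.startswith(b"MZ") and headers.get(b"content-type", b"").startswith(b"image/"):
        return "block-content-mismatch"
    return "allow"

# Constructed sample flows (documentation address range, made-up payloads).
SAMPLES = {
    "web request": Flow("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "disguised upload": Flow("203.0.113.10", 80, b"POST /up HTTP/1.1\r\nContent-Type: image/png\r\n\r\nMZ\x90\x00"),
    "other protocol on 80": Flow("203.0.113.10", 80, b"SSH-2.0-client\r\n"),
    "tls session": Flow("203.0.113.10", 443, b"\x16\x03\x01\x00\x05hello"),
    "unlisted port": Flow("203.0.113.10", 23, b""),
}

def compare():
    return {name: (l4_verdict(f), l7_verdict(f)) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (l4, l7) in compare().items():
        print(f"{name:22} L4={l4:6} L7={l7}")
```

The `opaque-tls` verdict marks the decision the post describes: the device either decrypts the session and pays the performance cost, or lets the content through uninspected.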

At first glance, the difference between NGFWs and SWGs may seem rather small: both analyse incoming and outgoing network content, evaluate the origin and purpose of such content, and work for perimeter security, among other things. But even with the additional functionalities that an NGFW has, it still shows the performance limitations seen above. Many SWGs are tailored to add the missing features to the gateway's capabilities without hindering performance or increasing network complexity. Returning to the previous example of SSL traffic, the Distributed Gateway Platform offers the ability to examine this type of data while identifying priority traffic and regulating it as needed, avoiding network impacts, especially during peak business hours. SWGs therefore not only outperform NGFWs when it comes to acting as a network gatekeeper, but also complement them by filling the gaps that still exist even after this latest evolution from classic firewalls, ensuring a revolutionary layered approach to cybersecurity for the organizations that adopt it.

In view of the project to be carried out in the "Network Management and Planning" subject, we will do further research on the inclusion of the devices seen here, considering which aspects could be taken into account, and we will keep you informed of the progress made in subsequent posts. Thank you very much for the time spent reading us!

Arturo Moseguí and Enric Sasselli

Comments

In this article on cybersecurity in the CPD, it is clear that in current CPDs an NGFW or SWG is required to give minimal guarantees in terms of security. These are more advanced devices or services that analyze the traffic of all layers and, therefore, they get more security.

Eduard Leccha Puig.
