
What is a Next Generation Firewall?

A Next Generation Firewall (NGFW) is a security device that evolved from the stateful firewall and is application aware: it recognises and blocks applications by the patterns and fingerprints peculiar to the application itself, rather than by the port the application happens to use. Its security paradigm is to stop users from bypassing the layer of defense with well-known tricks such as running a disallowed application over standard ports that are known to be accepted (443, for instance), or tunnelling through anonymising proxies such as the well-known Tor network.


  • A traditional firewall enforces access control on the (IP address, port number, protocol type) tuple: in that security model, policies allow or deny specific protocols for specific IP addresses.
  • A Next Generation Firewall enforces the (user, application) paradigm instead: policies allow or deny specific applications for specific users, user groups, domains or security zones, whatever port the application is carried on.
  • Users and groups are authenticated against external repositories (Active Directory, LDAP or RADIUS), so policy can be written in terms of identities rather than addresses. This is what is called the Identity Awareness feature.
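To make the two policy models concrete, here is an added example (not part of the original post) of a toy policy engine in Python. It evaluates the same sessions against a traditional rule base keyed on (source network, destination port, protocol) and against an NGFW rule base keyed on (user group, application), where the application is identified from the first bytes of the session rather than from the port. The hosts, users, groups, rule sets and sample sessions are all constructed; the fingerprints for TLS, SSH and BitTorrent are the real opening bytes of those protocols, but the identification is deliberately simplistic compared with a vendor's application-identification engine.

```python
"""Added example, not from the original post: a toy policy engine contrasting a
traditional 5-tuple rule base with an NGFW (user group, application) rule base.
Hosts, users, groups, rules and sample sessions are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    user: str          # identity already resolved from AD/LDAP/RADIUS (assumed)
    groups: frozenset  # group memberships of that user
    payload: bytes     # first bytes of the session, used for app identification


# Wire-level fingerprints (real opening bytes, but only the simplest check):
# a TLS record starts with 0x16 0x03, SSH with its banner, a BitTorrent handshake
# with the length byte 0x13 followed by "BitTorrent protocol". First match wins.
APP_FINGERPRINTS = {
    "web-browsing": lambda p: p.startswith((b"GET ", b"POST ")),
    "ssl": lambda p: p[:2] == b"\x16\x03",
    "bittorrent": lambda p: p[:20] == b"\x13BitTorrent protocol",
    "ssh": lambda p: p.startswith(b"SSH-"),
}

DEFAULT_ACTION = "deny"

# Traditional model: (source network, destination port, protocol, action), first match wins.
TRADITIONAL_RULES = [
    ("10.0.0.0/8", 443, "tcp", "allow"),
    ("10.0.0.0/8", 80, "tcp", "allow"),
    ("10.0.0.0/8", 6881, "tcp", "deny"),   # the classic BitTorrent port
]

# NGFW model: (user group, application, action), first match wins; "any" is a wildcard.
NGFW_RULES = [
    ("staff", "web-browsing", "allow"),
    ("staff", "ssl", "allow"),
    ("it-admins", "ssh", "allow"),
    ("any", "bittorrent", "deny"),
]


def identify_app(payload):
    """Return the application whose fingerprint matches the session start, or "unknown"."""
    for app, matches in APP_FINGERPRINTS.items():
        if matches(payload):
            return app
    return "unknown"


def traditional_decision(flow, rules=TRADITIONAL_RULES):
    """Classic access control: only addresses, port and protocol are looked at."""
    src = ipaddress.ip_address(flow.src_ip)
    for net, port, proto, action in rules:
        if src in ipaddress.ip_network(net) and flow.dst_port == port and flow.proto == proto:
            return action
    return DEFAULT_ACTION


def ngfw_decision(flow, rules=NGFW_RULES):
    """NGFW access control: who the user is and which application is being spoken,
    regardless of the destination port."""
    app = identify_app(flow.payload)
    for group, rule_app, action in rules:
        if group != "any" and group not in flow.groups:
            continue
        if rule_app != "any" and rule_app != app:
            continue
        return action
    return DEFAULT_ACTION


STAFF, ADMINS = frozenset({"staff"}), frozenset({"it-admins"})
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # start of a TLS ClientHello
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

# Constructed sessions: four of them go to port 443, which the traditional rule base
# has to allow for HTTPS to work at all.
SAMPLE_FLOWS = {
    "alice-https": Flow("10.1.2.3", "203.0.113.10", 443, "tcp", "alice", STAFF, TLS_HELLO),
    "alice-torrent-on-443": Flow("10.1.2.3", "198.51.100.7", 443, "tcp", "alice", STAFF, BT_HANDSHAKE),
    "alice-torrent-on-6881": Flow("10.1.2.3", "198.51.100.7", 6881, "tcp", "alice", STAFF, BT_HANDSHAKE),
    "alice-ssh-on-443": Flow("10.1.2.3", "198.51.100.9", 443, "tcp", "alice", STAFF, SSH_BANNER),
    "bob-ssh-on-443": Flow("10.1.2.4", "198.51.100.9", 443, "tcp", "bob", ADMINS, SSH_BANNER),
}


def decide(name):
    """Return (traditional verdict, NGFW verdict) for a named sample session."""
    flow = SAMPLE_FLOWS[name]
    return traditional_decision(flow), ngfw_decision(flow)


if __name__ == "__main__":
    for name in SAMPLE_FLOWS:
        trad, ngfw = decide(name)
        print(f"{name:24s} traditional={trad:5s} ngfw={ngfw}")
```

The point of the sample sessions is the port-443 column: the traditional rule base has to say "allow" to every one of them, because it cannot tell a TLS handshake from a BitTorrent handshake or an SSH banner; the NGFW rule base lets Alice's HTTPS through, lets Bob (an IT admin) run SSH, and denies Alice's BitTorrent and SSH even though they use the "accepted" port.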

What is a Web Application Firewall?

A Web Application Firewall (WAF) is a security device whose main task is to protect web servers and web applications by inspecting the HTTP/HTTPS traffic flowing to them for typical layer-7 attacks such as SQL injection, buffer overflows, cross-site scripting (XSS), file inclusion, cookie poisoning, schema poisoning, defacement and so on.

  • Web application firewalls also provide some protection against application-layer DDoS, but they do not enforce access control in the traditional meaning of the term.
  • They only protect the server farm behind them, using signature-based, anomaly-based or reputation-based detection; unlike a network IPS, they focus exclusively on HTTP/HTTPS.
  • They act as a reverse proxy and, because they can inspect HTTPS traffic (the target server's original certificate, together with its private key, is imported onto the WAF so that it can terminate TLS), they may also perform other functions such as SSL offloading and server load balancing.
  • Also important: a web application firewall does not inspect (and should not forward) any traffic other than HTTP/HTTPS.

What is the difference between a NGFW and a WAF?

This is the million dollar question: a NGFW is a user- and application-oriented firewall, whereas a WAF is a server- and HTTP/HTTPS-oriented security device.

  • They are very different as far as their role and deployment are concerned: the usual deployment for a NGFW is at the perimeter, protecting outgoing traffic from misuse by users, while the only sensible deployment for a WAF is in front of the target server farm, protecting incoming HTTP/HTTPS traffic.
  • The typical location for a WAF is in a dedicated DMZ, necessarily behind a traditional firewall that should deny any traffic other than HTTP/HTTPS towards the web servers.

 

If we want to deploy a NGFW, do we need to deploy it in conjunction with a traditional firewall? 

It depends. The original NGFWs were conceived as dedicated devices, preferably deployed alongside a "traditional" stateful firewall.

The current technology trend is to bring application control on top of stateful inspection (and UTM) functions, so nearly all security vendors are now able to provide application visibility and control either as native functions or with additional licenses; in that case a separate stateful firewall is no longer required.

Seen from another angle, application control is simply stateful inspection brought up to layer 7 of the OSI model: the device still tracks connection state, but the matching criterion becomes the identified application rather than the port.

What if we want to deploy a WAF, do we need to deploy it in conjunction with a traditional firewall?

Absolutely yes. A WAF does not provide access control, nor is it capable of inspecting protocols other than HTTP/HTTPS (by default it will not even forward them), so a traditional firewall must sit in front of it to handle everything else.

If we have an IPS, do we need a WAF as well?

A traditional network IPS scans all the traffic on the network, so it cannot have the same granularity and depth for HTTP/HTTPS threats as a WAF.

  • IPSs check traffic against signatures and anomalies; WAFs check the behaviour and logic of what is requested and returned, that is, whether a request fits the way the application is meant to be used. A WAF acts as a reverse proxy (although, like an IPS, several WAF products can also operate in passive mode), whereas an IPS typically listens to traffic in transparent mode.
  • Web application firewalls are a special breed of product, built to detect attacks against web applications in more depth than an intrusion prevention system can.
  • WAFs can be used in our environments to provide enhanced protection to web applications and servers. Using a WAF is a good way to augment our IPSs and add another layer of protection to a defense-in-depth architecture.
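The following added example (not part of the original post) illustrates two points made above: the WAF section's statement that a WAF uses signature or anomaly detection and drops anything that is not HTTP, and this section's contrast between an IPS checking traffic against signatures and a WAF checking the logic of what the application is asked to do. It is a minimal HTTP request inspector in Python that runs a negative model (generic attack signatures, the IPS-style check) and a positive model (only the routes, parameters and value formats the protected application actually uses, the WAF-style check) over the same requests. The routes, signatures and sample requests are constructed; the positive model here is hand-written, whereas a real WAF is configured with it or learns it from the application.

```python
"""Added example, not from the original post: a minimal HTTP request inspector that
contrasts a negative model (generic attack signatures, IPS-style) with a positive model
(the protected application's own routes and parameter schemas, WAF-style) and that
drops anything which is not HTTP at all. Routes, signatures and requests are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Negative model: generic signatures, independent of the application behind the WAF.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script\b", re.IGNORECASE),
    "lfi-traversal": re.compile(r"\.\./"),
}

# Positive model: what the protected application accepts, per (method, path).
# Constructed here; a real WAF is configured with (or learns) this from the application.
ROUTES = {
    ("GET", "/product"): {"id": re.compile(r"^\d{1,6}$")},
    ("POST", "/login"): {
        "user": re.compile(r"^[a-z0-9_.]{1,32}$"),
        "password": re.compile(r"^.{8,128}$"),
    },
}

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Return (method, path, params) for an HTTP/1.x request, or None when the bytes are
    not HTTP at all. Query-string and (for POST) form-body parameters are URL-decoded."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    match = REQUEST_LINE.match(head.split("\r\n")[0])
    if not match:
        return None
    method, target = match.group(1), match.group(2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    return method, parts.path, params


def signature_verdict(params):
    """IPS-style check: does any decoded parameter value match a known-bad pattern?"""
    for name, values in params.items():
        for value in values:
            for sig, pattern in SIGNATURES.items():
                if pattern.search(value):
                    return f"signature {sig} in parameter {name}"
    return None


def positive_verdict(method, path, params):
    """WAF-style check: an unknown route, an unexpected parameter or an out-of-schema
    value is a violation even if no signature fires."""
    schema = ROUTES.get((method, path))
    if schema is None:
        return f"unknown route {method} {path}"
    for name, values in params.items():
        if name not in schema:
            return f"unexpected parameter {name}"
        for value in values:
            if not schema[name].match(value):
                return f"parameter {name} violates the application schema"
    return None


def inspect_request(raw):
    """Full decision for one raw request. Non-HTTP bytes are dropped, never forwarded."""
    parsed = parse_request(raw)
    if parsed is None:
        return {"allowed": False, "signature": None, "positive_model": "not HTTP, dropped"}
    method, path, params = parsed
    sig = signature_verdict(params)
    pos = positive_verdict(method, path, params)
    return {"allowed": sig is None and pos is None, "signature": sig, "positive_model": pos}


# Constructed sample traffic.
LEGIT = b"GET /product?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
CLASSIC_SQLI = b"GET /product?id=1'%20or%20'1'%3d'1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
QUIET_SQLI = b"GET /product?id=1%20or%201%3d1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
EXTRA_PARAM = b"GET /product?id=42&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
LOGIN = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=alice&password=correct-horse-battery")
NOT_HTTP = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("classic sqli", CLASSIC_SQLI), ("quiet sqli", QUIET_SQLI),
                       ("extra param", EXTRA_PARAM), ("login", LOGIN), ("not http", NOT_HTTP)]:
        print(f"{label:13s} {inspect_request(raw)}")
```

The interesting case is QUIET_SQLI: the decoded value "1 or 1=1" contains no quote, so none of the generic signatures fires, yet the positive model rejects it at once because the application's `id` parameter is defined as a short string of digits. That is the "behaviour and logic" check a WAF adds on top of what a signature-driven IPS sees; the NOT_HTTP case shows the other rule, that non-HTTP bytes are dropped rather than forwarded.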

So definitively when do we need to deploy a NGFW and when do we need to deploy a WAF?

  • Deploy a NGFW when you want to protect your network from misuse by users: avoiding bandwidth hogging and the use of insecure applications that could bring malware inside the organization.
  • Deploy a WAF, in conjunction with a traditional firewall, IPS or UTM, when you have to protect your web applications (and, indirectly, the back-end databases behind them) from HTTP/HTTPS threats.

So, in the end, if you need to raise your security level you do not have to choose between a WAF and a NGFW, but simply decide which device best fits your needs. The following table may be helpful!


Post Author: Noha Nabil Mohamed, Network Security Engineer, QNB Group

This post was initially posted here and has been reproduced with permission.
