Next-Generation Firewalls

The term “next-generation firewall” (NGFW) was defined by Gartner in 2009, but the concept has been taking shape for years. NGFWs go beyond stateful inspection to provide application-level visibility and control that traditional firewalls cannot deliver.

What Makes a Firewall “Next-Generation”?

Gartner’s definition requires an NGFW to include: standard firewall capabilities (stateful inspection, NAT, VPN), application identification and full-stack visibility, integrated IPS, extra-firewall intelligence (directory services integration for user-based policies), and support for future updates without disruption.

Application Identification

The signature capability of an NGFW is application identification. Traditional firewalls control traffic based on port and protocol — a rule that allows port 80 allows all HTTP traffic, and anything else that is tunneled over that port. NGFWs identify the application generating the traffic regardless of port, so you can allow web browsing while blocking Skype even if it’s running on port 80.

User Identity

By integrating with Active Directory or LDAP, NGFWs can create policies based on user identity rather than IP address. You can allow the IT department to access cloud storage services while blocking the same access for other departments — even though they share the same IP subnet.
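To make the two points above concrete, here is a toy policy engine, added for this article and not taken from any vendor product, that evaluates the same flows with a traditional port-based rule and with NGFW-style (user group, application) rules. The application signatures, the IP-to-user directory mapping standing in for an AD/LDAP lookup, and the sample flows are all constructed; a real NGFW classifier is far richer than the few byte patterns used here.

```python
"""Toy comparison of a port-based firewall rule with NGFW-style app + user rules.

Added example for this article; it is not code from any vendor product.
The application signatures, directory mapping and flows are all constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# HTTP request line; real NGFW classifiers are far richer than this.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]$")

# Constructed stand-ins for an AD/LDAP lookup: who is behind which IP, and
# which department they belong to. All hosts sit in the same 10.1.1.0/24 subnet.
IP_TO_USER = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
USER_TO_GROUP = {"alice": "IT", "bob": "Sales"}

# NGFW rules: (group, application, action). First match wins, default deny.
NGFW_RULES: List[Tuple[str, str, str]] = [
    ("IT", "cloud-storage", "allow"),   # only IT may reach cloud storage
    ("*", "cloud-storage", "deny"),
    ("*", "skype", "deny"),             # blocked whatever port it rides on
    ("*", "web-browsing", "allow"),
]


@dataclass
class Flow:
    name: str        # label for the sample only
    src_ip: str
    dst_port: int
    payload: bytes   # first bytes the client sent


def identify_app(payload: bytes) -> str:
    """Classify a flow by its payload, ignoring the destination port."""
    # Constructed marker; real Skype framing is not identified this way.
    if payload.startswith(b"SKYPE-SIM/"):
        return "skype"
    lines = payload.split(b"\r\n")
    if REQUEST_LINE.match(lines[0]):
        for line in lines[1:]:
            if not line:          # blank line ends the headers
                break
            header, _, value = line.partition(b":")
            if header.strip().lower() == b"host":
                host = value.strip().lower()
                # Constructed domain standing in for a cloud storage provider.
                if host.endswith(b"storage.example"):
                    return "cloud-storage"
                return "web-browsing"
        return "web-browsing"
    return "unknown"


def port_firewall(flow: Flow) -> str:
    """Traditional stateful rule: permit TCP/80 and TCP/443, deny the rest."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def ngfw_policy(flow: Flow) -> str:
    """NGFW rule: decide on (user group, identified application)."""
    app = identify_app(flow.payload)
    group = USER_TO_GROUP.get(IP_TO_USER.get(flow.src_ip, ""), "unknown")
    for rule_group, rule_app, action in NGFW_RULES:
        if rule_group in ("*", group) and rule_app == app:
            return action
    return "deny"


def evaluate(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (flow name, port-firewall verdict, NGFW verdict) for each flow."""
    return [(f.name, port_firewall(f), ngfw_policy(f)) for f in flows]


# Constructed sample flows: everything rides TCP/80, so the port-based rule
# allows all of them while the NGFW reaches different decisions.
SAMPLE_FLOWS = [
    Flow("alice-cloud", "10.1.1.10", 80,
         b"GET /sync HTTP/1.1\r\nHost: files.storage.example\r\n\r\n"),
    Flow("bob-cloud", "10.1.1.11", 80,
         b"GET /sync HTTP/1.1\r\nHost: files.storage.example\r\n\r\n"),
    Flow("bob-skype-on-80", "10.1.1.11", 80, b"SKYPE-SIM/1.0 HELLO\r\n"),
    Flow("bob-browsing", "10.1.1.11", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for name, port_verdict, ngfw_verdict in evaluate(SAMPLE_FLOWS):
        print(f"{name:18} port-firewall={port_verdict:5} ngfw={ngfw_verdict}")
```

All four sample flows go to port 80, so the port-based rule allows every one of them; the NGFW rules permit Alice (IT) to reach cloud storage, deny the same request from Bob (Sales) on the same subnet, deny the Skype-marked flow despite its port, and allow ordinary browsing. Unmapped source addresses fall into an "unknown" group and only match the wildcard rules, which is the sensible default when the directory lookup fails.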
