Gary Sockrider
Director, Security Solutions
What is a Next-Generation Firewall (NGFW)?
Next-generation firewalls (NGFW) represent a significant advancement in cybersecurity. This stateful security appliance is designed to protect against a wide range of modern cyberattacks. It builds upon the traditional firewall by incorporating additional defensive layers and capabilities, such as application-level inspection, advanced intrusion prevention, filtering, intelligence, and reporting. While combining this functionality into a single solution sounds good, there can be considerable downsides. All this functionality requires significant resources and if every feature is enabled the cost can be enormous both in terms of hardware (CPU, memory, storage, etc.) and software licensing.
An NGFW can provide stout defenses against many types of attacks. However, they struggle to defend against state-exhaustion DDoS attacks as a stateful device. This requires a stateless solution positioned outside of the firewall to provide extra defense, preserving availability.
The Role of Next-Generation Firewalls in Modern Cybersecurity
The NGFW can detect many types of cyber threats quickly and effectively. This swift detection enables enterprises to keep their networks functioning properly and securely. Powered by deep packet inspection (DPI), NGFWs can detect and block suspicious traffic from entering a network.
NGFWs are proficient in defending against many zero-day attacks and advanced malware. By detecting the actions of potentially malicious traffic, the intelligence NGFWs utilize can often identify and block malicious traffic based on behavior. However, once a state exhaustion DDoS attack is launched against an NGFW, they struggle to keep up. This is combated by integrating the NGFW with an advanced DDoS protection solution to protect the network from several types of cyber threats.
Essential Considerations for NGFWs
Enterprises must consider the risks when relying solely on stateful solutions to defend networks. Stateful devices have finite storage capabilities in their state tables, which DDoS attacks can rapidly overwhelm. Whether the NGFW is hardware-based or software-based, it needs supplemental protection from a stateless appliance in order to provide maximum protection.
Next-Gen Firewalls and DDoS Attacks
As state exhaustion DDoS attacks are launched against NGFWs, their state tables rapidly fill up with bogus TCP connection requests. In order to proxy the connections, the firewall is required to maintain a record of every request in the state table until the three-way TCP handshake is completed or times out. Once the state tables are full, they are unable to accept any new connection requests, thus preventing all legitimate traffic from passing. Pairing a powerful NGFW with a stateless solution, like NETSCOUT Arbor Edge Defense (AED), is the best way to reap the benefits of an NGFW without allowing your enterprise network to be vulnerable to DDoS attacks.
Why You Need an NGFW...and more!
NGFWs keep your network safe from several types of cyberattacks, making them a necessary component of any cybersecurity stack. That said, they are not a "silver bullet" for combatting all types of attacks against your network and applications. To build a robust security tool stack, an enterprise should pair an NGFW with AED to accomplish the goal of protecting the network from common threats, including DDoS attacks. Additionally, AED can offload a sizable portion of the firewall’s workload, delivering a more efficient, effective solution while also reducing overall cost.