A next-generation firewall not only offers more security but also helps with the consolidation of existing security systems. At the end of the day, it also helps to eliminate unnecessary costs.

IT security is almost unrecognisable compared to the situation just a few years ago. The networks used by companies are in a constant state of change. There are new applications and services to be integrated. And then there are innovations such as the Internet of Things and cloud computing, plus an ever-growing number of users who need to securely access the IT environment from both inside and outside, using an ever-expanding collection of devices. And of course, we mustn’t forget the constantly high pressure from cyber-attackers, to which no network is immune. Both criminal and, in some cases, state-sponsored hackers are constantly trying to find gaps in established lines of defence and exploit them for their own purposes.

Security also at application level

In most cases, conventional firewalls are no longer able to handle these radical changes in the environment. Vendors such as Cisco Systems, Palo Alto Networks and Juniper Networks have reacted and developed new firewalls that not only guard ports and protocols but also cover the application layer in their protective measures. Modern next-generation firewalls (NGFWs) also examine the content of the transmitted data stream and no longer rely on largely rigid rules previously used for permitting and forbidding connections.

In the last few years, numerous new functions have been developed to protect networks more effectively against attackers. Classical packet filters and Network Address Translation (NAT) were followed by Stateful Inspection and the possibility of dynamic packet filtering. The next step was the development of UTM (Unified Threat Management) appliances, which no longer only served as a firewall but, for the first time, also covered antivirus, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), VPN (Virtual Private Networking), content filters and even load balancing.

However, it was not long before performance issues emerged. That is why UTM appliances are still mainly aimed at small and medium-sized enterprises (SMEs). Next-generation firewalls were developed for larger enterprises. They provide much more performance and throughput, and they focus on inspection of the application layer or Layer 7. In addition, they cover the Network Layer, Transport Layer, Session Layer and Presentation Layer, that is to say, all layers from three to seven in the OSI (Open Systems Interconnection) model, which means they ensure comprehensive protection.

In our capacity as specialists for the products of Cisco Systems, Palo Alto Networks and Juniper Networks, we have prepared an initial overview of the portfolio of the three leading network and security vendors, which we present below.

Next-generation firewalls from Cisco Systems

Cisco’s products range from relatively small NGFW solutions like the ASA-5500X through to offers for service providers and larger computer centres such as the FirePOWER 9000 Series. The ASA-5500X features a firewall throughput of up to 1,750 MBit/s and a threat inspection rate of up to 1,250 MBit/s and is aimed at small to medium-sized enterprises as well as larger firms wishing to protect their branches. Besides the stateful firewall, these NGFWs also support Application Visibility and Control, NGIPS (Next-Generation Intrusion Prevention System), Advanced Malware Protection and URL filtering.

The FirePOWER Series is aimed at larger enterprises requiring a firewall throughput of 2 to 225 GBit/s and threat inspection of 2 to 90 GBit/s. In addition to the functions provided by the ASA-5500X, this product also features dedicated protection against DDoS attacks, for example.

The Cisco Adaptive Security Virtual Appliance (ASAv) and the Cisco Next-Generation Firewall Virtual (NGFWv) are suitable for Software-Defined Networks and virtual infrastructures. They have been optimised for the Cloud (for example AWS and Azure) and heterogeneous computer centre environments; they also support virtual solutions from VMware, Hyper-V and KVM. The throughput of this firewall solution reaches up to 10 GBit/s.

Next-generation firewalls from Palo Alto Networks

Palo Alto Networks was founded in the United States in 2005 and specialises in network security and firewalls with a clear focus on NGFWs. The Palo Alto Networks portfolio ranges from NGFW appliances for SMEs up to high-performance solutions for service providers and large computer centres. The smallest model is currently the PA-200, which achieves a firewall throughput of 100 MBit/s and a threat prevention throughput of 50 MBit/s. Further appliances in this performance class are the PA-220 and PA-500, which provide up to 500 MBit/s in firewall throughput and up to 150 MBit/s in threat prevention throughput.

Palo Alto Networks has a particularly large number of models in the medium range, and it is impossible to list them all here. Here are a few examples: PA-850 with a firewall throughput of up to 1.9 GBit/s and a threat prevention throughput of up to 780 MBit/s and, at the top end of the scale, the PA-5280, whose firewall performance is 68 GBit/s and threat prevention performance up to 30 GBit/s. The NGFWs of the PA-7000 Series are high-end devices that achieve up to 200 GBit/s in their firewall throughput and up to 100 GBit/s in threat prevention.

Palo Alto Networks also offers NGFWs such as the VM-50, VM-100 and VM-700. They provide a performance of up to 16 GBit/s in firewall throughput and up to 8 GBit/s in threat prevention throughput. They support VMware NSX, ESXi and vCloud Air. If they wish, customers can also obtain these services directly from the Cloud using the GlobalProtect Cloud Service, which enables NGFW protection for employees on the road.

Next-generation firewalls from Juniper Networks

Juniper Networks is a further manufacturer with a broad range of next-generation firewalls. After Cisco Systems, it is the world’s second largest supplier of network equipment. Even the entry-level NGFWs in the SRX300 Series achieve a firewall throughput between 1 and 5 GBit/s. That makes the appliances suitable for smaller to medium-sized enterprises as well as for branches of larger firms spread over a large area. Juniper Networks’ product range also includes the SRX550 and SRX1500, which feature a throughput of 5.5 to 10 GBit/s. The SRX4000 is available in two versions, with firewall throughputs of 20 and 40 GBit/s.

Moreover, Juniper Networks has even more powerful solutions in its portfolio. The SRX5400 achieves 65 GBit/s, the SRX4600 95 GBit/s, the SRX5600 130 GBit/s and the SRX5800 an impressive 320 GBit/s. Thanks to the Express Path mechanism offered by Juniper Networks, even 2 TByte/s can be reached. The latter devices are therefore suitable for high-end computer centres, extensive collections of IoT devices and for the new 5G networks. Furthermore, the NGFWs from Juniper Networks are equipped with extended functions such as IPS, antivirus, antispam and URL filtering.

The manufacturer also offers virtual versions of its NGFW solutions. On the one hand, there is the vSRX Virtual Firewall, which provides the same functions as the physical products but is much more scalable and supports speeds up to 100 GBit/s. On the other hand, Juniper Networks also supplies the cSRX Container Firewall for container environments based on Docker. In comparison to the virtual version, this option impresses with a lower overhead and a smaller footprint.

Conclusion

Next-generation firewalls provide considerable added value compared to classical solutions for protecting the perimeter, whose concept is now seen as out of date. Besides the classical firewall functions, modern NGFWs also cover antivirus, antispam, IPS, IDS, VPN and a whole lot more – while delivering a high level of performance, as the vendors Cisco Systems, Palo Alto Networks and Juniper Networks prove with their products.

A next-generation firewall raises security in your network to the next level. Contact us, and we will help you to choose the most appropriate NGFW solution for your enterprise.