Next-generation firewall (NGFW) vs. traditional firewall: How they differ

The purpose of any business firewall is to protect the network against intruders and to safeguard systems and data.

But not all firewalls are created equal. They all share the same basic goal, but specific features, capabilities and levels of sophistication can vary enormously.

The two most basic categories for enterprise-level firewalls are traditional and next-generation. Next-generation firewalls (NGFWs) are, as you might expect, the more advanced of the two types, offering the most robust protection for business networks.


But what are the differences between traditional and NGFWs, and how do they benefit your business?

Before we get into the finer details, it’s important to clarify that next-generation firewalling is not a new concept, despite what its name suggests. It is, however, the most advanced form of firewall that is currently available – and therefore the most recent.

The features of a traditional firewall

A traditional firewall is designed to police the flow of traffic that goes in and out of a network, based on port, protocol, source address and destination address.

When we talk about ‘traditional’ firewall features, we’re essentially talking about the functions that preceded NGFWs – functions such as:

  • Packet filtering, which ensures that incoming and outgoing packets are inspected before they are allowed to pass through. Packets that match the filter’s set of rules are forwarded; packets that do not are dropped.
  • Stateless inspection or stateful inspection, which refers to the way in which packets are inspected (more about that below).
  • Virtual private network (VPN) support, to keep the private network secure when users traverse public networks such as the internet.

Stateless or stateful?

Stateless inspection means that the firewall can only check each packet individually, and is unable to discern its wider context. Many traditional firewalls only operate on a stateless (or ‘state-unaware’) level.

The more sophisticated traditional firewalls have stateful inspection capability, which means that they track the state of the connection each packet belongs to, rather than judging the packet on its own. In other words, they are ‘state-aware’ and can distinguish between the safe, the potentially unsafe and the outright malicious.

NGFWs, as we’ll cover further down, go one step further than standard stateful inspection.
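To make the stateless/stateful distinction concrete, the following added example (not code from the original article or from any vendor) replays a small constructed packet trace through two toy filters. The stateless filter judges each packet only on its addresses, protocol and ports, so to admit replies to outbound web requests it has to allow any inbound packet from port 80/443 to a high port, whether a request was ever sent or not. The stateful filter records connections opened from inside and admits inbound packets only when they match one. The IP ranges, ports and packet flags are constructed for illustration.

```python
"""Stateless vs stateful packet filtering on a constructed packet trace."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp" or "udp"
    sport: int               # source port
    dport: int               # destination port
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}

# Constructed policy: the internal network is 10.0.0.0/24 and only outbound
# web browsing (TCP to 80/443) is meant to be allowed.
INTERNAL_PREFIX = "10.0.0."
WEB_PORTS = (80, 443)

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def stateless_decision(pkt):
    """State-unaware filter: each packet is judged alone on its header tuple."""
    outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
    inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
    if outbound and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return "ALLOW"
    # The unavoidable hole: anything that *looks* like a web reply must be let in,
    # because the filter cannot know whether a matching request exists.
    if inbound and pkt.proto == "tcp" and pkt.sport in WEB_PORTS and pkt.dport >= 1024:
        return "ALLOW"
    return "DROP"

class StatefulFilter:
    """State-aware filter: keeps a connection table keyed on the outbound 4-tuple."""

    def __init__(self):
        self.table = {}  # (int_ip, int_port, ext_ip, ext_port) -> state

    def decision(self, pkt):
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
        if outbound and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = "SYN_SENT"        # new connection initiated from inside
            elif key not in self.table:
                return "DROP"                        # mid-stream packet for an unknown connection
            return "ALLOW"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
            state = self.table.get(key)
            if state is None:
                return "DROP"                        # unsolicited: no matching outbound connection
            if state == "SYN_SENT" and pkt.flags >= {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
            return "ALLOW"
        return "DROP"

def run_scenario():
    """Replays a constructed trace; returns (stateless decisions, stateful decisions)."""
    trace = [
        # outbound HTTPS request from an internal host
        Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, frozenset({"SYN"})),
        # the genuine reply to that request
        Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, frozenset({"SYN", "ACK"})),
        # unsolicited inbound packet dressed up to look like a web reply
        Packet("198.51.100.7", "10.0.0.9", "tcp", 443, 50000, frozenset({"SYN", "ACK"})),
        # right internal port, but from a peer that connection never talked to
        Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000, frozenset({"ACK"})),
    ]
    stateful = StatefulFilter()
    return [stateless_decision(p) for p in trace], [stateful.decision(p) for p in trace]

if __name__ == "__main__":
    stateless, stateful = run_scenario()
    print("stateless:", stateless)   # all four are allowed
    print("stateful: ", stateful)    # the two unsolicited packets are dropped
```

The last two packets are where the difference shows: the stateless filter admits both because their header fields match the "reply" rule, while the stateful filter drops them because no internal host opened a connection they could belong to.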

The features of a next-generation firewall

NGFWs have many of the traditional firewall’s common functions – plus several more. In plain terms, NGFWs have more layers of security built into them, to protect against more sophisticated threats. Crucially, they go beyond the static inspection that traditional firewalls are limited to, instead having application-level control.

Application awareness

Application awareness enables an organisation to view packets in their proper application context, rather than by port number alone, and to set application-specific rules.

Intrusion prevention system (IPS)

An extension of the intrusion detection system (IDS), an IPS has the capability to actively block intrusions once detected: dropping the malicious packets, logging the source IP addresses and blacklisting all future traffic from them.

Deep packet inspection (DPI)

Whereas standard packet filtering only reads the header of a packet, DPI inspects the packet’s payload as well as its headers, which means that the NGFW is able to see the full context of each packet.
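The three NGFW features above (application awareness, IPS and DPI) can be shown together in one toy inspection pipeline. The following is an added example, not code from the original article or from any firewall vendor: it identifies the application from the first bytes of the payload regardless of the port in use, checks the payload against an IPS rule, and blacklists the source address of any packet that trips a rule so that its later traffic is dropped. The application fingerprints, the single IPS rule, the port policy and the packet trace are all constructed for illustration; real rule sets are far larger.

```python
"""Toy NGFW inspection pipeline: DPI, application identification and IPS blocking."""
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port
    payload: bytes  # application data carried by the packet

# Constructed application fingerprints, matched against the payload regardless of port.
APP_SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record header: handshake, version 3.x
]

# Constructed IPS rule: a payload pattern the policy treats as an attack attempt.
IPS_RULES = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]

# Constructed policy for an internal web server: which application is allowed on which port.
APP_POLICY = {80: {"http"}, 443: {"tls"}}

def identify_app(payload):
    """Application awareness: name the protocol from the payload, not the port."""
    for name, pattern in APP_SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"

def port_only_decision(pkt):
    """What a header-only (traditional) filter would decide for the same packet."""
    return "ALLOW" if pkt.dport in APP_POLICY else "DROP"

class NGFW:
    def __init__(self):
        self.blocklist = set()   # source IPs blacklisted by the IPS
        self.log = []

    def inspect(self, pkt):
        if pkt.src in self.blocklist:
            self.log.append(f"drop {pkt.src}: source blacklisted")
            return "DROP"
        # IPS with DPI: look inside the payload for known-bad patterns
        for rule, pattern in IPS_RULES:
            if pattern.search(pkt.payload):
                self.blocklist.add(pkt.src)
                self.log.append(f"drop {pkt.src}: IPS rule {rule}, source blacklisted")
                return "DROP"
        # Application awareness: does the payload agree with what the port suggests?
        app = identify_app(pkt.payload)
        if app not in APP_POLICY.get(pkt.dport, set()):
            self.log.append(f"drop {pkt.src}: {app} not allowed on port {pkt.dport}")
            return "DROP"
        self.log.append(f"allow {pkt.src}: {app} on port {pkt.dport}")
        return "ALLOW"

def run_scenario():
    """Replays a constructed inbound trace; returns (port-only, NGFW decisions, blocklist)."""
    server = "10.0.0.80"
    trace = [
        Packet("198.51.100.5", server, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
        # constructed TLS record header (not a full ClientHello)
        Packet("198.51.100.5", server, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
        # SSH tunnelled over the HTTPS port: the port looks fine, the payload does not
        Packet("198.51.100.7", server, 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
        # request matching the IPS rule
        Packet("198.51.100.9", server, 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        # a harmless request from the same source, now blacklisted
        Packet("198.51.100.9", server, 80, b"GET / HTTP/1.1\r\n\r\n"),
    ]
    fw = NGFW()
    port_only = [port_only_decision(p) for p in trace]
    ngfw = [fw.inspect(p) for p in trace]
    return port_only, ngfw, fw.blocklist

if __name__ == "__main__":
    port_only, ngfw, blocklist = run_scenario()
    print("port-only:", port_only)     # every packet allowed: the ports are all permitted
    print("ngfw:     ", ngfw)          # SSH-on-443 and the two packets from the blacklisted host dropped
    print("blacklisted:", sorted(blocklist))
```

The header-only filter allows all five packets because ports 80 and 443 are permitted; the NGFW drops the SSH session hiding on port 443 (application awareness), drops the request that trips the IPS rule (DPI) and then drops the following innocuous request from the same source because that source has been blacklisted (IPS).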

Don't be left vulnerable by outdated security technology

Modern businesses need modern protection. The cyber threat landscape is forever expanding along with innovations in technology, which unfortunately means that cyber criminals are far from finished. If anything, their job is getting easier.

It’s also essential not to fall foul of the common misconception that cloud-enabled businesses are automatically protected by their cloud-native security tools. That is not the case: the chosen cloud environment itself may be well-protected, but every organisation has a wider infrastructure – which may have its weak spots, such as unsecured devices.

With its more sophisticated features for detecting and protecting against threats, next-generation firewalling is currently the most effective solution to enterprise cyber security in the cloud age.

Touch Secure: featuring NGFW

Touch Secure is our managed, cloud-based NGFW service, providing multiple levels of security for your network.

As a fully managed service, we take the burden of responsibility away from your in-house resource, enabling your staff to concentrate on the important day-to-day work that keeps your business running.

Find out more about Touch Secure.
