
Dec 23 2024
Security

An Agency’s Guide to Selecting a Next-Generation Firewall

From technical capabilities to future proofing your NGFW, we have you covered.

Budgetary and mission constraints shape the decisions agencies must make about next-generation firewalls. Nevertheless, NGFWs are a necessity for network security in the current cyberthreat environment.

The NGFW landscape offers a range of technical capabilities, and this guide is intended to help agencies make sense of it.

Why Modern Networks Demand Next-Generation Firewalls

An NGFW analyzes network traffic and blocks potential incursions. Unlike conventional firewalls, NGFWs offer more advanced features and more robust protections. This is vital in an increasingly complex networking environment.

Agencies today have not only on-premises infrastructure but also extensive cloud connections and an ever-expanding footprint of disparate endpoints. Within that complex network, “you’ve got edge ingress, egress, all of these use cases, even down to a workload level with microsegmentation,” says Rick Miles, vice president of product management, cloud and network security at Cisco. Conventional firewalling typically requires multiple solutions to address those risks.


“You end up in a spot where you have so many different firewalling technologies, and they aren’t communicating. You get gaps in the visibility,” Miles says. “It’s difficult to stay ahead of a lot of these threats.”

Next-gen solutions help to close those gaps.

Key Features of a Next-Generation Firewall

NGFWs provide a variety of significant defenses, including advanced threat protection, application and user awareness, and SSL/TLS traffic inspection.

ATP helps guard against attacks that target infrastructure weaknesses, “whatever the latest types of vulnerabilities may be,” says Glen Deskin, head of engineering for vertical solutions at Check Point Software Technologies. “With SQL injection, or some of these real-time attacks against application infrastructure that attackers have been taking advantage of, it’s shielding against those weaknesses.”


Application and user awareness is layered into policy, adding context to user behaviors. “If I’m in sales and I go to access the finance application, that introduces some risk,” Deskin says. The awareness capability “is a mechanism for achieving things like least privilege. It’s also helpful in terms of incident response and investigation.”

SSL and TLS are the core mechanisms for encrypting web and other network traffic. Encryption keeps data safe, but it limits defenders’ visibility. “To understand whether it’s legitimate or malicious, you have to decrypt it,” Deskin says. “A next-generation firewall will decrypt, analyze and then re-encrypt that traffic and allow it to continue on its way. It’s a mechanism for getting visibility into traffic that the organization otherwise would not be able to inspect.”
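To make the application- and user-awareness point concrete, here is an added example (not vendor code or code from the article) of a minimal identity- and application-aware policy evaluator with first-match rules, an implicit default deny for least privilege, and an audit trail for incident response. The user directory, application identifiers and rules are constructed sample data standing in for what an NGFW would pull from an identity provider and its application-identification engine.

```python
"""Minimal user- and application-aware policy evaluation, NGFW style.
All names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed identity directory: user -> groups. In a real deployment the
# firewall learns this from AD/LDAP or an identity provider.
USER_GROUPS = {
    "alice": {"sales"},
    "bob": {"finance"},
    "carol": {"finance", "sales"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset        # user groups the rule applies to
    applications: frozenset  # identified applications, not just ports
    action: str              # "allow" or "deny"

@dataclass
class Decision:
    action: str
    rule: Optional[str]      # matching rule name, None when default deny fired
    detail: str

# Ordered rule base: first match wins; anything unmatched is denied.
POLICY = [
    Rule("finance-to-erp", frozenset({"finance"}), frozenset({"erp-finance"}), "allow"),
    Rule("sales-to-crm", frozenset({"sales"}), frozenset({"crm"}), "allow"),
    Rule("all-web", frozenset({"sales", "finance"}), frozenset({"web-browsing"}), "allow"),
]

AUDIT_LOG: list[dict] = []  # every decision is recorded for investigation

def evaluate(user: str, application: str) -> Decision:
    """Return the policy decision for a user attempting to use an application."""
    groups = USER_GROUPS.get(user, set())
    for rule in POLICY:
        if groups & rule.groups and application in rule.applications:
            who = ", ".join(sorted(groups))
            decision = Decision(rule.action, rule.name, f"{user} ({who}) -> {application}")
            break
    else:  # no rule matched: least privilege means deny by default
        decision = Decision("deny", None, f"no rule permits {user} -> {application}")
    AUDIT_LOG.append({"user": user, "app": application,
                      "action": decision.action, "rule": decision.rule})
    return decision
```

The sales user from the article's scenario reaching for the finance application falls through every rule and is denied, while the same request from a finance user is allowed, and both outcomes land in the audit log.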

Cybersecurity Threats Addressed by NGFWs

Criminals and nation-state actors have clear ambitions when it comes to agency networks.

“As a malicious actor, if I want to do something bad, then I need to get something onto your machine,” Deskin says. “Or, I need to steal your credentials so I can load something onto your machine and spy on your computer.”


A modern firewall solution can defend against the most common and perilous adversarial strategies: ransomware, phishing and exploiting cloud vulnerabilities.

“Ransomware is a form of malware, and the malware service in a next-generation firewall will protect against that,” says Rich Campagna, senior vice president of products at Palo Alto Networks. When a user clicks a suspicious link in a phishing email, the NGFW “will prohibit the user’s browser from going to that malicious site.”

Features such as ATP “will guard against vulnerabilities, including cloud vulnerabilities,” Campagna says. “It protects against threats — not only in the data center but also in the cloud — for remote users, Internet of Things and operational technology assets. It’s a comprehensive set of capabilities that guards against any threat that’s coming into the enterprise.”

Practical Factors in NGFW Selection

There are several ways to deploy NGFWs. Solutions can be hardware-based physical appliances or software-based virtual appliances, and they can be deployed in the cloud or in a hybrid physical-virtual combination.


From a practical standpoint, agencies need to consider integration with existing systems and ease of management. “Security efficacy is absolutely the top priority,” Campagna says. “That’s first and foremost.”

Ideally, that robust security will be delivered via an NGFW platform, a single solution that consolidates an agency’s fragmented firewalling tools. This approach “helps them gain some of the operational efficiencies that they otherwise lose when they’re working with disparate point products that don’t talk to each other,” Campagna says. That ease of use takes some of the pressure off IT teams that are already stretched thin.

Cost and Future Proofing Your Investment

Because of the federal budgeting process, agencies will likely not be able to revisit an NGFW with any frequency. Budget cycles are prolonged, and money is tight. That means agencies need to budget for an NGFW in a way that ensures longevity, by buying a future-proof solution.

Scalability is a factor worth considering, as network traffic will increase over time. Ideally, an NGFW solution will have the built-in ability to expand to meet future demand. With a scalable solution, “I can buy what I need today, and then as my needs grow, I can just add to it,” Deskin says.


A platform approach can also ensure that today’s NGFW can respond to the future threat of emerging exploits based on artificial intelligence or quantum computing, Campagna says.

The platform provider can add enhanced features and capabilities to the existing solution over time, which “allows for increasing innovation and the introduction of new services,” Campagna says. “Agencies need to be looking for platforms that have been designed to add additional services, including FedRAMP-certified cloud capabilities.”

This helps agencies keep their defenses current during uncertain budget cycles. When enhancements are built into an existing platform that is already certified, “from a federal budgeting perspective, it becomes much easier to expand,” Miles says. “Rather than trying to bring some net-new thing in as a separate line item, it’s essentially a service that’s built into that platform.”
