NGFW - Not Grandpa's Firewall

by Daniel Ayoub  (daniel@ayoub.it)

When you think 25 years are enough to understand a technology, think again.

Firewalls have been around for nearly a quarter century.  Still, some folks don't fully understand the technology, much less how it has changed and where it stands today.

As you would expect, the term "firewall" is borrowed from the safety barrier built into structures to stop a blaze from spreading through the building.  In the late 1980s, researchers developed a packet filtering system that could inspect traffic as it crossed the network: "good" traffic was allowed in and "bad" traffic was dropped by the filter.

Good traffic was defined by rules the system administrator set up, such as protocol, port, and MAC/IP addresses.  A packet that matched none of the predetermined filtering rules was deemed "bad" and blocked.  These first-generation firewalls looked only at packet headers (Layer 2 MAC addresses, Layer 3 IP addresses and protocol numbers, and Layer 4 port numbers of the OSI model) and judged every packet on its own, with no memory of the packets that came before it.

The term "firewall" was adopted to describe the technology since the new packet filtering system provided a type of virtual barrier for traffic entering the network.

The second-generation firewalls of the early 1990s kept the packet filtering of their predecessors but added the concept of Stateful Packet Inspection (SPI).

With this feature, the firewall builds a table in memory to track connection streams.  As a new stream (session) is started from the Local Area Network (LAN) outbound to the Wide Area Network (WAN), the firewall creates an entry for it in its "state table."

When traffic comes back in from the WAN to the LAN, the firewall looks in that table for the matching outgoing session.  If it finds one, the traffic is permitted and passed along to its destination; if not, the traffic is dropped and never enters the LAN.  Because the table only tracks addresses, ports, and timers, connectionless protocols like UDP get pseudo-sessions that simply expire after a timeout, and every entry costs memory, which is why a flood of new connections can exhaust the table on an undersized box.  Second-generation firewalls still operated only on the headers at Layers 2, 3, and 4 of the OSI model.
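The difference between the two generations is easiest to see in code.  The following is an added example, not from the article or any vendor: a first-generation stateless packet filter beside a second-generation stateful one, fed constructed packets rather than live traffic.  The rule tuple format, the `Packet` class, the addresses, and the 60-second timeout are this example's own assumptions.

```python
"""Added example (not from the article): a first-generation stateless packet
filter next to a second-generation stateful one, driven by constructed packets
rather than live traffic.  Rule and packet formats are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN


# (direction, proto or None for any, dst_port or None for any, action)
Rule = Tuple[str, Optional[str], Optional[int], str]


def stateless_filter(pkt: Packet, rules: List[Rule]) -> str:
    """First generation: judge each packet on its own headers, first match
    wins, default deny.  It cannot tell the reply to a request we sent from an
    unsolicited packet, so letting replies in means opening a hole."""
    for direction, proto, port, action in rules:
        if (direction == pkt.direction
                and proto in (None, pkt.proto)
                and port in (None, pkt.dst_port)):
            return action
    return "drop"


class StatefulFirewall:
    """Second generation: an outbound packet the rules permit creates a state
    table entry keyed on its 5-tuple; an inbound packet is permitted only if
    it is the reverse of an existing entry.  Entries expire after `timeout`
    seconds so dead sessions (and UDP pseudo-sessions) do not pile up."""

    def __init__(self, rules: List[Rule], timeout: float = 60.0) -> None:
        self.rules = rules
        self.timeout = timeout
        self.state: Dict[tuple, float] = {}   # 5-tuple -> last time seen

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple:
        # The outbound entry as it would look to the reply coming back in.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _expire(self, now: float) -> None:
        for key, last_seen in list(self.state.items()):
            if now - last_seen > self.timeout:
                del self.state[key]

    def process(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if pkt.direction == "out":
            action = stateless_filter(pkt, self.rules)
            if action == "allow":
                self.state[self._key(pkt)] = now
            return action
        key = self._reverse_key(pkt)
        if key in self.state:
            self.state[key] = now       # refresh the session timer
            return "allow"
        return "drop"                   # no matching outbound session


# Outbound policy: web and DNS only.  No inbound rules are needed at all,
# because replies are admitted by the state table.
OUTBOUND_RULES: List[Rule] = [("out", "tcp", 80, "allow"), ("out", "udp", 53, "allow")]

# What a stateless box has to add to let web replies back in: any inbound TCP.
STATELESS_RULES: List[Rule] = OUTBOUND_RULES + [("in", "tcp", None, "allow")]


def demo() -> Dict[str, str]:
    """Run a web request, its reply, an unsolicited probe and a late reply
    through both filters.  Addresses are constructed for the example."""
    request = Packet("10.0.0.5", 40001, "93.184.216.34", 80, "tcp", "out")
    reply = Packet("93.184.216.34", 80, "10.0.0.5", 40001, "tcp", "in")
    probe = Packet("198.51.100.9", 4444, "10.0.0.5", 22, "tcp", "in")
    fw = StatefulFirewall(OUTBOUND_RULES, timeout=60)
    return {
        "stateful_request": fw.process(request, now=0),
        "stateful_reply": fw.process(reply, now=1),
        "stateful_probe": fw.process(probe, now=2),          # no session: dropped
        "stateful_late_reply": fw.process(reply, now=200),   # entry expired
        "stateless_reply": stateless_filter(reply, STATELESS_RULES),
        "stateless_probe": stateless_filter(probe, STATELESS_RULES),  # the hole
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The stateless box lets the probe to port 22 through because the same rule that admits web replies admits everything else inbound over TCP; the stateful box drops it, and also drops the reply that arrives after its session timer has run out.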

Today, packet filtering and stateful packet inspection have been commoditized to the point that they ship in cheap off-the-shelf consumer-grade router/switch combination devices.  Both are still present in every firewall, but as processing power grew, so did the capabilities layered on top of them.

Today's third-generation firewalls are more a smorgasbord of technologies rolled into one than earlier generations were.  Their features rely heavily on Deep Packet Inspection (DPI).  With DPI, the firewall inspects the contents (payload) of each packet it passes, not just the headers.  This gives the firewall an entirely new level of intelligence and opens the door to a whole slew of possibilities.

Thanks to deep packet inspection, features like intrusion prevention, malware detection, gateway anti-virus, traffic analytics, and application control become possible.  Modern firewalls also bundle IPsec VPN, SSL VPN, and SSL decryption in the same box; the last one matters because DPI can only match what it can read, so encrypted traffic has to be decrypted by the firewall before any of those features can see inside it.

Today's Next-Generation Firewalls (NGFW) inspect packet payloads and match them, on the fly, against signatures for known vulnerability exploits, viruses, and other malware.  Deep packet inspection also lets administrators create very granular permit/deny rules for specific applications and websites, identified by what the traffic actually contains rather than by port number (example: Yahoo! Instant Messenger chat is allowed, but file transfers through YIM are not).

Since packet contents are inspected, all sorts of statistical information can be exported as well.  Admins and management can mine the traffic analytics to perform capacity planning, troubleshoot problems, or monitor which sites individual employees view throughout the day.
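Signature matching, application control by payload, and the analytics that fall out of it all come from the same inspection pass.  The following is an added example written for this page, not code from the article or any NGFW product: a toy DPI engine run over constructed packets.  The EICAR test string is the real, harmless industry-standard anti-virus test pattern; the path-traversal signature, the IRC-based stand-in for the article's YIM chat-versus-file-transfer policy, the `classify` heuristics, and all addresses and payloads are this example's own assumptions.

```python
"""Added example (not from the article): a toy DPI engine that matches payload
signatures, identifies the application from the payload rather than the port,
enforces an application-control policy, and keeps traffic analytics.  Packets
are constructed in memory; signatures and policy are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Tuple

# EICAR test string: the harmless, industry-standard pattern AV engines flag.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# (name, compiled pattern) pairs matched against every packet's payload.  The
# traversal rule is a generic illustration, not a signature for any real product.
SIGNATURES = [
    ("eicar-test-file", re.compile(re.escape(EICAR))),
    ("path-traversal", re.compile(rb"(?:\.\./){2,}")),
]

# Application control: chat is allowed, IRC DCC file transfers are not,
# mirroring the article's YIM example.  Anything unrecognised is dropped.
APP_POLICY: Dict[str, str] = {
    "http": "allow",
    "irc-chat": "allow",
    "irc-dcc-send": "drop",
    "unknown": "drop",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def classify(payload: bytes) -> str:
    """Identify the application from what the bytes look like, not from the
    destination port, so running chat over port 80 does not fool the policy."""
    if re.match(rb"(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if payload.startswith(b"PRIVMSG "):
        # IRC DCC SEND offers ride inside a CTCP-delimited (0x01) PRIVMSG.
        return "irc-dcc-send" if b"\x01DCC SEND " in payload else "irc-chat"
    return "unknown"


class DpiFirewall:
    def __init__(self) -> None:
        self.stats: Counter = Counter()   # analytics: signature hits, bytes per app

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason).  Signature hits win over application policy."""
        for name, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                self.stats[("signature", name)] += 1
                return "drop", f"signature:{name}"
        app = classify(pkt.payload)
        self.stats[("app-bytes", app)] += len(pkt.payload)
        return APP_POLICY[app], f"app:{app}"


def demo() -> Tuple[Dict[str, Tuple[str, str]], Counter]:
    """Push constructed packets through the engine; returns (verdicts, stats)."""
    fw = DpiFirewall()
    web = ("10.0.0.5", "93.184.216.34", 80)
    irc = ("10.0.0.5", "198.51.100.7", 6667)
    packets = {
        "web-get": Packet(*web, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "web-traversal": Packet(*web, b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "web-upload-eicar": Packet(*web, b"POST /upload HTTP/1.1\r\nContent-Length: 68\r\n\r\n" + EICAR),
        "irc-chat": Packet(*irc, b"PRIVMSG #lounge :anyone around?\r\n"),
        "irc-chat-on-80": Packet("10.0.0.5", "198.51.100.7", 80, b"PRIVMSG #lounge :port does not matter\r\n"),
        "irc-dcc-send": Packet(*irc, b"PRIVMSG bob :\x01DCC SEND payroll.zip 167772165 5000 1024\x01\r\n"),
        # Start of a TLS record: without SSL decryption DPI sees only opaque bytes.
        "tls-opaque": Packet("10.0.0.5", "203.0.113.2", 443, b"\x16\x03\x01\x00\xa5"),
    }
    verdicts = {label: fw.inspect(pkt) for label, pkt in packets.items()}
    return verdicts, fw.stats


if __name__ == "__main__":
    verdicts, stats = demo()
    for label, (verdict, reason) in verdicts.items():
        print(f"{label:18s} {verdict:5s} {reason}")
    for key, value in sorted(stats.items()):
        print(key, value)
```

Two points the run makes: the IRC chat on port 80 is still classified and allowed as chat, and the DCC transfer on the normal IRC port is still blocked, because the decision is taken on payload rather than port; and the TLS record lands in "unknown" and is dropped by the default-deny policy, which is exactly the blind spot SSL decryption in the same box is meant to close.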

Where things go next is anyone's guess, but one thing's for sure: these are definitely not grandpa's firewalls.
