Why is a legacy firewall not good enough?

In the client meetings I have attended lately, the question in the headline has come up in one form or another every time. The wording is always different, but the essence has not changed: “Why is my firewall, after all these years of service, suddenly not good enough protection?” There are many answers, and a detailed analysis would not fit here, so I will do my best to explain briefly and clearly why this investment is justified.

Conventional firewalls are simply soldiers. Good, obedient and loyal. They will never do anything until you give them an explicit order, and then they obey unconditionally. What does this mean exactly? For example, if you order one to forbid access to a resource, it will blindly obey no matter what the consequences are (even if the result is losing access to the device itself). A true product of Spartan upbringing.

The Next Generation Firewall (NG-Firewall) is everything its predecessor is, with additional capabilities: the same soldier, now equipped with a radio. The added value you pay for is, at least in part, precisely this radio link, through which the soldier receives information on all known movements of the enemy. It still won’t do anything on its own without an explicit order, but it will be far better prepared to respond to every kind of attack described to it in advance. This soldier of ours can also eavesdrop on and decipher the communication taking place on the battlefield around it, so practically no information is unintelligible to it. Given the technological level of the modern world, that sounds impressive, doesn’t it?

Let’s leave the impressions aside and talk objectively. Do you get a completely secure IT system? The answer in one word is – NO! There is no such system, at least not yet. So why invest so much in something that doesn’t give me a peaceful sleep? As paradoxical as it may sound, the answer is savings: time, labor, administration, and keeping everything up to date. The NG firewall license for threat data gives the user access to a vendor database kept up to date by teams of hundreds of people. So, for the price of the license you get:

  • A team that tracks security trends globally
  • A team that monitors and tests a large portion of client applications and potential “holes” in them
  • A team that monitors the “health” of websites
  • A team that recognizes viruses
  • A team that recognizes patterns of unwanted behavior
  • A team that analyzes mail traffic
  • A team that can decrypt encrypted communications
  • A team that monitors all points used to evade security mechanisms
  • And much more …

If you had to hire all these people yourself to keep a legacy firewall populated with this information, the cost would be many times higher. And the question remains whether all of it could be done within one business day, let alone around the clock.

Now that we know what we are getting and what is possible in general, let us go a little deeper and look at the current situation:

Appliance scaling

The first big and welcome change is that hardware prices have gone down in the last 2 years. Vendors made a good move by changing their offer, and now all leading vendors have devices designed for every segment (yes, even for micro locations of 5 employees) at very affordable prices. This doesn’t mean that quality has dropped; the technological progress of hardware manufacturers has simply made such a fall in prices possible. Components get cheaper day by day. Specialized chip manufacturers (ASIC / SoC) are growing, and so is the competition. All of this is in the end user’s favor.

At one time, implementing a UTM (the precursor of today’s NGFWs) into an infrastructure was a serious headache for everyone. Most often, more than half of the features ended up disabled. Performance was much lower, and all the inspections that were carried out introduced a lot of delay into data transmission. Now the picture is completely different. The appliances are equipped with powerful processors, dedicated chips (cryptography, SD-WAN, DPI, etc.) and many times more memory (both working and internal). Manufacturers have significantly improved and optimized the appliances’ operating systems, which has also contributed to performance and to the administrator’s user experience.

Creation of an eco-system

Most vendors have realized that the user does not want to administer their system from 50 different sites / consoles / portals. The user wants one point of management over the entire infrastructure. This was the basis of the initiative to put the corporate security components (NGFW, AV, mail protection, DLP, etc.) under one roof to protect employees as effectively as possible. Thanks to this initiative, all these components exchange information about the status of the resources they protect and work together to respond as quickly as possible to any incident, thereby reducing the risk of greater harm. One console for all of this. Pretty impressive, isn’t it?

Besides talking to each other within the corporate IT system, these components have another good feature: they exchange information about identified threats through publicly available threat-exchange centers. Vendors have finally realized that the advantage lies not in who knows what, but in how what they know is used to protect the user.

These two types of communication are the best illustration of the security eco-system, which is, after all, necessary given the increasing number of attacks every day.

Customer need and IPS

Legislation, the number of attacks, encrypted traffic and intelligent viruses (polymorphic ones, for example) are real pressures on the security of every system, and they push each of us into panic mode. This was not the case until a few years ago, which is why a regular firewall served its purpose then. Now the situation is completely different. Hacking is no longer aimed primarily at institutions that can yield financial gain. Attacks are now massive and indiscriminate; targeted attacks are rare (at least in our territory). Deep-web sites where various hacking services are sold also offer DDoS attacks of different volumes, so perhaps while you are reading this your computer is sending requests to a site without your knowledge, because it is part of a bot network? Or someone is using your computer to try to hack the Pentagon? An ordinary firewall does not recognize such cases, because a zone-based firewall usually treats the local network as “trusted”. Even if you feel no conscious need for this step, it is enough that you read this text as an informational resource and realize that there are various dangers in the wild of the Internet. That knowledge creates the need to secure yourself further. Don’t wait for an incident to happen; it is the worst-case scenario that can hit you. Yes, after all, the bottom line is: I need an IPS.
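As an added illustration of the “trusted” local zone point (example code, not part of the original post): a stateless zone rule allows every outbound flow below, while two simple behavioural checks over the same flows pick out the host taking part in a flood and the host beaconing to a controller, the kind of pattern recognition an IPS contributes. Addresses, log format and thresholds are constructed for this example.

```python
from collections import defaultdict
from statistics import mean

def constructed_flows():
    """Constructed sample of accepted outbound flows: (time_s, src_ip, dst_ip, dst_port)."""
    flows = [(0, "10.0.0.5", "93.184.216.34", 443), (40, "10.0.0.5", "93.184.216.34", 443),
             (120, "10.0.0.7", "198.51.100.9", 80)]
    # 10.0.0.9 takes part in a flood: 60 requests to one web server in about 30 s.
    flows += [(0.5 * i + 0.2 * (i % 3), "10.0.0.9", "198.51.100.20", 80) for i in range(60)]
    # 10.0.0.11 beacons to a controller every 300 s with about 1 s of jitter.
    flows += [(300 * i + (i % 2), "10.0.0.11", "203.0.113.50", 443) for i in range(6)]
    return sorted(flows)

def legacy_policy(flow):
    """Stateless zone rule: any flow from the LAN zone to the Internet is allowed."""
    return "allow" if flow[1].startswith("10.0.0.") else "deny"

def _times_by_pair(flows):
    """Group flow timestamps by (src_ip, dst_ip)."""
    pairs = defaultdict(list)
    for t, src, dst, _port in flows:
        pairs[(src, dst)].append(t)
    return pairs

def flood_sources(flows, window_s=60, threshold=50):
    """(src, dst) pairs with at least `threshold` flows inside any `window_s` window."""
    hits = set()
    for pair, times in _times_by_pair(flows).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(pair)
                break
    return hits

def beaconing_sources(flows, min_hits=5, min_interval_s=60, max_jitter_s=5):
    """(src, dst) pairs contacted repeatedly at slow, near-constant intervals."""
    hits = set()
    for pair, times in _times_by_pair(flows).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) >= min_interval_s and max(gaps) - min(gaps) <= max_jitter_s:
            hits.add(pair)
    return hits
```

Every flow passes `legacy_policy`, yet the flood and the beacon stand out as soon as flows are judged as a pattern rather than one at a time.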

Encrypted traffic

… is a story in itself. From the idea of protecting the client-server connection against attacks and “tapping”, we have arrived at a point where this alone gives us no security, because hackers have joined the trend. Malware is distributed from infected servers inside encrypted connections, and a device that cannot look inside such a connection has no chance of stopping the attack. Someone will say: well, I have an anti-virus on my computer. When a virus enters your network, it is highly likely to find a place to stay, go dormant, and start the attack when ordered. Or perhaps give access to your network. Or perhaps download some illegal content from your addresses. Or perhaps it is already doing so?

Web control

With this service you can precisely restrict access to content on the Internet using predefined categories. You can prevent employees from accessing unwanted sites, applications, protocols … You also reduce the risk of information leaking out of the corporation, and the risk of problems caused by “accidentally clicking” on an advertisement / link / etc. … Put simply, only the resources you consider appropriate can be accessed from your network.

Secure access to resources via VPN

All NGFW devices have integrated remote-access support for the network they protect. Besides being very reliable and easy to use, it also provides detailed logon and access-rights records. So if someone must work from a remote location anyway, you will have precise insight into when, from where and what is being accessed.

What is an NGFW not?

It is not almighty. It will not eliminate all your potential risks, but it will give you a good picture of what is going on in your network and of the behavior and habits of your employees. It will block access to spam. It will perform anti-virus inspection of traffic (both plain and encrypted).

It is not primarily intended to protect publicly available services. Some solutions do provide basic reverse-proxy features, but an NGFW is primarily something that makes your internal network more secure. It will protect that network at the Internet border as far as its capabilities allow; if you are interested in this topic in more detail, let us know.