What is SD-WAN NGFW (Next Generation Firewall)?
What is NGFW?
Next Generation Firewall (NGFW) is an advanced security feature integrated into SD-WAN to offer threat intelligence, application control, deep packet inspection and Zero Trust access.

Businesses continually evaluate new technologies against their organisational security policy to combat the latest threats and sophisticated attacks targeting branch offices and remote users. One of the most commonly discussed security products is the next generation firewall, known as NGFW. NGFW services and technology consolidate anti-virus, application awareness, stateful inspection combined with deep packet inspection, web application firewalling, cloud-based protection and visibility tools, all exposed through comprehensive reporting.


NGFW is available both from traditional security companies and from SD WAN and SASE vendors.

Where users located in branch offices and remote locations need to reach cloud applications, software-defined WAN with NGFW consolidates the network VPN (site-to-site and remote-access tunnels) and the security policy in one device or client.

As with most current networking and security products, NGFW management and threat intelligence are cloud-delivered, so devices retrieve the latest configuration policies and signatures wherever they are located.

What is the Gartner SD WAN SASE security model?
SASE is a concept brought to market by Gartner. It represents the convergence of networking and security, combining SD-WAN with cloud-delivered security services: CASB, Secure Web Gateway (SWG), DNS protection, Firewall-as-a-Service (FWaaS) and Zero Trust Network Access (ZTNA), all delivered from cloud service infrastructure. The SASE framework (Secure

Related Post: Learn about the Gartner SASE security framework here.

Why is network security an important topic?

Private MPLS WAN services are in decline as applications move to the public cloud and SaaS, and consequently Internet traffic from the branch grows significantly year on year. With news channels reporting state-sponsored attacks, malware and advanced multi-vector threats, it is obvious why advanced prevention capability is required on that Internet path.

The business cost is high: the average data breach cost $3.92 million in the 2019 IBM/Ponemon Cost of a Data Breach study.

What exactly is Next Generation Firewall and how does the cybersecurity technology apply to SD WAN VPN?

IT teams use NGFW as a collective term for enterprise-grade firewall services positioned to protect businesses against the threats seen today. We have categorised the main elements below to help assess 'security effectiveness' across next-generation capability.

Threat intelligence.

Defending against new vulnerabilities requires real-time threat assessment with cloud-based access to the very latest intelligence. Vendors are expected to protect against known threats and against new vulnerabilities as they emerge, and this is where NGFW improves on the legacy firewall, whose static rule base cannot keep up with the environment users operate in today. Threat detection is delivered by several distinct engines: an intrusion prevention system (IPS) matching traffic against exploit signatures, sandboxing for detonating unknown files, anti-phishing and anti-virus.

💡 Examples of threats include WannaCry and NotPetya (worms that spread over SMB using the EternalBlue exploit, which an IPS signature can block at the perimeter) and VPNFilter (malware targeting SOHO routers and NAS devices themselves).

Identity control and inspection.

Microsoft Active Directory integrates well with how NGFW identifies users and controls access to network resources: organisations that use Active Directory can group users and apply policy with access restrictions based on identity rather than source IP address. NGFW takes this a step further with zero trust access, where a user is identified and authorised using several attributes (identity, group membership, device posture, location) rather than network location alone. Alongside identity, the IPS (Intrusion Prevention System) examines traffic flows to detect and block exploits that could otherwise give an attacker network access or cause denial of service against a particular web application.

Application control.

Traditional firewalls and routers identified traffic by IP address, port and protocol using stateful packet inspection. That is no longer enough, because most applications now share ports 80 and 443, so an NGFW identifies applications at layer 7, for example from the TLS server name or HTTP host in the flow. The average WAN carries traffic for hundreds of applications, creating both threats and trends over time. When network issues occur or a threat is identified, real-time visibility of users and data means high-risk applications can be identified and removed from the WAN.

Cloud support and deployment.

Automation and orchestration of security via cloud management is critical to the success of NGFW. In addition to ease of deployment, instant updates are required to deal with real-time threats. The Network Union recommends evaluating the reporting and analysis features associated with cloud-based threat protection, because false positives (legitimate applications whose traffic resembles malicious activity) continue to create heavy administration for IT teams.

Deep packet inspection.

DPI (Deep Packet Inspection) inspects not only the IP and TCP/UDP headers but the packet payload, so that unwanted protocols, spam and malware can be stopped before they enter the network. DPI operates at the OSI application layer, classifying and filtering packets in real time. One caveat: because most traffic is now TLS-encrypted, payload inspection requires TLS interception (the firewall terminating the session with a certificate the clients trust), otherwise DPI is limited to unencrypted metadata such as the Server Name Indication (SNI) and certificate fields. The deep packet inspection feature is a major benefit for organisations that need to assign multiple policies to both users and applications.
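The following is an added example, not code from the original article or from any vendor, showing the difference between the port-based view of a legacy firewall and the application identification that DPI provides (the application-control and DPI sections above). It parses raw IPv4/TCP packets, extracts the hostname from a TLS ClientHello SNI extension or an HTTP Host header, maps it to an application and applies a policy. The hostnames, addresses, the signature table and the policy are all constructed test data; the packet builders at the bottom exist only to generate that test traffic, and they leave checksums at zero.

```python
"""Added example: DPI application identification versus port-based classification.
All hostnames, addresses, signatures and policy entries below are constructed test data."""
import struct

# Legacy, port-based view of traffic (what a stateful firewall sees).
PORT_APPS = {80: "http", 443: "https", 22: "ssh", 53: "dns"}

# Hypothetical application signatures keyed on the hostname that DPI extracts.
APP_SIGNATURES = {"crm": (".example.net",), "filesharing": ("files.example.org",)}
POLICY = {"crm": "allow", "filesharing": "block"}   # constructed policy table
DEFAULT_ACTION = "allow"


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def tls_sni(payload):
    """Extract server_name from a TLS ClientHello (record type 0x16, handshake type 1)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 9 + 2 + 32                                        # headers, client_version, random
        p += 1 + payload[p]                                   # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]     # cipher suites
        p += 1 + payload[p]                                   # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:       # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                     # truncated or malformed ClientHello: no SNI
    return None


def http_host(payload):
    """Extract the Host header from a cleartext HTTP/1.x request, or None."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode("ascii", "replace")
    return None


def app_from_hostname(host):
    host = host.lower()
    for app, patterns in APP_SIGNATURES.items():
        if any(host == pat.lstrip(".") or host.endswith(pat) for pat in patterns):
            return app
    return None


def inspect(pkt):
    """Classify one packet both ways (port and DPI) and apply the DPI-based policy."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return {"port_guess": "unknown", "host": None, "app": None, "action": "drop-unparsed"}
    src, dst, sport, dport, payload = parsed
    host = tls_sni(payload) or http_host(payload)
    app = app_from_hostname(host) if host else None
    return {"src": src, "dst": dst, "dport": dport, "port_guess": PORT_APPS.get(dport, "unknown"),
            "host": host, "app": app, "action": POLICY.get(app, DEFAULT_ACTION)}


# --- constructed test packets (checksums left at zero; the parser does not verify them) ---
def build_ipv4_tcp(src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello with one cipher suite and only an SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE_PACKETS = [
    build_ipv4_tcp("10.1.1.10", "203.0.113.5", 51000, 443, build_client_hello("crm.example.net")),
    build_ipv4_tcp("10.1.1.11", "203.0.113.9", 51001, 443, build_client_hello("files.example.org")),
    build_ipv4_tcp("10.1.1.12", "203.0.113.9", 51002, 8443, build_client_hello("files.example.org")),
    build_ipv4_tcp("10.1.1.13", "198.51.100.7", 51003, 80,
                   b"GET /upload HTTP/1.1\r\nHost: files.example.org\r\n\r\n"),
]


def run_policy(packets=SAMPLE_PACKETS):
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for r in run_policy():
        print(f"{r['src']}->{r['dst']}:{r['dport']} port={r['port_guess']} host={r['host']} "
              f"app={r['app']} action={r['action']}")
```

The third sample packet is the instructive one: the file-sharing service is reached on port 8443, so the port-based view reports "unknown" and a legacy rule keyed on 443 would never match, while the SNI identifies the application and the block policy applies. Note that SNI is readable only because it is sent in the clear in the ClientHello; where Encrypted Client Hello is in use, or the hostname is needed from inside the TLS session, the firewall must intercept TLS as described above.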

Should you investigate standalone NGFW or SD WAN with security capability?

With SD WAN vendors implementing SASE security solution features, IT teams are challenged to understand whether to use SD WAN VPN with NGFW or to select from standalone NGFW vendor solutions. Which option is best suited to your organisation is typically dictated by the complexity of your business requirements.

In many cases, organisations have already invested in security products or services. When this is the case, IT teams are understandably reluctant to pay again for an SD WAN vendor's built-in NGFW capability. The alternative is an SD WAN vendor that integrates with the existing NGFW solution via API access, giving control of security and WAN from one management interface.

Silver Peak is a good example of SD WAN and third-party security integration creating a single capability: Silver Peak provides the encrypted WAN overlay, and customers manage the Zscaler cloud security service through API access from the SD WAN interface.

Security requirements are often more complex when the enterprise is globally distributed. Vendors such as Check Point, Fortinet and others offer significant experience and resources for large global enterprise security, which the more vanilla security offerings built into SD WAN products may not match.

Conversely, simpler networks will benefit from selecting an SD WAN vendor with SASE in one device. Deployment, orchestration and ongoing management is made much easier via a consolidated approach resulting in less onus on the IT team and ultimately less expense.