At the minimum, an NGFW should include the following:

1. Gateway Anti-Malware and Anti-Spyware Service. This type of software inspects all email file attachments, FTP downloads and real-time applications such as IM and P2P for total file-based threat control. As a result, zero-day attacks are prevented with dynamically updated databases and an extensive list of malware and virus signatures. And, because all threats are blocked at the gateway, users are completely prevented from downloading malware in the first place.
2. Intrusion Prevention. Application vulnerabilities, buffer overflows and blended threats can open up your network to exploits, making intrusion prevention a necessary technology. An NGFW can scan all network traffic for worms, Trojan horses, software vulnerabilities, backdoor exploits, and other types of malicious attacks. Utilizing a comprehensive signature database, the Intrusion Prevention Service (IPS) engine protects against an array of network-based application vulnerabilities and exploits. Deployed to protect against both internal and external threats, it can monitor the network for malicious or anomalous traffic, then block or log traffic based on predefined and automatically updated conditions. By focusing on known malicious traffic, Dell SonicWALL IPS decreases false positives while increasing network reliability and performance.
3. Application Intelligence, Control and Visualization/Deep Packet Inspection. Application intelligence is a foundational component of a Next-Generation Firewall. It is what enables the identification of individual applications within network traffic, ideally irrespective of port, protocol or evasive tactic. Coverage should be both broad and deep in terms of the variety of applications and the specific functions within them that can be distinguished, and is typically based on the presence of an extensive application-signature library and the resources to maintain it. The Application Control is a critical tool in determining who gets access to which applications and by which priority; this control and load-balancing tool is instrumental in maintaining network performance and ensuring that business-critical apps and data aren’t playing second fiddle to the latest viral YouTube video. One of the most impactful advances on the security side that NGFWs provide concerns the deep packet inspection; it is also one that should be investigated with extra care when upgrading. Our approach is through patented Reassembly-Free Deep Packet Inspection™ (RFDPI), which scans every packet, across every protocol and interface, to identify and control over 3,500 applications and individual application functions. This approach has no reliance, dependence or limitation relative to the ports and protocols being used, and can optionally be extended to SSL-encrypted traffic as well. The productivity as well as the security advantages are compelling here because RFDPI can maintain granular control over applications, prioritize or throttle bandwidth and deny website access through its constantly expanding signature database, which currently recognizes over 3,500 applications and millions of malware threats.

A key consideration when upgrading to NGFWs is performance. While the increased levels of inspection and protection are critical, so is the expectation of multigigabit-speed throughput performance; NGFWs must deliver massively scalable throughput if they are to enable the highest-performance networks. Dell SonicWALL, for example, has implemented a multicore architecture to accelerate the processing of network traffic. Businesses should not — and cannot — be willing to compromise protection and visibility for performance.

NGFW Adoption

Given the threat environment out there, Gartner and other experts predict that the enterprise will certainly be the first to adopt the NGFW, as part of their existing refresh cycles. But the fact remains that organizations large and small should not tolerate older firewalls that may be vulnerable to malware that could inflict great harm on their business. If that sounds alarmist, then take a look at these recent statistics: