Journey from Legacy to Next Generation Firewalls - NGFW

Written by LUMINIS. Posted in IT & Networking Blog

Corporate networks are encountering the highest levels of change in recent history. Users require anywhere, anytime access to the network from a variety of company-owned and personal mobile devices. In addition, software applications have become highly dynamic and multi-faceted, blurring the line between business applications and personal ones and increasing the company's exposure to Internet-based threats.

As a result, most organizations find it difficult to strike a balance between the productivity gains these tools and apps deliver and the security risks they pose.

Security Balance

This calls for a new approach to IT security, one that unifies and streamlines the network's security operations without abandoning time-tested controls such as Secure Sockets Layer (SSL, today TLS) encryption, anti-virus, intrusion prevention systems (IPS), virtual private networks (VPN), and firewalls.

Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured, controlled internal networks that can be trusted and untrusted outside networks such as the Internet.

Development Phases of Firewall

A firewall is a system, device, or group of systems that controls access between two or more networks. It filters incoming and outgoing traffic against predefined security rules. It can be hardware, software, or both, and can be placed between networks or on a specific host. Firewall technology emerged in the late 1980s, when the Internet was a fairly new technology in terms of global use and connectivity. Its predecessors were the packet-filtering routers of the late 1980s.

As the Internet and its uses evolved, so did the opportunities for cybercrime. This forced IT security vendors to continuously change and evolve their overall approach to security.

Evolution in Firewall

Modern firewalls have retained all of the key threat detection and prevention functions of their predecessors. Let us discuss them in brief.

Packet Filtering

A firewall can use packet filtering to limit the information that enters a network and the information moving from one network segment to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny a packet based on fields in its headers, such as source and destination address, protocol, and source and destination port. Each packet is judged on its own; the filter keeps no memory of earlier packets.

Packet Filtering Firewall

Stateful Inspection Firewall

A stateful inspection firewall allows or blocks traffic based on state, port, and protocol. It monitors all activity from the opening of a connection until it is closed. Filtering decisions are based on both administrator-defined rules and context, that is, information from previous packets belonging to the same connection. Traffic allowed into the network is therefore limited not only by the destination and source addresses but also by the contents of the state table: a reply is admitted only if it matches a connection the firewall has already seen being opened from the inside.
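The practical difference between the packet filtering and stateful inspection sections above is easiest to see on return traffic. The following is an added example, not code from the original article: a toy stateless ACL and a toy stateful firewall written in Python, both fed the same constructed packets. The inside network, the ACL rules and the addresses are assumptions made for the illustration. The stateless ACL has to admit any inbound packet from port 80 with the ACK flag set ("established"), because it cannot know which packets are replies; the stateful firewall admits only packets that reverse a connection it saw opened from the inside.

```python
import ipaddress
from collections import namedtuple

# A packet reduced to the header fields a filter looks at (constructed for this example).
Packet = namedtuple("Packet", "proto src sport dst dport ack")

INSIDE = "10.0.0.0/8"  # assumed inside network


def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


# Stateless ACL rows: (action, proto, src_net, sport_test, dst_net, dport_test, need_ack).
# Without state, return traffic from web servers can only be expressed as
# "anything from port 80 to a high port with ACK set", which an attacker can forge.
INBOUND_ACL = [
    ("permit", "tcp", "any", lambda p: p == 80, INSIDE, lambda p: p > 1023, True),
    ("deny", "any", "any", lambda p: True, "any", lambda p: True, False),
]


def stateless_filter(acl, pkt):
    """First-match ACL evaluation; every packet is judged on its own."""
    for action, proto, src, sp, dst, dp, need_ack in acl:
        if proto not in ("any", pkt.proto):
            continue
        if not (in_net(pkt.src, src) and in_net(pkt.dst, dst) and sp(pkt.sport) and dp(pkt.dport)):
            continue
        if need_ack and not pkt.ack:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


class StatefulFirewall:
    """Tracks connections opened from the inside; inbound packets must match one."""

    def __init__(self, allowed_outbound_ports=(80, 443)):
        self.allowed = set(allowed_outbound_ports)
        self.table = set()  # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        if pkt.proto == "tcp" and pkt.dport in self.allowed and in_net(pkt.src, INSIDE):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        return "deny"

    def inbound(self, pkt):
        # Reverse the tuple: a reply must come from the peer the inside host talked to.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.table else "deny"


def compare():
    """Run one legitimate session and one forged 'reply' through both filters."""
    sfw = StatefulFirewall()
    client_syn = Packet("tcp", "10.1.2.3", 51000, "203.0.113.10", 80, ack=False)
    server_reply = Packet("tcp", "203.0.113.10", 80, "10.1.2.3", 51000, ack=True)
    # The attacker never saw a SYN from 10.1.2.3:5000 but sets ACK and source port 80.
    spoofed = Packet("tcp", "198.51.100.7", 80, "10.1.2.3", 5000, ack=True)

    sfw.outbound(client_syn)
    return {
        "legit_stateless": stateless_filter(INBOUND_ACL, server_reply),
        "legit_stateful": sfw.inbound(server_reply),
        "spoofed_stateless": stateless_filter(INBOUND_ACL, spoofed),
        "spoofed_stateful": sfw.inbound(spoofed),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:18} {verdict}")
```

Both filters pass the genuine reply; only the stateful one drops the forged packet, because no matching entry exists in its table. This is the reason the "established" keyword on stateless ACLs was never a substitute for connection tracking.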

Stateful Packet Filtering Firewall

Application-Aware Inspection

The security appliance inspects packets above the network layer, that is, it looks at the application protocol itself. It securely opens and closes negotiated ports for legitimate client-server connections through the firewall. Protocols such as FTP, H.323, and SQL*Net negotiate secondary connections on dynamically assigned source or destination ports; the firewall learns those ports by parsing the control channel and opens a pinhole only for the negotiated endpoints, for the lifetime of the session.
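FTP is the classic case of the dynamic port negotiation described above. The following added example (not code from the original article) shows in Python what an application-aware inspector does with the FTP control channel: it parses the `PORT` command and the `227` passive-mode reply, opens a pinhole for exactly the negotiated data connection, and refuses an endpoint that does not belong to the peer that announced it, which is how the FTP bounce abuse is closed. The addresses, the `FtpInspector` class and the one-shot pinhole semantics are assumptions for the illustration.

```python
import re

# Endpoint encoded as "h1,h2,h3,h4,p1,p2" in FTP PORT commands and 227 replies (RFC 959).
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(text):
    """Return (ip, port) from an FTP PORT argument or PASV reply, or None."""
    m = _ENDPOINT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpInspector:
    """Watches the FTP control channel (port 21) and opens pinholes for data connections.

    Pinholes are (src_ip, dst_ip, dst_port) triples the firewall admits even though no
    static rule permits them; here each is removed once the connection it was opened for
    arrives (assumed policy for this example)."""

    def __init__(self):
        self.pinholes = set()
        self.log = []

    def control_line(self, client_ip, server_ip, direction, line):
        """Inspect one control-channel line. direction is 'c2s' for client commands,
        's2c' for server replies. Returns 'allow' or 'drop' for the control packet."""
        if direction == "c2s" and line.upper().startswith("PORT "):
            ep = parse_ftp_endpoint(line)
            if ep is None:
                return self._drop("malformed PORT")
            ip, port = ep
            # Active mode: the server connects back (from port 20) to the client. Accept only
            # an address matching the control connection's client and a non-privileged port;
            # anything else would turn the server into a relay (FTP bounce).
            if ip != client_ip or port < 1024:
                return self._drop(f"PORT to {ip}:{port} does not match client {client_ip}")
            self.pinholes.add((server_ip, client_ip, port))
            return "allow"
        if direction == "s2c" and line.startswith("227 "):
            ep = parse_ftp_endpoint(line)
            if ep is None:
                return self._drop("malformed 227 reply")
            ip, port = ep
            # Passive mode: the client connects to the server on the advertised port.
            if ip != server_ip or port < 1024:
                return self._drop(f"PASV to {ip}:{port} does not match server {server_ip}")
            self.pinholes.add((client_ip, server_ip, port))
            return "allow"
        return "allow"  # other control traffic passes unchanged

    def data_connection(self, src_ip, dst_ip, dst_port):
        """Decide on a new TCP connection that no static rule covers."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)  # one negotiated port, one connection
            return "allow"
        return "drop"

    def _drop(self, why):
        self.log.append(why)
        return "drop"


def demo():
    """Constructed exchange: one active-mode transfer, one passive, one bounce attempt."""
    fw = FtpInspector()
    client, server = "10.1.2.3", "203.0.113.10"
    results = {}
    # Active mode: client asks the server to connect to 10.1.2.3:51234 (200*256+34).
    results["port_ok"] = fw.control_line(client, server, "c2s", "PORT 10,1,2,3,200,34\r\n")
    results["data_active"] = fw.data_connection(server, client, 51234)
    # Passive mode: server offers 203.0.113.10:40000 (156*256+64).
    results["pasv_ok"] = fw.control_line(client, server, "s2c",
                                         "227 Entering Passive Mode (203,0,113,10,156,64).\r\n")
    results["data_passive"] = fw.data_connection(client, server, 40000)
    # Bounce attempt: the client names a third party (port 25) as the data endpoint.
    results["bounce"] = fw.control_line(client, server, "c2s", "PORT 192,168,5,5,0,25\r\n")
    results["data_bounce"] = fw.data_connection(server, "192.168.5.5", 25)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

A plain stateful firewall would have to leave every high port open toward the client (active mode) or toward the server (passive mode) to make FTP work; the inspector opens one port, for one connection, and only to the address it was negotiated with.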

Application Inspection Firewall

Proxy Firewall

An early type of firewall device, a proxy firewall serves as the gateway from one network to another for a specific application. Because the proxy terminates the client's connection and opens its own connection to the server, no direct connection crosses the network boundary; proxies can also provide content caching. However, this can impact throughput and limits the applications they can support to those the proxy understands.

Proxy Firewall

Unified Threat Management (UTM) Firewall

A UTM device typically combines, in a loosely coupled way, the functions of a stateful inspection firewall with intrusion prevention and antivirus. It may also include additional services and often cloud management. UTMs focus on simplicity and ease of use.


Before the development of next-generation firewalls, the signature-based detection that legacy security products relied on (anti-virus and IPS in particular) essentially operated in the following four steps:

  1. Collecting a large sample of potential malware at frequent intervals
  2. Prioritizing and processing these samples using algorithms and analyst feedback
  3. Creating anti-malware signatures for effective detection
  4. Distributing these signatures to the end-points

This model is reactive by design: a new threat can be blocked only after a sample has been collected and analyzed and its signature pushed out.

Legacy security production model


Next-Generation Firewall (NGFW)

Modern firewalls have evolved beyond simple packet filtering and stateful inspection. Many companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

The biggest difference between a traditional firewall and an NGFW is that the newer devices are application aware. Traditional firewalls rely on well-known ports to infer which application is running and which attacks to monitor for. An NGFW does not assume that a specific application is running on a specific port. It must itself inspect the traffic from layer 2 through layer 7 and determine what type of traffic is actually being sent and received.

The most common example is the use of TCP port 80. Traditionally this port carried only HTTP traffic, but that is no longer the case: a large number of different applications use it to move traffic between an end device and a central server. Common ports can be misused in several ways, one of the most common being tunneling, where traffic is encapsulated in the HTTP payload and de-encapsulated at the destination. From a traditional firewall's perspective this looks like ordinary web traffic, but an NGFW identifies its true purpose before it reaches the destination. If the application is allowed by the NGFW's policy, the firewall passes the traffic; if not, it blocks it. The same problem exists on port 443: once the payload is encrypted, an NGFW can classify the flow only from what remains visible (the TLS handshake, the certificate and the server name indication) unless it is configured to decrypt the session.
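To make the port-versus-application distinction concrete, here is an added example in Python (not code from the original article) that classifies a flow from its first payload bytes and ignores the destination port, then compares a port-based policy with an application-based one on constructed samples. The signatures, the allowed application list, the host names and the minimal ClientHello builder are assumptions for the illustration; a real NGFW carries thousands of such signatures. For TLS the classifier can only read the server name indication, which is client-supplied and unauthenticated, so a policy keyed on it controls well-behaved clients, not a determined adversary.

```python
import re
import struct

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if this is not one.

    Layout walked: record header (5) -> handshake header (4) -> version (2) -> random (32)
    -> session id -> cipher suites -> compression methods -> extensions."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 43
    try:
        p += 1 + payload[p]                                       # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")          # cipher suites
        p += 1 + payload[p]                                       # compression methods
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")    # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", payload[p:p + 4])
            p += 4
            if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                nlen = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def identify_app(payload):
    """Classify a flow from its first payload bytes; the port is not consulted."""
    m = HTTP_REQ.match(payload)
    if m:
        return "http-connect" if m.group(1) == b"CONNECT" else "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    sni = tls_sni(payload)
    if sni is not None:
        return f"tls:{sni}"
    if payload[:1] == b"\x16":
        return "tls:unknown"
    return "unknown"


# Traditional policy: the port decides.  NGFW policy: the identified application decides.
OPEN_PORTS = {80, 443}
ALLOWED_APPS = {"http"}                    # assumed: plain web browsing only
ALLOWED_TLS_HOSTS = {"www.example.com"}    # assumed: one sanctioned HTTPS destination


def legacy_decision(dport):
    return "allow" if dport in OPEN_PORTS else "deny"


def ngfw_decision(payload):
    app = identify_app(payload)
    if app in ALLOWED_APPS:
        return "allow"
    if app.startswith("tls:") and app[4:] in ALLOWED_TLS_HOSTS:
        return "allow"
    return "deny"


def build_client_hello(host):
    """Minimal TLS 1.2 ClientHello carrying one SNI extension (constructed test input)."""
    name = host.encode()
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"          # one cipher suite
            + b"\x01\x00"                                 # one compression method (null)
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


FLOWS = [  # (dst_port, first payload bytes): constructed samples, all on "web" ports
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"CONNECT relay.example:22 HTTP/1.1\r\n\r\n"),   # HTTP used as a tunnel
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),                       # SSH hiding on port 80
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8),
    (443, build_client_hello("www.example.com")),
    (443, build_client_hello("tracker.example.net")),
]


def compare():
    return [(port, identify_app(p), legacy_decision(port), ngfw_decision(p)) for port, p in FLOWS]


if __name__ == "__main__":
    for port, app, legacy, ngfw in compare():
        print(f"port {port:<4} {app:26} legacy={legacy:5} ngfw={ngfw}")
```

The port-based policy allows all six flows; the application-based one allows only the plain HTTP request and the TLS session to the sanctioned host. Note that a tunnel hidden inside a syntactically valid HTTP request body (rather than a `CONNECT`) would still classify as "http" here; distinguishing that needs deeper protocol analysis than a first-packet signature.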

According to Gartner, Inc.'s definition, a next-generation firewall must include:

While these capabilities are increasingly becoming the standard for most companies, NGFWs can do much more.

Aspects of Next Generation Firewall - NGFW


Introduction to ASA : Cisco’s Next-Gen Firewalls

Like most other next-generation firewalls, Cisco's ASA Next-Generation Firewalls deliver application awareness and user identity capabilities, for enhanced visibility and control of network traffic.

Together with its management platform, Cisco ASA provides a comprehensive solution that:

ASA provides security administrators with end-to-end visibility across the security network, including top-level traffic patterns, detailed logs, and the health and performance of Cisco ASA devices. Cisco Prime Security Manager (PRSM), which manages the ASA Next-Generation Firewall Services, reduces cost and complexity by unifying management of the core Cisco ASA functions (including firewall and NAT) and the Next-Generation Firewall Services in distributed deployments.

In addition, Cisco ASA Next-Generation Firewall Services enable administrators to:

ASA NGFW Features


ASA-X is well beyond Typical Next Generation Firewall

Cisco® ASA Next-Generation Firewall Services is a suite of modular security services that run on the Cisco ASA 5500-X Series Next-Generation Firewalls (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X with Security Services Processor SSP-10, SSP-20, SSP-40, and SSP-60). Cisco ASA Next-Generation Firewall Services include Cisco Application Visibility and Control (AVC), Web Security Essentials (WSE), and Intrusion Prevention System (IPS). They blend a proven stateful inspection firewall with next-generation firewall capabilities and network-based security controls for end-to-end network intelligence and streamlined security operations.

Cisco's ASA Next-Generation Firewalls

In general, ASA with Next-Generation Firewall Services delivers the following benefits to the organization:

Unprecedented Network Visibility

Cisco ASA Next-Generation Firewall Services gives security administrators greater visibility into the traffic flowing through the network, including the users connecting to the network, the devices used, and the applications and websites that are accessed.

Cisco Security Intelligence Operations (SIO)
Cisco ASA Next-Generation Firewall Services use Cisco security technologies to provide actionable intelligence to security administrators. For example, Cisco AnyConnect clients report the type and location of a mobile device before it is allowed onto the network. Cisco ASA Next-Generation Firewall Services also use global threat intelligence from Cisco Security Intelligence Operations (SIO) to provide zero-day threat protection.

Along with Cisco security technologies throughout the network, Cisco ASA Next-Generation Firewall Services deliver end-to-end network visibility for superior security control. These services include:


ASA Visibility and Control -NGFW

Cisco ASA Next-Generation Firewall Services with Cisco Web Security Essentials (WSE)

Cisco WSE is a next-generation web security service that adds enterprise-class, context-aware web security to the ASA's stateful inspection firewall for end-to-end network intelligence and streamlined security operations. It blends content-based URL filtering with near-real-time global threat and web reputation analysis from Cisco SIO, allowing organizations to enforce reputation-based web security policies and differentiated access policies based on user, group, device, and role.

Cisco ASA Next-Generation Firewalls with IPS

Cisco IPS provides context-driven threat detection and mitigation. Its simplified operation puts the focus on threat prevention rather than on tuning detection parameters. Inputs from the Cisco AVC and WSE security services optimize the IPS's operation and efficacy for holistic threat prevention.

Comprehensive Security Architecture

Cisco ASA Next-Generation Firewall Services extend the Cisco ASA platform with greater visibility and control. Support for Layer 3 and Layer 4 stateful firewall features, including access control, network address translation, and stateful inspection, lets organizations keep the existing stateful inspection firewall policies that many compliance regulations require, while adding Layer 7 context-aware rules that act on contextual information. The services pull in local intelligence from the Cisco AnyConnect Secure Mobility Client and near-real-time global threat intelligence from Cisco SIO.

Cisco Security Architecture

A proven firewall platform, combined with the power of local and global threat intelligence, provides a comprehensive, dynamic security architecture that is capable of addressing an organization's evolving security needs to enable growth, extensibility, and ongoing innovation.

Threat-focused NGFW

Last but not least, threat-focused NGFWs include all the capabilities of a traditional NGFW and also provide advanced threat detection and remediation. With a threat-focused NGFW you can:

Cisco Systems has a long history in network security that spans multiple changes to firewall technology, including packet filtering, stateful inspection, deep packet inspection (DPI), and next-generation firewalls. Cisco is now moving further forward with its new Firepower NGFW.


The addition of FirePOWER Services is the biggest enhancement to Cisco's portfolio of Next-Gen Firewall Services to date.

We will present Cisco FirePOWER next-gen solutions in our next article.

In the meantime, please share what you think about NGFWs as well as ASA-X.




This article is written & published by Ms. Meena, Senior Manager - IT, at Luminis Consulting Services Pvt Ltd, India. She can be reached at Email:  and/or LinkedIn: 


