The NGFW today: A staple of network security in spite of challenges

By Jason Pappalexis

Some technologies are revolutionary—so much so that in less than a generation, it is difficult to imagine living without them. Take, for instance, the automobile. In 1908, the first production Model T Ford was completed. By 1927, close to 15 million had been built, steadily approaching the “… a car in every garage” goal set by Henry Ford himself (in the 1920s, there were likely far fewer garages). Fast forward to the smartphone—first released in the early 2000s, they are now ubiquitous—in the hands of everyone from toddlers to the elderly.

Today, cars and cellphones are pretty much considered essential for modern living. Can the same be said for current next generation firewall (NGFW) technology within IT security architectures?

As the logical evolution of the traditional packet inspection firewall, the NGFW grabbed hold of the prime spot at the network edge, and it hasn’t let go. And for good reason—its broad feature set provides value across organizational teams; for example, network operations (tunneling, routing, etc.), IT security (inspection, application control, decryption, etc.), and even human resources (per-user behavior control through URL categorization, etc.). NGFWs are flexible products, which makes them “sticky” in terms of deployment.

However, the technology is not without challenges. When multi-function systems are deployed within latency-sensitive environments, accurate capacity planning is critical. Given the number of variables within enterprise traffic and general uncertainty about how activating NGFW features will impact performance, many organizations oversize. (Nearly one-third of respondents in the 2018 NSS Labs Network Security Study (1) indicated that their organization targets 50% above peak throughput requirements for sizing.) This can be expensive. What’s more, enterprises are so latency averse that it is not uncommon for devices to be configured in monitor mode in order to further reduce their risk, but this comes at the cost of security: a device that only monitors cannot block the exploits it detects.

There is also uncertainty regarding a product’s actual security effectiveness. The largest proportion of respondents in the 2018 NSS Labs Network Security Study reported that their minimum acceptable security efficacy is in the range of 95% to 99% (2), but expectations of protection and actual protection do not always appear to align. NSS’ 2018 testing reveals inconsistent average exploit block rates over time (3) and mishandling of exploits delivered by web-based scripts (4). Expect the number of script threats to increase as their success rate becomes more widely known. (For example, Trend Micro recorded a spike in malicious JavaScript in January 2019; the spike reached 55.4% in Japan and 14.7% in the US.)

Cloud form factors (both virtual appliance and as a service) introduce more unknowns. Do these form factors provide the same protection as traditional on-premises appliances? Perhaps more importantly, do they protect against threat vectors that are uniquely associated with the enterprise use of cloud resources? While cloud NGFW technologies are being considered by enterprises for deployment in their IT security architectures, the market is still young and actual deployments vary. In the future, enterprise requirements for cloud-based and cloud-delivered NGFWs are likely to have a significant impact on the growth of this technology.

While the challenges discussed here are not inhibiting NGFW adoption, they do provide an opportunity for vendors to set realistic expectations and inform enterprise customers of product gaps, which will help the customers plan properly and reduce risk. Network inspection technology remains essential in today’s IT security architectures, and it is important for enterprises to understand the technology’s capabilities as it continues to evolve.

NSS Labs has published a series of Intelligence Briefs on security controls in the US enterprise. The NSS Labs Intelligence Brief on NGFW offers visibility into current enterprise requirements for the technology. The paper is available to subscribers to our research library.

  1. The 2018 NSS Labs Network Security Study was conducted in the fall of 2018 and targeted 151 full-time US enterprise IT security professionals representing 28 US industries with a median IT security budget of US$10M – $50M.

  2. The largest proportion of respondents (31.1%) in the 2018 NSS Labs Network Security Study reported a minimum acceptable efficacy in the range of 95% to 99%.

  3. 2018 NSS Labs Evolution of Product Testing: Firewall

  4. 2018 NSS Labs Investigative Report: The Impact of Code Obfuscation and Web Delivery Encoding on NGFW Scanning Accuracy