NGFW vs. WAF. What’s the Right Firewall for You?

Jane-Michele Clark
Director of Business Strategy
Cybersecurity
Estimated reading time: 5 min

May 15, 2024

July 15, 2025


It’s not exactly news to say that AI, ML and increasingly sophisticated cybercriminals have caused the frequency of cyberattacks and the effectiveness of threat vectors to increase multi-fold over the past 12 months. It is also common knowledge that AWS users are prime targets.

Although most North American organisations are using the cloud to some degree, even if it’s just for application access, the very nature of the cloud is presenting challenges for organisations without internal IT expertise.

It is estimated that 87% of organisations are currently using a multi-cloud strategy, or are planning to adopt one before the end of 2024, and that 72% of organisations are already using a hybrid cloud approach.

These complex and dynamic architectures rewrite the security equation. Traditional data centres defend against perimeter threats, but cloud networks have no perimeter separating trusted users, devices or applications from unscrupulous attackers. Despite the many warnings from cybersecurity experts in the past 15 years or so… Pause for a second.

Yes, it has been that long! Amazon introduced the cloud in 2006. Microsoft Azure and AWS developed functional private clouds in 2010. The following year, IBM launched SmartCloud and Apple introduced iCloud.

As we were saying, despite the many warnings from cybersecurity experts, over 40% of organisations with 1000 employees or fewer (which describes 99% of Canadian companies) still do not understand the importance of protecting their perimeter. The expectation is that the carrier/provider will do so. You can read more about this, as well as about cloud outages and tips for protecting your cloud, in our April 15, 2021 blog post.

Unfortunately, the concept of implied trust is obsolete in the cloud. This is the reason the zero trust security model was introduced. Overly simplified, this approach limits access, shrinking the attack surface so that fewer and smaller surfaces need to be protected.

Regardless of where you are in your cloud journey, you need a firewall to protect your cloud. And that’s where it can be confusing for some. The question often asked today: What’s the difference between NGFW and WAF… and aren’t they both just firewalls?

NGFW vs. WAF

Just in case you need reminding, NGFW stands for Next Generation Firewall and WAF stands for Web Application Firewall.

As both technologies are indeed called “firewalls”, it’s easy to understand why there is confusion around WAFs and NGFWs. The real difference is where they are active (where they interact with traffic), and how they help protect your cloud and any information stored there or accessed through it.

An NGFW works at the network edge. In addition to all the features and benefits you get with traditional firewalls, NGFW technologies have been enhanced to include:

  • Intrusion Prevention Systems (IPS), which not only block malware but actively scan network traffic looking for threats.
  • Use of AI and ML to continuously update threat recognition and protection.
  • Deep Packet Inspection (DPI): with this approach, the body of each data packet is analysed, not just the header, as is the case with most traditional firewalls.
  • Traffic blocking based on the applications being accessed.

Adapting an analogy that is being used quite frequently these days, “Think of an NGFW as being the door to your home, and the WAF as keys to the individual bedrooms used by you and your roommates.”

I think it is an apt analogy and, as with living in shared accommodation, your valuables are better protected when you have both types of protection. In many organisations, NGFWs and WAFs are managed by separate teams.

One of the biggest reasons is that a WAF is used more by the teams responsible for the apps, including developers. These specialists live and breathe the application, so they are best able to develop policies to address the vulnerabilities of each app. They are also best qualified to sound the alarm when cross-site scripting (XSS), broken authentication and other such attacks prompt unusual app behaviour.
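To make the “where they interact with traffic” distinction concrete, here is an added example (not code from the original post, nor from Palo Alto Networks or any other vendor) that runs the same constructed packets through three inspection layers: a header-only rule like a traditional firewall, an NGFW-style deep packet inspection rule that looks into the payload, and a WAF-style rule that actually parses the HTTP request and checks its parameters. The IP addresses, the “constructed-malware-beacon” signature and the XSS pattern are all constructed for the demo; a real IPS signature feed and WAF rule set are far larger.

```python
"""Layered inspection demo: header-only rule (traditional firewall),
deep packet inspection (NGFW) and HTTP-layer inspection (WAF) applied
to the same constructed traffic. Example code, not from any vendor."""
from dataclasses import dataclass
import re
from urllib.parse import parse_qs, urlsplit, unquote


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes  # TCP payload; here a raw HTTP request (constructed)


# --- Traditional / header-only rule: only addressing fields are visible ----
ALLOWED_PORTS = {80, 443}
BLOCKED_SOURCES = {"203.0.113.9"}  # constructed blocklist (TEST-NET-3 range)


def header_rule(pkt: Packet) -> str:
    if pkt.src in BLOCKED_SOURCES:
        return "block:source"
    if pkt.dst_port not in ALLOWED_PORTS:
        return "block:port"
    return "allow"


# --- NGFW-style DPI: the packet body is inspected, not just the header -----
# Constructed byte signature standing in for an IPS signature feed.
DPI_SIGNATURES = {b"User-Agent: constructed-malware-beacon": "c2-beacon"}


def dpi_rule(pkt: Packet) -> str:
    for sig, name in DPI_SIGNATURES.items():
        if sig in pkt.payload:
            return f"block:signature:{name}"
    return "allow"


# --- WAF-style rule: understands HTTP and inspects individual parameters ---
XSS_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def parse_http_request(payload: bytes):
    """Minimal HTTP/1.1 request parser; raises ValueError on malformed input."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    params = parse_qs(urlsplit(target).query)
    if method == "POST" and headers.get("Content-Type") == "application/x-www-form-urlencoded":
        params.update(parse_qs(body.decode("latin-1")))
    return method, target, headers, params


def waf_rule(pkt: Packet) -> str:
    try:
        _method, _target, _headers, params = parse_http_request(pkt.payload)
    except ValueError:
        return "block:malformed-http"
    for name, values in params.items():
        for v in values:
            # parse_qs already percent-decodes once; a second unquote pass
            # catches double-encoded values, a common WAF normalisation step.
            if XSS_PATTERN.search(unquote(v)):
                return f"block:xss:{name}"
    return "allow"


def inspect(pkt: Packet) -> list[str]:
    """Run the layers in order (edge first, app last); stop at the first block."""
    decisions = []
    for layer, rule in (("firewall", header_rule), ("ngfw-dpi", dpi_rule), ("waf", waf_rule)):
        decision = rule(pkt)
        decisions.append(f"{layer}:{decision}")
        if decision != "allow":
            break
    return decisions


# Constructed sample traffic (documentation-range addresses only).
SAMPLE = [
    Packet("198.51.100.7", 80, b"GET /search?q=firewalls HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: constructed-malware-beacon\r\n\r\n"),
    Packet("203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("198.51.100.7", 8080, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]


def run_samples() -> list[list[str]]:
    return [inspect(p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, result in zip(SAMPLE, run_samples()):
        print(pkt.src, pkt.dst_port, "->", " | ".join(result))
```

The second sample is the point of the exercise: its header is identical to the benign first request and it carries no known byte signature, so both the header-only rule and the DPI rule let it through, and only the layer that parses HTTP and understands the `q` parameter flags it. That is why the teams who know the application are the ones who write WAF policy, while the network edge handles source, port and signature decisions.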

When the app is ready to be deployed, it is often passed to the IT security team. In our opinion, it is better to implement a formal DevSecOps program, so that security is embedded into the development process. Regardless, it is critical that there be collaboration between all teams involved in protecting the network, its applications and its data.

All that being said, for most organisations, having a strong NGFW can be sufficient.

One of our partners, Palo Alto Networks, is a leader in this space (and so classified by Gartner), and one we recommend when appropriate.

Its NGFW firewalls can be deployed for cloud platforms like AWS or Azure and virtual machines or containers. The firewalls are governed by Panorama, Palo Alto Networks’ centralized firewall management platform, which provides unified rulemaking and visibility.

One of the comments we often hear: “We think that Palo Alto solutions are excellent, but they are sooo expensive!” Palo Alto heard the same refrain frequently, too, so PAN commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Palo Alto Networks Software Firewalls. You can view the report here.

One Last Point in terms of Strategic Planning

According to the 2022 Gartner Magic Quadrant for Network Firewalls report:

“By 2026, more than 60% of organizations will have more than one type of firewall deployment, which will prompt adoption of hybrid mesh firewalls.

By 2026, over 30% of the new deployments of distributed branch-office firewalls will be of firewall-as-a-service offerings, up from less than 10% in 2022.”

In the 2024 Gartner Magic Quadrant for Security Service Edge report, it says:

“By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services, and private application access using a SASE/SSE architecture, up from 20% in 2021.”

If you have questions about firewalls, or would like an outside assessment of your security posture, please feel free to contact us: [email protected], or call 1.877.238.9944.
