Firewall and Next-Generation Firewall (NGFW): Understanding network protection
From the classic packet-filter firewall to the next-generation firewall (NGFW) with deep packet inspection, IPS, SSL inspection, and application control. Configuration examples, firewall generations, and guidance on which solution is right for which business.
Firewalls are the foundation of network security—and at the same time the most commonly misunderstood security tool. "We have a firewall" means little today without context: Which generation? How is it configured? What does it log? What can't it do?
The 4 Generations of Firewalls
Generation 1: Packet Filter (1988)
How it works:
Checks: Source IP, Destination IP, Source Port, Destination Port, Protocol
Decision: ALLOW or DENY
No context: each packet is considered in isolation
Example rule (iptables):
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP # Block the rest
Weaknesses:
→ No state context (stateless): a SYN, an ACK and a FIN to port 443 all look the same
→ Return traffic needs its own rule (e.g., "allow everything from source port 443"), which a scanner abuses by setting its source port to 443
→ Half-open connections are not tracked: a SYN flood cannot be rate-limited
→ No understanding of application protocols
Generation 2: Stateful Inspection (1993)
Functionality:
Tracks connection state (Connection State Table)
TCP: SYN → SYN-ACK → ACK → Connection "established"
Only allows packets for existing connections
Advantage over Gen 1:
→ Half-open connections are tracked: a SYN flood becomes visible and can be rate-limited (no entry becomes "established" without a complete handshake)
→ FIN/ACK scans detectable (a FIN or ACK without a prior connection is dropped)
→ Return traffic automatically allowed (no separate rule for replies)
Weaknesses:
→ No understanding of application protocols: anything on an allowed port passes
→ Tunneling through allowed ports (C2 or exfiltration on 80/443 is indistinguishable from ordinary HTTP/HTTPS)
→ No content inspection
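To make the difference between the two generations concrete, here is an added example (not code from the original article) that runs a constructed packet trace through a stateless filter and a minimal stateful engine. The addresses, the policy and the half-open limit are assumptions chosen for illustration; the FIN probe and the SYN flood are the two cases from the lists above.

```python
"""Stateless (Gen 1) vs. stateful (Gen 2) filtering on a constructed packet trace.

Added example, not code from the original article. Addresses, the policy and
the half-open limit are assumptions chosen to illustrate the two generations.
"""
from dataclasses import dataclass

LAN = "192.168.1."             # assumed workstation network
WEB = "203.0.113.10"           # assumed public web server in the DMZ
MAX_HALF_OPEN_PER_SRC = 3      # assumed SYN-flood threshold per source


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset           # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def P(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def new_connection_permitted(p):
    """Policy: LAN may open HTTPS anywhere; the Internet may open HTTPS to WEB."""
    return (p.src.startswith(LAN) and p.dport == 443) or (p.dst == WEB and p.dport == 443)


def stateless_allow(p):
    """Gen 1: every packet is judged on its own header. Replies carry no state,
    so a second rule has to accept anything *from* port 443; that rule is the hole."""
    if new_connection_permitted(p):
        return True
    if p.sport == 443 and (p.dst.startswith(LAN) or p.src == WEB):
        return True                      # "return traffic" rule
    return False


class StatefulFirewall:
    """Gen 2: the connection table decides; policy is only consulted for new SYNs."""

    def __init__(self):
        self.table = {}                  # (src, sport, dst, dport) -> state

    def half_open(self, src):
        return sum(1 for key, st in self.table.items()
                   if key[0] == src and st != "ESTABLISHED")

    def allow(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            st = self.table[key]
            if st == "SYN_SENT" and key == rev and p.flags == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECV"
            elif st == "SYN_RECV" and key == fwd and "ACK" in p.flags:
                self.table[key] = "ESTABLISHED"
            if p.flags & {"FIN", "RST"}:
                del self.table[key]      # simplified teardown
            return True                  # belongs to a tracked connection
        if p.flags != {"SYN"}:
            return False                 # FIN/ACK probe without a connection
        if not new_connection_permitted(p):
            return False
        if self.half_open(p.src) >= MAX_HALF_OPEN_PER_SRC:
            return False                 # SYN flood: too many half-open from one source
        self.table[fwd] = "SYN_SENT"
        return True


def run(trace):
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]


def demo():
    """Constructed trace: one HTTPS handshake, one FIN probe, one SYN flood."""
    ws, srv = "192.168.1.20", "198.51.100.7"
    scanner, flooder = "203.0.113.5", "203.0.113.9"
    handshake = [P(ws, 51000, srv, 443, "SYN"),
                 P(srv, 443, ws, 51000, "SYN", "ACK"),
                 P(ws, 51000, srv, 443, "ACK")]
    fin_probe = [P(scanner, 443, ws, 3389, "FIN")]       # FIN scan with source port 443
    flood = [P(flooder, 40000 + i, WEB, 443, "SYN") for i in range(10)]
    results = run(handshake + fin_probe + flood)
    return {
        "handshake": results[:3],                        # (stateless, stateful) per packet
        "fin_probe": results[3],
        "flood_passed_stateless": sum(r[0] for r in results[4:]),
        "flood_passed_stateful": sum(r[1] for r in results[4:]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The handshake passes both filters. The FIN probe with source port 443 slips through the stateless "return traffic" rule but is dropped by the stateful engine because no table entry exists; of the ten flood SYNs the stateless filter passes all, the stateful one only the first three.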
Generation 3: Application Layer / Proxy (1990s)
Functionality:
Terminates connection completely (as a proxy)
→ Understands HTTP, FTP, SMTP protocols
→ Can allow/block HTTP methods (GET, POST)
→ Two variants: circuit-level gateway (relays TCP sessions without parsing the protocol, e.g., SOCKS) vs. application-level proxy (parses the protocol itself)
Advantage:
→ Rejects protocol violations (malformed requests never reach the server)
→ Detects tunneling over HTTP (e.g., DNS over HTTP(S), or a non-HTTP protocol on port 80)
Weakness:
→ Slower (every connection is terminated and re-opened, and every request is parsed in full)
→ HTTPS cannot be inspected without SSL/TLS inspection
Generation 4: NGFW - Next-Generation Firewall (2000s to present)
NGFW combines:
✓ Stateful Inspection (Gen 2)
✓ Deep Packet Inspection (DPI)
✓ Application Control (Layer 7)
✓ Intrusion Prevention System (IPS)
✓ SSL/TLS Inspection (Man-in-the-Middle within the organization’s own network)
✓ User Identity Awareness (user instead of IP)
✓ Threat Intelligence Integration (URL filtering, IP reputation)
✓ Sandboxing (analyzing suspicious files)
Core NGFW Functions
Deep Packet Inspection (DPI)
Packet filter: checks headers (IP, TCP)
DPI: checks ENTIRE packet content (payload)
Example: Port 443 (HTTPS)
Packet filter: allows everything on port 443
NGFW with SSL inspection: decrypts → checks content → makes a decision
DPI can detect:
→ C2 beaconing patterns even over HTTPS (with SSL inspection; without it only via metadata such as beacon timing, JA3/JA4 fingerprints and certificates)
→ Malware signatures in files (including inside archives, as long as the archive is not password-protected)
→ SQL injection in HTTP requests
→ DNS tunneling in the DNS protocol (unusually long or high-entropy subdomains, bulk TXT/NULL queries)
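The last point is a good place to show what "inspecting the protocol" means in practice. The following added example (not the article's code) parses DNS queries from their wire format and applies tunneling heuristics to the question name. The packets are constructed inline, and the thresholds (name length, label length, entropy, TXT/NULL size) are assumptions a real engine would tune per environment.

```python
"""DPI on DNS: parse the wire format and flag tunneling-like queries.

Added example, not the article's code. The packets are constructed here, and
the thresholds (name length, label length, entropy, TXT/NULL size) are
assumptions a real engine would tune per environment.
"""
import math
import struct
from collections import Counter

A, NULL, TXT = 1, 10, 16          # DNS QTYPEs used below


def build_query(qname, qtype, txid=0x1234):
    """Constructed DNS query in RFC 1035 wire format (header + one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)   # QCLASS IN


def parse_question(pkt):
    """Return (qname, qtype) of the first question; ValueError on malformed input,
    which is exactly what a DPI engine drops before looking any further."""
    if len(pkt) < 12:
        raise ValueError("short header")
    if struct.unpack(">H", pkt[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, i = [], 12
    while True:
        if i >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[i]
        if n == 0:
            i += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if n > 63 or i + 1 + n > len(pkt):
            raise ValueError("bad label length")
        labels.append(pkt[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if i + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype = struct.unpack(">H", pkt[i:i + 2])[0]
    return ".".join(labels), qtype


def is_malformed(pkt):
    try:
        parse_question(pkt)
        return False
    except ValueError:
        return True


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify(qname, qtype):
    """Heuristics applied per query; returns the list of reasons that fired."""
    labels = qname.split(".")
    data_labels = labels[:-2]          # assumption: 2-label registrable zone (example.com)
    sub = "".join(data_labels)
    reasons = []
    if len(qname) > 100:
        reasons.append("qname > 100 chars")
    if data_labels and max(len(l) for l in data_labels) > 50:
        reasons.append("label > 50 chars")
    if shannon_entropy(sub) > 3.8:
        reasons.append("high-entropy subdomain")
    if qtype in (TXT, NULL) and len(sub) > 30:
        reasons.append("bulk TXT/NULL query")
    return reasons


def inspect(pkt):
    qname, qtype = parse_question(pkt)
    return qname, classify(qname, qtype)


BENIGN = build_query("www.example.com", A)
TUNNEL = build_query("abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwxyz23."
                     "abcdefghijklmnopqrstuvwxyz2345.example.com", TXT)   # base32-like data labels

if __name__ == "__main__":
    for pkt in (BENIGN, TUNNEL):
        print(inspect(pkt))
```

A header-only packet filter would pass both queries identically (UDP to port 53). The parser rejects malformed questions, such as a compression pointer where a label is expected, before any heuristic runs; this is where a DPI engine drops protocol violations.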
Application Control (Layer 7)
NGFW understands applications, not just ports:
Instead of a rule: "TCP Port 80 ALLOW"
NGFW rule: "Facebook: DENY, LinkedIn: ALLOW only profile (no video)"
Examples:
→ Allow Teams, but no file transfers
→ Block WhatsApp Web
→ YouTube: only business channels
→ Throttle gaming traffic (traffic shaping per application)
→ Block Tor and VPN client protocols
Works even if the application changes ports or uses HTTPS (with SSL inspection)
SSL/TLS Inspection
Problem: the large majority of traffic (well over 90% of browser page loads) is HTTPS
→ Traditional firewalls only see encrypted packets
→ Malware uses HTTPS for C2 (Command & Control)
→ Exfiltration via HTTPS cannot be inspected
NGFW SSL Inspection (Man-in-the-Middle):
Client → NGFW: the client believes it is talking to the web server; the NGFW presents a certificate issued on the fly by an internal CA that is deployed to all managed devices
NGFW → Server: the NGFW establishes its own TLS connection to the web server
NGFW decrypts, inspects, and re-encrypts
→ Malware is visible!
Technical limits:
→ Applications with certificate pinning and connections with client certificates (mTLS) break under interception and need bypass rules
→ The bypass-or-inspect decision is taken on the unencrypted SNI in the ClientHello (or the destination's category) before anything is decrypted
Data protection considerations:
→ Private websites (banking, doctor) must be excluded
→ Employees must be informed about SSL inspection (in Germany, works council co-determination under BetrVG § 87 applies)
→ Bypass categories: Banking, Healthcare, Government, Password managers
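How that bypass decision is reached before any decryption, as an added example that is not part of the original article: the code builds a minimal ClientHello, walks it to the server_name extension, and matches the SNI against the bypass categories. The ClientHello is constructed here, and the category-to-domain mapping and the list of pinned applications are assumptions.

```python
"""Where the NGFW decides whether to intercept: read the SNI from the unencrypted
ClientHello and match it against the bypass categories before any MITM happens.

Added example, not the article's code. The ClientHello is constructed here, and
the category-to-domain mapping and the pinned-app list are assumptions.
"""

BYPASS = {                                  # assumed category -> domain suffixes
    "banking": ("bank.example",),
    "healthcare": ("clinic.example",),
    "government": ("gov.example",),
    "password-manager": ("vault.example",),
}
PINNED = ("updates.pinned.example",)        # assumed apps with certificate pinning


def build_client_hello(sni):
    """Constructed minimal ClientHello record; sni=None omits the extension."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type host_name
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list   # extension type 0
    body = (b"\x03\x03" + bytes(32)         # client_version, random (zeros: constructed)
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\x13\x01"           # one cipher suite value (0x1301)
            + b"\x01\x00")                  # one compression method: null
    if exts:
        body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs   # record type handshake


def extract_sni(record):
    """Walk the ClientHello to the server_name extension; None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                       # skip version + random
    i += 1 + body[i]                                 # session_id
    i += 2 + int.from_bytes(body[i:i + 2], "big")    # cipher_suites
    i += 1 + body[i]                                 # compression_methods
    if i >= len(body):
        return None                                  # no extensions at all
    ext_end = i + 2 + int.from_bytes(body[i:i + 2], "big")
    i += 2
    while i + 4 <= ext_end:
        etype = int.from_bytes(body[i:i + 2], "big")
        elen = int.from_bytes(body[i + 2:i + 4], "big")
        data = body[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype != 0:
            continue
        j = 2                                        # skip server_name_list length
        while j + 3 <= len(data):
            ntype, nlen = data[j], int.from_bytes(data[j + 1:j + 3], "big")
            if ntype == 0:
                return data[j + 3:j + 3 + nlen].decode("ascii")
            j += 3 + nlen
    return None


def matches(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def decide(record):
    """Return (action, sni, reason): 'bypass' keeps the session end-to-end encrypted."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect", None, "no SNI: category lookup impossible"
    for category, suffixes in BYPASS.items():
        if any(matches(sni, s) for s in suffixes):
            return "bypass", sni, f"category: {category}"
    if any(matches(sni, s) for s in PINNED):
        return "bypass", sni, "certificate pinning"
    return "inspect", sni, "no bypass rule"


if __name__ == "__main__":
    for host in ("online.bank.example", "www.example.org", "updates.pinned.example", None):
        print(decide(build_client_hello(host)))
```

A ClientHello without SNI (legacy clients, or Encrypted Client Hello) leaves the firewall with no name to categorise; whether such sessions are decrypted or blocked is a policy decision, which is why the example returns a reason string rather than silently choosing.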
Intrusion Prevention System (IPS)
IPS in NGFW:
→ Signature-based: blocks known attack patterns
→ Behavior-based: detects anomalies
→ Vulnerability-based: signatures written for specific CVEs, blocking the exploit before the patch is installed (virtual patching)
Examples:
→ EternalBlue exploit (MS17-010): signature present → block
→ Log4Shell payload in HTTP request: IPS detects → block
→ Port scan detection: 50 ports in 10 seconds → Alert + Block
Difference between IDS and IPS:
IDS: sits out of band (e.g., on a mirror/SPAN port), detects and alerts, takes no action
IPS: sits inline, detects, alerts, AND automatically drops the traffic (a false positive therefore blocks legitimate traffic; tune signatures before enabling blocking)
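The port-scan rule quoted above ("50 ports in 10 seconds") is behaviour-based detection, and it is simple enough to show in full. The following added example (not the article's code) runs a sliding window per source over constructed firewall DENY log lines; the log format is an assumption, the threshold is the one from the text.

```python
"""Port-scan detection as an NGFW IPS would do it, run over constructed firewall
DENY log lines. Added example, not the article's code. The log format is an
assumption; the threshold (50 distinct ports from one source within 10 s) is
the one quoted in the text above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=\S+ proto=\w+ "
                  r"sport=\d+ dport=(?P<dport>\d+)$")
WINDOW = timedelta(seconds=10)
THRESHOLD = 50


def parse(line):
    m = LINE.match(line)
    if not m:
        return None                       # ALLOW lines or other formats are ignored
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], int(m["dport"])


def detect_port_scans(lines):
    """Sliding window per source over chronologically ordered lines.
    Returns one alert per source per window: (src, timestamp, distinct ports)."""
    recent = defaultdict(deque)           # src -> (ts, dport), oldest first
    last_alert = {}
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dport = rec
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                   # expire entries older than the window
        distinct = len({d for _, d in q})
        if distinct >= THRESHOLD and (src not in last_alert or ts - last_alert[src] > WINDOW):
            last_alert[src] = ts          # suppress repeats while the scan continues
            alerts.append((src, ts.isoformat(), distinct))
    return alerts


def sample_log():
    """Constructed log: a fast scan, a slow scan under threshold, normal denies, one ALLOW."""
    base = datetime(2024, 5, 3, 10, 15, 0, tzinfo=timezone.utc)
    events = []

    def log(t, action, src, dport, sport=40000):
        stamp = t.isoformat().replace("+00:00", "Z")
        events.append((t, f"{stamp} {action} src={src} dst=198.51.100.7 "
                          f"proto=tcp sport={sport} dport={dport}"))

    for i in range(60):                   # scanner: 60 ports in 6 seconds
        log(base + timedelta(milliseconds=100 * i), "DENY", "203.0.113.5", 1 + i, 40000 + i)
    for i in range(30):                   # slow scanner: 30 ports in 9 seconds, under threshold
        log(base + timedelta(milliseconds=300 * i + 7), "DENY", "203.0.113.77", 1000 + i)
    for s in (1, 2, 3):                   # a workstation retrying one blocked port
        log(base + timedelta(seconds=s, milliseconds=13), "DENY", "192.168.1.20", 8080)
    log(base + timedelta(seconds=2, milliseconds=21), "ALLOW", "192.168.1.21", 443)
    events.sort()
    return [line for _, line in events]


if __name__ == "__main__":
    for alert in detect_port_scans(sample_log()):
        print(alert)
```

Only the fast scanner trips the rule, exactly at its 50th distinct port; the slow scanner stays below the threshold within any 10-second window, and the workstation hammering one port never counts as a scan. In an IPS the alert would also add the source to a block list for a configurable time.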
NGFW Vendors Compared
| Vendor | Popular for | Strengths |
|---|---|---|
| Fortinet FortiGate | SMB + Enterprise | ASIC-based (very fast), value for money |
| Palo Alto Networks | Enterprise | Market leader, best app control |
| Check Point | Enterprise | Strong management, many features |
| Cisco Firepower | Cisco shops | Integration with Cisco infrastructure |
| Sophos XGS | SMB | Simple management, good SOHO options |
| pfSense/OPNsense | SMB, home network | Open source, free, community support (stateful firewall by default; IPS and app control via add-ons such as Suricata) |
Firewall Configuration: Best Practices
Basic Rules (Defense in Depth)
Default Deny Principle:
DENY everything by default
Then explicitly ALLOW what is necessary
→ No "ALLOW ALL" as the last rule!
Least Privilege:
Only allow the ports and protocols that are truly needed
Workstations → Servers: only on application ports (443, 8080)
Not: Workstations → Servers on all ports
Logging:
Log ALL DENY actions
Regularly analyze ALLOW logs (what is communicating where?)
Log retention: min. 90 days (BSI IT-Grundschutz), 1 year recommended
Zone Model
DMZ (Demilitarized Zone):
Publicly accessible servers (Web, Mail, DNS)
Between the Internet and the intranet
Intranet:
Internal systems, workstations, printers
No direct Internet access from servers (Proxy!)
Management Zone:
Firewall management, SIEM, monitoring
Accessible only to IT admins
Guest Zone:
Visitor Wi-Fi
Internet only, no access to intranet
Rules between zones (example):
Internet → DMZ: 443 ALLOW (Web), 25 ALLOW (Mail)
DMZ → Intranet: only to backend APIs (8080)
Intranet → Internet: via proxy (http/https)
Guest → Intranet: DENY
Management → all zones: ALLOW (for admins)
Common firewall misconfigurations
Error 1: "ALLOW ANY ANY" or "ALLOW ALL to Internet"
→ No protection against exfiltration or C2
Error 2: Management interface accessible from the Internet
→ A single vulnerability in the management web interface hands an attacker the firewall and every rule in it; expose management only to the management zone or via VPN
Error 3: RDP (Port 3389) allowed from the Internet
→ Brute-force attacks and RDP vulnerabilities can be exploited
Error 4: No logging or logs retained for too short a period
→ Incident response is blind
Error 5: Default admin password not changed
→ Default credentials for all vendors available online
Error 6: No regular firmware updates
→ CVE-2023-27997 (Fortinet FortiOS, CVSS 9.8): pre-authentication heap overflow in the SSL-VPN; every unpatched appliance with SSL-VPN enabled is exploitable from the Internet
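Errors 1 to 3 and the zone rules above can be checked mechanically against a ruleset export, which is how such a review is usually done. The following added example (not the article's code) evaluates zone-to-zone rules with first-match semantics and audits two constructed rulesets: the zone model from above and a deliberately broken one. Zone names follow the zone model; the proxy living in the DMZ on port 3128 and the audit probes are assumptions.

```python
"""Zone-to-zone rule evaluation plus an audit for the misconfigurations listed
above, run over two constructed rulesets. Added example, not the article's
code. Zone names follow the zone model above; the proxy living in the DMZ on
port 3128 and the audit probes are assumptions.
"""
from collections import namedtuple

ANY = "any"
Rule = namedtuple("Rule", "src dst dports action")   # dports: ANY or a frozenset of ports


def R(src, dst, dports, action):
    return Rule(src, dst, ANY if dports == ANY else frozenset(dports), action)


def first_match(rules, src_zone, dst_zone, dport):
    """First-match semantics; None means no rule matched (implicit deny assumed)."""
    for r in rules:
        if (r.src in (ANY, src_zone) and r.dst in (ANY, dst_zone)
                and (r.dports == ANY or dport in r.dports)):
            return r
    return None


def covers(a, b):
    """True if rule a matches everything rule b could match (b after a is dead)."""
    return (a.src in (ANY, b.src) and a.dst in (ANY, b.dst)
            and (a.dports == ANY or (b.dports != ANY and b.dports <= a.dports)))


PROBES = (   # (from, to, port, what): paths that must never be open
    ("internet", "management", 443, "firewall management interface"),
    ("internet", "intranet", 3389, "RDP"),
    ("guest", "intranet", 445, "guest Wi-Fi to intranet"),
)


def audit(rules):
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY
            and last.dst == ANY and last.dports == ANY):
        findings.append("no explicit default-deny rule at the end")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.dports == ANY and (
                r.dst == "internet" or (r.src == ANY and r.dst == ANY)):
            findings.append(f"rule {i}: ALLOW ALL to {r.dst}: no egress control (C2/exfiltration)")
    for zone_from, zone_to, port, what in PROBES:
        m = first_match(rules, zone_from, zone_to, port)
        if m is not None and m.action == "allow":
            findings.append(f"{what} reachable from {zone_from} (rule {rules.index(m)})")
    for j, r in enumerate(rules):
        for i in range(j):
            if covers(rules[i], r):
                findings.append(f"rule {j} is shadowed by rule {i} and can never match")
                break
    return findings


ZONE_MODEL = [   # the article's zone rules, written out
    R("internet", "dmz", {443, 25}, "allow"),
    R("dmz", "intranet", {8080}, "allow"),
    R("intranet", "dmz", {3128}, "allow"),        # workstations -> proxy (assumed in DMZ)
    R("dmz", "internet", {80, 443}, "allow"),     # proxy -> Internet
    R("guest", "internet", {80, 443}, "allow"),
    R("guest", "intranet", ANY, "deny"),
    R("management", ANY, ANY, "allow"),
    R(ANY, ANY, ANY, "deny"),                      # default deny
]

MISCONFIGURED = [   # constructed ruleset with errors 1 to 3 plus a dead rule
    R("internet", "dmz", {443, 25}, "allow"),
    R("internet", "management", {443}, "allow"),  # error 2
    R("internet", "intranet", {3389}, "allow"),   # error 3
    R("guest", "intranet", ANY, "deny"),
    R("intranet", "internet", ANY, "allow"),      # error 1
    R("dmz", "intranet", {8080}, "allow"),
    R("intranet", "internet", {443}, "allow"),    # shadowed by rule 4
]                                                  # and no default deny

if __name__ == "__main__":
    for name, rules in (("zone model", ZONE_MODEL), ("misconfigured", MISCONFIGURED)):
        print(name, audit(rules) or "no findings")
```

The shadowing check is worth keeping in any such script: a rule that can never match is usually the trace of an earlier "temporary" ALLOW that was widened and never cleaned up, and it is where error 1 tends to hide.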
WAF vs. NGFW
NGFW:
→ Protects network perimeter
→ Layers 3–7, general network protection
→ Not specialized in HTTP/web applications
WAF (Web Application Firewall):
→ Specifically protects web applications
→ Deep HTTP analysis: XSS, SQLi, CSRF, OWASP Top 10
→ No network protection outside of HTTP
Combination:
NGFW + WAF: optimal protection
NGFW protects network access
WAF protects web applications from Layer 7 attacks
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's program in Internet Security at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. Assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)