According to Palo Alto, to be classified as a Next Generation Firewall (NGFW) an appliance must meet five main requirements:
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify users regardless of IP address
3. Protect in real-time against threats embedded across applications
4. Fine-grained visibility and policy control over application access and functionality
5. Multi-gigabit, in-line deployment with no performance degradation
This might seem like a tall order, but Palo Alto offers a range of NGFWs that meet all of these requirements.
The main shortcoming of traditional firewalls (and Intrusion Prevention Systems (IPS)) is that their effectiveness has drastically eroded in the face of more complex and evolving threats. With threats entering networks from a variety of sources (applications, encrypted traffic, etc.), it is worth reassessing whether you want to keep a variety of appliances on your network or consolidate into an NGFW, which provides all the functions of a legacy IPS plus more granular control over applications.
To summarize, the advancement of threats dictates a new set of requirements for complete intrusion prevention (not just intrusion detection). While NGFWs should include the traditional set of IPS requirements they should also address the new types of threats organizations are seeing. These requirements can be broken into three separate high-level considerations:
1. Control - Shrink the attack surface by limiting the scope to the applications that you actually need and use.
2. Protection - Prevent all types of threats by broadening protection beyond vulnerability exploits to cover viruses, malware, botnets, dangerous URLs, phone-home behavior, tunneled applications, encrypted traffic, compressed traffic and files, etc. Allow more granular control of applications and how they are used (limiting apps to certain users, controlling bandwidth usage, disabling certain application features, etc.).
3. Performance - Do all of the above at multi-gigabit-per-second throughput and low latency, on real-world traffic, with full scanning enabled to protect both servers and clients.