
The Evolution of Firewalls: From Packet Filtering to Machine Learning-Powered NGFWs

Firewalls have evolved from reactive devices that control access to internal resources to proactive tools that use machine learning to enforce security policies.

Firewalls date back to the early days of the internet as a means of controlling outside access to an enterprise’s internal resources as well as communicating outside the on-premises network. Now, networks are accessible in far more ways, by far more devices, in a variety of locations. Enterprises must consider the internet and WAN technologies, IoT and mobile devices, branch offices and remote workers, and much more.

As networks and devices have evolved, so too have firewalls. Where once they were primarily reactive, now they have become more proactive. We’ll follow the evolution of firewalls from the earliest generation of packet filtering devices to unified threat management (UTM) devices, through next-generation firewalls (NGFW), to the most revolutionary firewalls yet: ML-Powered NGFWs.

 

The Early Generations

The first firewalls appeared on the scene in the early 1990s, with this first generation offering a set of simple rules that controlled outside access to internal company resources. The firewall was a packet-filtering system that inspected the information in the packets by looking at the destination address, its protocol, and the port number used. If the traffic did not match the packet filter’s rules, the firewall would take action, either by dropping the packet without a response or rejecting the packet with a notification to the sender.

These early firewalls evolved to “stateful” filters, which kept track of connections between computers, and could retain data packets until enough information was available to make a judgment about their state. They also added a “connection state” rule that made filtering easier since they could determine if a packet was part of a new or existing connection.
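The difference between the two early designs described above, as an added example that is not part of the original article or any vendor's product: a rule-only packet filter and a connection-tracking filter judge the same constructed packets. The addresses (documentation ranges), rule set, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # True only for the packet that opens a TCP connection

# Constructed rule set: (destination network, protocol, destination port).
ALLOW_RULES = [("203.0.113.10/32", "tcp", 443), ("203.0.113.25/32", "tcp", 25)]

def stateless_filter(pkt, on_miss="drop"):
    """First generation: judge each packet alone on destination, protocol, port."""
    for net, proto, port in ALLOW_RULES:
        if ip_address(pkt.dst) in ip_network(net) and (pkt.proto, pkt.dport) == (proto, port):
            return "allow"
    return on_miss  # "drop" is silent; "reject" would notify the sender

class StatefulFilter:
    """Keeps a connection table so a packet can be tied to a known connection."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.connections or reverse in self.connections:
            return "allow"  # belongs to an existing connection
        if pkt.syn and stateless_filter(pkt) == "allow":
            self.connections.add(key)  # new connection permitted by the rules
            return "allow"
        return "drop"  # neither a permitted new connection nor a known one

def compare():
    """Run constructed packets through both filters; return (stateless, stateful) verdicts."""
    client, server = "198.51.100.7", "203.0.113.10"
    packets = {
        "new connection": Packet(client, 51000, server, 443, "tcp", syn=True),
        "server reply": Packet(server, 443, client, 51000, "tcp"),
        "stray mid-stream": Packet("192.0.2.99", 40000, server, 443, "tcp"),
        "closed port": Packet(client, 51001, server, 23, "tcp", syn=True),
    }
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.check(p)) for name, p in packets.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:18} stateless={verdicts[0]:6} stateful={verdicts[1]}")
```

The rule-only filter drops the server's reply and accepts a mid-stream packet that belongs to no connection, because it sees only destination, protocol, and port; the connection table reverses both verdicts.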

 

The Second Generation: Unified Threat Management

As the need for application awareness arose in the early 2000s, many vendors added application visibility and additional security features to their stateful inspection firewalls to create UTM devices. UTM firewalls generally combine firewall, gateway antivirus, and intrusion detection and prevention capabilities into a single platform.

The UTMs’ stateful packet inspection allowed inbound and outbound traffic on the network, while a web proxy filtered content and scanned with antivirus services. A separate intrusion prevention system (IPS) detected and blocked malicious traffic. Virtual private network (VPN) servers incorporated into the UTM could connect remote offices and allow remote users to access corporate resources. Finally, spam filtering acted on junk emails and phishing attempts.

UTMs brought many disparate network security technologies together into a single appliance for ease of deployment and lower cost. However, there was no native integration between the different "modules" or "blades," which led to gaps in security, low performance, and complex policy management.

 

The Third Generation: Next-Generation Firewalls

In 2008, Palo Alto Networks delivered the industry’s first next-generation firewall (NGFW).

Unlike UTMs, true NGFWs offered natively integrated capabilities, including application, user, and content awareness; intrusion prevention; web security; and more, in addition to stateful firewall capabilities. Most importantly, NGFWs offered user identity awareness and protection. This is significant since, according to the 2020 Verizon Data Breach Investigations Report (DBIR), 80% of hacking breaches involved brute force or the use of lost or stolen credentials.

NGFWs provide deep visibility and control based on application, user, and content. They also offer support for secure, encrypted traffic via SSL/TLS decryption technology, ensuring that sensitive data is readable only between trusted entities. Plus, NGFWs are able to detect and prevent advanced attacks by identifying evasive techniques and automatically counteracting them. Antivirus and malware protection is updated automatically as new threats are discovered, helping to keep networks safer than ever. Finally, NGFWs offer deployment flexibility: they are available in both physical and virtual form factors to fit a variety of deployment scenarios and performance needs.

 

Making NGFWs Proactive: ML-Powered NGFWs

The latest firewall to date made its debut in 2020, when Palo Alto Networks introduced the first ML-Powered Next-Generation Firewall. This firewall leverages machine learning to deliver proactive, real-time, and inline zero-day protection.

The ML-Powered NGFW takes a proactive approach to network security, rather than the reactive approach of earlier generations of firewalls. The ML-Powered NGFW uses machine learning models to identify variants of known attacks as well as many unknown cyberthreats so organizations can prevent the majority of zero-day malware inline. The NGFW provides complete device visibility, behavioral anomaly detection, and native enforcement to secure IoT devices without the need for additional sensors or infrastructure. As it collects a wide variety of telemetry information from the network, the ML-Powered NGFW will recommend appropriate security policies. Organizations can view and adopt the IoT security policy recommendations for safe device behavior. This helps save time, reduce the chance of human error, and better secure IoT devices. In essence, the ML-Powered NGFW uses machine learning and analytics to continuously learn and proactively improve an enterprise’s security posture across multiple fronts.

ML-Powered NGFWs can help organizations:

  • Boost prevention with inline ML-based malware and phishing prevention and zero-delay signature updates. ML-Powered NGFWs use machine learning models to identify variants of known attacks as well as many unknown cyberthreats so organizations can prevent the majority of zero-day malware inline. Signature updates are delivered within seconds, once ML-based analysis is complete.
  • See and secure all devices, including IoT. ML-Powered NGFWs provide device visibility, behavioral anomaly detection, and native enforcement to secure IoT devices without the need for additional sensors or infrastructure.
  • Optimize security with ML-based security policy recommendations. As it collects a wide variety of telemetry information from the network, the ML-Powered NGFW can recommend appropriate security policies. Enterprises can view and adopt the IoT security policy recommendations for safe device behavior.

 

Raising the Bar

Cyberattacks continue to grow in frequency, variety, and speed. Manual responses to attacks aren’t enough to keep an enterprise network safe. At the same time, users need greater access to more resources, from more locations, than ever.

Where the focus of firewalls previously was to shorten the time to react to a new attack, an added device, or the need for a new policy change, now the focus is on proactively preventing attacks. A new type of firewall, the ML-Powered Next-Generation Firewall, has emerged that uses machine learning and analytics to disrupt the industry, enabling organizations to prevent unknown threats, see and secure everything – including IoT – and reduce errors with automatic policy recommendations.

Want to learn how Palo Alto Networks is leveraging machine learning to protect enterprises from tomorrow’s threats? Read our ebook 4 Key Elements of an ML-Powered NGFW. Also watch our launch event on demand to learn how Palo Alto Networks is delivering intelligent network security with the world’s first ML-Powered NGFW, PAN-OS 10.0, and more than 70 innovative capabilities.

Resources: https://enterprise.verizon.com/resources/reports/dbir/