Next generation firewalls solutions in AWS Marketplace
Enhance network security through stateful, application aware, deep-packet inspection and intrusion prevention and detection using third-party software.
Purpose-built solutions
Quickly procure and deploy purpose-built solutions
A layered defense is crucial when implementing a network security strategy. A next generation firewall (NGFW) allows you to add a layer of network-centric capabilities to enhance the security of your cloud environment. NGFWs offer multiple security tools in a single solution that is easy to manage and deploy, adding simplicity, visibility, and operational efficiency to your network security architecture.
An NGFW isn’t just a “revamped” firewall. It’s optimized for the scale and scope of cloud operations that your enterprise needs. Although all NGFW offerings serve the same broader purpose, there isn’t a one-size-fits-all solution. We'll explore some crucial questions that your team can use to clearly define your security priorities, accelerate your search, and streamline your NGFW deployment.
What is a Next Generation Firewall (and why does it matter)?
In this on-demand webinar, security experts break down the myths and realities of NGFWs.
NGFW solutions
Discover the benefits of implementing a more sophisticated approach to security
Elevate Your Network Defense with Advanced Threat Protection and Intelligent Traffic Management
Traditional vs. Next Generation Firewall: What’s the difference?
| Feature | Next generation firewall | Traditional firewall |
|---|---|---|
| Recognizes network protocols | | |
| Filters traffic based on IP address and port | | |
| Supports routing protocols | | |
| Incorporates signature- and behavior-based analytics to identify malicious traffic | | |
| Offers protection at various stack levels and with multiple capabilities | | |
| Is application-aware | | |
| Provides improved visibility | | |
| Helps streamline regulatory compliance | | |
| Potentially reduces security expenses | | |
| Enhances business continuity | | |
Considerations when choosing an NGFW
A direct path to NGFW implementation requires knowing where your business currently stands and where it wants to go, then applying those parameters to the current range of available solutions—to find the best fit for your organization’s infrastructure and security goals. Review these considerations to get started:
Technical capabilities are a great gatekeeper for deciding on the right firewall for your organization, as these requirements will directly inform your selection of a firewall vendor.
Start by answering a few key technical questions to establish a foundation for your NGFW requirements:
- Can our existing architecture accommodate an NGFW?
- Do we have compliance requirements?
- Do our applications have special requirements?
- Do we need our firewall to be application-aware?
- Do we want our firewall to manage a site-to-site virtual private network (VPN)?
This decision will refine your list of potential vendors and provide key information to your vendor.
Which of the following best describes your team?
- “We know exactly what we need, and we’re ready to move forward.”
  Recommended deployment style: Self-managed
  With little vendor interaction, your security team can spin up and deploy as many cloud-based NGFWs as needed, often with little downtime.
- “We want to maintain control over select elements, but would also feel more comfortable with expert guidance.”
  Recommended deployment style: Partially managed
  Cloud-based firewalls in AWS can be deployed with partial management options, allowing you to work with a trusted vendor on key needs, such as deployment or technical troubleshooting, while still maintaining control over some operational elements, like threat detection and response.
- “We want to find a vendor that we can rely on for the entire NGFW implementation and maintenance.”
  Recommended deployment style: Fully managed
  A fully managed NGFW offers businesses the chance to implement robust network security—without overextending their existing security teams or hiring additional internal personnel.
The best placement for your NGFW in your cloud environment depends on many factors, including traffic patterns, bandwidth requirements and availability, and the cloud services you have chosen to use. The NGFW should be placed in a location that provides maximum coverage and protection with little to no impact on performance.
NGFW placement is largely dependent on your cloud network topology and security requirements. Rather than there being a single, correct placement, it’s more about asking “What works for my team?”
At your perimeter for Ingress and Egress
This is the traditional home of a firewall. Using a common ingress and egress point allows you to fully inspect and control traffic both into and out of your network. This is also a popular architecture when your firewall is managed by a partner, even if they aren’t in AWS. A partner firewall can be fully managed by the partner and control the traffic destined for your workloads in different accounts. Egress inspection is useful for detecting and preventing malicious traffic, as part of your Data Loss Prevention program, or simply for providing control, visibility, and monitoring of traffic from your network to the internet.
In front of workloads and other gateways
Strategically positioning firewalls in your network in AWS is a common practice. These firewalls can add extra layers of protection by inspecting traffic as it enters your VPC but before it reaches your workload. This can be especially useful for meeting compliance requirements such as PCI and HIPAA, whether it’s for a group of virtual servers, a dedicated application, or a load balancer. The firewall placed in front of it can terminate TLS, inspect traffic for malicious behavior, apply intrusion prevention, and forward it on to your workload, helping you fulfill both security and compliance requirements.
In your network for east-west inspection
Take control of east-west traffic in your internal network including in AWS Transit Gateway. By placing firewalls in a dedicated Inspection VPC attached to your Transit Gateway, you can inspect some or all of the traffic between VPCs that are also attached to the Transit Gateway. Inter-VPC communications can now be enforced by your security team through your firewall policy. Traffic can be inspected for malicious behavior or logged for forensic analysis. A firewall that supports TLS termination can be leveraged to get deeper layer-7 visibility.
If you’re unsure of the ideal placement of your NGFW, this will be an important discussion to have with your potential vendor.
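The east-west pattern above only enforces your firewall policy if every Transit Gateway route table actually sends spoke-to-spoke traffic through the Inspection VPC; a single more-specific route from one spoke to another silently bypasses the firewall. The following is an added example, not code from the original page or from any AWS tool, that models TGW route tables (longest-prefix match, per-attachment associations) and audits a constructed hub-and-spoke topology for such bypasses. Attachment IDs, CIDRs, and the `build_sample` helper are made up for illustration; the model also abstracts away the subnet route tables and appliance-mode settings inside the Inspection VPC, assuming the firewall forwards allowed traffic back to the Transit Gateway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class RouteTable:
    """A Transit Gateway route table: destination CIDR -> next-hop attachment id."""
    name: str
    routes: dict

    def lookup(self, dst: str):
        """Longest-prefix match, the way a TGW route table selects a next hop."""
        best = None
        target = ip_address(dst)
        for cidr, attachment in self.routes.items():
            net = ip_network(cidr)
            if target in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, attachment)
        return best[1] if best else None


@dataclass
class TransitGateway:
    vpc_cidrs: dict     # attachment id -> CIDR of the VPC behind that attachment
    associations: dict  # attachment id -> RouteTable consulted for traffic arriving from it
    inspection: str     # attachment id of the dedicated Inspection VPC

    def trace(self, src_attachment: str, dst_ip: str, max_hops: int = 4) -> list:
        """Ordered list of attachments a packet is forwarded to.

        A hop into the Inspection VPC is assumed to come back to the TGW after the
        firewall allows it, so the next lookup uses the inspection attachment's table.
        """
        path, current = [], src_attachment
        for _ in range(max_hops):
            nxt = self.associations[current].lookup(dst_ip)
            if nxt is None:          # no matching route: traffic is blackholed
                return path
            path.append(nxt)
            if ip_address(dst_ip) in ip_network(self.vpc_cidrs[nxt]):
                return path          # delivered to the destination VPC
            current = nxt
        return path                  # routing loop guard

    def is_inspected(self, src_attachment: str, dst_ip: str) -> bool:
        return self.inspection in self.trace(src_attachment, dst_ip)

    def find_bypasses(self) -> list:
        """Spoke pairs whose traffic is delivered without ever passing the firewall."""
        spokes = [a for a in self.vpc_cidrs if a != self.inspection]
        bypasses = []
        for src in spokes:
            for dst in spokes:
                if src == dst:
                    continue
                probe = str(next(ip_network(self.vpc_cidrs[dst]).hosts()))
                path = self.trace(src, probe)
                if path and path[-1] == dst and self.inspection not in path:
                    bypasses.append((src, dst))
        return bypasses


def build_sample(direct_spoke_route: bool = False) -> TransitGateway:
    """Constructed topology: two spoke VPCs and one Inspection VPC on a single TGW.

    Spokes share a route table whose only route is a default to the Inspection VPC;
    the inspection route table knows how to reach each spoke. Setting
    direct_spoke_route adds the classic misconfiguration: a specific route from
    the spoke table straight to spoke B, which wins longest-prefix match.
    """
    spoke_a, spoke_b, insp = "tgw-attach-spoke-a", "tgw-attach-spoke-b", "tgw-attach-inspection"
    spoke_routes = {"0.0.0.0/0": insp}
    if direct_spoke_route:
        spoke_routes["10.2.0.0/16"] = spoke_b
    spoke_rt = RouteTable("spoke-rt", spoke_routes)
    inspection_rt = RouteTable("inspection-rt", {"10.1.0.0/16": spoke_a, "10.2.0.0/16": spoke_b})
    return TransitGateway(
        vpc_cidrs={spoke_a: "10.1.0.0/16", spoke_b: "10.2.0.0/16", insp: "100.64.0.0/16"},
        associations={spoke_a: spoke_rt, spoke_b: spoke_rt, insp: inspection_rt},
        inspection=insp,
    )


if __name__ == "__main__":
    good, bad = build_sample(), build_sample(direct_spoke_route=True)
    print("correct topology path:", good.trace("tgw-attach-spoke-a", "10.2.0.5"))
    print("correct topology bypasses:", good.find_bypasses())
    print("misconfigured path:", bad.trace("tgw-attach-spoke-a", "10.2.0.5"))
    print("misconfigured bypasses:", bad.find_bypasses())
```

The audit walks every spoke pair in both directions, which matters because the misconfigured sample only bypasses inspection from spoke A to spoke B; the return path still takes the default route through the firewall, so a one-directional check would miss it. The same model can be fed with route tables exported from a real account to confirm that a policy change to the firewall really governs all inter-VPC traffic.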
Budget considerations are complex and can require long evaluations to ensure you’ve covered every aspect of the project. They might also influence whether you reconsider a firewall option that includes all the technical requirements on your initial wish list.
In addition to licensing costs, consider the following:
- Do we have any blind spots in our cost estimate for implementing the solution?
- Will we need to pay for staff training?
- How much input will we need from a consultant, and at what cost?
- Will there be data-processing costs involved for the traffic we’ll need to inspect?
- Will other cloud services be required for our implementation, and will they have associated data-processing costs?
Specific timeline considerations include:
- Although it may be a relatively short turnaround to turn on new firewalls, can the same be said for the architectural work required to begin routing traffic through them?
- Will there be a lot of testing and work needed to put our NGFW in line with our traffic?
- If the changeover requires an outage, will we need to review and adhere to our downtime policies?
- Will our staff need training to get the expertise to operate, maintain, and report on our NGFW?
Once you’ve estimated these time requirements, consider framing them against the earlier decision over your preferred deployment style. With a clearer idea of the timeline, you can look back to reassess whether this conflicts with what your internal teams can realistically manage.
If your internal teams can fully execute and manage an NGFW implementation, how much bandwidth will that leave them to maintain regular business operations? Or, if your teams require additional training to manage deployment and maintenance, will that investment be more beneficial than passing those tasks along to a third party? These answers may shift your thinking about your preferred deployment style.
Developing a forecast of your expected time-spend ahead of deployment can help to clarify expectations, and save you that time—and more—in the long run.
Now that you know where you’re headed, choose the solution that will take you there
Popular NGFW solutions