Internet connection point protection 

Next-Generation Firewall (NGFW) solutions provide advanced protection for corporate networks at the interface with the internet, offering mechanisms to detect and prevent cyber attacks and cyber threats. NGFWs integrate traditional firewall functions with modern technologies such as application-layer traffic inspection, zero-day threat protection and content filtering.

Key features and functions of the NGFW:

1. Real-time inspection of network traffic

The NGFW analyses all network traffic, both inbound and outbound, at the packet and application level.

How does it work?
Deep Packet Inspection (DPI): the NGFW analyses the content of each packet, which makes it possible to detect malicious code, suspicious activity or attacks hidden in encrypted traffic (e.g. HTTPS) once that traffic has been decrypted for inspection.

Example: a company notices that employees are reporting network performance issues. The NGFW analyses the packets and discovers that one of the computers is generating a huge amount of outbound traffic. It turns out that the computer has been infected with botnet malware that is sending spam. The NGFW blocks the suspicious traffic and reports the incident to administrators.

Analysis at the application layer: NGFW firewalls identify and control specific applications (e.g. Facebook, Dropbox), regardless of port or protocol, allowing them to be blocked or restricted according to security policies.

Example: in an organisation, employees use Dropbox to transfer files, resulting in a potential risk of data leakage. The NGFW identifies Dropbox-related traffic and limits its bandwidth to strictly defined hours of operation.

2. Protection against malware

The NGFW protects the organisation from ransomware and other types of malware.

How does it work?
Sandboxing: suspicious files uploaded to the network can be isolated and analysed in a sandbox environment before being passed on.

Example: an IT employee opens an attachment in an email that appears to be an invoice. NGFW automatically uploads the file to a sandbox, where it is identified as ransomware. NGFW blocks the file and prevents infection.

Zero-day threat detection: NGFW uses artificial intelligence mechanisms and Threat Intelligence bases to detect new, previously unknown threats.

Example: hackers attempt to exploit a new vulnerability in the server software. The NGFW, through artificial intelligence mechanisms, detects an anomaly in the behaviour of network traffic and automatically blocks connections to the attacker's servers before data leakage can occur.

Blocking malicious files: automatic blocking of downloads of infected files or content from unauthorised sources.

Example: when a user downloads a file from an unauthorised website, the NGFW recognises it as part of known malware and automatically blocks the download, displaying a warning to the user.

3. Protection against network attacks

The NGFW prevents a variety of attacks on an organisation's IT infrastructure, including DDoS attacks and attempts to exploit software vulnerabilities.

How does it work?
Intrusion Detection and Prevention System (IDS/IPS): NGFWs integrate IDS/IPS functionality to detect and automatically block intrusion attempts, such as port scanning or attacks on web applications.

Example: Cybercriminals attempt to launch an attack on the company's web server using SQL Injection. NGFW detects malicious requests in HTTP traffic and blocks them in real time, protecting the data stored in the database.

Protection against DDoS: built-in protection mechanisms against DDoS attacks reduce the possibility of network or server overload.

Example: An e-commerce company falls victim to a DDoS attack during a sale. NGFW identifies and rejects bot-generated traffic, allowing only real customers access.

Preventing the exploitation of security vulnerabilities: The NGFW monitors and blocks attempts to exploit known vulnerabilities (e.g. server software attacks or application vulnerabilities).

Example: Hackers attempt to exploit a known software vulnerability on an FTP server. NGFW immediately blocks the attempted connection and the administrator is notified to update the software.

4. Access control and user authentication

NGFW manages network access based on the identity of users and devices, ensuring precise control.

How does it work?
Identity management: integration with authentication systems (e.g. LDAP, Active Directory) makes it possible to control which users have access to specific resources and applications.

Example: The company uses Active Directory to manage employee access. NGFW allows control of which teams can access which applications, e.g. the sales department can access the CRM but not the financial system.

Role-Based Access Control policies: administrators can define which applications, services or resources are available to specific user groups (e.g. finance, IT).

Example: NGFW prevents trainees from accessing social media, but allows the marketing department to use it for professional purposes.

Multi-factor authentication (MFA): NGFW may require additional user authentication to enhance access security.

Example: An employee attempting to log in from an unusual location (e.g. another country) must confirm his or her identity with an SMS code. NGFW enables this additional security step.

5. Secure handling of encrypted traffic (SSL/TLS decryption)

NGFWs allow inspection of encrypted HTTPS traffic, which is often used to hide malicious activity.

How does it work?
SSL/TLS decryption: NGFWs decrypt and analyse encrypted traffic for threats, such as malware hidden in downloads or phishing on websites.

Example: a company notices that some employees are visiting suspicious HTTPS pages. The NGFW decrypts the traffic and detects that these pages are trying to install a keylogger. Access is immediately blocked.

Content filtering of HTTPS traffic: the ability to block dangerous or unauthorised websites, even if they use encryption.

Example: at a school, students try to access sites with forbidden content. The NGFW blocks such sites, even if they use SSL/TLS encryption.

6. Protection against phishing and e-mail attacks

NGFWs effectively identify and block phishing attempts and other email threats.

How does it work?
URL filtering: blocking access to malicious websites based on up-to-date threat databases (Threat Intelligence).

Example: An employee clicks on a link in an email that looks like a message from the bank. The NGFW identifies that the landing page is associated with phishing and blocks access to it.

Preventing spoofing: NGFW analyses email traffic to block attempts to impersonate trusted domains or email addresses.

Example: Cybercriminals send emails impersonating a company's CFO, requesting that funds be transferred to a fraudster's account. NGFW detects the difference in domains and blocks the messages.
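The domain comparison behind the spoofing example above, as an added sketch (not code from any NGFW product): it classifies a From: header as trusted, lookalike, impersonation or external. The domain `example-corp.com`, the name "Jane Doe" and the sample headers are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's own sending
# domain and the display names of staff whose identity is worth protecting.
TRUSTED_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"jane doe"}

# Characters often swapped in lookalike domains: digits and Cyrillic letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form that ignores common look-alikes."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return folded.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'impersonation' or 'external'."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A near miss of a trusted domain is more suspicious than an unrelated one.
    if any(edit_distance(skeleton(domain), skeleton(t)) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    # A protected display name arriving from any other domain.
    if name.strip().lower() in PROTECTED_NAMES:
        return "impersonation"
    return "external"


if __name__ == "__main__":
    for header in ("Jane Doe <jane.doe@example-corp.com>",      # constructed samples
                   "Jane Doe <jane.doe@examp1e-corp.com>",
                   "Jane Doe <jd.cfo@freemail.test>"):
        print(f"{classify_sender(header):13} {header}")
```

An exact match on the From: domain only means something when the message has also passed SPF, DKIM or DMARC checks, which this sketch does not perform.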

Example: An employee of a construction company receives an e-mail with a suspicious attachment marked as an invoice. The mail protection system sends the suspicious file for analysis in a sandbox environment, which detects hidden ransomware. The NGFW immediately blocks further attempts to download this attachment and communication with Command & Control (C2) servers, which would be used by the malware in the event of infection.

7. Application management and content filtering

NGFWs allow precise control of network traffic at the application level, enhancing the security of the organisation.

How does it work?
Application filtering: the ability to block or restrict specific applications, such as torrents, unauthorised instant messaging, social media or online games.

Example: in a company, employees start using instant messaging applications such as WhatsApp on company computers, increasing the risk of data leakage. The NGFW identifies the traffic associated with the app and blocks it for the finance and legal departments, but allows its use in the customer service department.

Capacity control: limiting the use of bandwidth by less important applications, thus securing resources for critical services.

Example: At a school, the NGFW detects that students are playing online games during school hours, which slows down the system. The firewall limits bandwidth for traffic generated by gaming applications, leaving bandwidth for educational purposes.

Content filtering: blocking access to unwanted content such as gambling sites, phishing sites or harmful content.

Example: a pharmaceutical company blocks access to gambling and pornographic sites on the corporate network, as well as phishing sites, using the NGFW's content filtering function.

8. Integration with Threat Intelligence systems

NGFWs use threat databases to quickly identify and respond to new attacks.

How does it work?
Real-time updates: NGFWs regularly download information about new threats, such as IP addresses used for attacks, new malware signatures or malicious domains.

Example: a logistics company notices that one of its employees has opened an email with a suspicious link. The NGFW, using its Threat Intelligence database, immediately blocks communication with the domain identified as malicious, preventing data theft.

Proactive protection: blocking known threats before they can reach the corporate network.

Example: A financial organisation uses an NGFW, which automatically identifies and blocks suspicious IP addresses used to spread malware before hackers connect to the company's network.

9. Protecting cloud and hybrid environments

Modern NGFWs are suited to securing resources in cloud and hybrid environments.

How does it work?
Cloud protection: NGFWs secure traffic between the corporate network and the public cloud (e.g. AWS, Azure, Google Cloud), protecting against attacks on cloud resources.

Example: An online shop that stores customer data on AWS servers deploys an NGFW to monitor traffic between local servers and cloud resources, blocking attacks on web applications and attempts to take over administrative accounts.

Network segmentation: creating security zones that restrict the flow of traffic between different environments (on-premise, cloud, DMZ).

Example: a technology organisation that has both on-premise servers and resources in Google Cloud uses an NGFW to create security zones. Traffic between the cloud and the company's internal network is monitored and filtered, reducing the risk of lateral attacks if one part of the infrastructure is breached.

10. Automating responses to threats

NGFWs use automatic response mechanisms to minimise the impact of attacks.

How does it work?
Real-time blocking: suspicious IP addresses, malicious domains or attacking devices are automatically blocked.

Example: an employee accidentally downloads a suspicious file from a malicious IP address. The NGFW automatically detects traffic coming from an address believed to be the source of the malware and blocks it immediately, preventing the threat from spreading across the network.

Dynamic rule updates: NGFWs can automatically update firewall rules in response to new threats or incidents.

Example: during a phishing attack on a large corporation, NGFW automatically updates the security rules, adding new phishing domains to the list of blocked addresses, even before the threat has had time to spread.
