5.5 Describe components of network security design
📘 CCNP ENCOR (350-401-ENCOR-v1.1)
1. What Is a Next-Generation Firewall?
A Next-Generation Firewall (NGFW) is an advanced firewall that provides traditional firewall functions plus deep security inspection at the application, user, and content level.
Traditional firewalls only look at:
- Source IP
- Destination IP
- Port number
- Protocol
NGFWs go much deeper. They understand:
- Which application is being used
- Which user is generating the traffic
- Whether the traffic contains malware, exploits, or attacks
👉 Key idea for the exam:
An NGFW combines firewall + intrusion prevention + application awareness + threat detection in one device.
2. Why NGFWs Are Needed in Modern Networks
Modern IT environments use:
- Web applications
- Cloud services
- Encrypted traffic (HTTPS)
- Remote users
- APIs and microservices
Traditional firewalls cannot detect threats hidden inside traffic on allowed ports, such as:
- Malware over HTTPS (TCP 443)
- Unauthorized applications using allowed ports
- Attacks embedded in application traffic
NGFWs solve this by:
- Inspecting traffic beyond ports and protocols
- Understanding what the traffic actually is
3. Core Functions of a Next-Generation Firewall
3.1 Traditional Firewall Capabilities (Still Included)
NGFWs still perform all classic firewall tasks:
- Stateful packet inspection
- Access control rules (permit / deny)
- Network Address Translation (NAT)
- Zone-based firewalling
- Logging and monitoring
👉 Exam point: NGFW does NOT replace traditional firewall features — it extends them.
4. Application Awareness and Control
4.1 What Is Application Awareness?
Application awareness means the firewall can:
- Identify applications regardless of port
- Detect applications even when they use common ports like 80 or 443
Example uses:
- Allow HTTPS access to internal web portals
- Block unauthorized file-sharing applications even if they use HTTPS
4.2 Application Control
NGFWs can:
- Allow specific applications
- Block unwanted applications
- Limit application features
Examples:
- Allow web-based email but block file uploads
- Allow collaboration tools but block screen sharing
👉 Exam keyword: Layer 7 inspection (Application Layer)
5. User Identity Awareness
5.1 What Is User-Based Policy?
Instead of creating rules based only on IP addresses, NGFWs can create rules based on:
- User identity
- User group
- Role
This is usually integrated with:
- Active Directory
- LDAP
- Identity services
Example:
- Allow finance users access to accounting servers
- Deny access to sensitive systems for guest users
👉 Exam point: NGFW can enforce security based on “who” not just “where.”
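The application-aware rules of section 4 and the user-aware rules of section 5, worked as an added example that is not part of these notes or any vendor's code: a toy policy engine that identifies the application from the TLS ClientHello SNI instead of the destination port, maps the source IP to a user group through a constructed identity table, and applies the notes' example rules (allow the portal, block file-sharing even over HTTPS, finance only to the accounting server). All hostnames, addresses, users and groups are constructed.

```python
import struct

# Constructed lookups standing in for an AD/LDAP identity source and an application database.
IP_TO_USER = {"10.1.1.10": ("alice", "finance"), "10.9.9.9": ("guest01", "guests")}
HOST_TO_APP = {"portal.corp.example": "web-portal", "drop.fileshare.example": "file-sharing"}
SENSITIVE_HOSTS = {"10.20.0.5"}  # constructed address for the notes' accounting server

def parse_sni(payload: bytes):
    """Return server_name from a TLS ClientHello, or None if absent or not a ClientHello."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:            # record type handshake, msg ClientHello
            return None
        p = 43                                                  # record(5)+hs(4)+version(2)+random(32)
        p += 1 + payload[p]                                     # session_id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")        # cipher_suites
        p += 1 + payload[p]                                     # compression_methods
        p, end = p + 2, p + 2 + int.from_bytes(payload[p:p + 2], "big")  # extensions block
        while p + 4 <= min(end, len(payload)):
            etype, elen = struct.unpack(">HH", payload[p:p + 4])
            if etype == 0 and elen >= 5:                        # server_name: list(2) type(1) len(2) name
                nlen = int.from_bytes(payload[p + 7:p + 9], "big")
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except IndexError:                                          # truncated or malformed ClientHello
        pass
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (sample input)."""
    name = sni.encode()
    ext = b"\x00\x00" + struct.pack(">HHBH", len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def identify_app(payload: bytes) -> str:
    """Layer 7 identification from content (here the TLS SNI), ignoring the port the flow used."""
    sni = parse_sni(payload)
    return HOST_TO_APP.get(sni, "ssl-generic") if sni else "unknown"

def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes):
    """Apply the notes' example rules (constructed); returns (verdict, reason)."""
    user, group = IP_TO_USER.get(src_ip, ("unknown", "unauthenticated"))
    app = identify_app(payload)
    if app == "file-sharing":                                   # blocked even over 443: app awareness
        return "deny", f"{app} by {user} on port {dst_port}"
    if dst_ip in SENSITIVE_HOSTS and group != "finance":        # 'who', not just 'where'
        return "deny", f"{group} user {user} to sensitive host {dst_ip}"
    return ("allow" if app != "unknown" else "deny"), f"{app} by {user} ({group})"
```

Feeding the same ClientHello to port 443 and 8443 gives the same verdict, because the decision follows the identified application and the user group rather than the port.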
6. Intrusion Prevention System (IPS)
6.1 What Is IPS?
An Intrusion Prevention System (IPS):
- Detects known attacks
- Blocks malicious traffic in real time
NGFWs include built-in IPS functionality.
6.2 How IPS Works
IPS uses:
- Signatures (known attack patterns)
- Behavioral analysis
- Protocol inspection
IPS can detect:
- Exploit attempts
- Buffer overflows
- Command-and-control traffic
👉 Exam focus: NGFWs perform inline IPS, not just detection but prevention.
7. Malware Protection and Threat Detection
7.1 Malware Inspection
NGFWs inspect traffic for:
- Viruses
- Trojans
- Ransomware
- Spyware
They use:
- Signature-based detection
- Reputation databases
- Behavioral analysis
7.2 Advanced Threat Protection (ATP)
Modern NGFWs include:
- Sandboxing
- Zero-day threat detection
- File analysis
Files are:
- Detonated in a secure environment
- Analyzed for malicious behavior
- Blocked if harmful
👉 Exam point: NGFW protects against both known and unknown threats.
8. SSL/TLS Decryption and Inspection
8.1 Why Decryption Is Needed
Most modern traffic is encrypted (HTTPS).
If traffic is encrypted, threats can be hidden inside it.
NGFWs can:
- Decrypt SSL/TLS traffic
- Inspect the content
- Re-encrypt it before forwarding
8.2 Security Considerations
- Requires certificates
- Impacts performance
- May have privacy considerations
👉 Exam keyword: Encrypted traffic inspection
9. Content Filtering and URL Filtering
NGFWs can control:
- Website categories
- URLs
- Web content types
Examples:
- Block malicious websites
- Prevent access to known phishing sites
- Enforce acceptable-use policies
This is often integrated with:
- Threat intelligence feeds
- Cloud-based reputation services
10. Network Segmentation and Policy Enforcement
NGFWs support:
- Security zones
- Micro-segmentation
- Granular policy enforcement
Benefits:
- Limit lateral movement of threats
- Protect sensitive resources
- Apply different policies to different network segments
👉 Exam point: NGFW supports zero-trust and segmentation designs.
11. Visibility, Logging, and Reporting
NGFWs provide:
- Application usage reports
- User activity logs
- Threat dashboards
- Security alerts
This helps administrators:
- Understand traffic behavior
- Detect attacks early
- Meet compliance requirements
12. NGFW Placement in Network Design
NGFWs are commonly deployed:
- At the network perimeter
- Between internal security zones
- In data centers
- In front of critical servers
- At cloud or hybrid network edges
👉 Exam focus: NGFW is a core component of network security architecture.
13. NGFW vs Traditional Firewall (Exam Comparison)
| Feature | Traditional Firewall | NGFW |
|---|---|---|
| Port-based filtering | Yes | Yes |
| Application awareness | No | Yes |
| User identity policies | No | Yes |
| Intrusion prevention | No | Yes |
| Malware protection | No | Yes |
| SSL inspection | No | Yes |
👉 Exam takeaway: NGFW = Traditional firewall + advanced security features
14. Benefits of Next-Generation Firewalls
- Deep traffic visibility
- Strong threat prevention
- Application-level control
- User-aware policies
- Integrated security services
- Reduced attack surface
15. Key Exam Points to Remember
✔ NGFW operates mainly at Layer 7
✔ Combines firewall, IPS, malware protection, and application control
✔ Can identify applications and users, not just IPs
✔ Supports encrypted traffic inspection
✔ Essential component of modern network security design
16. One-Line Exam Definition
A Next-Generation Firewall is a security device that provides stateful firewalling plus application awareness, user identity control, intrusion prevention, and advanced threat protection.
