Several years ago, firewalls were fairly simple devices — at their core, all they really did was block ports on a network. If an organization didn’t want users doing something like instant messaging, all administrators had to do was find out which ports were used for that activity and block them at the firewall.
There were a few problems back then, such as when both allowed and blocked applications needed to use the same port. But for the most part, firewalls simply blocked traffic wholesale without any real intelligence beyond what an administrator could program into the device.
Today, the fact that organizations need to use thousands of applications from a variety of devices means that blocking a port would almost certainly cause valid applications to stop working. And hackers can simply attack the ports that they know will be open, such as those commonly used for email.
Instead, firewalls have evolved to provide deep-packet inspection, intrusion detection and application identification. That means traffic is blocked on the basis of the patterns it exhibits, not just the port it arrives on. Most attack programs follow a recognizable pattern, if not an outright template, when they try to penetrate a network. This includes actions such as cloaking a program’s true intentions, encrypting payloads and using the ports that legitimate programs use, but for a different purpose. Apart from genuinely new techniques, these patterns are well known and can be blocked by a standard firewall, though a clever new attack can inflict a lot of damage before a firewall’s pattern signatures are updated.
Intrusion prevention system (IPS) capabilities help next-generation firewalls combat new attacks and ongoing threats. They’re able to identify individual applications and can find and block imposters trying to masquerade as valid programs. They also look for suspicious behaviors, such as a program trying to jump from an IPv4 to an IPv6 network, and restrict that activity. IPS devices can also be updated with new profiles and new scanning techniques.
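The contrast between port blocking and pattern-based application identification described above, and the detection of one application masquerading on another application's port, can be shown in a few lines. The following is an added example written for this page, not code from the article or from any firewall vendor; the signatures, port-to-application mapping and sample packets are constructed and deliberately simplified (real DPI engines match far richer protocol state than a first-line regex).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signatures (assumption: a first-line/first-bytes match is enough
# for this illustration; production engines track full protocol state).
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:) ", re.IGNORECASE),
    "ssh": re.compile(rb"^SSH-2\.0-"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x03]"),  # TLS record header, handshake type
}

# Constructed policy: which application each open port is expected to carry.
EXPECTED_APP_FOR_PORT: Dict[int, str] = {80: "http", 25: "smtp", 22: "ssh", 443: "tls"}
ALLOWED_PORTS = set(EXPECTED_APP_FOR_PORT)


@dataclass
class Packet:
    dst_port: int
    payload: bytes


def port_filter(pkt: Packet) -> bool:
    """The old model: allow solely on destination port, ignore the payload."""
    return pkt.dst_port in ALLOWED_PORTS


def identify_app(payload: bytes) -> Optional[str]:
    """Application identification: match the payload against known patterns."""
    for name, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return name
    return None


def dpi_filter(pkt: Packet) -> Tuple[str, str]:
    """Pattern-based filtering: the port must be open AND the payload must be
    the application that port is expected to carry. Returns (verdict, reason)."""
    if pkt.dst_port not in ALLOWED_PORTS:
        return ("block", f"port {pkt.dst_port} not allowed")
    app = identify_app(pkt.payload)
    expected = EXPECTED_APP_FOR_PORT[pkt.dst_port]
    if app is None:
        return ("block", f"unrecognised payload on port {pkt.dst_port}")
    if app != expected:
        # An imposter: a known application using another application's port.
        return ("block", f"{app} masquerading on port {pkt.dst_port} (expected {expected})")
    return ("allow", app)


# Constructed sample traffic.
SAMPLE_PACKETS: List[Packet] = [
    Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # legitimate web
    Packet(80, b"SSH-2.0-OpenSSH_9.0\r\n"),                                 # SSH hiding on the web port
    Packet(443, b"\x00\x01\x02\x03garbage"),                                # not TLS on the TLS port
    Packet(8080, b"GET / HTTP/1.1\r\n\r\n"),                                # closed port
]


def compare_filters(packets: List[Packet]) -> List[Tuple[int, bool, str]]:
    """For each packet: (port, port-filter allows?, DPI verdict)."""
    return [(p.dst_port, port_filter(p), dpi_filter(p)[0]) for p in packets]


if __name__ == "__main__":
    for port, by_port, by_dpi in compare_filters(SAMPLE_PACKETS):
        print(f"port {port:5d}  port-filter={'allow' if by_port else 'block':5s}  dpi={by_dpi}")
```

Running it shows the difference the article describes: the port-only filter admits the SSH banner and the garbage payload because they arrive on open ports, while the pattern-based filter blocks both and still passes the genuine HTTP request. The masquerading check in `dpi_filter` is the same idea as an IPS flagging an imposter that uses a valid program's port.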