Next generation firewalls solutions in AWS Marketplace

Enhance network security through stateful, application aware, deep-packet inspection and intrusion prevention and detection using third-party software.

Quickly procure and deploy purpose-built solutions

A layered defense is crucial when implementing a network security strategy. A next generation firewall (NGFW) allows you to add a layer of network-centric capabilities to enhance the security of your cloud environment. NGFWs offer multiple security tools in a single solution that is easy to manage and deploy, adding simplicity, visibility, and operational efficiency to your network security architecture.

A NGFW isn’t just a “revamped” firewall. It’s optimized for the scale and scope of cloud operations that your enterprise needs. Although all NGFW offerings serve the same broader purpose, there isn’t a one-size-fits-all solution. We'll explore some crucial questions that your team can use to clearly define your security priorities, accelerate your search, and streamline your NGFW deployment.

Need assistance choosing the right NGFW solution for your organization's unique cloud security needs and use cases? Our experts are here to help.

Discover the benefits of implementing a more sophisticated approach to security

  • Many organizations are required to comply with various regulations and standards (such as ISO/IEC 27001 or PCI-DSS). An NGFW can be an integral component of your overall security approach, helping to satisfy compliance requirements by providing features such as historical event tracking, logging, and monitoring.
  • An NGFW often comes equipped with intrusion detection systems (IDS) and intrusion prevention systems (IPS), application awareness, and sandboxing capabilities that can assist in handling advanced threats, including malware, phishing, and zero-day exploits.
  • Not only does an NGFW observe “typical” ports and protocols, it also provides more intensive protocol examination, application awareness, and deep packet inspection.
  • Most NGFW solutions come equipped with centralized management capabilities, which means you can deploy multiple firewalls but manage and configure them from a single location. This helps stretched teams maintain a robust network security presence. Security teams can focus on priority tasks with simplified management.
  • An NGFW in the cloud provides all the above capabilities, with the added benefit of being implemented within your cloud stack. It isn’t just cloud-deployed—it’s also cloud visible. Whether you’re running serverless functions or a complex network of storage and virtual machines, an NGFW can quickly be implemented in critical observation locations, providing robust network security with less downtime.

Traditional vs. Next Generation Firewall: What’s the difference?

Feature

Next generation firewall

Traditional firewall


Recognizes network protocols

Filters traffic based on IP address and port

Supports routing protocols

Incorporates signature- and behavior-based analytics to identify malicious traffic

Offers protection at various stack levels and with multiple capabilities

Is application-aware

Provides improved visibility

Helps streamline regulatory compliance

Potentially reduces security expenses

Enhances business continuity

Traditional firewall

  • Recognizes network protocols
  • Filters traffic based on IP address and port
  • Supports routing protocols
  • Increasingly less effective against sophisticated malware

Next generation firewall

Includes the functionality of a traditional firewall, plus:

  • Incorporates signature- and behavior-based analytics to identify malicious traffic
  • Offers protection at various stack levels and with multiple capabilities
  • Is application-aware
  • Provides improved visibility
  • Helps streamline regulatory compliance
  • Potentially reduces security expenses
  • Enhances business continuity

Considerations when choosing a NGFW

A direct path to NGFW implementation requires knowing where your business currently stands and where it wants to go, then applying those parameters to the current range of available solutions—to find the best fit for your organization’s infrastructure and security goals.

Review these considerations to get started:

  • Technical capabilities are a great gatekeeper for deciding on the right firewall for your organization, as these requirements will directly inform your selection of a firewall vendor.

    Start by answering a few key technical questions to establish a foundation for your NGFW requirements:

    • Can our existing architecture accommodate an NGFW?
    • Do we have compliance requirements?
    • Do our applications have special requirements?
    • Do we need our firewall to be application-aware?
    • Do we want our firewall to manage a site-to-site virtual private network (VPN)?
  • This decision will refine your list of potential vendors and provide key information to your vendor.

    Which of the following best describes your team?

  • The best placement for your NGFW in your cloud environment depends on many factors, including traffic patterns, bandwidth requirements and availability, and the cloud services you have chosen to use. The NGFW should be placed in a location that provides maximum coverage and protection with little to no impact on performance.

    NGFW placement is largely dependent on your cloud network topology and security requirements. Rather than there being a single, correct placement, it’s more about asking “What works for my team?”

    At your perimeter for Ingress and Egress

    Firewalls in AWS

    This is a traditional home of a firewall. Utilizing a common Ingress and Egress point allows you to fully inspect and control traffic both in and out of your network. This is also a popular architecture when your firewall is managed by a partner even if they aren’t in AWS. A partner firewall can be fully managed by the partner and control the traffic destined to your workloads in different accounts. Egress inspection is useful for detecting and preventing malicious traffic, being part of your Data Loss Prevention program, or simply providing control,visibility, and monitoring to the internet from your network.

    Firewalls in AWS
    Firewalls in AWS

    In front of workloads and other gateways

    Firewalls in AWS

    Strategically positioning firewalls in your network in AWS is a common practice. These firewalls can add extra layers of protection by inspecting traffic as it enters your VPC but before it reaches your workload. This can be especially useful for meeting compliance requirements such as PCI and HIPAA, whether it’s for a group of virtual servers, a dedicated application, or a load-balancer. The firewall placed in front of it can terminate TLS, inspect traffic for malicious behavior,apply Intrusion Prevention, and forward it on to your workload helping you fulfill both security and compliance requirements.

    In your network for east-west inspection

    Firewalls in AWS

    Take control of east-west traffic in your internal network including in AWS Transit Gateway. By placing firewalls in a dedicated Inspection VPC attached to your Transit Gateway, you can inspect some or all of the traffic between VPCs that are also attached to the Transit Gateway. Inter-VPC communications can now be enforced by your security team through your firewall policy. Traffic can be inspected for malicious behavior or logged for forensic analysis. A firewall that supports TLS termination can be leveraged to get deeper layer-7 visibility.

    Firewalls in AWS

    If you’re unsure of the ideal placement of your NGFW, this will be an important discussion to have with your potential vendor.

  • Budget considerations are complex and can require long evaluations to ensure you’ve covered every aspect of the project. They might also influence whether you reconsider a firewall option that includes all the technical requirements on your initial wish list. 

    In addition to licensing costs, consider the following:

    • Do we have any blind spots in our cost estimate for implementing the solution?
    • Will we need to pay for staff training?
    • How much input will we need from a consultant, and at what cost?
    • Will there be data-processing costs involved for the traffic we’ll need to inspect?
    • Will other cloud services be required for your implementation, and will they have associated data-processing costs?

    Expert corner

    “During my career I’ve learned that budgeting for projects is a bit of an art. Your costs can be more than just licensing. It’s also the need to train staff, hire consultants,or even buy additional software. Don’t let hidden expenses surprise you!”

    Geoff Sweet
    Senior Security Solutions Architect,AWS

  • Specific timeline considerations include:

    • Although it may be a relatively short turnaround to turn on new firewalls, can the same be said for the architectural work required to begin routing traffic through them?
    • Will there be a lot of testing and work needed to put our NGFW in line with our traffic?
    • If the changeover requires an outage, will we need to review and adhere to our downtime policies?
    • Will our staff need training to get the expertise to operate, maintain, and report on our NGFW?

    Once you’ve estimated these time requirements, consider framing them against the earlier decision over your preferred deployment style. With a clearer idea of the timeline, you can look back to reassess whether this conflicts with what your internal teams can realistically manage. 

    If your internal teams can fully execute and manage an NGFW implementation, how much bandwidth will that leave them to maintain regular business operations? Or, if your teams require additional training to manage deployment and maintenance, will that investment be more beneficial than passing those tasks along to a third party? These answers may shift your thinking about your preferred deployment style.

    Developing a forecast of your expected time-spend ahead of deployment can help to clarify expectations, and save you that time—and more—in the long run.

    Expert corner

    "Time is the one asset that cannot be gained back. Know your team’s bandwidth and capabilities. Let them prioritize time, gaining the most value for their hours—not their dollars."

    Matt Bromiley
    SANS Digital Forensicsand Incident Response Instructor

Now that you know where you’re headed, choose the solution that will take you there

The NGFW solutions available in AWS Marketplace combine multiple integrated security functions, such as IDS/IPS, VPN gateways, antivirus and anti-bot controls, application control, secure sockets layer (SSL), and TLS inspection, and web filtering.
AWS Network Firewall
By AWS
AWS Network Firewall
  • Native AWS solution
  • ANF handles scaling up based on throughput
  • Multiple deployment models
  • Stateless and stateful rules to optimize traffic

Demo video

CloudGuard Network Security
By Check Point Software Technologies
CloudGuard Network Security
  • 99.8% malware prevention as verified by independent test lab
  • Manage security consistently across on-prem, AWS, and hybrid-clouds
  • Single pane of glass for visibility, policy management, and control

Demo video

Fortinet FortiGate Next-Generation Firewall
By Fortinet Inc.
Fortinet FortiGate Next-Generation Firewall
  • Enforce Zero Trust policies
  • Automate deployment and management of security
  • Comprehensive scanning of traffic to and from the cloud
  • Integrate your Secure SD-WAN with AWS
VM-Series Next-Gen Virtual Firewall w/ Advanced Security Subs
By Palo Alto Networks
VM-Series Next-Gen Virtual Firewall w/ Advanced Security Subs
  • Deep integration with AWS
  • Application-based policy enforcement
  • Central management with Panorama
  • Threat prevention from viruses, worms, malware, and more
Discover more NGFW solutions  

Key benefits of using third-party solutions available in AWS Marketplace

Tap the largest provider community

Extend the benefits of AWS by using capabilities from familiar solution providers you already trust. These providers have proven success securing different stage of cloud adoption, from initial migration through ongoing day to day management.

Reduce risk without losing speed

Quickly procure and deploy solutions that find and address vulnerabilities, detect intrusions, and enable faster response to incidents while minimizing business disruptions.

Integrate easily with AWS

Count on security tools that are designed for AWS interoperability to follow security best practices.