What is a Next-Generation Firewall (NGFW)?
A Next-Generation Firewall (NGFW) is an advanced Firewall that does not only filter network traffic on the basis of IP addresses, ports and protocols, but also performs deep inspection of applications, content and user behaviour.
In industrial environments, an NGFW combines traditional firewall functions with advanced security such as Protocol Filtering, IDS, Application Control and User-Based Access Control.
🧠 How does an NGFW work?
An NGFW integrates several security functions:
- Stateful inspection
- Monitors connections and tracks context (source, destination, status)
- Deep packet inspection (DPI)
- Analyses data traffic at the application layer (Layer 7), including industrial protocols such as Modbus, OPC UA, S7
- Protocol Filtering and Application Control
- Only permitted functions or commands per protocol are accepted
- User and role-based access control
- Links traffic to users via Active Directory, RADIUS or 802.1X
- Threat detection and blocking
- Often integrates with IDS, IPS, Threat Intelligence feeds, anomaly detection and SIEM
- Logging, monitoring and reporting
- Detailed visibility for Security Monitoring and audit purposes
🏭 Application in OT environments
| Application | Benefit in industrial networks |
|---|---|
| Segmentation of Zones and Conduits Model | Isolation of production areas, management networks and office IT |
| Filtering industrial protocols | Protection against unwanted S7/Modbus/OPC commands |
| Remote Access with user controls | Restricts access to engineering workstations or PLCs |
| Protection against malware and exploits | Prevents lateral movement via application-layer firewalling |
NGFWs are increasingly deployed at the boundary between IT and OT (e.g. between the Supervisory Network and Engineering Network).
🔐 Benefits of an NGFW
- Layered protection: at network and application level
- Suitable for hybrid environments: IT + OT + cloud
- Better visibility into traffic thanks to protocol and user context
- Integration with other tools: SIEM, EDR, Asset Inventory
⚠️ Considerations
- Not all NGFWs are OT-aware (industrial protocol support is required)
- Latency and complexity can increase in real-time networks
- Requires careful configuration and management to avoid false positives
📌 In summary
A Next-Generation Firewall is an indispensable element of modern industrial cybersecurity architecture. It combines deep visibility, advanced threat detection and network segmentation to make OT processes safer and more controllable.