In the early days of networking, the first technique developed to implement security was packet filtering. In those days, we implemented routers (firewalls) that matched traffic at Layer 3/4 using ACLs (IP addresses plus TCP/UDP ports) and either permitted or denied that traffic. The Network Administrator would deny ALL from outside -> inside by default and then had to explicitly permit trusted networks. Sometimes a deny ALL from inside -> outside was also created, which is why some old-school technologists still think the root cause of some issues is that ports must be opened going out.
Then, over time, firewalls became more sophisticated and 'state tables' were born. The firewall would by default deny ALL from the Internet, and the Network Administrator no longer had to explicitly permit return traffic for trusted networks: the firewall maintained a 'state table' of connections that originated from the inside and would dynamically permit the return traffic for those connections only.
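To make the difference between the two generations concrete, here is an added example (not code from the original post) that models both a first-generation packet filter and a stateful firewall over the same constructed packets. The inside network prefix, the ACL entries and the addresses are all assumptions chosen for the illustration. The stateless filter can only admit replies by leaving the ephemeral port range open, which also admits unsolicited traffic; the stateful version admits a reply only when its 5-tuple matches a connection the inside opened.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int

# Constructed assumption: the inside network is 10.0.0.0/24.
INSIDE_PREFIX = "10.0.0."

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

# Constructed ACL in the first-generation style: (proto, dst_port) pairs
# explicitly permitted from outside -> inside. Everything else is denied.
PERMITTED_INBOUND: Set[Tuple[str, int]] = {("tcp", 25)}  # a mail server, constructed

def stateless_filter(pkt: Packet) -> bool:
    """First-generation packet filter: each packet is judged on its header alone."""
    if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
        return True  # inside -> outside is permitted
    if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip):
        # Without connection state, replies to inside-initiated sessions can
        # only be let in by opening the whole ephemeral port range (>= 1024),
        # which also lets in unsolicited packets aimed at those ports.
        return (pkt.proto, pkt.dst_port) in PERMITTED_INBOUND or pkt.dst_port >= 1024
    return False  # anything else (e.g. outside -> outside transit) is denied

class StatefulFirewall:
    """Second-generation firewall: a state table tracks inside-originated connections."""

    def __init__(self) -> None:
        # Each entry is the 5-tuple (proto, src_ip, src_port, dst_ip, dst_port)
        # of a connection that was opened from the inside.
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True  # record the outbound connection, then permit it
        if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip):
            reversed_tuple = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reversed_tuple in self.state:
                return True  # reply to a connection the inside opened
            return (pkt.proto, pkt.dst_port) in PERMITTED_INBOUND  # else only explicit ACL
        return False

# Constructed traffic sample: outbound HTTPS, its reply, an unsolicited packet to the
# same ephemeral port, and inbound mail to the explicitly permitted server.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443),    # inside -> outside
    Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000),    # legitimate reply
    Packet("198.51.100.7", "10.0.0.5", "tcp", 4444, 51000),   # unsolicited, no state
    Packet("198.51.100.7", "10.0.0.20", "tcp", 40000, 25),    # permitted by ACL
]

def decisions(allow: Callable[[Packet], bool]) -> List[bool]:
    """Run every sample packet through a decision function, in order."""
    return [allow(p) for p in SAMPLE]

def stateless_decisions() -> List[bool]:
    return decisions(stateless_filter)

def stateful_decisions() -> List[bool]:
    return decisions(StatefulFirewall().allow)

if __name__ == "__main__":
    print("stateless:", stateless_decisions())  # unsolicited packet 3 slips through
    print("stateful: ", stateful_decisions())   # packet 3 is denied: no matching state
```

The third packet is the whole point: both firewalls admit the genuine reply, but only the stateful one can tell the reply apart from an unsolicited packet to the same port, because it has a record of which side opened the connection.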
In the past several years, firewalls have evolved into what manufacturers are calling Next-Generation Firewalls (NGFWs). NGFWs include the typical functions of traditional packet-filtering firewalls as well as those of second-generation stateful inspection firewalls. Beyond that, NGFWs aim to include inspection all the way up to the Application Layer (Layer 7).
For example, Cisco's 5500-X series firewalls are considered NGFWs. I recently took a look at Cisco "FirePOWER" on the ASA5506-X. In July 2013 Cisco purchased Sourcefire for $2.7B. Their software has been incorporated into Cisco's ASA product line and provides IPS, Malware Protection, URL Filtering, and other features.
In my experience setting up the software on the 5506-X, the process was slow, as the device took a lot of processing time to think. In addition, ASDM can be used on the 5506-X for FireSIGHT configuration (but it only contains a subset of the full FireSIGHT Management Center, a VMware VM provided by Cisco).