What is a next-generation firewall?

It's all about widening the 5-tuple

If there is a simple way to describe the difference between a next-generation firewall and a traditional firewall, it is "more detailed controls." In firewall terms, people talk about "widening the 5-tuple."

Firewall managers like to use the term "5-tuple," borrowing "tuple" from the world of databases. The "5-tuple" means the five items (columns) that each rule (row, or tuple) in a firewall policy uses to define whether to block or allow traffic: source and destination IP, source and destination port, and protocol.

For example, to allow traffic to a Web server at from the Internet, a typical 5-tuple would include source IP and port of "any" (or "*"), destination IP of, destination ports of 80 and 443, and destination protocol of TCP — with an action of "allow." There's variation in every firewall on the market, but at the core of every one you'll find a set of rules that look more-or-less like that: 5-tuples.

Next-generation firewalls "widen" the firewall rule base by adding elements (columns) to each 5-tuple, starting with "application" and "user identity" and perhaps going wider still, factoring in other elements such as "reputation."
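To make the "widening" concrete, here is an added illustration (not code from the article): a small Python rule matcher that evaluates a classic 5-tuple rule base, then the same rows with "application" and "user identity" columns added. Addresses (RFC 5737 ranges), ports, application names and the "admins" group are constructed placeholders, and first-match-wins ordering is assumed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One policy row: the classic 5-tuple plus two NGFW columns.
    None in a column means "any" (the article's "*")."""
    src: Optional[str]          # source network, e.g. "198.51.100.0/24"
    dst: Optional[str]          # destination network
    sport: Optional[set]        # source ports
    dport: Optional[set]        # destination ports
    proto: Optional[str]        # "tcp" or "udp"
    action: str                 # "allow" or "deny"
    app: Optional[set] = None   # NGFW column: application as identified by inspection
    user: Optional[set] = None  # NGFW column: authenticated user or group

# A connection as the firewall sees it after classifying the application and user.
Flow = namedtuple("Flow", "src dst sport dport proto app user")

def _net_ok(rule_net, addr):
    return rule_net is None or ip_address(addr) in ip_network(rule_net)
def _set_ok(rule_set, value):
    return rule_set is None or value in rule_set

def matches(rule, flow):
    """True when every column of the rule accepts the flow."""
    return (_net_ok(rule.src, flow.src) and _net_ok(rule.dst, flow.dst)
            and _set_ok(rule.sport, flow.sport) and _set_ok(rule.dport, flow.dport)
            and _set_ok(rule.proto, flow.proto)
            and _set_ok(rule.app, flow.app) and _set_ok(rule.user, flow.user))

def evaluate(policy, flow, default="deny"):
    """First matching rule wins; no match falls to the default action."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default

# The article's rule: any source -> the web server (constructed address 192.0.2.10), TCP 80/443.
CLASSIC = [Rule(None, "192.0.2.10/32", None, {80, 443}, "tcp", "allow")]
# The same row widened: traffic must also be identified as web-browsing or ssl, and the
# admin interface on 8443 is additionally limited to the "admins" user group.
NGFW = [Rule(None, "192.0.2.10/32", None, {80, 443}, "tcp", "allow", app={"web-browsing", "ssl"}),
        Rule(None, "192.0.2.10/32", None, {8443}, "tcp", "allow", app={"ssl"}, user={"admins"})]
# Constructed flows: a normal HTTPS session, a non-web protocol on port 443, and admin access.
HTTPS = Flow("198.51.100.7", "192.0.2.10", 51234, 443, "tcp", "ssl", "unknown")
NON_WEB_ON_443 = Flow("198.51.100.7", "192.0.2.10", 51235, 443, "tcp", "ssh", "unknown")
ADMIN = Flow("198.51.100.7", "192.0.2.10", 51236, 8443, "tcp", "ssl", "admins")
```

The port-only rule base cannot tell the two port-443 flows apart; the widened one allows the HTTPS session and drops the other to the default deny.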

Copyright © 2011 IDG Communications, Inc.