The firewall market has always been full of options, with a number of vendors each offering a variety of models. This is truer today than ever, with cybersecurity companies now developing firewalls for the cloud — for example, the Microsoft Azure Firewall and the SonicWall NSv.
If you’re curious about the differences between the two, you’re not alone. To help shed some light, we’ve put together a short guide on which product is best in which situation, and why you’d pick one over the other.
Microsoft Azure Firewall
Before Azure Firewall, there were Azure Network Security Groups (NSG). NSGs are often auto-generated when deploying a new compute resource. NSGs serve the same purpose as access lists on routers and switches, but they directly pre-empt critical resources. Unlike old style access lists, NSGs are stateful filters: for convenience, rules only have to be written in the client-to-server direction. NSGs offer similar features to firewalls of the late 90s, sufficient for basic packet filtering.
The Azure Firewall itself is primarily a stateful packet filter. Packet filters, regardless of whether they’re stateful or stateless, have no visibility into the actual data stream that is transported over the network. They have become much less effective, as virtually everything on the Internet uses port 80 (HTTP) and 443 (HTTPS) today. They also miss application identification and decoding.
With the introduction of Azure Firewall, Microsoft appeared to monetize on NSGs, but added only a small bit of new functionality — for example, rudimentary application-layer rules and Network Address Translation (NAT). Application-layer rules in Azure Firewall can ONLY filter web traffic by URL name by looking into the application layer’s HTML header, and for encrypted traffic by doing a reverse name lookup.
This is, by firewall standards, less than a percent of what a NGFW like the SonicWall NSv can do. Deep packet inspection is one of the core requirements for getting visibility to encrypted data. TLS 1.3 is partially supported on Azure Firewall. The TLS tunnel from client to the firewall is based on TLS 1.2.
The user can enable intrusion prevention services, but Microsoft does not provide many details on this service. Microsoft neither reveals the number of signatures supported, nor discloses how often these signatures are updated. There is no sandbox or in-memory analysis of zero-day threats.
Moreover, Network Address Translations normally allow for the mapping of any part of source/destination IP and source/destination ports. Azure natively supports the one-to-one mapping of private IPs to public IPs. Beyond that, Azure Firewall only adds the mapping of destination ports, which has very limited use in reality because most services run over port 80 and 443 and do not accept different ports. Other NAT combinations are often used to merge networks of trade partners, but corporate acquisitions are not supported.
Managing and reporting tend to be problematic in the Azure Firewall. NSGs can generate traffic logs, but you need a third party to review them. This is mostly useful for debugging. Azure Firewall has a monitoring resource, but it only gives you an overview — meaning it’s not useful for audits or troubleshooting.
Managing Azure Firewall is very similar to managing NSG and must be done via typical Azure settings management. Once you set it, you cannot change it.
You may be used to the quirks of Azure user interface, but imagine using it to manage a large rulebase with groups, nested objects and the need to periodically clean it up while you grow it — for example, changing the names of objects. This is close to impossible with Azure Firewall. Plus, Azure Policy does not offer any structured policy elements, such as object-based rule creation or nested objects.
SonicWall NSv Series Virtual Firewall
SonicWall’s NSv Series virtual firewall provides all the security advantages of a physical firewall with the operational and economic benefits of virtualization — including system scalability and agility, speed of system provisioning, simple management and cost reduction.
Modern firewalls such as the NSv Series, also known as next-generation firewalls (NGFWs), offer application-layer filtering on top of stateful socket filtering. Instead of just filtering out some traffic going to TCP ports 80 or 443 — the two ports utilized by almost all internet traffic — you can filter on the actual traffic flowing over these ports and distinguish between legitimate traffic and malware.
NSv delivers full-featured security tools to shield all critical components of the private/public cloud environments from resource misuse attacks, cross-virtual-machine attacks, side-channel attacks, and common network-based exploits and threats. With infrastructure support for reliable distributed clustering and scaling, the SonicWall NSv Series ensures system resiliency, operational uptime, service delivery and availability, and conformance to regulatory requirements.
NSv is available for VMware ESXi, and also runs for lab use on VMware Workstation and VMware Fusion, Hyper-V, KVM, AWS and Azure. You will find the same features on the virtual and cloud versions as you find on the appliances, including Deep Packet Inspection (DPI) and Gateway Anti-Virus (GAV), with real-time cloud support and our award-winning, patented RTDMI™ in-memory scanner, which captures dormant malware and zero-day threats. NSv is rated by the independent NetSecOPEN as one of the most effective next-generation firewalls on the market.
|General Features||NSv||Azure NSG||Azure FW|
|Stateful packet filtering|
|Zone based security||X|
|Protection of multiple networks||X||X|
|Socket based security||X||X||X|
|CIDR and port range definitions||X||X||X|
|Custom Protocol ID||X|
|Deny vs Discard||X|
|Azure storage||Azure storage|
|Network Address Translation|
|Basic Static NAT||X||X||X|
|Port Address Translation||X||X|
|Basic Dynamic Address Translation||X||X||X|
|Surgical NAT combination||X|
|Next-generation security services|
|Gateway Anti Virus (GAV)||X|
|Intrusion Detection and Prevention (IPS)||X||X (basic)|
|Inspection of encrypted traffic||X (SSL and SSH)|
|SSL Server offloading||X|
|RTDMI and 0-day threats||X|
|OSPF and BGP||X|
|Log Analytics||NSv NSM||Third party||Azure Monitor|
|Bandwidth logging||IPFIX Syslog Inside VM||Azure storage|
In addition, the SonicWall NSv Series offers three major features that take NGFWs into the 21st century. SonicWall NSv has the ability to intercept, decode, inspect and reencode encrypted traffic so that an intruder cannot evade the firewall altogether (DPI-SSL). It also features the ability not just to classify known traffic into good or malicious, but also to detonate and test unknown traffic in real-time in a safe sandbox environment (Capture ATP). Finally, with RTDMI, it has the ability to analyze malicious software that lays undetected and dormant until some trigger activates it.
These three features cover a large percentage of today’s malware — malware for which traditional signature-based filters such as the Azure Firewall are not effective.
NSv can also terminate VPN tunnels, either to a physical office, vendor or work-from-home employee, or within the cloud. In addition, NSv is a fully functional security router. Besides standard dynamic routing protocols, it also offers smart routing according to traffic content and congestion.
As far as reporting and analytics, NSv is the clear winner. In addition of a clean and easy to operate WebUI, SonicWall NSv offers highly scalable rule management, monitoring and analytics via cloud-based SonicWall NSM, managing hundreds or thousands of instances.
In short, Azure Firewall offers the sort of functionality you can find on a $100, big-box-purchased broadband router. It offers none of the many features that you find on an enterprise firewall — and for that matter, not a lot of valuable functionality over free NSGs.
Do yourself a favor: Save your organization some money and look at an actual cloud-based firewall. If you are familiar with managing enterprise firewalls, the SonicWall NSv is an instinctive choice for a cloud firewall.