Business & Technology

Robust Security with Intent-based Segmentation 

By Muhammad Abid and Alex Samonte | February 06, 2019

If you are a network practitioner, you have likely implemented—or at least considered implementing—segmentation based on IP subnets, VLANs, or VXLANs in the network. While these techniques allow administrators to separate IT assets using network semantics, they do not inherently include security, meaning there are no in-built mechanisms in place to perform authentication, admission control, and trust assessment.   

So while you may have separated one traffic stream from another, you have actually only tackled a tiny fraction of the larger problem of needing to combine the isolation of network and IT assets with granular access controls, and then integrating that with high-performance advanced security. Planning, designing, and maintaining such a strategy can quickly exhaust limited IT and security resources. Fortunately, Intent-based Segmenation is a solution to this multi-dimensional problem, which includes the following.

  1. The First dimension of an effective segmentation strategy covers where the segmenation is applied and encompasses all prevailing micro, macro, application, and nano-segmentation techniques. Additionally, it also needs to extend to physical endpoints and devices that are unable to run any agents—for example, chromebooks and multi-functional printers. Because Intent-based Segmenation covers all of the network and infrastrcuture assets of a modern organization, it is far more comprehensive than traditional segmentation solutions.
  2. The Second dimension covers how trust is established and monitored. Intent-based Segmentation not only employs existing network and identity based mechanisms, but it can also incorporate more agile and innovative mechanisms like business logic. Further, trust can be continuously monitored by a third party trust engine, and is communicated to FortiGate devices using Fabric Connectors for dynamically adjusting and enforcing security policies. FortiGates can also allow or disallow access to network resources after receiving changing risk and trust assessments derived from suspicous user behavior and actions.
  3. The Third dimension covers what security inspections need to be applied to the traffic. This could be as simple as providing full visibility, or as in-depth as providing comprehensive security. Having the option to dynamically apply full security analysis and protection is necessitated by the fact that trusted users can unknowingly become infected with malware, and worse, provide a platform for hackers to penetrate, thereby defying the established boundaries of trust. This includes the ability to inspect encrypted traffic at network speeds. By some estimates, as much as 65% of global data traffic is now encrypted, and if you are not performing full inspection then you are not actually seeing or securing your traffic.

Powered by our patented Security Processing Units (SPUs), FortiGate devices provide the industry’s most cost effective and highest-performing full inspection against-mandated ciphers, combined with comprehensive threat protection to enable and secure Intent-based Segmentation that extends from endpoint devices to the branch and campus, and out to the distributed data center and multi-cloud environments. 

To that end, Fortinet today announced, a new series of high-performance FortiGate Next-Generation Firewalls (NGFWs), comprised of the FortiGate 3600E, FortiGate 3400E, FortiGate 600E, and FortiGate 400E Series that enable organizations to implement Intent-based Segmentation deep into their security architecture.

  • Intent-based Segmentation allows organizations to achieve granular access control, continuous trust assessment, end-to-end visibility, and automated threat protection.
  • In addition to delivering Intent-based Segmentation, FortiGate 3600E offers 30Gbps of threat protection and 34Gbps of SSL inspection performance, while the FortiGate 3400E offers 23Gbps threat protection and 30Gbps SSL inspection performance.
  • Likewise, the FortiGate 600E offers Intent-based Segmentation with 7Gbps of threat protection and 8Gbps of SSL inspection performance. And the FortiGate 400E offers 5Gbps of threat protection and 4.8Gbps of SSL inspection performance along with Intent-based Segmentation functionality.

The SSL inspection performance of each of these solutions is the industry’s highest for their class. In addition, FortiGate has a longstanding history of earning NSS Labs Recommended ratings in the Next-Generation Firewalls group tests, with their high SSL inspection performance with minimal performance degradation cited as one of the reasons.

If you would like to discover the business benefits of deploying Intent-based Segmentation that includes improving security posture, reducing risks, achieving compliance, and more, read here.

Read more about the Fortinet Security Fabric and how Fortinet is delivering solutions for the Third Generation of Network Security