Industry Trends

Beyond Border Protection - Securing Internal Networks With INFWs

By Jonas Tichenor | January 27, 2015

Network security has traditionally focused on border protection strategies - If you could keep the bad guys out, then your computers, users, and data were safe. As next-generation firewalls (NGFWs) and unified threat management (UTM) appliances hit the market, system administrators and security pros found themselves with a pretty effective combination of visibility and protection.

Now, though, we’re finding that an increasing number of attacks are coming from inside the network itself. Many of the headline-grabbing breaches in the last year began with a compromise that originated within the network instead of more traditional attacks by hackers attempting to breach a network from the outside. Hackers are also using social engineering and sophisticated spear phishing techniques more frequently to obtain confidential information and network credentials directly from employees. They can then launch attacks that bypass even the most sophisticated firewalls because employees unknowingly gave them de facto permission to do so.

As an example, when a company recently contracted with a team of penetration testers to evaluate their network security, the testers successfully compromised their network by sending a modified iPhone to a company and exploiting a vulnerable internal wireless connection. In another case, the testers sent a modified iPad to an executive and collected network credentials and personal information when he set up his “free gift for an excellent quarter”. The bottom line is that it’s no longer enough to simply protect a network at its edge and assume that the internal network is a trusted entity. These were just penetration tests, so the network and data were safe, but they clearly demonstrate ways that savvy hackers can exploit internal vulnerabilities instead of simply attacking the network perimeter.

A recent ZDNet post citing industry statistics noted that as many as 93% of US businesses were vulnerable to internal threats. And the emerging threats inside the network are exacerbated by the trend towards flat network architectures. There are simply fewer barriers in modern networks to lateral or “east/west” movement once hackers penetrate the network. Add to this the potential havoc that disgruntled employees, contractors, guests, and the new threat landscape of BYOD and BYOA and it’s time for a different approach. Enter the INFW (Internal Network Firewall).

By placing application-aware firewalls inside the network, administrators can detect internal threats based on internal traffic rather than hoping they catch telltale signs of a breach as data is being sent offsite. This allows much more rapid time to discovery, improving regulatory compliance, ensuring data security and integrity, and stopping the spread of malware regardless of the infection vector.

From a network architecture perspective, INFWs should be placed inline between logical and physical network segments, between key resources (e.g., servers with customer data) and the rest of the network, or to isolate endpoints that may be difficult to update (e.g., systems running Windows XP to accommodate legacy software). INFWs are also ideal candidates for top-of-rack applications in data centers. For each of these use cases to work effectively and efficiently, though, INFWs need to meet certain criteria. Clearly, sticking any firewall between switches and various endpoints or network segments isn’t going to do the trick. INFWs need:

●      Exceptional performance to accommodate wire-speed east/west traffic - Many firewalls are adapted for WAN speeds but can’t handle internal network speeds without becoming bottlenecks.

●      All of the expected protection capabilities inherent in NGFWs - Visibility is critical but actually being able to address threats in real-time is just as important

●      Easy deployment - Setting up firewalls very often involves IP allocation and network configuration. Organizations need to be able to add this level of protection seamlessly and quickly.

Right now, administrators can add a FortiGate NGFW to their network without rearchitecting by simply deploying the firewall inline between a core/distribution switch and the network segment they wish to protect. FortiGates can be installed in “transparent mode” which eliminates routing functions but leaves intrusion prevention, application control, and advanced threat protection in place. Regardless of the network architecture or existing threat protection they have in place, admins can gain instant visibility and protection on the internal network with virtually no hit to network performance and a dead-simple deployment. This also works in cloud environments with FortiGate virtual appliances.

All it takes is a few patch cables, a few minutes of setup, and an extra rack space - the latter isn’t even necessary in the cloud. Deploying and using an INFW may be the easiest way to dramatically improve security at a time when threats from within are as serious (if not more so) than attacks from outside the network. To read more about INFWs, potential deployment scenarios, and more, click here.

Join the Discussion