Industry Trends

Securing the Inner Network with Internal Segmentation Firewalls

By Bill Mc Gee | February 24, 2016

The threat landscape is constantly evolving, and advanced threats are getting better at slipping past perimeter security to reach the unprotected internal network. While edge firewalls do an excellent job of protecting the network border, they really aren’t foolproof, and they were never designed to help after a breach occurs.

Challenges include malicious code that manages to bypass perimeter defenses and sits dormant for months before launching an opportunistic attack on critical infrastructure, or a hack that quietly exfiltrates sensitive data and intellectual property. The point is that once an attack reaches the network interior there’s traditionally been very little in place to spot their presence or activities—let alone stop them. This is why some of the high-profile breaches you may have heard of went undetected for months, with damages snowballing into the tens of millions of dollars.

While increasing threat sophistication is one significant factor in the rising number of high-profile breaches, an expanding attack surface also figures into the current threat landscape. Today’s networking environments are becoming tremendously complex, including the implementation of IoT, the adoption of cloud-based services, and new networking architectures such as Software-Defined Networks (SDN) and now, Intent-Based Networks (IBN)—and with that complexity comes new risk. These networking trends have all helped erode the network perimeter, making it easier for threats to make it inside and go to town.

The third challenge is performance. In order to facilitate the speed and agility the latest networks require, internal networks are designed to be flat and open. The multi-gigabit speeds required for network traffic make it impractical for traditional firewalls and other types of perimeter security to operate internally (for one thing, they’d create an immediate bottleneck). At the same time, a flat and open internal architecture leaves everything stored in the network relatively unsecured—including trade secrets, private data, proprietary applications, intellectual property, customer data, and other sensitive assets.

So while traditional firewalls that provide strong perimeter defenses and access control are still critical to network security, they no longer provide sufficient protection. Additional measures need to be put in place to protect critical data and systems in the increasingly likely event that a breach occurs. Internal networks require specialized security designed for high-speed environments with unpredictable volumes of traffic moving laterally across the network.

The emergence of a new class of device removes the constraints and limitations of what a firewall can do for enterprises. Internal Segmentation Firewalls (ISFWs) are designed to drive security policy, enforcement, and monitoring deep into the network infrastructure to logically segment data and devices, and then protect those network segments from threats that penetrate the internal network.

ISFWs that sit at strategic points within the network offer greater visibility in terms of user traffic and data flow, and can limit damages in the event of a breach. ISFW architectures deliver maximum performance and maximum security, allowing security teams a simple way to manage policy for multiple devices while securing the enterprise’s internal network security. Dynamically created network segments can do things like keep IoT traffic separate from production data, or keep guests from accessing private corporate resources.

Besides traditional “north-south” segmentation, ISFWs can also protect “east-west” segmentation. Because of where it’s placed in the network, ISFWs can provide deep inspection and monitoring of traffic and applications crossing network segments. As hackers attempt to locate assets and data of value they spread laterally from one compromised host to the next. An ISFW segment the internal network to detect and restrict the lateral movement and propagation of malicious code, and can automatically isolate network segments or devices when malware infections are detected.

ISFWs also enable policy management for multiple devices to more effectively secure the enterprise’s internal network security. Different levels of visibility, control, and mitigation can be deployed across the network. The ability to put the security where you want it, when you want it is one of the greatest benefits of an ISFW.

With more security enforcement points in the network, device and policy management becomes especially critical. Policy-driven segmentation can control access to network segments, applications, and resources by automatically associating each user’s identity with security policies. When properly established, policy-based segmentation can effectively limit potential attack vectors and minimize threats and malware introduced by any individual user.

A user’s identity may be defined as a contextual set of attributes—including physical location, the type of device being used to access the network, or even the application being used. Once established, policy-driven segmentation policies can follow a user’s identity as it moves across the network, and automatically adapt as its context dynamically changes.

The association of a user profile upon which a specific security policy will be enforced should happen as close as possible to the source or access point. Therefore, all firewalls deployed at the various levels of the organization must have the ability to dynamically identify users and enforce the appropriate policies throughout the organization. In effect, the entire firewall infrastructure turns into an intelligent policy-driven segmentation fabric.

To further enhance the power of Fortinet’s ISFW solutions, they can be seamlessly integrated into the Fortinet Security Fabric. This allows them to collect, share, and respond to the latest threat intelligence, and immediately respond with other security technologies as part of a system-wide automated response to detected threats.

To learn more about how ISFW solutions are designed to solve today’s specialized security challenges, and can be a critical component of an integrated security fabric architecture, check out our technical white paper Security Where You Need It, When You Need It. It presents both a design approach and reference architecture for implementing an ISFW strategy for your enterprise.

Download the Security Where You Need It, When You Need It White Paper