Business-to-Business (B2B) networks are pervasive within Financial Services network environments. They are also highly vulnerable to attack. One reason is that these networks are often woefully unprotected. Some organizations have implemented simple firewall capabilities in these B2B networks, and most have VPNs. But because performance is paramount, security is often seen as a bottleneck, so many of these networks are secured using nothing more than simple router ACLs (RACLs) and NAT. Seriously.
With the global transition to digital business impacting these organizations, these networks are becoming more complex and need to accommodate more users, devices, traffic, and applications than ever before. At the same time, many Financial Services companies are moving their networks into co-location facilities and interconnecting them with carriers and partners. Not only does this make the distributed environment difficult to see and manage, it has significantly expanded the attack surface that can be exploited by cybercriminals.
Because of the compound challenge of increasing complexity coupled with decreasing visibility across the distributed network, cybercriminals are increasingly successful at targeting businesses with the latest sophisticated attacks. The RACLs and poorly managed NAT infrastructures still being used to secure these networks do little to protect business-critical environments from today’s determined attackers: a stateless ACL sees each packet in isolation and has no record of which sessions were legitimately opened.
The question that needs to be asked is, “how can I increase my security without degrading the performance of my network and applications?”
In addition to looking at the latest generation of ultra-high performance security devices, organizations need to consider implementing stateful network segmentation with improved session management and traffic inspection to see threats, contain breaches, and control the spread of malware-based attacks. This segmentation strategy can be introduced in steps to improve security effectiveness across the network.
First, segment the network as much as you can at network line rates with low latency. Start by segmenting B2B networks, DMZs, lines of business, and countries. If you are co-locating and interconnecting with third parties, these connections also need to be stateful and segmented. A product supporting low latency and jitter can secure and segment all your voice and collaboration technology. You can also segment 10GE and 40GE network connections with high-performance, low-latency, layer 4 technologies. A properly configured network of firewalls with strong networking support will easily allow you to create this sort of segmentation, and it can be deployed faster than any other security technology.
Next, turn on IPS inline in the network. Traditionally, due to performance limitations, this was either cost prohibitive or simply not possible. As little as 18 months ago, for example, it could cost upwards of $100K to get 3Gbps of IPS performance. Now you can enable 40Gbps of inline IPS for half that cost, allowing deep packet inspection of your traffic at a much more cost-effective price point. Enabling inline IPS feeds your security analytics and user behavior analysis, thereby significantly increasing your ability to detect and thwart Advanced Persistent Threats (APTs) without the complexity of updating legacy endpoints.
Finally, implement an integrated security fabric that allows your network to appear as a single entity from a security policy, threat response, and logging perspective. This in turn allows you to increase orchestration that improves security visibility end-to-end across your increasingly distributed networked environment.
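To make the first step concrete, here is an added example (not Fortinet code, and not from the original post) that contrasts a stateless RACL with stateful session tracking on a B2B link. The subnets, ports and packet sequence are constructed for illustration; the RACL mimics a classic "established" entry that matches return traffic purely on the ACK bit, while the stateful filter only admits partner-side packets that belong to a session an inside host actually opened.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.10.0.0/16")    # constructed: the firm's B2B segment
PARTNER = ipaddress.ip_network("192.0.2.0/24")   # constructed: partner/co-lo segment (TEST-NET-1)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE

def racl_allows(pkt: Packet) -> bool:
    """Stateless router ACL: inside may open TCP to the partner; partner-originated
    packets are accepted whenever the ACK bit is set, with no memory of any session."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return pkt.ack
    return False

class StatefulFilter:
    """Records sessions opened from inside; partner packets pass only for a live session."""
    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # new session from inside
                self.sessions.add(key)
                return True
            return key in self.sessions          # later packets of a known session
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False

def compare(packets: list[Packet]) -> tuple[list[bool], list[bool]]:
    """Return the per-packet verdicts of the RACL and of the stateful filter."""
    sf = StatefulFilter()
    return [racl_allows(p) for p in packets], [sf.allows(p) for p in packets]

# Constructed traffic: one legitimate session, then an unsolicited ACK-flagged
# packet from the partner segment that belongs to no session.
SAMPLE = [
    Packet("10.10.1.5", 51000, "192.0.2.20", 443, syn=True),
    Packet("192.0.2.20", 443, "10.10.1.5", 51000, syn=True, ack=True),
    Packet("192.0.2.20", 443, "10.10.1.5", 51000, ack=True),
    Packet("192.0.2.99", 40000, "10.10.1.7", 3389, ack=True),
]
```

Running `compare(SAMPLE)` shows the RACL passing all four packets while the stateful filter drops the last one, which is exactly the gap the post describes.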
Fortinet’s full suite of integrated and collaborative security solutions can provide the infrastructure tools you need to implement a comprehensive, high-performance, centrally managed, and cost-effective strategy to improve your security effectiveness, without compromising business performance or agility. Beyond individual security components, however, Fortinet now offers a cooperative Security Fabric that ties together Fortinet and third-party security solutions into an integrated and collaborative security architecture that spans the entire distributed network.