Internal segmentation firewalls: Securing the inner network
The good news is that edge firewalls do an excellent job of protecting the network border. The bad news is that they can’t help after a breach occurs. Once malware enters the network, it can move laterally virtually unopposed. The key to securing your client’s network, data and application services is to place ‘edge’ protection inside their network to create barriers that allow legitimate traffic to pass whilst stopping any unauthorised activities.
Internal networks have been designed to be flat and open. But it has been impractical to deploy edge firewalls internally due to latency and cost. As a result, data and application services - including trade secrets, private data, proprietary applications and other sensitive assets - residing on internal networks have remained relatively unsecured. Added to the mix is the fact that advanced threats are getting better at slipping past perimeter security to reach the unprotected internal network.
Internal segmentation firewall (ISFW) architecture delivers maximum performance and maximum security while offering the flexibility of being placed anywhere in the enterprise. In addition, ISFWs offer streamlined processes to manage individual policies for multiple devices and secure the enterprise’s internal network with minimal management overhead.
Segmentation is key
Until recently, effective segmentation hasn’t been practical. Performance, price and overheads have been problematic for implementing a good segmentation strategy. But these barriers are no longer valid.
“ISFWs can handle traditional ‘north-south’ segmentation as well as emerging ‘east-west’ segmentation,” continues Fox. “Because they can be placed anywhere inside the network, ISFWs can focus on monitoring activities that move around the internal portions of the enterprise network. If hackers attempt to locate assets and data of value by spreading laterally from one compromised host to another, the ISFW identifies this activity as suspect and restricts the lateral movement and propagation of malicious code.”
One network - multiple policies
ISFWs can also manage individual policies for multiple devices. Network managers can configure different levels of visibility, control and mitigation for internal segments within the network. Not all ISFW policies require the same level of inspection, so managers have much more flexibility as to how and where they set activity thresholds. The ability to put the security where you want it, when you want it, is one of the greatest benefits of an ISFW.
With more security enforcement points within the network, device and policy management becomes more critical. Policy-driven segmentation controls access to the network, applications and resources by automatically associating each user’s identity - attributes such as physical location, the type of device used to access the network or the application used - with the security policies of a specific segment.
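The two paragraphs above describe policy-driven segmentation in the abstract: segments, an allowlist of permitted flows between them, and identity attributes (role, device type) bound to each rule. The following is an added example, not code from the original article or from Fortinet, that models such a policy engine in Python so the behaviour is concrete. The segment ranges, rule names, roles and device types are all constructed for illustration; in a real deployment the identity attributes would come from a directory or NAC lookup rather than being carried on the flow object. It also adds a small detection step the quoted text implies but does not spell out: a host whose flows are repeatedly denied against several distinct internal targets is flagged as a possible lateral-movement source.

```python
"""Toy model of policy-driven internal segmentation (example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed segments: the ISFW enforcement point sits between these ranges.
SEGMENTS = {
    "user-lan": ip_network("10.10.0.0/16"),
    "app-tier": ip_network("10.20.0.0/24"),
    "db-tier": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    user_role: str      # identity attribute (assumed to come from a directory lookup)
    device_type: str    # e.g. "managed-laptop", "byod", "server"


@dataclass(frozen=True)
class Rule:
    name: str
    src_segment: str
    dst_segment: str
    dst_ports: FrozenSet[int]
    user_roles: FrozenSet[str]     # empty set means any role
    device_types: FrozenSet[str]   # empty set means any device type


# Constructed allowlist: anything not matched is denied (default deny).
RULES: List[Rule] = [
    Rule("users-to-app-https", "user-lan", "app-tier", frozenset({443}),
         frozenset({"employee", "dba"}), frozenset({"managed-laptop"})),
    Rule("app-to-db", "app-tier", "db-tier", frozenset({5432}),
         frozenset(), frozenset({"server"})),
    Rule("dba-to-db", "user-lan", "db-tier", frozenset({5432}),
         frozenset({"dba"}), frozenset({"managed-laptop"})),
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is outside all segments."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason). Only traffic crossing a segment boundary is inspected."""
    src, dst = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if src is None or dst is None:
        return ("deny", "unknown-segment")
    if src == dst:
        # Host-to-host traffic inside one segment never reaches the ISFW; the
        # size of the segment therefore bounds what a compromised host can reach.
        return ("unseen", "same-segment")
    for r in rules:
        if (r.src_segment == src and r.dst_segment == dst
                and flow.dst_port in r.dst_ports
                and (not r.user_roles or flow.user_role in r.user_roles)
                and (not r.device_types or flow.device_type in r.device_types)):
            return ("allow", r.name)
    return ("deny", "default-deny")


def flag_lateral_movement(flows: List[Flow], threshold: int = 3) -> List[str]:
    """Sources denied against at least `threshold` distinct internal targets."""
    denied_targets = {}
    for f in flows:
        if evaluate(f)[0] == "deny":
            denied_targets.setdefault(f.src_ip, set()).add(f.dst_ip)
    return sorted(src for src, dsts in denied_targets.items() if len(dsts) >= threshold)


# Constructed sample flows: normal use, policy misses, and one host probing across tiers.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.10.5.20", "10.20.0.10", 443, "employee", "managed-laptop"),   # allowed
    Flow("10.10.5.21", "10.20.0.10", 443, "employee", "byod"),             # wrong device
    Flow("10.20.0.10", "10.30.0.5", 5432, "service", "server"),            # allowed
    Flow("10.10.5.20", "10.30.0.5", 5432, "employee", "managed-laptop"),   # wrong role
    Flow("10.10.5.40", "10.30.0.5", 5432, "dba", "managed-laptop"),        # allowed
    Flow("10.10.5.20", "10.10.7.9", 445, "employee", "managed-laptop"),    # same segment
    Flow("10.10.5.30", "10.20.0.11", 22, "employee", "managed-laptop"),    # probing
    Flow("10.10.5.30", "10.20.0.12", 22, "employee", "managed-laptop"),    # probing
    Flow("10.10.5.30", "10.30.0.6", 22, "employee", "managed-laptop"),     # probing
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src_ip, "->", f.dst_ip, f.dst_port, evaluate(f))
    print("possible lateral movement from:", flag_lateral_movement(SAMPLE_FLOWS))
```

The design point is that every rule names both a segment pair and the identity attributes it applies to, and that the absence of a matching rule is a denial rather than an allow. The `same-segment` verdict is the caveat to keep in mind when drawing segments: the ISFW only governs traffic that actually crosses it, so a very large user segment leaves a large blast radius that no policy on the firewall can shrink.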
“ISFWs have the ability to dynamically identify users and enforce the appropriate policies throughout the network,” concludes Fox. “In effect, the entire firewall infrastructure turns into an intelligent policy-driven fabric that protects vital assets with less overhead, less latency and lower overall costs.”
To learn more about how ISFW solutions are helping to solve these sorts of problems and secure today’s networks, Fortinet has prepared a technical white paper ‘Security Where You Need It, When You Need It’ that presents both a design approach and architecture for implementing an ISFW strategy for your enterprise. Call Exclusive Networks and they’ll be happy to get you started.