PROTECTING YOUR NETWORK FROM THE INSIDE-OUT Internal Segmentation Firewall (ISFW)
WHITE PAPER: PROTECTING YOUR NETWORK FROM THE INSIDE-OUT – INTERNAL SEGMENTATION FIREWALL (ISFW)
TABLE OF CONTENTS
Summary ...... 3
Advanced Threats Take Advantage of the “Flat Internal” Network ...... 4
The Answer is a New Class of Firewall – Internal Segmentation Firewall ...... 4
ISFW Technology Requirements ...... 6
Conclusion ...... 7
SUMMARY

For the last decade organizations have been trying to protect their networks by building defenses across the borders of their networks. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This “outside-in” approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall.

As organizations grow and embrace the latest IT technology such as mobility and cloud, the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network.

Not long ago, firewall vendors marked the ports on their appliances “External” (untrusted) and “Internal” (trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non-security-aware devices such as switches, routers, and even bridges. So once you gain access to the network as a hacker, contractor, or even rogue employee, then you get free access to the entire enterprise network including all the valuable assets.

The solution is a new class of firewall – the Internal Segmentation Firewall (ISFW), which sits at strategic points of the internal network. It may sit in front of specific servers that contain valuable intellectual property, or a set of user devices, or web applications sitting in the cloud.

Once in place, the ISFW must provide instant “visibility” to traffic traversing into and out of that specific network asset. This visibility is needed instantly, without months of network planning and deployment.

Most importantly, the ISFW must also provide “protection”, because detection is only a part of the solution. Sifting through logs and alerts can take weeks or months. The ISFW needs to deliver proactive segmentation and real-time protection based on the latest security updates.

Finally, the ISFW must be flexible enough to be placed anywhere within the internal network and integrate with other parts of the enterprise security solution under a single pane of management glass. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. Further, Internal Segmentation Firewalls need to scale from low to high throughputs, allowing deployment across the global network.

KEY REQUIREMENTS
- COMPLETE PROTECTION – Continuous inside-out protection against advanced threats with a single security infrastructure
- EASY DEPLOYMENT – Default Transparent Mode means no need to re-architect the network; centrally deployed and managed
- HIGH PERFORMANCE – Multi-gigabit performance supports wire speed east-west traffic
FIGURE 1 – ADVANCED THREAT LIFE CYCLE (diagram: four phases, 1 Threat Vector, 2 Infection, 3 Communication, 4 Extraction, split across External and Internal; labels include Social Engineering, Scan for vulnerabilities, Zero Days Exploits, Design phishing emails, Malicious URLs, Customize malware, Malicious Apps, Threat Production, Recon, Package & Hide, Spread, Encrypt, Stage, Disarm, Access, Contact Botnet C&C, Disposal, Update)
ADVANCED THREATS TAKE ADVANTAGE OF THE “FLAT INTERNAL” NETWORK

Cybercriminals are creating customized attacks to evade traditional defenses and, once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect, or better still protect against, APTs.

It can be seen from the threat life cycle in Figure 1 that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling any agent-based security, updates from the botnet command and control system, additional infection/recruitment, and extraction of the targeted assets.

THE ANSWER IS A NEW CLASS OF FIREWALL – INTERNAL SEGMENTATION FIREWALL (ISFW)

Most firewall development over the past decade has been focused on the border: the Internet edge, perimeter (host firewall), endpoint, data center (DMZ), or the cloud. This started with the stateful firewall but has evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection, and antivirus. Later came the Next Generation Firewall (NGFW), which included intrusion prevention and application control for the Internet edge. More recently, because of the huge increase in speeds, Data Center Firewalls (DCFW) have arrived to provide more than 100 Gbps of throughput. All of these firewalls have in common an approach designed to protect from the “outside-in.”

For rapid internal deployment and protection, a new class of firewall is required – the Internal Segmentation Firewall (ISFW). The Internal Segmentation Firewall has some different characteristics when compared to a border firewall. The differences are laid out in Figure 2.
FIGURE 2 – FIREWALL TYPE DIFFERENCES

Firewall types compared: ISFW, NGFW, DCFW, UTM, CCFW

Purpose
  ISFW: Visibility & protection for internal segments
  NGFW: Visibility & protection against external threats and internet activities
  DCFW: High performance, low latency network protection
  UTM:  Visibility & protection against external threats and user activities
  CCFW: Network security for Service Providers

Location
  ISFW: Access Layer
  NGFW: Internet Gateway
  DCFW: Core Layer/DC Gateway
  UTM:  Internet Gateway
  CCFW: Various

Network Operation Mode
  ISFW: Transparent Mode
  NGFW: NAT/Route Mode
  DCFW: NAT/Route Mode
  UTM:  NAT/Route Mode
  CCFW: NAT/Route Mode

Hardware Requirements
  ISFW: Higher port density to protect multiple assets
  NGFW: GbE and 10GbE ports
  DCFW: High speed (GbE/10 GbE/40 GbE/100 GbE) & high port density, hardware acceleration
  UTM:  High GbE port density, integrated wireless connectivity and POE
  CCFW: High speed (GbE/10 GbE/40 GbE) & high port density, hardware acceleration

Security Components
  ISFW: Firewall, IPS, ATP, Application Control
  NGFW: (User-based) Firewall, VPN, IPS, Application Control
  DCFW: Firewall, DDoS protection
  UTM:  Comprehensive and extensible, client and device integration
  CCFW: Firewall, CGN, LTE & mobile security

Other Characteristics
  ISFW: Rapid Deployment – near zero configuration
  NGFW: Integration with Advanced Threat Protection (Sandbox)
  DCFW: High Availability
  UTM:  Different WAN Connectivity Options such as 3G/4G
  CCFW: High Availability
THE ISFW NEEDS TO PROVIDE COMPLETE PROTECTION

The first element of security is visibility. And visibility is only as good as network packet knowledge. What does a packet stream look like for a specific application, where did it come from, where is it going, even what actions are being taken (download, upload…)?

The second and equally important element is protection. Is the application, content or actions malicious? Should this type of traffic be communicating from this set of assets to another set of assets? While this is very difficult across different content and application types, it is an essential part of the ISFW. The ability to detect a malicious file, application, or exploit gives an enterprise time to react and contain the threat. All of these protection elements must be on a single device to be effective.

Both visibility and protection are heavily reliant on a real-time central security threat intelligence service. A question that always needs to be posed – how good is the visibility and protection? Is it keeping up with the latest threats? That’s why all security services should be measured on a constant basis with 3rd party test and certification services.

THE ISFW NEEDS TO PROVIDE EASY DEPLOYMENT

The ISFW must be easy to deploy and manage. Keeping it simple for IT means being able to deploy with minimum configuration requirements and without having to re-architect the existing network. The ISFW must also be able to protect different types of internal assets placed at different parts of the network. It could be a set of servers containing valuable customer information or a set of endpoint devices that may not be able to be updated with the latest security protection.

Additionally, the ISFW must be able to integrate with other parts of the enterprise security solution. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. This all needs to be managed with a ‘single pane of glass’ approach. This allows security policies to be consistent at the border, inside the network, and even outside the network in clouds.

Traditional firewalls are usually deployed in routing mode. Interfaces (ports) are well defined with IP addresses. This often takes months of planning and deployment. This is valuable time in today’s instant cyber attack world. An ISFW can be deployed in the network rapidly and with minimum disruption. It must be as simple as powering on a device and connecting. It must be transparent to the network and application.

THE ISFW NEEDS TO PROVIDE WIRE-SPEED PERFORMANCE

Because internal segmentation firewalls are deployed in-line for network zoning, they must be very high performance in order to meet the demands of internal or “east-west” traffic, and to ensure they do not become a bottleneck at these critical points. Unlike firewalls at the border that deal with Wide Area Network (WAN) access or Internet speeds of less than 1 gigabit per second, internal networks run much faster – at multi-gigabit speeds. Therefore, ISFWs need to operate at multi-gigabit speeds and be able to provide deep packet/content inspection without slowing down the network.
ISFW TECHNOLOGY REQUIREMENTS

A FLEXIBLE NETWORK OPERATING SYSTEM

Almost all firewall “deployment modes” require IP allocation and reconfiguration of the network. This is known as network routing deployment and provides traffic visibility and threat prevention capabilities. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection. Transparent mode combines the advantages of network routing and sniffer modes. It provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3.

FIGURE 3 – FIREWALL TYPE DIFFERENCES

Deployment Mode   Deployment Complexity   Network Functions   High Availability   Traffic Visibility   Threat Protection
Network Routing   High                    L3-Routing          Yes                 Yes                  Yes
Transparent       Low                     L2-Bridge           Yes                 Yes                  Yes
Sniffer           Low                     None                No                  Yes                  No

A SCALABLE HARDWARE ARCHITECTURE

Because internal networks run at much higher speeds, the ISFW needs to be architected for multi-gigabit protection throughput. Although CPU-only based architectures are flexible, they become bottlenecks when high throughput is required. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection.

Because the ISFW is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments. Availability of a more ruggedized form factor is therefore another requirement of ISFWs.

REAL-TIME SECURITY

Internal Segmentation Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam, and integration with cloud-based sandboxing, allowing for the enforcement of policies that complement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network.

NETWORK SEGMENTATION – HIGH SPEED INTEGRATED SWITCHING

An evolving aspect of transparent mode is the ability to physically separate subnetworks and servers via a switch. Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10 GbE port interfaces, become an ideal data center “top-of-rack” solution, allowing servers to be physically and virtually secured. Also, similar switch-integrated firewalls with a high density of 1 GbE port interfaces become ideal for separation of LAN subsegments. ISFWs should be able to fulfill both of these roles, and as such should ideally have fully functional, integrated switching capabilities.

FIGURE 4 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT (diagram labels: INTERNET; Edge Firewall (NGFW); Data Center Firewall (DCFW); CLOUD: Applications, Virtual ISFW; INTERNAL: Data Center, Campus, Endpoint, Branch, Unified Threat Management (UTM); ISFW units at several internal points)

NETWORK WIDE ISFW DEPLOYMENT EXAMPLE

Most companies have set up border protection with firewalls, NGFWs, and UTMs. These are still critical parts of network protection. However, to increase security posture, Internal Segmentation Firewalls can be placed strategically internally. This could be a specific set of endpoints where it is hard to update security, or servers where intellectual property is stored.

SEGMENT ISFW DEPLOYMENT EXAMPLE

The ISFW is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent between the distribution and access switches. Longer term, the integrated switching could take the place of the access and distribution switch and provide additional physical protection.
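As an added illustration that is not part of the paper or any vendor's code, the segmentation question raised under COMPLETE PROTECTION (should this traffic flow from this set of assets to that set of assets?) and the Figure 3 distinction between sniffer mode (visibility only) and transparent or routing mode (protection) can be modelled as a default-deny policy check over east-west flow records. The asset groups, addresses, ports and flow records are all constructed for the example.

```python
"""Added example: default-deny east-west segmentation check with the Figure 3
deployment-mode semantics (sniffer = visibility only, transparent/routing = protection)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical internal asset groups an ISFW might be placed in front of.
ASSET_GROUPS = {
    "endpoints":  [ip_network("10.10.0.0/16")],
    "ip_servers": [ip_network("10.20.5.0/24")],   # intellectual-property servers
    "web_apps":   [ip_network("10.30.0.0/24")],
}

# Only these (source group, destination group, destination port) tuples are
# expected; anything else between groups, or inside a group, is a violation.
ALLOWED = {
    ("endpoints", "web_apps", 443),
    ("web_apps", "ip_servers", 5432),
}

# Figure 3: sniffer mode sees traffic but cannot stop it.
PROTECTS = {"routing": True, "transparent": True, "sniffer": False}

def group_of(addr):
    """Map an address to its asset group ('unknown' if it is in none)."""
    ip = ip_address(addr)
    for name, nets in ASSET_GROUPS.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"

def evaluate(flow, mode):
    """Verdict for one flow: 'allow', 'block' (protection) or 'log-only' (visibility)."""
    key = (group_of(flow["src"]), group_of(flow["dst"]), flow["dport"])
    if key in ALLOWED:
        return "allow"
    return "block" if PROTECTS[mode] else "log-only"

def audit(flows, mode):
    """Count verdicts over a batch of flows: the 'visibility' summary per mode."""
    return Counter(evaluate(f, mode) for f in flows)

# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "10.10.3.7",  "dst": "10.30.0.12", "dport": 443},   # endpoint -> web app
    {"src": "10.10.3.7",  "dst": "10.20.5.4",  "dport": 445},   # endpoint -> IP server, SMB
    {"src": "10.10.3.7",  "dst": "10.10.9.2",  "dport": 3389},  # endpoint -> endpoint, RDP
    {"src": "10.30.0.12", "dst": "10.20.5.4",  "dport": 5432},  # web app -> database
]
```

Running `audit(SAMPLE_FLOWS, "sniffer")` versus `audit(SAMPLE_FLOWS, "transparent")` shows the same two violations in both modes; only the transparent (or routing) deployment turns them into blocks.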
FIGURE 5 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT (diagram callouts: FortiGate wire intercept using transparent port pair; High speed interface connectivity)

and having a complete picture of both internal and edge activity enhances all phases of a complete ATP framework. With internal network traffic often being several times the bandwidth of edge traffic, an ISFW can provide many more opportunities to limit the spread of the compromise from known techniques and more high-risk items to be passed to sandboxes for deeper inspection.

CONCLUSION