WHITE PAPER

PROTECTING YOUR NETWORK FROM THE INSIDE-OUT
Internal Segmentation Firewall (ISFW)

TABLE OF CONTENTS

Summary . . . . 3
Advanced Threats Take Advantage of the “Flat Internal” Network . . . . 4
The Answer is a New Class of Firewall – Internal Segmentation Firewall . . . . 4
ISFW Technology Requirements . . . . 6
Conclusion . . . . 7

SUMMARY

For the last decade organizations have been trying to protect their networks by building defenses across the borders of their networks. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This “outside-in” approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall.

As organizations grow and embrace the latest IT technology such as mobility and cloud, the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network.

Not long ago, firewall vendors marked the ports on their appliances “External” (untrusted) and “Internal” (trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non security-aware devices such as switches, routers, and even bridges. So once you gain access to the network as a hacker, contractor, or even rogue employee, you get free access to the entire enterprise network including all the valuable assets.

The solution is a new class of firewall – Internal Segmentation Firewall (ISFW) – that sits at strategic points of the internal network. It may sit in front of specific servers that contain valuable intellectual property, or a set of user devices, or web applications sitting in the cloud.

Once in place, the ISFW must provide instant “visibility” to traffic traversing into and out of that specific network asset. This visibility is needed instantly, without months of network planning and deployment.

Most importantly, the ISFW must also provide “protection” because detection is only a part of the solution. Sifting through logs and alerts can take weeks or months. The ISFW needs to deliver proactive segmentation and real-time protection based on the latest security updates.

Finally, the ISFW must be flexible enough to be placed anywhere within the internal network and integrate with other parts of the enterprise security solution under a single pane of management glass. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. Further, Internal Segmentation Firewalls need to scale from low to high throughputs, allowing deployment across the global network.

KEY REQUIREMENTS

- COMPLETE PROTECTION – Continuous inside-out protection against advanced threats with a single security infrastructure
- EASY DEPLOYMENT – Default Transparent Mode means no need to re-architect the network; centrally deployed and managed
- HIGH PERFORMANCE – Multi-gigabit performance supports wire speed east-west traffic


FIGURE 1 – ADVANCED THREAT LIFE CYCLE

[Figure: a four-stage cycle – 1 Threat Vector, 2 Infection, 3 Communication, 4 Extraction – around Threat Production and Recon, spanning External and Internal activity. Labels shown in the figure: Social Engineering, Design emails, Malicious URLs, Malicious Apps; Scan for vulnerabilities, Zero Days, Exploits, Customize; Hide, Spread, Disarm, Access; Contact C&C, Update; Package & Encrypt, Stage, Disposal.]

ADVANCED THREATS TAKE ADVANTAGE OF THE “FLAT INTERNAL” NETWORK

Cybercriminals are creating customized attacks to evade traditional defenses and, once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect, or better still protect against, APTs.

It can be seen from the threat life cycle in Figure 1 that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling any agent-based security, updates from the botnet command and control system, additional infection/recruitment, and extraction of the targeted assets.

THE ANSWER IS A NEW CLASS OF FIREWALL – INTERNAL SEGMENTATION FIREWALL (ISFW)

Most firewall development over the past decade has been focused on the border: the Internet edge, perimeter (host firewall), endpoint, data center (DMZ), or the cloud. This started with the stateful firewall but has evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection, and antivirus. Later came the Next Generation Firewall (NGFW), which included intrusion prevention and application control for the Internet edge. More recently, because of the huge increase in speeds, Data Center Firewalls (DCFW) have arrived to provide more than 100 Gbps of throughput. All of these firewalls have in common an approach designed to protect from the “outside-in.”

For rapid internal deployment and protection, a new class of firewall is required – the Internal Segmentation Firewall (ISFW). The Internal Segmentation Firewall has some different characteristics when compared to a border firewall. The differences are laid out in Figure 2.


FIGURE 2 – FIREWALL TYPE DIFFERENCES

| Deployment Mode | ISFW | NGFW | DCFW | UTM | CCFW |
|---|---|---|---|---|---|
| Purpose | Visibility & protection for internal segments | Visibility & protection against external threats and internet activities | High performance, low latency network protection | Visibility & protection against external threats and user activities | For Service Providers |
| Location | Access Layer | Internet Gateway | Core Layer/DC Gateway | Internet Gateway | Various |
| Network Operation Mode | Transparent Mode | NAT/Route Mode | NAT/Route Mode | NAT/Route Mode | NAT/Route Mode |
| Hardware Requirements | Higher port density to protect multiple assets | GbE and 10GbE ports | High speed (GbE/10 GbE/40 GbE/100 GbE) & high port density, hardware acceleration | High GbE port density, integrated wireless connectivity and POE | High speed (GbE/10 GbE/40 GbE) & high port density, hardware acceleration |
| Security Components | Firewall, IPS, ATP, Application Control | (User-based) Firewall, VPN, IPS, Application Control | Firewall, DDoS protection | Comprehensive and extensible, client and device integration | Firewall, CGN, LTE |
| Other Characteristics | Rapid Deployment – near zero configuration | Integration with Advanced Threat Protection (Sandbox) | High Availability | Different WAN Connectivity Options such as 3G/4G | High Availability |

THE ISFW NEEDS TO PROVIDE EASY DEPLOYMENT

The ISFW must be easy to deploy and manage. Keeping it simple for IT means being able to deploy with minimum configuration requirements and without having to re-architect the existing network. The ISFW must also be able to protect different types of internal assets placed at different parts of the network. It could be a set of servers containing valuable customer information or a set of endpoint devices that may not be able to be updated with the latest security protection.

Additionally, the ISFW must be able to integrate with other parts of the enterprise security solution. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. This all needs to be managed with a ‘single pane of glass’ approach. This allows security policies to be consistent at the border, inside the network, and even outside the network in clouds.

Traditional firewalls are usually deployed in routing mode. Interfaces (ports) are well defined with IP addresses. This often takes months of planning and deployment. This is valuable time in today’s instant cyber attack world. An ISFW can be deployed in the network rapidly and with minimum disruption. It must be as simple as powering on a device and connecting. It must be transparent to the network and application.

THE ISFW NEEDS TO PROVIDE WIRE-SPEED PERFORMANCE

Because internal segmentation firewalls are deployed in-line for network zoning, they must be very high performance in order to meet the demands of internal or “east-west” traffic, and to ensure they do not become a bottleneck at these critical points. Unlike firewalls at the border that deal with Wide Area Network (WAN) access or Internet speeds of less than 1 gigabit per second, internal networks run much faster – at multi-gigabit speeds. Therefore, ISFWs need to operate at multi-gigabit speeds and be able to provide deep packet/connection inspection without slowing down the network.

THE ISFW NEEDS TO PROVIDE COMPLETE PROTECTION

The first element of security is visibility. And visibility is only as good as network packet knowledge. What does a packet stream look like for a specific application, where did it come from, where is it going, even what actions are being taken (download, upload…)?

The second and equally important element is protection. Is the application, content or action malicious? Should this type of traffic be communicating from this set of assets to another set of assets? While this is very difficult across different content and application types, it is an essential part of the ISFW. The ability to detect a malicious file, application, or exploit gives an enterprise time to react and contain the threat. All of these protection elements must be on a single device to be effective.

Both visibility and protection are heavily reliant on a real-time central security threat intelligence service. A question that always needs to be posed: how good is the visibility and protection? Is it keeping up with the latest threats? That’s why all security services should be measured on a constant basis with 3rd party test and certification services.


FIGURE 4 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT

[Figure: ISFWs placed across the internal network – campus, data center (including a virtual ISFW in front of data center applications), branch and cloud – alongside the Edge Firewall (NGFW), Data Center Firewall (DCFW) and Unified Threat Management (UTM) facing the Internet, with endpoints on the internal network.]

ISFW TECHNOLOGY REQUIREMENTS

A FLEXIBLE NETWORK OPERATING SYSTEM

Almost all firewall “deployment modes” require IP allocation and reconfiguration of the network. This is known as network routing deployment and provides traffic visibility and threat prevention capabilities. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection. Transparent mode combines the advantages of network routing and sniffer modes. It provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3.

FIGURE 3 – FIREWALL TYPE DIFFERENCES

| Deployment Mode | Deployment Complexity | Network Functions | High Availability | Traffic Visibility | Threat Protection |
|---|---|---|---|---|---|
| Network Routing | High | L3-Routing | Yes | Yes | Yes |
| Transparent | Low | L2-Bridge | Yes | Yes | Yes |
| Sniffer | Low | No | No | Yes | No |

NETWORK WIDE ISFW DEPLOYMENT EXAMPLE

Most companies have set up border protection with firewalls, NGFWs, and UTMs. These are still critical parts of network protection. However, to increase security posture, Internal Segmentation Firewalls can be placed strategically internally. This could be a specific set of endpoints where it is hard to update security, or servers where intellectual property is stored.

SEGMENT ISFW DEPLOYMENT EXAMPLE

The ISFW is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent, between the distribution and access switches. Longer term, the integrated switching could take the place of the access and distribution switch and provide additional physical protection.

A SCALABLE HARDWARE ARCHITECTURE

Because internal networks run at much higher speeds, the ISFW needs to be architected for multi-gigabit protection throughput. Although CPU-only based architectures are flexible, they become bottlenecks when high throughput is required. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection.

Because the ISFW is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments. Availability of a more ruggedized form factor is therefore another requirement of ISFWs.

REAL-TIME SECURITY

Internal Segmentation Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam, and integration with cloud-based sandboxing, allowing for the enforcement of policies that complement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network.

NETWORK SEGMENTATION – HIGH SPEED INTEGRATED SWITCHING

An evolving aspect of transparent mode is the ability to physically separate subnetworks and servers via a switch. Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10 GbE port interfaces, become an ideal data center “top-of-rack” solution, allowing servers to be physically and virtually secured. Also, similar switch-integrated firewalls with a high density of 1 GbE port interfaces become ideal for separation of LAN subsegments. ISFWs should be able to fulfill both of these roles, and as such should ideally have fully functional, integrated switching capabilities.
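As an added illustration of the segmentation decision the paper describes (should traffic from this set of assets be talking to that set of assets, with anything unmatched denied), here is a constructed Python policy check; it is not Fortinet code, and the asset groups, rules and sample flows are all invented for the example.

```python
"""East-west segmentation policy check between asset groups (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed asset groups; each is a set of assets an ISFW sits in front of.
SEGMENTS = {
    "user-lan": ip_network("10.10.0.0/16"),
    "ip-servers": ip_network("10.20.5.0/24"),  # servers holding intellectual property
    "legacy-ot": ip_network("10.30.0.0/24"),   # endpoints that cannot take security updates
}
# (source group, destination group, permitted destination ports). An empty port
# set is an explicit deny for that pair; a pair with no rule at all is a default deny.
POLICY = [
    ("user-lan", "ip-servers", {443}),
    ("user-lan", "legacy-ot", set()),
]

def segment_of(addr):
    """Map an address to its asset group, or "unknown" if it lies outside all of them."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return "unknown"

def evaluate(flow):
    """flow = (src_ip, dst_ip, dst_port) -> ("allow" | "deny", reason)."""
    src_ip, dst_ip, port = flow
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg == dst_seg:
        # Both ends in one group: the traffic never crosses the ISFW in front of it.
        return "allow", f"intra-segment {src_seg}"
    for src, dst, ports in POLICY:
        if (src, dst) == (src_seg, dst_seg):
            if port in ports:
                return "allow", f"rule {src}->{dst}:{port}"
            return "deny", f"rule {src}->{dst} does not permit port {port}"
    return "deny", f"default deny {src_seg}->{dst_seg}"

def enforce(flows):
    """Split flows into (passed, denied); denied entries carry the reason for alerting."""
    passed, denied = [], []
    for f in flows:
        verdict, why = evaluate(f)
        (passed if verdict == "allow" else denied).append((f, why))
    return passed, denied

# Constructed sample flows as seen at an access-layer ISFW.
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.5.10", 443),   # user -> IP server over HTTPS: permitted
    ("10.10.4.21", "10.20.5.10", 445),   # same pair over SMB: not in the allow list
    ("10.10.4.21", "10.30.0.7", 502),    # user -> unpatched OT device: explicit deny
    ("10.20.5.10", "10.20.5.11", 3306),  # server to server inside one group
    ("172.16.1.9", "10.20.5.10", 443),   # address outside every group: default deny
]

if __name__ == "__main__":
    passed, denied = enforce(SAMPLE_FLOWS)
    print(len(passed), "passed;", [why for _, why in denied])
```

The denied list is what an operator would feed into alerting: each entry names the asset groups involved and the rule (or the absence of one) that blocked the flow.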


FIGURE 5 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT

[Figure: an ISFW placed between the access, distribution and core layers. Callouts: FortiGate wire intercept using transparent port pair; High speed interface connectivity; IPS, ATP & App Control.]

ENHANCING ADVANCED THREAT PROTECTION WITH INTERNAL VISIBILITY

A proper approach to mitigating advanced threats should include a continuous cycle of prevention, detection, and mitigation. Very typically a next-generation firewall would serve as a key foundation of the prevention component, enabling L2/L3 firewall, intrusion prevention, application control and more to block known threats, while passing high-risk unknown items to a sandbox for detection. But with NGFWs deployed traditionally at the network edge, this only provides partial visibility into the attack life cycle by primarily observing ingress and egress activity.

Deployment of an ISFW can provide more complete visibility into the additional internal activity of the hackers once they’ve compromised the edge. Lateral movement can account for a significant portion of the malicious activity as the hackers try to identify valuable assets and extract data, and having a complete picture of both internal and edge activity enhances all phases of a complete ATP framework. With internal network traffic often being several times the bandwidth of edge traffic, an ISFW can provide many more opportunities to limit the spread of the compromise from known techniques, and more high-risk items to be passed to sandboxes for deeper inspection.

FIGURE 5 – ADVANCED THREAT PROTECTION (ATP) FRAMEWORK

[Figure: the prevention, detection and mitigation cycle described above.]

CONCLUSION

Advanced Threats are taking advantage of the flat internal network. Once through the border defense there is little to stop their spread and eventual extraction of valuable targeted assets. Because traditional firewalls have been architected for the slower speeds of the Internet edge, it’s hard to deploy these security devices internally. And firewall network configuration deployments (IP addresses) take a long time to deploy.

Internal Segmentation Firewalls are a new class of firewall that can be deployed rapidly with minimum disruption while keeping up with the multi-gigabit speeds of internal networks. Instant visibility and protection can be applied to specific parts of the internal network.


Copyright © 2016 Fortinet, Inc. All rights reserved. December 2016