June 2016

Internal Segmentation Firewalls Needed

Traditionally, organizations deploy firewalls at the perimeter of the network for protection. Edge firewalls label all external traffic (i.e. Internet traffic) as untrusted and all intra-network traffic as trusted, and handle the two in distinct ways. There are no grey areas and no ambiguity.

Unfortunately, the world isn't black and white anymore. With the rise of attacks originating from weak segments of the network, the line delineating trusted and untrusted traffic has blurred. Merely deploying firewalls at the edge of the network is no longer adequate: organizations need to re-architect their network so that internal firewalling can restrict the flow of malware between different segments of the organization.

According to research firm Forrester, enterprises have built strong perimeters, but well-organized cybercriminals have recruited insiders and developed new attack methods that easily bypass their current security protections. Security and risk professionals today must make security ubiquitous throughout the network, not just at the perimeter.

Forrester advocates the zero trust security model, in which the network is securely segmented and all traffic is inspected and logged. Under such a model, the information flow between an engineer and the marketing colleague seated next to him or her, for example, will no longer proceed unchecked.
Because these two employees are assigned to different network segments and an internal segmentation firewall (ISFW) is in place, the appropriate policies are applied and logs are generated for any traffic traversing between the two departments.

An ISFW comprises two kinds of technology: policy-based segmentation, which identifies a user's parameters and dynamically and consistently enforces a security policy controlling that user's access to enterprise resources; and firewall segmentation, which divides up the internal network to enable traffic analysis, logging and full security control.

An ISFW does not replace the edge firewall. Instead, it provides multiple touch points within a network, either to provide security between existing network boundaries or to create entirely new segments inside existing network boundaries. It also improves visibility by letting IT management see all layers of the network in a single pane of glass. The types of protection enabled will vary with the level of security needed between each pair of network segments. Once a firewall is deployed into each segment of an enterprise network, its policy, logging and various modern detection features can help identify and quarantine users that have been compromised.

Removing the Performance and Cost Barriers

Today, however, attainable solutions exist. Modern firewalls that leverage custom ASIC chips can be fast enough to handle internal firewalling while remaining cost effective. Some may recall that per-port security was all the rage a few years ago, until implementation hurdles put an end to that promise. Current ISFW technology is a step towards reviving it. As switching and access port security technologies evolve and performance improves, we will be able to combine them with ISFW to reach that goal.

The concept of internal segmentation firewalling has put the network security industry on the cusp of an exciting era.
Firms that want to take their operations - and their business - one step ahead of the competition should take advantage of it.

Michael Xie
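The segmentation model the article describes, as an added illustration that is not part of the original article or the author's material: a small Python policy engine compares the traditional perimeter-only trust model, in which any internal-to-internal flow passes unchecked and unlogged, with an ISFW that evaluates each inter-segment flow against a per-segment-pair policy and logs every decision. The segment names, address ranges, ports and sample flows are all constructed for the example and carry no relation to any real deployment.

```python
"""Toy model of edge-only firewalling versus internal segmentation firewalling (ISFW).

Everything here (segments, addresses, policy, flows) is constructed for illustration;
it is not from the article and not a real product's policy format.
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal segments: department/tier -> address range.
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.10.0.0/24"),
    "marketing": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}
# Everything in this range is "inside" the perimeter.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int  # destination port


def segment_of(addr):
    """Name the segment an address belongs to; unsegmented inside space is 'internal'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internal" if ip in INTERNAL else "external"


def edge_only_decision(flow):
    """Traditional perimeter model: internal-to-internal traffic is trusted and never
    reaches a firewall, so it is neither inspected nor logged (log is None)."""
    if segment_of(flow.src) != "external" and segment_of(flow.dst) != "external":
        return "allow", None
    return "deny", f"edge DENY {flow.src}->{flow.dst}:{flow.port}"


# ISFW policy: (source segment, destination segment) -> permitted destination ports.
# Any segment pair not listed is denied by default.  Constructed for the example.
ISFW_POLICY = {
    ("engineering", "servers"): {22, 443},
    ("marketing", "servers"): {443},
}


def isfw_decision(flow):
    """Zero trust model: every flow crossing a segment boundary is matched against
    the segment-pair policy, and every decision (allow or deny) is logged."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        verdict = "allow"  # traffic that stays inside one segment is out of ISFW scope
    else:
        verdict = "allow" if flow.port in ISFW_POLICY.get((src_seg, dst_seg), set()) else "deny"
    log = f"isfw {verdict.upper()} {src_seg}->{dst_seg} {flow.src}->{flow.dst}:{flow.port}"
    return verdict, log


def run(flows, decide):
    """Evaluate each flow under one model; return (verdicts, log_lines)."""
    verdicts, logs = [], []
    for flow in flows:
        verdict, log = decide(flow)
        verdicts.append(verdict)
        if log is not None:
            logs.append(log)
    return verdicts, logs


def uninspected(flows, decide):
    """Flows a model allows without any log entry: the blind spot a zero trust
    design is meant to remove."""
    return [f for f in flows if decide(f) == ("allow", None)]


# Constructed sample flows, including the engineer-to-marketing case from the text.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.7", 445),   # engineer -> marketing colleague (SMB)
    Flow("10.10.0.5", "10.30.0.10", 22),   # engineer -> server (SSH)
    Flow("10.20.0.7", "10.30.0.10", 443),  # marketing -> server (HTTPS)
    Flow("10.20.0.7", "10.30.0.10", 22),   # marketing -> server (SSH, not permitted)
    Flow("10.10.0.5", "10.10.0.9", 445),   # stays within engineering
]

if __name__ == "__main__":
    for name, decide in (("edge-only", edge_only_decision), ("isfw", isfw_decision)):
        verdicts, logs = run(SAMPLE_FLOWS, decide)
        print(f"{name}: {verdicts}, {len(uninspected(SAMPLE_FLOWS, decide))} flows unlogged")
        for line in logs:
            print("   ", line)
```

Under the edge-only model all five sample flows are allowed and none produces a log line, so the engineer's SMB connection to the marketing desk next door is invisible. Under the ISFW model the same flow is denied and logged, the two permitted server accesses are allowed and logged, and only traffic that stays inside a single segment escapes the policy check, which is the remaining gap the article's closing remarks on per-port security point at.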