PROTECTING YOUR NETWORK FROM THE INSIDE-OUT

Similar documents
WHITE PAPER. Protecting Financial Services Networks From the Inside-Out. Internal Segmentation Firewall (ISFW)

FortiCore. FortiCore 3600E, 3700E and 3800E

FortiCore E-Series. SDN Security Appliances. Highlights. Securing Software Defined Networking (SDN) Architectures. Key Features & Benefits

methods of attack detection built on customized hardware vs. signature based methods built on standard CPU/RAM WHAT IS A DDOS ATTACK?

THE CRITICAL ELEMENTS OF AN IoT SECURITY SOLUTION

DELINEATING THE CORNERSTONES OF A SECURE WIRELESS SOLUTION

FortiVoice Enterprise Phone Systems

FortiVoice Enterprise Phone Systems

FortiFone IP Telephones

FortiGate 3800D Series

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

FIREWALL BEST PRACTICES TO BLOCK

Juniper Sky Advanced Threat Prevention

JUNIPER SKY ADVANCED THREAT PREVENTION

FortiVoice Enterprise

FortiClient (Android) - Release Notes VERSION 5.4.0

Juniper Sky Advanced Threat Prevention

FortiADC with MS Exchange 2016 Deployment Guide

FortiSwitch Secure Access Series

FortiFone IP Telephones

Software-Defined Secure Networks in Action

Securing Your Microsoft Azure Virtual Networks

Total Threat Protection. Whitepaper

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Verizon Software Defined Perimeter (SDP).

FortiVoice Enterprise

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

PrecisionAccess Trusted Access Control

FortiADC Transparent Mode Configuration Guide VERSION 1.0.0

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

FortiMail AWS Deployment Guide

Business Strategy Theatre

Securing Your Amazon Web Services Virtual Networks

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

Networking Drivers & Trends

NetDefend Firewall UTM Services

WatchGuard Total Security Complete network protection in a single, easy-to-deploy solution.

10 ways to securely optimize your network. Integrate WAN acceleration with next-gen firewalls to enhance performance, security and control

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Building a Software-Defined Secure Network for Healthcare

Advanced Threat Protection Buyer s Guide GUIDANCE TO ADVANCE YOUR ORGANIZATION S SECURITY POSTURE

SOLUTION GUIDE. Hybrid WAN Solutions with FortiWAN. The cost-effective way to deliver the WAN bandwidth and redundancy your organization demands

AKAMAI CLOUD SECURITY SOLUTIONS

ForeScout ControlFabric TM Architecture

AT&T Endpoint Security

WHITE PAPER ARUBA SD-BRANCH OVERVIEW

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

Fortinet, Inc. Advanced Threat Protection Solution

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Segmentation for Security

Say Yes to BYOD How Fortinet Enables You to Protect Your Network from the Risk of Mobile Devices WHITE PAPER

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

CyberP3i Course Module Series

Meraki 2014 Solution Brochure

NETWORKING &SECURITY SOLUTIONSPORTFOLIO

Extending Enterprise Security to Public and Hybrid Clouds

Secure & Unified Identity

CISNTWK-440. Chapter 5 Network Defenses

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Cisco Self Defending Network

USG2110 Unified Security Gateways

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Application Intelligence and Integrated Security Using Cisco Catalyst 6500 Supervisor Engine 32 PISA

IBM Next Generation Intrusion Prevention System

Paloalto Networks PCNSA EXAM

Identity-Based Cyber Defense. March 2017

SYMANTEC DATA CENTER SECURITY

BUILDING A NEXT-GENERATION FIREWALL

Security by Default: Enabling Transformation Through Cyber Resilience

Gladiator Incident Alert

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

INFINIT Y TOTAL PROTECTION

FortiTester 2.1. Handbook

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Juniper Sky Enterprise

Achieve deeper network security

Protecting Your Digital Business: The Case for Next-Generation Intrusion Prevention

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

Security for SIP-based VoIP Communications Solutions

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

IBM Security Network Protection Solutions

align security instill confidence

Synchronized Security

Meraki Solution Brochure

Kaspersky Open Space Security

SECURITY FOR SMALL BUSINESSES

SONICWALL SECURITY HEALTH CHECK SERVICE

Cisco Firepower NGFW. Anticipate, block, and respond to threats

Place graphic in this box

Angelo Gentili Head of Business Development, EMEA Region, PartnerNET

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Fortinet Antennas. Product Offerings DATA SHEET. FAN-612R Sector/Patch Outdoor. FAN-612N Sector/Patch Outdoor. FAN-500N Point-to-Point Outdoor

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

SONICWALL SECURITY HEALTH CHECK PSO 2017

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Transcription:

PROTECTING YOUR NETWORK FROM THE INSIDE-OUT Internal Segmentation Firewall () WHITE PAPER

PROTECTING YOUR NETWORK FROM THE INSIDE-OUT Internal Segmentation Firewall () TABLE OF CONTENTS Summary... 3 Advanced Threats Take Advantage of the Flat Internal Network... 4 The Answer is a New Class of Firewall Internal Segmentation Firewall...4 Technology Requirements... 6 Conclusion... 7 2

SUMMARY For the last decade organizations have been trying to protect their networks by building defenses across the borders of their networks. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This outside-in approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall. As organizations grow and embrace the latest IT technology such as mobility and cloud the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network. Not long ago, firewall vendors marked the ports on their appliances External (untrusted) and Internal (trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non security-aware devices such as switches, routers, and even bridges. So once you gain access to the network as a hacker, contractor, or even rogue employee, then you get free access to the entire enterprise network including all the valuable assets. The solution is a new class of firewall Internal Segmentation Firewall (), that sits at strategic points of the internal network. It may sit in front of specific servers that contain valuable intellectual property or a set of user devices or web applications sitting in the cloud. Once in place, the must provide instant visibility to traffic traversing into and out of that specific network asset. This visibility is needed instantly, without months of network planning and deployment. Most importantly the must also provide protection because detection is only a part of the solution. Sifting through logs and alerts can take weeks or months. The needs to deliver proactive segmentation and real-time protection based on the latest security updates. Finally, the must be flexible enough to be placed anywhere within the internal network and integrate with other parts of the enterprise security solution under a single pane of management glass. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. Further, Internal Segmentation Firewalls need to scale from low to high throughputs allowing deployment across the global network. KEY REQUIREMENTS COMPLETE PROTECTION Continuous inside-out protection against advanced threats with a single security infrastructure EASY DEPLOYMENT Default Transparent Mode means no need to re-architect the network and centrally deployed and managed HIGH PERFORMANCE Multi-gigabit performance supports wire speed east-west traffic WHITE PAPER

FIGURE 1 ADVANCED THREAT LIFE CYCLE Scan for vulnerabilities Design phishing emails Customize malware, etc. External Internal Social Engineering Zero Days Exploits Malicious URLs Malicious Apps, more Threat Production + Recon 1 Threat Vector Infection 2 APP URL 4 Extraction Communication 3 Disposal Package & Encrypt Stage Hide, Spread, Disarm, Access, Contact Botnet C&C, Update INTERNAL NETWORK Cybercriminals are creating customized attacks to evade traditional defenses, and once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect or better still protect against APTs. It can be seen from the threat life cycle in Figure 1 that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling any agent-based security, updates from the botnet command, and control system, additional infection/recruitment and extraction of the targeted assets. THE ANSWER IS A NEW CLASS OF FIREWALL INTERNAL SEGMENTATION FIREWALL () Most firewall development over the past decade has been focused on the border, the Internet edge, perimeter (host firewall), endpoint, data center (DMZ), or the cloud. This started with the stateful firewall but has evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection, and antivirus. Later came the Next Generation Firewall (NGFW), which included intrusion prevention and application control for the Internet edge. More recently because of the huge increase in speeds, Data Center Firewalls (DCFW) have arrived to provide more than 100 Gbps of throughput. All of these firewalls have in common an approach designed to protect from the outside-in. For rapid internal deployment and protection, a new class of firewall is required Internal Segmentation Firewall (). The Internal Segmentation Firewall has some different characteristics when compared to a border firewall. The differences are laid out in figure 2. 4

FIGURE 2 FIREWALL TYPE DIFFERENCES Deployment Mode NGFW DCFW UTM CCFW Purpose Visibility & protection for internal segments Visibility & protection against external threats and internet activities High performance, low latency network aprotection Visibility & protection against external threats and user activities Network security for Service Providers Location Access Layer Internet Gateway Core Layer/DC Gateway Internet Gateway Various Network Operation Mode Transparent Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode Hardware Requirements Higher port density to protect multiple assets GbE and 10GbE ports High speed (GbE/10 GbE/40 GbE/100) & high port density, hardware acceleration High GbE port density, integrated wireless connectivity and POE High speed (GbE/10 GbE/40 GbE) & high port density, hardware acceleration Security Components Firewall, IPS, ATP, Application Control (User-based) Firewall, VPN, IPS, Application Control Firewall, DDoS protection Comprehensive and extensible, client and device integration Firewall, CGN, LTE & mobile security Other Characteristics Rapid Deployment near zero configuration Integration with Advanced Threat Protection (Sandbox) High Availability Different WAN Connectivity Options such as 3G4G High Availability THE NEEDS TO PROVIDE COMPLETE PROTECTION The first element of security is visibility. And visibility is only as good as network packet knowledge. What does a packet stream look like for a specific application, where did it come from, where is it going, even what actions are being taken (download, upload ). The second and equally important element is protection. Is the application, content or actions malicious? Should this type of traffic be communicating from this set of assets to another set of assets? While this is very difficult across different content and application types, it is an essential part of the. The ability to detect a malicious file, application, or exploit gives an enterprise time to react and contain the threat. All of these protection elements must be on a single device to be effective. Both visibility and protection are heavily reliant on a real-time central security threat intelligence service. A question that always needs to be posed how good is the visibility and protection? Is it keeping up with the latest threats? That s why all security services should be measured on a constant basis with 3rd party test and certification services. THE NEEDS TO PROVIDE EASY DEPLOYMENT The must be easy to deploy and manage. Keeping it simple for IT means being able to deploy with minimum configuration requirements and without having to re-architect the existing network. The must also be able to protect different types of internal assets placed at different parts of the network. It could be a set of servers containing valuable customer information or a set of endpoint devices that may not be able to be updated with the latest security protection. Additionally, the must be able to integrate with other parts of the enterprise security solution. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls, and endpoints. This all needs to be managed with a single pane of glass approach. This allows security policies to be consistent at the border, inside the network, and even outside the network in clouds. Traditional firewalls are usually deployed in routing mode. Interfaces (ports) are well defined with IP addresses. This often takes months of planning and deployment. This is valuable time in today s instant cyber attack world. An can be deployed in the network rapidly and with minimum disruption. It must be as simple as powering on a device and connecting. It must be transparent to the network and application. THE NEEDS TO PROVIDE WIRE- SPEED PERFORMANCE Because internal segmentation firewalls are deployed in-line for network zoning, they must be very high performance in order to meet the demands of internal or east-west traffic, and to ensure they do not become a bottleneck at these critical points. Unlike firewalls at the border that deal with Wide Area Network (WAN) access or Internet speeds of less than 1 gigabit per second, internal networks run much faster multigigabit speeds. There, s need to operate at multi-gigabit speeds and be able to provide deep packet/connect inspection without slowing down the network. 5

TECHNOLOGY REQUIREMENTS A FLEXIBLE NETWORK OPERATING SYSTEM Almost all firewall deployment modes require IP allocation and reconfiguration of the network. This is known as network routing deployment and provides traffic visibility and threat prevention capabilities. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection. Transparent mode combines the advantages of network routing and sniffer modes. It provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3. FIGURE 3 FIREWALL TYPE DIFFERENCES FIGURE 4 Internal Segmentation Firewall - DEPLOYMENT () DEPLOYMENT Endpoint Campus INTERNAL Edge Firewall (NGFW) NETWORK SEGMENTATION HIGH SPEED INTEGRATED SWITCHING Branch CLOUD An evolving aspect of transparent mode is the ability to physically separate subnetworks and servers via a switch. Virtual Applications INTERNET Unified Threat Management (UTM) INTERNAL INTERNAL Data Center Firewall (DCFW) with cloud-based sandboxing, allowing for the enforcement of policies that complement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network. Data Center Deployment Mode Network Routing A SCALABLE HARDWARE ARCHITECTURE Deployment Complexity Network Functions Because internal networks run at much higher speeds the needs to be architected for multi-gigabit protection throughput. Although CPU-only based architectures are flexible they become bottlenecks when high throughput is required. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection. Because the is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments. Availability of a more ruggedized form factor is therefore another requirement of s. High Availability Traffic Visibility High L3-Routing 4 4 4 Transparent Low L2-Bridge 4 4 4 Sniffer Low X X 4 X Threat Protection Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10 GbE port interfaces, become an ideal data center top-of-rack solution, allowing servers to be physically and virtually secured. Also, similar switchintegrated firewalls with a high density of 1 GbE port interfaces become ideal for separation of LAN subsegments. s should be able to fulfill both of these roles, and as such should ideally have fully functional, integrated switching capabilities. REAL-TIME SECURITY Internal Segmentation Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam, and integration NETWORK WIDE DEPLOYMENT EXAMPLE Most companies have set up border protection with firewalls, NGFWs, and UTMs. These are still critical parts of network protection. However, to increase security posture, Internal Segmentation Firewalls can be placed strategically internally. This could be a specific set of endpoints where it is hard to update security or servers where intellectual property is stored. SEGMENT DEPLOYMENT EXAMPLE The is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent between the distribution and access switches. Longer term the integrated switching could take the place of the access and distribution switch and provide additional physical protection. 6

FIGURE 5 INTERNAL SEGMENTATION FIREWAL () DEPLOYMENT DISTRIBUTION/ CORE LAYER LOCAL SERVERS ACCESS LAYER To Internet Access Switch / VLAN Core/Distribution Switch USER NETWORK DEVICES FortiGate wire intercept using transparent port pair High speed interface connectivity IPS, ATP & App Control and having a complete picture of both internal and edge activity enhances all phases of a complete ATP framework. With internal network traffic often being several times the bandwidth of edge traffic, an can provide many more opportunities to limit the spread of the compromise from known techniques and more high-risk items to be passed to sandboxes for deeper inspection. CONCLUSION Advanced Threats are taking advantage of the flat Internal network. Once through the border defense there is little to stop their spread and eventual extraction of valuable targeted assets. Because traditional firewalls have been architected to slower speeds of the Internet edge it s hard to deploy these security devices internally. And firewall network configuration deployments (IP addresses) take a long time to deploy. ENHANCING ADVANCED THREAT PROTECTION WITH INTERNAL VISIBILITY A proper approach to mitigating advanced threats should include a continuous cycle of prevention, detection, and mitigation. Very typically a next-generation firewall would serve as a key foundation of the prevention component, enabling L2/L3 firewall, intrusion prevention, application control and more to block known threats, while passing high-risk unknown items to a sandbox for detection. But with NGFW s deployed traditionally at the network edge, this only provides partial visibility into the attack life cycle by primarily observing ingress and egress activity. Deployment of an can provide more complete visibility into the additional internal activity of the hackers once they ve compromised the edge. Lateral movement can account for a significant portion of the malicious activity as the hackers try to identify valuable assets and extract data, Internal Segmentation Firewalls are a new class of firewall that can be deployed rapidly with minimum disruption while keeping up the multi-gigabit speeds of internal networks. Instant visibility and protection can be applied to specific parts of the internal network. FIGURE 5 ADVANCED THREAT PROTECTION (ATP) FRAMEWORK GLOBAL HEADQUARTERS Fortinet Inc. 899 Kifer Road Sunnyvale, CA 94086 United States Tel: +1.408.235.7700 www.fortinet.com/sales EMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne France Tel: +33.4.8987.0500 APAC SALES OFFICE 300 Beach Road 20-01 The Concourse Singapore 199555 Tel: +65.6513.3730 LATIN AMERICA HEADQUARTERS Sawgrass Lakes Center 13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323 Tel: +1.954.368.9990 Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. December 2016

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback