SECURITY. FROM THE INSIDE OUT.
NEW BREACH DEFENSE STRATEGIES
Security Without Compromise
CONTENTS
INTRODUCTION
SECTION 1: THE PERIMETER ISN’T ENOUGH
SECTION 2: NEW DEFENSES: THE INTERNAL FIREWALL
SECTION 3: HOW TO CHOOSE AN ISFW
CONCLUSION
INTRODUCTION
Breaches have moved from the domain of the CIO or CISO to the CEO. Boards of Directors and other external bodies are now asking their corporations pointed questions: What contingencies are in place to protect against an advanced attack or a data breach? What strategies have you implemented for dealing with an incident once it has penetrated your infrastructure?
This is now a strategic issue. CEOs and Boards have elevated the discussion to calculating risk and building effective defenses for what many see as inevitable.
Here we discuss why traditional perimeter-based protection strategies are no longer enough, and why deploying specialized “internal segmentation” firewalls throughout your organization can give your network the visibility it needs to detect and respond to today’s advanced threats.
SECTION 1: THE PERIMETER ISN’T ENOUGH
Not too long ago, access to the Internet was very tightly controlled. A typical enterprise network consisted of a couple of redundant links to the Internet, and all traffic flowed through a single point. That let enterprises deploy a perimeter firewall between the Internet, with all its evils, and the safety of the internal network. Today the picture is very different. With the rapid proliferation of devices, the rise of BYOD, the use of the cloud and cloud technologies, and the Internet of Things, the attack surface available to attackers can no longer be contained at a single choke point. It is not enough to set up a firewall at the perimeter of your network and cross your fingers; on its own, that approach is no longer effective. Threats continue to evolve and grow in volume, and your network defenses must adapt to meet this new reality.
Companies are spending more money than ever on network security, so you may be wondering why breaches are still happening. Enterprises have typically focused the majority of their security spend on the data center and the core network. After all, that is where the bulk of the company’s sensitive data lives. But attackers are clever. They no longer focus all of their energy and resources on the data center, at least not directly. Attackers spend considerable time compromising endpoints and other systems outside the core network. An attacker will compromise an endpoint user, steal their credentials, and then use that access to begin moving laterally through the network. They will explore and map the devices and systems near their initial entry point and look for ways to compromise other systems, elevate their privileges, exploit unpatched vulnerabilities on internal systems, plant more malware and steal data. Once they have gathered the information they want, they use that earlier reconnaissance to find a stealthy path for taking it out of the network.
What happens when an attacker gets through? Analyses from many sources agree that, right now, it can take a long time before a breach is discovered and the attacker stopped. The costs to your business can run into the millions: forensics, remediation, legal costs and additional defenses all add up. And the impact on your reputation and brand can be incalculable.
Why aren’t current firewall deployments enough anymore? Attackers have more and more techniques for evading perimeter protection, but in many cases they do not need them. As mentioned earlier, there are more ways into a network than ever, and every one of them can bypass the protection at the perimeter: a compromised laptop or a set of stolen credentials arrives as ordinary-looking user traffic, not as an inbound attack the perimeter firewall was built to stop.
Today’s security strategy requires understanding that effective security means building internal defenses as well as protecting the perimeter. Monitoring your internal traffic is arguably as critical today as monitoring the traffic coming in from the Internet. So what can a security team do today to bolster their defenses?
SECTION 2: NEW DEFENSES: THE INTERNAL FIREWALL
As part of an effective defense strategy, you need to be able to segment your network into smaller “chunks,” keeping teams with distinct job functions separate. For example, your development teams likely have no reason to access accounting systems, and your HR systems probably have no reason to connect to Finance.
Defense-in-depth is not a new term, and many enterprises have implemented it in some fashion. Defense-in-depth places multiple security controls throughout your network in the hope of detecting an incident at some point during the attack cycle. The Internal Segmentation Firewall (ISFW) extends the concept further by enforcing the boundaries between those “chunks” and watching for traffic that is not typical.
Most perimeter-based protection solutions do a poor job of inspecting outbound traffic, if they inspect it at all. Outdated deployments assume that what is inside the network is safe or innocuous and focus on protecting the inside from the bad outside. Those firewalls that do provide some measure of outbound inspection often struggle with the additional load and can become significant bottlenecks.
How does the ISFW detect things that the perimeter firewall does not? It is critical to understand that the ISFW is not designed to detect things the perimeter cannot; it is positioned to see internal traffic that never reaches the perimeter. Your ISFW should be designed with specific policies that allow users to reach the systems they should be reaching and that slow down, or entirely prevent, access to other segments of your network. So if an attacker compromises an endpoint belonging to a member of your accounting team, they should not be able to move through the network onto the systems controlling your Point of Sale or e-commerce systems. Your ISFW should detect these attempts to reach systems outside the user’s normal activity and alert accordingly. Beyond that, your ISFW may be able to identify and block threats from malware, botnets or other malicious activity that found a way past your perimeter defenses. For example, the ZeroAccess botnet is well known for being very “chatty”: it searches for other bots to communicate with in order to receive commands. Because your ISFW sits close to the infected endpoint, it may be uniquely placed to detect that chatter and alert your security team faster than your perimeter appliance would.
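As an added example (not Fortinet’s code and not an ISFW’s own policy language), the following Python sketches the two behaviours described here and in the “chunks” passage at the start of this section: a default-deny policy between business segments, so a compromised accounting endpoint cannot reach Point of Sale systems, and an alert when one endpoint’s denied attempts fan out to many peers, which is what a host probing neighbouring segments or a bot searching for peers looks like from a device close to it. The segment names, address ranges, allow rules and flow records are constructed assumptions for illustration.

```python
"""Segmentation policy check and fan-out alerting over constructed flow records.

Added example, not Fortinet's code. The segments, CIDRs, rules and the
sample flows are assumptions made up for this illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical internal address plan: one /24 per business segment.
SEGMENTS = {
    "accounting": ip_network("10.10.0.0/24"),
    "hr": ip_network("10.20.0.0/24"),
    "finance": ip_network("10.30.0.0/24"),
    "dev": ip_network("10.40.0.0/24"),
    "pos": ip_network("10.50.0.0/24"),
    "shared": ip_network("10.99.0.0/24"),  # DNS, directory, print: reachable by all
}

# Explicit allow list of (source segment, destination segment, destination port).
# Anything not listed is denied: default deny between segments.
ALLOW = {
    ("accounting", "finance", 443),
    ("finance", "accounting", 445),
}
# Ports every segment may reach in the "shared" services segment (assumed).
SHARED_PORTS = {53, 88, 389, 445}


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return (verdict, reason) for one flow dict with keys src, dst, dport."""
    src_seg = segment_of(flow["src"])
    dst_seg = segment_of(flow["dst"])
    if src_seg is None or dst_seg is None:
        return ("deny", "unknown segment")          # fail closed on unmapped space
    if src_seg == dst_seg:
        return ("allow", "intra-segment")           # the ISFW sits between segments
    if dst_seg == "shared" and flow["dport"] in SHARED_PORTS:
        return ("allow", "shared service")
    if (src_seg, dst_seg, flow["dport"]) in ALLOW:
        return ("allow", "policy")
    return ("deny", f"no rule for {src_seg}->{dst_seg}:{flow['dport']}")


def fanout_alerts(flows, threshold=5):
    """Return {src: peer_count} for sources whose denied flows hit >= threshold
    distinct destinations. One normal user rarely trips many denies against
    many hosts; a host probing the next segment, or a bot hunting for peers, does.
    """
    peers = defaultdict(set)
    for flow in flows:
        if evaluate(flow)[0] == "deny":
            peers[flow["src"]].add(flow["dst"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


# Constructed sample: an accounting workstation doing normal work, one dev host
# touching HR, then the accounting workstation sweeping the POS segment on SMB.
SAMPLE_FLOWS = [
    {"src": "10.10.0.25", "dst": "10.99.0.10", "dport": 53},   # DNS to shared
    {"src": "10.10.0.25", "dst": "10.30.0.40", "dport": 443},  # finance app, allowed
    {"src": "10.40.0.7", "dst": "10.20.0.9", "dport": 443},    # dev -> HR, denied
] + [
    {"src": "10.10.0.25", "dst": f"10.50.0.{i}", "dport": 445}  # accounting -> POS sweep
    for i in range(1, 7)
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = evaluate(flow)
        print(f"{flow['src']:>11} -> {flow['dst']:>11}:{flow['dport']:<4} {verdict:5} ({reason})")
    print("fan-out alerts:", fanout_alerts(SAMPLE_FLOWS))
```

Running the script denies the dev-to-HR flow and all six accounting-to-POS attempts, and the fan-out check flags 10.10.0.25 because its denied traffic reached six distinct POS hosts, while the single dev-to-HR deny stays below the threshold. A real ISFW policy would key on users or device identity as well as addresses, but the decision structure is the same.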
The ISFW is best deployed as close to the Access Layer as possible, since that gives you the greatest coverage of your network assets and the bulk of your internal traffic. By deploying ISFWs in this fashion, for example inline on all of the uplinks from the access layer to the core and distribution layers, you gain significant visibility into that internal traffic. You can deploy your ISFW quickly, much like a switch, in what we call virtual wire mode. Not only does this facilitate rapid deployment, it also avoids much of the configuration complexity of a traditional perimeter appliance: you do not need to reconfigure IP addresses, gateways or other assets, and you gain deep visibility into the traffic moving throughout your network. Because the device is now in the data path of every uplink it sits on, plan its failure behaviour (bypass or fail closed) and its redundancy with the same care you give a core switch.
Until recently, companies have been reluctant to add an additional layer such as ISFWs inside their infrastructure. Recent statistics show that as much as three-quarters of your data center traffic now stays inside your infrastructure rather than crossing the perimeter. Firewalls with the throughput, processing ability and port density to monitor that internal traffic were either unavailable or cost-prohibitive. Add the disruption of deploying these devices and the additional management burden on already overworked security staff, and it is clear why enterprises chose to focus their resources elsewhere.
SECTION 3: HOW TO CHOOSE AN ISFW
Perhaps the most important factor in choosing an ISFW solution today is performance. Even wireless networks are approaching real-world throughput in the gigabit range, and gigabit to the desktop is now the rule, not the exception. To meet those demands, your ISFW must offer the port density and speed to serve those networks. Your security infrastructure must perform at or near wire speed, because users will not accept any degradation in performance. When comparing throughput figures, measure them with the inspection features you intend to run enabled, since that is the load the device will actually carry. It is not efficient to repurpose an existing or decommissioned firewall if it cannot keep up without creating a bottleneck.
Also key is integration with your existing security infrastructure. Does your staff need to retrain to use it? Can they extend the knowledge and skills gained from their perimeter devices to the ISFW? Finally, the tangible and intangible deployment costs must be considered. Can you deploy your ISFWs quickly and efficiently? How much network disruption is needed to place an ISFW in-line?
CONCLUSION
Segmenting your network is not a new idea, but traditional segmentation models relied on networking constructs, such as VLANs and routing boundaries, that were never designed as security controls. To a skilled attacker, they are just another speed bump.
You need to deploy roadblocks that slow attackers down. With the advances in firewall performance today, new segmentation strategies can be realized: strategies that protect your network not only from threats on the outside but also from threats that appear on the inside. Today’s high-performance ISFWs let you build an effective internal segmentation strategy that protects the assets that matter without sacrificing business performance or disrupting your business.
Copyright © 2016 Fortinet, Inc. All rights reserved. www.fortinet.com