Fortinet’s internal segmentation firewalls: Securing the inner network
The good news is that edge firewalls do an excellent job of protecting the network border. The bad news is that they can't help after a breach occurs. Once malware enters the network, it can move laterally virtually unopposed. The key to securing your network, data and application services is to place 'edge' protection inside your network to create barriers that allow legitimate traffic to pass whilst stopping any unauthorised activities.
Internal networks have been designed to be flat and open. But it has been impractical to deploy edge firewalls internally due to latency and cost. As a result, data and application services - including trade secrets, private data, proprietary applications and other sensitive assets - residing on internal networks have remained relatively unsecured. Added to the mix is the fact that advanced threats are getting better at slipping past perimeter security to reach the unprotected internal network.
"Networks require their own special type of internal security," says Andrew Khan, Fortinet Senior Business Manager at Ingram Micro, New Zealand's largest distributor of Fortinet's cyber-security solutions. "Fortinet's internal segmentation firewalls (ISFWs) remove the constraints and limitations of what a firewall can do for enterprises and prevent infections on easy targets, such as compromised smartphones, web servers and security cameras, from spreading laterally to your critical infrastructure. Installed correctly, ISFWs segment and protect network assets to control access, offer greater visibility in terms of user activity and traffic and limit damages in the event of a breach."
ISFW architecture delivers maximum performance and maximum security while offering the flexibility of being placed anywhere in the enterprise. In addition, ISFWs offer streamlined processes to manage individual policies for multiple devices and secure the enterprise's internal network security with minimal management overheads.
Segmentation is key
Until recently, effective segmentation hasn't been practical. Performance, price and overheads have been problematic for implementing a good segmentation strategy. But these barriers are no longer valid.
"ISFWs can handle traditional 'north-south' segmentation as well as emerging 'east-west' segmentation," continues Khan. "Because they can be placed anywhere inside the network, ISFWs can focus on monitoring activities that move around the internal portions of the enterprise network. If hackers attempt to locate assets and data of value by spreading laterally from one compromised host to another, the ISFW identifies this activity as suspect and restricts the lateral movement and propagation of malicious code."
One network - multiple policies
ISFWs can also manage individual policies for multiple devices. Network managers can configure different levels of visibility, control and mitigation for internal segments within the network. Not all ISFW policies require the same level of inspection, so managers have much more flexibility as to how and where they set activity thresholds. The ability to put the security where you want it, when you want it is one of the greatest benefits of an ISFW.
With more security enforcement points within the network, device and policy management becomes more critical. Policy-driven segmentation controls access to the network, applications and resources by automatically associating each user's identity - attributes such as physical location, the type of device used to access the network or the application used - with the security policies of a specific segment.
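To make the policy-driven segmentation just described (and the lateral-movement restriction Khan describes above) concrete, here is an added illustration in Python. It is not Fortinet or Ingram Micro code: the segment names, subnets, rules, identity attributes and the flow records are all constructed for this example. Cross-segment traffic is denied unless a rule for that segment pair, port and identity attributes allows it, each rule carries its own inspection profile, and a source that reaches into unusually many other segments is flagged as a lateral-movement suspect.

```python
"""Toy internal-segmentation policy engine (added illustration, not vendor code).

Everything below is constructed for the example: four internal segments,
three allow rules (default deny for all other east-west traffic), and a
short list of flows observed between segments.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed segment map: segment name -> internal subnet
SEGMENTS = {
    "user-lan": ip_network("10.10.0.0/16"),
    "cameras": ip_network("10.20.0.0/24"),
    "web-dmz": ip_network("10.30.0.0/24"),
    "db-segment": ip_network("10.40.0.0/24"),
}


@dataclass
class Rule:
    src: str                    # source segment
    dst: str                    # destination segment
    ports: set                  # allowed destination ports
    require: dict = field(default_factory=dict)  # identity attributes that must match
    inspect: str = "basic"      # inspection profile; not every segment needs full inspection


# Constructed policy: any segment pair/port not listed here is denied
RULES = [
    Rule("user-lan", "web-dmz", {443}, {"device": "managed-laptop"}),
    Rule("web-dmz", "db-segment", {5432}, {"app": "orders-api"}, inspect="full"),
    Rule("user-lan", "db-segment", {5432},
         {"role": "dba", "device": "managed-laptop"}, inspect="full"),
]


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside every segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return (verdict, reason) for one flow dict: src, dst, port, identity."""
    s, d = segment_of(flow["src"]), segment_of(flow["dst"])
    if s is None or d is None:
        return ("deny", "unknown segment")
    if s == d:
        return ("allow", "intra-segment")
    identity = flow.get("identity", {})
    for r in RULES:
        if r.src == s and r.dst == d and flow["port"] in r.ports:
            # Identity attributes are part of the match, not an afterthought
            missing = {k: v for k, v in r.require.items() if identity.get(k) != v}
            if missing:
                return ("deny", f"identity mismatch {missing}")
            return ("allow", f"{s}->{d} inspect={r.inspect}")
    return ("deny", f"no rule {s}->{d}:{flow['port']}")


def lateral_movement_suspects(flows, max_segments=2):
    """Flag sources that reach into more than max_segments other segments.

    Denied attempts count too: a compromised host probing for assets is
    visible precisely because it keeps hitting segments it has no business in.
    """
    touched = defaultdict(set)
    for f in flows:
        d = segment_of(f["dst"])
        if d and d != segment_of(f["src"]):
            touched[f["src"]].add(d)
    return {src for src, segs in touched.items() if len(segs) > max_segments}


# Constructed flow records; 10.20.0.7 is a camera that starts probing other segments
FLOWS = [
    {"src": "10.10.5.20", "dst": "10.30.0.10", "port": 443, "identity": {"device": "managed-laptop"}},
    {"src": "10.10.5.20", "dst": "10.40.0.5", "port": 5432, "identity": {"device": "managed-laptop"}},
    {"src": "10.30.0.10", "dst": "10.40.0.5", "port": 5432, "identity": {"app": "orders-api"}},
    {"src": "10.20.0.7", "dst": "10.30.0.10", "port": 22, "identity": {}},
    {"src": "10.20.0.7", "dst": "10.40.0.5", "port": 5432, "identity": {}},
    {"src": "10.20.0.7", "dst": "10.10.5.20", "port": 445, "identity": {}},
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["src"], "->", f["dst"], f["port"], evaluate(f))
    print("lateral-movement suspects:", lateral_movement_suspects(FLOWS))
```

The second flow is denied even though the source is a managed laptop, because the rule for user-lan to db-segment also requires the dba role: that is the "identity attributes associated with the policies of a specific segment" idea in the paragraph above. The camera is flagged not because any single flow was exotic but because it touched three different segments, which is the kind of pattern an ISFW is positioned to see and an edge firewall never would.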
"ISFWs have the ability to dynamically identify users and enforce the appropriate policies throughout the network," concludes Khan. "In effect, the entire firewall infrastructure turns into an intelligent policy-driven fabric that protects vital assets with less overhead, less latency and lower overall costs."
To learn more about how ISFW solutions are helping to solve these sorts of problems and secure today's networks, Fortinet has prepared a technical white paper 'Security Where You Need It, When You Need It' that presents both a design approach and architecture for implementing an ISFW strategy for your enterprise. Call Ingram Micro and they'll be happy to get you started.
For further information, please contact:
Andrew Khan, Senior Business Manager Email: andrew.khan@ingrammicro.com M: 021 819 793
David Hills, Solutions Architect Email: david.hills@ingrammicro.com M: 021 245 0437
Hugo Hutchinson, Business Development Manager at Ingram Micro Email: hugo.hutchinson@ingrammicro.com P: 09-414-0261 | M: 021-245-8276
Marc Brunzel, Business Development Manager Email: marc.brunzel@ingrammicro.com M: 021 241 6946