eBook Isfw

SECURITY. FROM THE INSIDE OUT. NEW BREACH DEFENSE STRATEGIES Security Without Compromise

Fortinet Security Book

Transcript of eBook Isfw

Page 1: eBook Isfw

SECURITY. FROM THE INSIDE OUT.

NEW BREACH DEFENSE STRATEGIES

Security Without Compromise

Page 2: eBook Isfw

CONTENTS

INTRODUCTION 1

SECTION 1: THE PERIMETER ISN’T ENOUGH 2

SECTION 2: NEW DEFENSES: THE INTERNAL FIREWALL 5

SECTION 3: HOW TO CHOOSE AN ISFW 8

CONCLUSION 10

Page 3: eBook Isfw

INTRODUCTION

Breaches have moved from the domain of the CIO or CISO to the CEO. Boards of Directors and other external bodies are now asking their corporations some strong questions: What contingencies are in place to protect against an advanced attack or a data breach? What strategies have you implemented for dealing with an incident if it does penetrate your infrastructure?

This is strategic now. CEOs and Boards have elevated the discussion to calculating risk and building effective solutions to prepare for what many see as inevitable.

Here we’ll discuss why the traditional perimeter-based protection strategies are no longer enough and why deploying specialized “internal segmentation” firewalls throughout your organization may help give your network the edge it needs to respond and react to today’s advanced threats.

1 INTRODUCTION

Page 4: eBook Isfw

01 THE PERIMETER ISN’T ENOUGH

Not too long ago, access to the Internet was very tightly controlled. A typical enterprise network may have consisted of a couple of redundant links to the Internet, and all traffic would flow through a single point. This allowed enterprises to deploy a perimeter firewall between the Internet, with all its evils, and the safety of the internal network. Today, though, the picture is much different. With the rapid proliferation of devices, the rise of BYOD, the use of the cloud and cloud technologies, and the Internet of Things, the attack surface available to attackers can no longer be contained. It’s simply not enough to set up a firewall on the perimeter of your network and cross your fingers. That approach is no longer effective. Threats today continue to evolve and increase in volume, and your network defenses must adapt to meet this new reality.

Page 5: eBook Isfw

Companies are spending more money than ever on network security. With that in mind, you may be wondering why breaches are still happening. Enterprises have typically focused the majority of their security spend on the data center and the core network. After all, that’s where the bulk of the company’s sensitive data exists! But attackers are clever. They’re not focusing all of their energy and resources on the data center anymore, at least not directly. Attackers are spending considerable time compromising endpoints and other systems outside of the core network. An attacker will compromise an endpoint user, steal their credentials, and then use that access to begin to move laterally around the network. They will often explore and map out devices and systems in close proximity to their initial entry point and look for ways to compromise other systems, elevate their privileges, exploit unpatched vulnerabilities on internal systems, plant more malware and steal data. Once the attacker has gathered up the information they’ve stolen, they’ll use that earlier research to find a stealthy way of absconding with all their plunder.

Page 6: eBook Isfw

What happens when an attacker gets through? Various analyses from many sources all agree that right now, it can take a long time before a breach is discovered and an attacker stymied. The costs to your business could be in the millions: forensics, remediation, legal costs and additional defenses could all cost your organization untold amounts of money. And the impact on your reputation and brand? That could be incalculable.

Why aren’t current firewall deployments enough anymore? Attackers are able to leverage more and more techniques to evade perimeter protection, but in many cases they don’t need to. As we mentioned earlier, there are more ways into a network than ever. All have the potential to bypass the protection at the perimeter.

Today’s security strategy requires you to understand that effective security requires the construction of internal defenses as well as protecting the perimeter. Monitoring your internal traffic is arguably as critical today as monitoring the traffic coming in from the Internet as a whole. So what can a security team do today to bolster their defenses?

Page 7: eBook Isfw

02 NEW DEFENSES: THE INTERNAL FIREWALL

As part of an effective defense strategy, you need to be able to effectively segment your network into smaller “chunks,” keeping teams with unique job functions separate. For example, your development teams likely have no reason to access systems relating to accounting, and your HR systems probably have no reason to connect to Finance.

Defense-in-depth isn’t a new term, and many enterprises have implemented it in some fashion. Defense-in-depth allows you to place multiple security controls throughout your network in the hopes of detecting an incident at some point during the attack cycle. The Internal Segmentation Firewall (ISFW) extends the defense-in-depth concept even further by building those “chunks” and watching for traffic that is not typical.

Most perimeter-based protection solutions do a poor job at outbound inspection of traffic, if they do it at all. Outdated deployments often assume that what’s inside your network is safe or innocuous and focus on protecting the inside from the bad outside. Those firewalls that do provide some measure of outbound inspection often struggle with the additional load asked of them, which can lead to significant bottlenecks or performance issues.

Page 8: eBook Isfw

How does the ISFW detect things that the perimeter firewall does not? It’s critical to understand that the ISFW is not designed to detect things that the perimeter cannot. Your ISFW should be designed with specific policies in mind to allow your users to access the things they should be accessing, and either slow down or entirely prevent access to other segments of your network. So in the case where an attacker compromises an endpoint belonging to a member of your accounting team, they should not be able to move throughout the network and onto the systems controlling your Point of Sale systems or e-commerce systems. Your ISFW should be able to detect these attempts to access systems outside of the user’s normal activities and alert accordingly. Beyond that, your ISFW may be able to identify and block threats from malware, botnets or other malicious activities that found a way past your perimeter defenses. For example, the ZeroAccess botnet is well known for being very “chatty.” It will often search for other bots to communicate with to receive commands. Your ISFW, because it is located close to the infected endpoint, may be uniquely equipped to detect that chatter and alert your security team faster than you may expect from your perimeter appliance.
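The segmentation policy and the lateral-movement alerting described on pages 7 and 8, as an added example that is not part of the Fortinet eBook or of any Fortinet product: a default-deny allow matrix between constructed segments, evaluated over constructed flow records so that an accounting endpoint reaching for the POS segment raises an alert. The subnets, the single allow entry and the sample flows are assumptions chosen for illustration.

```python
from ipaddress import ip_address, ip_network
# Constructed internal segments ("chunks") and their subnets (assumed values).
SEGMENTS = {
    "accounting": ip_network("10.10.0.0/24"),
    "development": ip_network("10.20.0.0/24"),
    "hr": ip_network("10.30.0.0/24"),
    "finance": ip_network("10.40.0.0/24"),
    "pos": ip_network("10.50.0.0/24"),
}
# Explicit cross-segment allow list of (source, destination, destination port).
# Anything else that crosses a segment boundary is denied and raised as an alert.
ALLOW = {("accounting", "finance", 443)}  # accounting staff use the finance web app

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known chunk."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src, dst, dport):
    """Return (verdict, alert_text); alert_text is None when the flow is allowed."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny", f"unknown segment in flow {src} -> {dst}:{dport}"
    if s == d or (s, d, dport) in ALLOW:  # same chunk, or explicitly permitted
        return "allow", None
    return "deny", f"cross-segment attempt {s} -> {d} ({src} -> {dst}:{dport})"

def alerts(flows):
    """Run the policy over (src, dst, dport) records and collect alert texts."""
    out = []
    for src, dst, dport in flows:
        verdict, text = evaluate(src, dst, dport)
        if verdict == "deny":
            out.append(text)
    return out

# Constructed sample flows, as an ISFW on the access-layer uplinks would see them.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.40.0.8", 443),  # accounting -> finance app: allowed
    ("10.10.0.15", "10.50.0.3", 445),  # same accounting host reaching for POS: alert
    ("10.30.0.7", "10.40.0.8", 443),   # HR -> finance: alert
    ("10.20.0.4", "10.20.0.9", 22),    # dev -> dev, inside one chunk: allowed
]
if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print("ALERT:", line)
```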


Page 9: eBook Isfw

The ISFW is best deployed as close to the Access Layer as possible, as that gives you the greatest access to your network assets and the bulk of your internal traffic. By deploying ISFWs in this fashion, for example intersecting all of your uplinks from the access layer to the core and distribution layer, you can gain significant visibility into all of that internal traffic. You can quickly deploy your ISFW similar to a switch, in what we call virtual wire mode. Not only does this facilitate rapid deployment, but it also avoids a significant amount of the complexity around the configuration of a traditional perimeter appliance. You won’t need to reconfigure IPs, gateways or other assets, and you’ll gain deep visibility into the traffic moving throughout your network.

Page 10: eBook Isfw

03 HOW TO CHOOSE AN ISFW

Until recently, companies have been reluctant to add an additional layer such as ISFWs inside their infrastructure. Recent statistics show that as much as three-quarters of your traffic moving in and out of your data center is now inside your infrastructure. Firewalls with the throughput, processing ability and port density to monitor that internal traffic were either unavailable or incredibly cost-prohibitive. Add to that the disruptions in deploying these devices, as well as the additional management burden on your already overworked security staff, and it’s clear why enterprises decided to focus their resources elsewhere.

Page 11: eBook Isfw

Perhaps the most important factor in deciding on an ISFW solution today is performance. Even wireless networks are approaching real-world throughputs in the gigabit range, and gigabit at the desktop is the rule now, not the exception. To meet those speed demands, you must have an ISFW that can offer you the port density and speed to service those networks. Your security infrastructure must be able to perform at wire-speed or near wire-speed. Users will not accept any decrease or degradation in performance. It’s just not efficient to repurpose an existing or decommissioned firewall if it is unable to perform without creating a bottleneck.

Also key in making a decision is integration with your existing security infrastructure. Does your staff need to retrain to use it? Are they able to extend the knowledge and skills gained from using their perimeter devices to the ISFW? Finally, the tangible and intangible deployment costs must be considered. Can you deploy your ISFWs quickly and efficiently? How much network disruption is needed to place an ISFW in-line?

Page 12: eBook Isfw

CONCLUSION

Segmenting your network isn’t a new idea. Traditional segmentation models relied on ineffective measures built around networking technologies. To a skilled attacker, it’s just another speed bump.

You need to deploy roadblocks to slow attackers down. With the advances in firewall performance today, new segmentation strategies can now be realized: strategies that protect your network not only from threats on the outside, but also from threats that appear on the inside. Today’s high-performance ISFWs allow you to build an effective internal segmentation strategy to protect the assets that are important without sacrificing business performance or causing disruption to your business.

Page 13: eBook Isfw

Copyright © 2016 Fortinet, Inc. All rights reserved. www.fortinet.com

Security Without Compromise