SOLUTION GUIDE
Internal Segmentation Firewall (ISFW)
Control and Protect Against Threat Propagation and Damage in the Internal Network

Introduction

The quantity, quality and impact of cyber attacks are on the rise. Breaches draw unwanted public attention, damage reputation and customer confidence, and may result in heavy recovery costs for the enterprise. As organizations adopt technologies such as mobility and the cloud, traditional network boundaries become increasingly complex to control and secure: there are now many different ways into an enterprise network.

Organizations have been investing in perimeter security at different levels of the enterprise network (branches, campus and the data center) to prevent threats from entering their internal infrastructure. For a decade this has proven to be a valuable and effective strategy. In addition to firewalls at the network perimeter, purpose-built security solutions have been added to provide application-level and multi-layered APT protection. Yet sophisticated attacks are still able to penetrate the enterprise network.

Accepting that threats will penetrate the perimeter, an additional security layer needs to be added in the internal network: one that segments the access of potential threat vectors to critical resources, provides next-generation security and greater visibility, and limits the damage a breach can cause.

The Challenge

Fact #1 - Threat Quantity, Sophistication and Impact Are on the Rise
In today's environment, access points to the enterprise network have multiplied. Mobility, smart devices and the cloud all represent a growing attack surface through which a growing number of sophisticated attacks and threats can enter the network.
Fact #2 - The Internal Network Is Flat and Open
To facilitate flexibility and agility, networks have become increasingly flat and open. Security within the internal network is, in most cases, basic and limited to Virtual LANs and Layer 4 access lists. Once beyond the security perimeter, exploits and attackers can therefore spread easily and freely, gaining further access to credentials, resources and data. Furthermore, the lack of security infrastructure within the internal network severely limits the enterprise's visibility into suspicious traffic behavior, threats and data flows, which hinders its ability to detect a breach.

Fact #3 - Virtual LAN (VLAN) Segmentation Is Just Not Enough
Traditionally, internal network segmentation has been done by deploying VLANs, with inter-VLAN communication carried out by a routing function. VLAN segmentation may limit the spread of a simple threat to members of the same VLAN. However, more sophisticated threats can easily spread between VLANs, because routers are not security appliances and lack the security services and awareness required to identify and block threats: a Layer 4 access list sees addresses and ports, not the exploit or malware carried inside a permitted connection. The VLAN model also has limited scalability. The 12-bit 802.1Q VLAN ID allows at most 4,094 usable VLANs, which limits its ability to provide the micro-segmentation needed in today's enterprise environments, which may contain thousands of servers and virtual machines.

The Solution - Internal Segmentation Firewall

To address these challenges, enterprises should deploy enterprise firewalls with next-generation functionality at strategic points within the internal network, adding a further security layer. Such firewalls, known as Internal Segmentation Firewalls (ISFW), provide the following security benefits:
1. Control access to critical resources and assets as close as possible to the user via policy-driven segmentation.
2. Establish security barriers that stop or limit the uncontrolled spread of threats and attacker activity within the internal network, by implementing physical segmentation with advanced security mechanisms.
3. Limit the potential damage of threats inside the perimeter.
4. Increase threat visibility and improve breach discovery and mitigation.
5. Strengthen the enterprise's overall security posture.

To maximize threat control and damage limitation, an ISFW deployment relies on two foundations:
- Policy-driven firewall segmentation
- Physical and virtual firewall segmentation

ISFW: Policy-Driven Firewall Segmentation

The objective of policy-driven segmentation is to segment users' access to the network, applications and resources by tying enforcement of security policy to the user's identity, so that the attack vectors and threats a user can carry are limited. Policy-driven segmentation is the automatic association of a user's identity with the security policy enforced for that user. Here the identity is not only the user name but a set of attributes, such as directory group membership, physical location, the type of device used to access the network and the application in use. As these attributes change dynamically, the enforced security policy must follow them dynamically and automatically. For example, the same user may have different policies enforced depending on whether the device used to access the network is a managed corporate laptop or a personal device.

To obtain the user identification and the other parameters needed to create and enforce granular security policies, an ISFW must be able to:
1. Identify users, devices and applications.
2. Integrate with the enterprise's directory services, such as Microsoft Active Directory, to dynamically establish the user's identity.
3. Dynamically map a user's identity to a specific security policy and enforce it.

The association of the user profile with the security policy to be enforced should happen as close as possible to the source or access point. Therefore all firewalls deployed at the various levels of the organization, from the branch office to the campus/HQ, must be able to dynamically identify the user and enforce the appropriate policy throughout the organization. In effect, the entire firewall infrastructure becomes an intelligent policy-driven segmentation fabric.

ISFW: Physical and Virtual Firewall Segmentation

Policy-driven segmentation also defines the security services the firewall applies to permitted traffic, such as antivirus (AV), intrusion prevention (IPS) and application control. However effective these may be, an unknown threat can still enter the network. To maximize threat detection and protection and to limit a threat's spread within the internal network, physical firewall segmentation must also be put in place. The need for it is driven by the harsh reality of breaches and the growing adoption of the zero trust concept, which implies micro-segmentation of all assets and resources within the enterprise network: deploying security infrastructure and mechanisms that effectively isolate servers, data repositories and applications from one another.

ISFW Functionality Throughout the Enterprise

Virtual ISFW for the Software-Defined Data Center (SDDC)
With virtualization and software-defined computing massively deployed in enterprise data centers, micro-segmentation is already being implemented by deploying virtual firewall appliances that segment each virtual machine (VM). These virtual ISFWs, such as the FortiGate-VM and FortiGate-VMX, provide the security services required for visibility, analysis and protection of traffic flows between virtual machines, also known as "east-west" traffic.
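The two ISFW foundations described above, identity attributes selecting the policy and segment boundaries on which it is enforced, can be modelled as a small policy engine. The following is an added illustration written for this page; it is not FortiGate code or Fortinet's policy engine. The segment map (a /24 standing for a VLAN behind a physical ISFW, /32 entries standing for per-VM micro-segments behind a virtual one), the addresses, the directory group names and the policies are all constructed for the example.

```python
"""Illustrative policy-driven segmentation engine.

Added example for this page, not FortiGate code: it models an ISFW that
learns identity attributes (directory groups, device type, location) and
enforces policy at segment boundaries, where a segment is a VLAN behind a
physical ISFW or a single VM behind a virtual one. Segments, addresses,
group names and policies are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str            # "" when no authenticated user is behind the flow
    groups: frozenset    # directory groups learned through AD/LDAP integration
    device: str          # "managed", "byod" or "server"
    location: str        # "hq", "branch" or "dc"


@dataclass
class Policy:
    name: str
    src: set             # segments the flow may originate from
    dst: set             # segments the flow may target
    action: str          # "accept" or "deny"
    groups: set = field(default_factory=set)     # empty set means any group
    devices: set = field(default_factory=set)    # empty set means any device
    locations: set = field(default_factory=set)  # empty set means any location
    services: tuple = ()  # inspection applied to accepted traffic

    def matches(self, ident: Identity, src_seg: str, dst_seg: str) -> bool:
        return (src_seg in self.src and dst_seg in self.dst
                and (not self.groups or bool(self.groups & ident.groups))
                and (not self.devices or ident.device in self.devices)
                and (not self.locations or ident.location in self.locations))


@dataclass(frozen=True)
class Verdict:
    policy: str
    action: str
    services: tuple = ()


IMPLICIT_DENY = Verdict("implicit-deny", "deny")

# Constructed segment map. The /24 stands for a VLAN behind a physical ISFW;
# the /32 entries are per-VM micro-segments a virtual ISFW would enforce.
SEGMENTS = {
    "users":           ipaddress.ip_network("10.1.0.0/16"),
    "dev":             ipaddress.ip_network("10.30.0.0/16"),
    "finance-servers": ipaddress.ip_network("10.20.5.0/24"),
    "finance-app":     ipaddress.ip_network("10.20.5.11/32"),
    "finance-db":      ipaddress.ip_network("10.20.5.10/32"),
}


def segment_of(ip: str) -> str:
    """Longest-prefix match, so a per-VM micro-segment wins over its VLAN."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(hits)[1] if hits else "unknown"


# Constructed policy set, evaluated top-down like a firewall rulebase.
POLICIES = [
    # Finance staff on a managed device may reach the finance application VM,
    # with AV, IPS and application control applied to the permitted flow.
    Policy("finance-managed", src={"users"}, dst={"finance-app"}, action="accept",
           groups={"Finance"}, devices={"managed"},
           services=("av", "ips", "app-control")),
    # Only the application VM may open connections to the database VM.
    Policy("app-to-db", src={"finance-app"}, dst={"finance-db"}, action="accept",
           devices={"server"}, services=("ips",)),
    # Engineers may talk east-west inside the dev segment, still under IPS.
    Policy("dev-east-west", src={"dev"}, dst={"dev"}, action="accept",
           groups={"Engineering"}, services=("ips",)),
]


def evaluate(ident: Identity, src_ip: str, dst_ip: str, policies=POLICIES) -> Verdict:
    """First match wins; a flow no policy permits is dropped, which is the
    barrier that keeps a compromised host inside its own segment."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for pol in policies:
        if pol.matches(ident, src_seg, dst_seg):
            return Verdict(pol.name, pol.action, pol.services)
    return IMPLICIT_DENY


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"Finance", "Domain Users"}), "managed", "hq")
    alice_byod = Identity("alice", alice.groups, "byod", "hq")
    server = Identity("", frozenset(), "server", "dc")
    flows = [
        ("alice, managed laptop -> app VM", alice, "10.1.4.20", "10.20.5.11"),
        ("alice, personal tablet -> app VM", alice_byod, "10.1.4.20", "10.20.5.11"),
        ("alice, managed laptop -> DB VM", alice, "10.1.4.20", "10.20.5.10"),
        ("app VM -> DB VM", server, "10.20.5.11", "10.20.5.10"),
        ("DB VM -> app VM (lateral move)", server, "10.20.5.10", "10.20.5.11"),
    ]
    for label, ident, src, dst in flows:
        v = evaluate(ident, src, dst)
        print(f"{label:36} {v.action:6} {v.policy:16} {v.services}")
```

Two of the verdicts are the point of the section: the same user is accepted from a managed laptop and denied from a personal tablet, because the policy follows the device attribute rather than the user name alone; and the database VM cannot initiate a connection back to the application VM, because no policy permits that direction, so a foothold on it stays inside its micro-segment. On a real ISFW the segment map corresponds to interfaces, VLANs or VM port groups and the identity comes from the directory integration; the top-down, first-match evaluation with an implicit deny is the same.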
Physical ISFW
For traffic flows entering and exiting the network perimeter and the data center, also known as "north-south" traffic, physical ISFWs provide a cost-effective and scalable way to extend security segmentation and visibility throughout the enterprise:
- from virtual ISFWs for micro-segmentation of virtual machines;
- through physical ISFWs within the internal network, providing security-enhanced segmentation of servers, applications, data, functions and departments;
- to the logical segmentation of users' access to sensitive resources via ISFW policy-driven segmentation.

Unlike the virtual environment, where a single virtual FortiGate ISFW segments and protects all VMs within a server, the granularity of physical firewall segmentation (appliance size, performance and number of Ethernet ports) depends on multiple factors: the firewall's physical location, the architecture of the network, the trust structure of the enterprise, and the criticality and location of data center assets.

End-to-End ISFW
Although independent, combining policy-driven and virtual/physical ISFW provides the following benefits:
1. Policy-driven ISFW limits the access of users and threat vectors to sensitive resources.
2. Physical and virtual internal segmentation can be provided throughout the network.
3. Threats and their impact are limited to the network segment they penetrated.
4. More visibility into the applications, users, devices and data flows in the internal network.
5. Shorter time to breach detection and mitigation.

ISFW Considerations
An ISFW infrastructure can be built by:
1. Modifying the organization's existing firewall infrastructure, or
2. Adding firewalls to act as designated ISFWs.

Adding FortiGate firewalls as designated ISFWs allows simplified, rapid deployment using Transparent Mode. In this mode the firewall acts as a "bump in the wire": it is not seen as a router hop by connected devices, so existing IP addressing does not have to change. The firewall must still sit in-line on the path carrying the traffic to be segmented, in both directions, for it to inspect and block that traffic.

Whichever deployment option is chosen, the following criteria should be considered:
- Virtual and physical ISFWs for a complete end-to-end solution
- Integration with directory services
- Enhancement of the security policies in place to allow policy-driven segmentation
- When required, additional firewall network ports for greater physical segmentation
- ISFW performance must meet the throughput and latency required while providing next-generation security in a highly segmented environment

Internal Segmentation Firewall with Fortinet

Fortinet has pioneered the concept and deployment of Internal Segmentation Firewalls as part of its Advanced Threat Protection (ATP) framework, protecting organizations against today's most sophisticated threats. Fortinet provides a dynamic, manageable and scalable ISFW solution:
1. User-, device- and application-aware FortiGate firewall policies for policy-driven segmentation.
2. Integration with RADIUS, LDAP and Active Directory for user authentication and management.
3. A rich set of FortiGate security services, including AV, IPS and Application Control, for maximum internal network protection.
4. ASIC-based FortiGate physical appliances providing the high performance and low latency required in a highly segmented environment.
5. FortiGate virtual firewalls providing ISFW functionality in the SDDC and public clouds.
6. A wide range of physical and virtual FortiGate ISFW appliances to fit the performance and scalability required for optimized segmentation throughout the network.
7. A scalable, manageable and automated end-to-end solution with FortiManager, FortiAnalyzer/FortiView and FortiAuthenticator.

Management

ISFW is a component of Fortinet's end-to-end security platform, from secure wireless access to physical and virtual data center firewalls and application-level security appliances, all managed under a single pane of glass with FortiManager and FortiAnalyzer.

In an ISFW deployment, the number of defined policies is expected to grow with policy-driven internal segmentation. In addition, any firewall in the enterprise network should be able to dynamically enforce policy-driven segmentation, which requires every firewall to be aware of the entire range of policies defined. Without central management, such requirements can create an operational burden and strain firewall resources. FortiManager, FortiAnalyzer and FortiAuthenticator address this by:
1. Defining policies once, in FortiManager.
2. Having FortiManager automatically distribute those policies to the firewalls participating in the ISFW segmentation.
3. Achieving user awareness and policy-driven segmentation at scale through FortiAuthenticator, which integrates and automates the connection between FortiGate firewalls and the directory services.
4. Providing granular and aggregated traffic visibility (users, devices, applications, threats, etc.) throughout the enterprise with FortiAnalyzer and FortiView.

Summary

As threats grow in number, sophistication and impact, it is clear that placing all the security emphasis on the network perimeter is not enough. Internal Segmentation Firewalls give organizations an additional layer of protection inside the network perimeter, protecting critical assets while improving their ability to detect breaches and shortening time to mitigation.
With high-performance virtual and physical ISFWs under single-pane-of-glass management, Fortinet leads the way, providing a granular, cost-effective and high-performance end-to-end ISFW solution for the most demanding organizations and environments.

GLOBAL HEADQUARTERS
Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States. Tel: +1.408.235.7700. www.fortinet.com/sales
EMEA SALES OFFICE
120 rue Albert Caquot, 06560 Sophia Antipolis, France. Tel: +33.4.8987.0510
APAC SALES OFFICE
300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6513.3730
LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702, Col. Lomas de Santa Fe, C.P. 01219, Del. Alvaro Obregón, México D.F. Tel: 011-52-(55) 5524-8480

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

09 Oct 2015
www.fortinet.com