Internal Segmentation Firewall (ISFW)

SOLUTION GUIDE
Internal Segmentation Firewall (ISFW)
Control and Protect Against Threat Propagation and Damage in the Internal Network
Introduction
The quantity, sophistication and impact of cyber attacks are on the rise. Breaches draw unwanted public attention, erode reputation and customer confidence, and may leave the enterprise with heavy recovery costs.
As organizations embrace the latest IT technology such as Mobility and the Cloud, traditional network boundaries are becoming
increasingly complex to control and secure. There are now many different ways into an enterprise network.
Organizations have been investing in perimeter security protection at different levels of the enterprise network – branches, campus
and the data center – to prevent threats from entering their internal infrastructure. For a decade, this has proven to be a valuable and
effective strategy.
In addition to firewalls at the network perimeter, purpose-built security solutions are added to provide application-level and multi-layered advanced persistent threat (APT) protection. Yet sophisticated attacks are still able to penetrate the enterprise network.
Accepting that threats will get past the perimeter, an additional security layer is needed inside the internal network: one that segments the access of potential threat vectors to critical resources, provides next-generation security and greater visibility, and limits the damage a breach can do.
www.fortinet.com
SOLUTION GUIDE: INTERNAL SEGMENTATION FIREWALL (ISFW)
The Challenge
Fact #1 - Threat Quantity, Sophistication and Impact Are on the Rise - In today's environment, the number of access points into the enterprise network has multiplied. Mobility, smart devices and the cloud all represent a growing attack surface through which a growing number of sophisticated attacks and threats can enter the network.
Fact #2 - The Internal Network Is Flat and Open - To provide flexibility and agility, networks have become increasingly flat and open. Security within the internal network is, in most cases, basic and limited to Virtual LANs and layer 4 access lists. Once past the security perimeter, attackers and malware can therefore move laterally with little resistance and gain further access to credentials, resources and data. The lack of security infrastructure within the internal network also limits the enterprise's visibility into suspicious traffic behavior, threats and data flows, which hinders its ability to detect a breach.
Fact #3 - Virtual LAN (VLAN) Segmentation Is Just Not Enough - Traditionally, internal network segmentation has been done with VLANs, with inter-VLAN communication handled by a routing function. VLAN segmentation may confine a simple threat to members of the same VLAN. More sophisticated threats, however, spread easily between VLANs, because the router or layer 3 switch that joins them forwards on addresses and ports alone: it is not a security appliance and lacks the user, application and threat awareness needed to identify and block malicious traffic.
The VLAN model also scales poorly. The 802.1Q VLAN ID is a 12-bit field, which leaves 4,094 usable VLANs per layer 2 domain, far short of the micro-segmentation needed in enterprise environments that may contain thousands of servers and virtual machines.
The Solution – Internal Segmentation Firewall
To address these challenges, enterprises should deploy enterprise firewalls with next-generation functionality at strategic points within the internal network, adding a further security layer. Firewalls deployed this way, known as Internal Segmentation Firewalls (ISFW), provide the following security benefits:
1. Control access to critical resources and assets as close as possible to the user via policy-driven segmentation.
2. Establish security barriers that stop or limit the uncontrolled spread of threats and attacker activity within the internal network, through physical segmentation backed by advanced security mechanisms.
3. Limit the potential damage of threats that are already inside the perimeter.
4. Increase threat visibility and improve breach discovery and mitigation.
5. Strengthen the enterprise's overall security posture.
To achieve and maximize threat control and damage limitation, an ISFW deployment rests on two foundations:
• Policy-driven firewall segmentation
• Physical and virtual firewall segmentation
ISFW: Policy-Driven Firewall Segmentation
The objective of policy-driven segmentation is to segment users' access to the network, applications and resources by associating the user's identity with the security policy that is enforced, so that the attack vectors and threats a user can carry are limited.
Policy-based segmentation is the automatic association of a user's identity with the security policy enforced for that user. Here a user's identity is more than a login: it is a set of attributes such as the directory user and group, physical location, the type of device used to access the network, the application in use, and so on. Because these attributes change dynamically, the enforced security policy must follow the user's identity dynamically and automatically. For instance, the same user may have different policies enforced depending on the type of device used to access the network: broader access from a managed corporate laptop, restricted access from a personal phone.
To identify users and gather the parameters needed to create and enforce granular security policies, an ISFW must be able to:
1. Identify the user, the device and the application
2. Integrate with the enterprise's directory services, such as Microsoft Active Directory and others, to learn the user's identity dynamically
3. Dynamically map a user's identity to a specific security policy and enforce it
The association of the user profile on which a specific policy is enforced should happen as close as possible to the source or access point. All firewalls deployed at the various levels of the organization, from the branch office to the campus/HQ, must therefore be able to identify the user dynamically and enforce the appropriate policy throughout the organization. In effect, the entire firewall infrastructure turns into an intelligent, policy-driven segmentation fabric.
ISFW: Physical & Virtual Firewall Segmentation
Policy-based segmentation also defines the security services the firewall applies, such as AV, IPS and application control. However effective these are, an unknown threat may still enter the network. To maximize threat detection and protection and to limit a threat's spread within the internal network, physical firewall segmentation must also be put in place. The need for it is driven by the realities of breaches and the growing adoption of the zero trust concept, which implies micro-segmentation of all assets and resources within the enterprise network: security infrastructure and mechanisms deployed so that servers, data repositories and applications are effectively isolated from one another, and traffic between them is inspected rather than implicitly trusted.
ISFW Functionality Throughout the Enterprise
Virtual ISFW for the Software Defined Data Center (SDDC) - With virtualization and software-defined computing massively deployed in enterprise data centers around the globe, micro-segmentation is already being implemented with advanced virtual firewall appliances that segment each virtual machine (VM). These virtual ISFWs, such as the FortiGate-VM and FortiGate-VMX, provide the security services required for visibility, analysis and protection of traffic flows between virtual machines, also known as "east-west" traffic.
Physical ISFW - For traffic flows entering and leaving the network perimeter and the data center, also known as "north-south" traffic, physical ISFWs are required, and they provide a cost-effective and scalable way to extend security segmentation and visibility throughout the enterprise:
• from virtual ISFWs for micro-segmentation of virtual machines;
• through physical ISFWs within the internal network, providing security-enhanced segmentation of servers, applications and data, functions and departments;
• to the logical segmentation of users' access to sensitive resources via ISFW policy-based segmentation.
Unlike the virtual environment, where a single virtual FortiGate ISFW segments and protects all VMs on a host, the granularity of physical firewall segmentation (appliance size, performance and number of Ethernet ports) depends on several factors: the firewall's physical location, the network architecture, the enterprise's trust structure, and the criticality and location of data center assets.
End-to-End ISFW - Although each can stand alone, combining policy-driven and virtual/physical ISFW provides the following benefits:
1. Policy-driven ISFW limits the access of users, and of the threat vectors they carry, to sensitive resources
2. Physical and virtual internal segmentation throughout the network
3. Threats and their impact are confined to the network segment they penetrated
4. More visibility into the applications, users, devices and data flows in the internal network
5. Shorter time to breach detection and mitigation
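The policy-driven segmentation described earlier (identity attributes selecting the enforced policy) and benefit 3 above (a threat confined to the segment it penetrated) can be made concrete in a small model. The Python below is an added example written for this guide, not Fortinet or FortiGate code: it evaluates an ordered, identity-aware policy table top to bottom with an implicit deny at the end, then computes, by breadth-first search over segments, which segments a compromised host could pivot into under that table. All segment names, group names, device types and policy names are hypothetical, and the identities are constructed for the example.

```python
"""Added example (not Fortinet code): how an identity-aware ISFW policy table
turns user, group, device and location into a segmentation decision, and how
that decision bounds the segments a compromised host can pivot into.

Group names, segment names, device types and policy names are hypothetical."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """What the firewall learns about a session from the directory and the
    endpoint: the user, the user's directory groups, device type and location."""
    user: str
    groups: frozenset
    device: str
    location: str


@dataclass(frozen=True)
class Policy:
    """One row of an ordered policy table. An empty match set means 'any'."""
    name: str
    src_segments: frozenset
    dst_segments: frozenset
    action: str
    groups: frozenset = frozenset()
    devices: frozenset = frozenset()
    locations: frozenset = frozenset()
    profiles: frozenset = frozenset()   # security services applied on accept

    def matches(self, ident, src, dst):
        return (src in self.src_segments and dst in self.dst_segments
                and (not self.groups or bool(self.groups & ident.groups))
                and (not self.devices or ident.device in self.devices)
                and (not self.locations or ident.location in self.locations))


# Final row every policy table ends with: traffic matching no explicit policy is dropped.
IMPLICIT_DENY = Policy("implicit-deny", frozenset(), frozenset(), "deny")


def evaluate(policies, ident, src, dst):
    """First-match evaluation, top to bottom, falling through to implicit deny."""
    for policy in policies:
        if policy.matches(ident, src, dst):
            return policy
    return IMPLICIT_DENY


def reachable_segments(policies, ident, start, segments):
    """Breadth-first search over segments: a compromised host in `start` can
    pivot into a segment only if an accept policy lets its session in. The
    result is the blast radius the segmentation allows for this identity."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in segments:
            if dst not in seen and evaluate(policies, ident, src, dst).action == "accept":
                seen.add(dst)
                queue.append(dst)
    return seen


SEGMENTS = ("users", "finance-apps", "finance-db", "hr-apps")
ANY = frozenset(SEGMENTS)

# Flat network: a single permit-all rule, the situation Fact #2 describes.
FLAT = [Policy("permit-all", ANY, ANY, "accept")]

# Policy-driven segmentation: directory group plus device type select the policy.
SEGMENTED = [
    Policy("finance-users-to-apps", frozenset({"users"}), frozenset({"finance-apps"}), "accept",
           groups=frozenset({"Finance"}), devices=frozenset({"managed-laptop"}),
           profiles=frozenset({"av", "ips", "app-control"})),
    Policy("hr-users-to-apps", frozenset({"users"}), frozenset({"hr-apps"}), "accept",
           groups=frozenset({"HR"}), devices=frozenset({"managed-laptop"}),
           profiles=frozenset({"av", "ips", "app-control"})),
    Policy("finance-apps-to-db", frozenset({"finance-apps"}), frozenset({"finance-db"}), "accept",
           profiles=frozenset({"ips"})),
]

# Constructed identities: the same user on a managed laptop and on a personal phone.
ALICE_LAPTOP = Identity("alice", frozenset({"Finance"}), "managed-laptop", "hq")
ALICE_PHONE = Identity("alice", frozenset({"Finance"}), "byod-phone", "hq")


if __name__ == "__main__":
    for ident in (ALICE_LAPTOP, ALICE_PHONE):
        hit = evaluate(SEGMENTED, ident, "users", "finance-apps")
        print(f"{ident.user}@{ident.device}: users->finance-apps => {hit.name} ({hit.action})")
        print("  blast radius, flat:     ", sorted(reachable_segments(FLAT, ident, "users", SEGMENTS)))
        print("  blast radius, segmented:", sorted(reachable_segments(SEGMENTED, ident, "users", SEGMENTS)))
```

Running it prints, for the same user on a managed laptop and on a personal phone, the policy that matched and the blast radius under a flat permit-all table versus the segmented one: the laptop session reaches finance-apps and, through the server-to-database policy, finance-db; the phone session reaches nothing beyond its own segment. Two simplifications to keep in mind: the model re-uses the compromised session's identity on every hop, whereas a real pivot through a server would be evaluated with that server's own (usually identity-less) session, and it ignores the security profiles on an accept policy, which in practice are where the AV, IPS and application control inspection of the allowed flow happens.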
ISFW Considerations - An ISFW infrastructure can be built by:
1. Modifying the organization's existing firewall infrastructure
2. Adding firewalls to act as designated ISFWs
Adding FortiGate firewalls as designated ISFWs has the advantage of simple, rapid deployment in Transparent Mode. In this mode the firewall operates at layer 2 as a "bump in the wire": it is not a router hop for the devices on either side, so no IP re-addressing is required, yet every flow crossing it is still subject to policy and security inspection.
Whichever option is chosen, the following criteria should be considered:
• Virtual and physical ISFWs for a complete end-to-end solution
• Integration with directory services
• Enhancement of the security policies in place to allow policy-driven segmentation
• Where required, additional firewall network ports for greater physical segmentation
• ISFW performance must meet the throughput and latency required while providing next-generation security in a highly segmented environment
Internal Segmentation Firewall with Fortinet
Fortinet has pioneered the concept and deployment of Internal Segmentation Firewalls as part of its Advanced Threat Protection (ATP)
framework, protecting organizations against today’s most sophisticated threats.
Fortinet provides a dynamic, manageable and scalable ISFW solution:
1. User/Device/Application-aware FortiGate firewall policies for policy-driven segmentation
2. Integration with RADIUS, LDAP, Active Directory for user authentication & management
3. FortiGate firewalls provide a rich set of security services, including AV, IPS and Application Control, to provide maximum internal
network protection
4. FortiGate physical appliances are ASIC-based, providing the high performance and low latency required in a highly segmented environment
5. FortiGate virtual firewalls provide ISFW functionality in the SDDC and public clouds
6. Wide range of physical and virtual FortiGate ISFW appliances to fit performance and scalability required for optimized segmentation
throughout the network
7. A scalable, manageable and automated end-to-end solution with FortiManager, FortiAnalyzer/FortiView and FortiAuthenticator
Management
ISFW is a component of Fortinet's end-to-end security platform, from secured wireless access to physical and virtual data center firewalls and application-level security appliances, all managed under a single pane of glass with FortiManager and FortiAnalyzer.
In an ISFW deployment, the number of defined policies is expected to grow with policy-driven internal segmentation. In addition, any firewall in the enterprise network should be capable of dynamically enforcing policy-based segmentation, which requires every firewall to be aware of the entire range of policies defined.
Such requirements can create a heavy management burden and consume firewall resources.
Fortinet's FortiManager, FortiAnalyzer and FortiAuthenticator address these issues as follows:
1. Policies are defined once, in FortiManager
2. FortiManager automatically distributes the policies to the firewalls participating in ISFW segmentation
3. User awareness and scalable policy-based segmentation are achieved through FortiAuthenticator, which integrates and automates the link between FortiGate firewalls and the directory services
4. FortiAnalyzer and FortiView provide granular and aggregated traffic visibility (users, devices, applications, threats, etc.) throughout the enterprise
Summary
As threats grow in number, sophistication and impact, it is clear that placing all the security emphasis on the network perimeter is not enough.
Internal Segmentation Firewalls give organizations an additional layer of protection inside the network perimeter, protecting critical assets while improving their ability to detect breaches and shortening the time to mitigation.
With high-performance virtual and physical ISFWs under single-pane-of-glass management, Fortinet leads the way with a granular, cost-effective and high-performance end-to-end ISFW solution for the most demanding organizations and environments.
Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. 09 Oct 2015
www.fortinet.com