ISFW-WP

8/16/2019 ISFW-WP

1/8

WHITE PAPER

Internal Segmentation Firewall (ISFW)

Protecting Your NetworkFrom the Inside-Out

8/16/2019 ISFW-WP

2/8

2 www.fortinet.com

Key Requirements

n COMPLETE PROTECTION –Continuous inside-out protectionagainst advanced threats with asingle security infrastructure

n POLICY-DRIVEN To better control andcompartmentalize users and limitthreat vectors access to sensitiveresources

n EASY DEPLOYMENT –

Default Transparent Mode meansno need to re-architect thenetwork and centrally deployedand Managed

n HIGH PERFORMANCE –Multi-gigabit performance supportswire speed East-West trafc

SummaryFor the last decade organizations have been trying to protecttheir networks by building defenses across the borders of theirnetwork. This includes the Internet edge, perimeter, endpoint,and data center (including the DMZ). This ‘outside-in’ approachhas been based on the concept that companies can controlclearly dened points of entry and secure their valuable assets.

The strategy was to build a border defense as strong as possibleand assume nothing got past the rewall.

As organizations grow and embrace the latest IT technology such as Mobility andCloud the traditional network boundaries are becoming increasingly complex to control

and secure. There are now many different ways into an enterprise network.

Not long ago, rewall vendors marked the ports on their appliances ‘External’(Untrusted) and ‘Internal’ (Trusted). However, advanced threats use this to theiradvantage because, once inside, the network is very at and open. The inside of thenetwork usually consists of non-security aware devices such as switches, routers andeven bridges. So once you gain access to the network as a hacker, contractor or evenrogue employee, then you get free access to the entire enterprise network including allthe valuable assets.

The solution is a new class of rewall – Internal Segmentation Firewall (ISFW), thatsits at strategic points of the internal network. It may sit in front of specic serversthat contain valuable intellectual property or a set of user devices or web applicationssitting in the cloud.

Table of ContentsSummary .......................................................................................................................2

Advanced Threats Take Advantage of the “Flat Internal” Network ..................................3

The Answer is a New Class of Firewall – Internal Segmentation Firewall .........................4

ISFW Technology Requirements ....................................................................................6

Conclusion ....................................................................................................................8

8/16/2019 ISFW-WP

3/8

3

WHITE PAPER: PROTECTING YOUR NETWORK FROM THE INSIDE–OUT – INTERNAL SEGMENTATION FIREWALL (ISFW)

Advanced Threats Take Advantageof the “Flat Internal” Network Cybercriminals are creating customized attacks to evadetraditional defenses, and once inside, to avoid detection andenable egress of valuable data. Once inside the network there

are few systems in place to detect or better stil l protectagainst APTs.

It can be seen from the threat life cycle in Figure 1 that oncethe perimeter border is penetrated, the majority of the activitytakes place inside the boundary of the network. Activitiesinclude disabling any agent-based security, updates from thebotnet command and control system, additional infection/ recruitment and extraction of the targeted assets.

Once in place, the ISFW must provide instant “visibility” totrafc traversing into and out of that specic network asset.

This visibility is needed instantly, without months of networkplanning and deployment.

Most importantly the ISFW must also provide “protection”because detection is only a part of the solution. Siftingthrough logs and alerts can take weeks or months; theISFW needs to deliver proactive segmentation and real-timeprotection based on the latest security updates.

Finally, the ISFW must be exible enough to be placedanywhere within the internal network and integrate with otherparts of the enterprise security solution under a single paneof management glass. Other security solutions can alsoprovide additional visibility and protection. This includes theemail gateway, web gateway, border rewalls, cloud rewallsand endpoints. Further, Internal Segmentation Firewalls needto scale from low to high throughputs allowing deploymentacross the global network.

FIGURE 1 – ADVANCED THREAT LIFE CYCLE

1 2

34

Disposal

Threat Production+ Recon

Threat Vector Infection

Extraction Communication

Scan for vulnerabilitiesDesign phishing emailsCustomize malware, etc.

InternalExternalSocial EngineeringZero Days ExploitsMalicious URLsMalicious Apps, more

Hide, Spread,Disarm, Access,Contact Botnet C&C,Update

Package &Encrypt Stage

APP URL

8/16/2019 ISFW-WP

4/8

4 www.fortinet.com


The Answer is a New Class of Firewall –Internal Segmentation Firewall (ISFW)Most rewall development over the past decade has beenfocused on the border, the Internet edge, perimeter (hostrewall), endpoint, data center (DMZ) or the cloud. Thisstarted with the stateful rewall but has evolved to includeUnied Threat Management (UTM) for distributed networks,which brought together the rewall, intrusion detection andantivirus. Later came the Next Generation Firewall (NGFW),which included intrusion prevention, and application controlfor the Internet edge. More recently because of the hugeincrease in speeds, Data Center Firewalls (DCFW) havearrived to provide more than 100Gbps of throughput. All ofthese rewalls have in common an approach designed toprotect from the “outside-in.”

For rapid internal deployment and protection, a new class ofrewall is required – Internal Segmentation Firewall (ISFW).

The Internal Segmentation Firewall has some differentcharacteristics when compared to a border rewall. Thedifferences are laid out in gure 2.

Foundation of ISFWEnterprises should deploy ISFW with next generationfunctionalities in strategic points within the internal network,adding an additional security layer to provide the followingsecurity benets:

n Control access to critical resources/assets as close aspossible to the user via policy-driven segmentation.n Establish security barriers to stop and limit the uncontrolledspread of threats and hackers activity within the internalnetwork via the implementation of advanced securitymechanisms.n Limit the potential damage of threats inside the perimeter.n Increase threat visibility and enhance breach discovery andmitigation.n Strengthen the enterprise’s overall security posture.

FIGURE 2 – FIREWALL TYPE DIFFERENCES

Deployment Mode ISFW NGFW DCFW UTM CCFW

Purpose Visibility & protectionfor internal segments

Visibility & protec-tion against externalthreats and internetactivities

High performance,lowlatency networkaprotection

Visibility & protec-tion against externalthreats and useractivities

Network security forService Providers

Location Access Layer Internet Gateway Core Layer/DCGateway

Internet Gateway Various

Network Operation Mode Transparent Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode NAT/Route Mode

Hardware Requirements Higher port density toprotect multiple assets

GbE and 10GbE ports High speed (GbE/10GbE/40 GbE/100) &

high port density,hardware acceleration

High GbE port density,integrated wireless

connectivity and POE

High speed (GbE/10GbE/40 GbE) &

high port density,hardware acceleration

Security Components Firewall, IPS, ATP, Application Control

(User-based) Firewall, VPN, IPS, ApplicationControl

Firewall, DDoS protec-tion

Comprehensive andextensible, client anddevice integration

Firewall, CGN, LTE& mobile security

Other Characteristics Rapid Deployment– near zero congura-tion

Integration with Advanced ThreatProtection (Sandbox)

High Availability Different WANConnectivity Optionssuch as 3G4G

High Availability

8/16/2019 ISFW-WP

5/8

5


The ISFW needs to provide easy deployment The ISFW must be easy to deploy and manage. Keepingit simple for IT means being able to deploy with minimumconguration requirements and without having to re-architect

the existing network.

The ISFW must also be able to protect different types ofinternal assets placed at different parts of the network. Itcould be a set of servers containing valuable customerinformation or a set of endpoint devices that may not be ableto be updated with the latest security protection.

Additionally the ISFW must be able to integrate with otherparts of the enterprise security solution. Other securitysolutions can also provide additional visibility and protection.

This includes the email gateway, web gateway, borderrewalls, cloud rewalls and endpoints. This all needs to bemanaged with a ‘single pane of glass’ approach. This allowssecurity policies to be consistent at the border, inside thenetwork and even outside the network in clouds.

Additionally, traditional rewalls are usually deployed in routingmode. Interfaces (ports) are well dened with IP addresses.

This often takes months of planning and deployment. This isvaluable time in today’s instant cyber attack world. An ISFW

can be deployed in the network rapidly and with minimumdisruption. It must be as simple as powering on a deviceand connecting. It must be transparent to the network andapplication.

The ISFW needs to provide wire-speed performanceBecause internal segmentation rewalls are deployed in-linefor network zoning, they must be very high performance inorder to meet the demands of internal or “East/West” trafc,and to ensure they do not become a bottleneck at thesecritical points. Unlike rewalls at the border which deal with

Wide Area Network (WAN) access or Internet speeds ofless than 1 gigabit per second, internal networks run muchfaster – multi-gigabit speeds. There, ISFWs need to operateat multi-gigabit speeds and be able to provide deep packet/ connect inspection without slowing down the network.

The ISFW needs to provide policy-drivensegmentationPolicy – driven segmentation enables better control andcompartmentalization of user’s access to applicationsand resources via the association of the user’s identity

with specic security policies enforcement. Policy-basedsegmentation can limit potential attack vectors and threatsvehicled by the user.

Policy-based segmentation can be dened as the automaticassociation of user’s identity and the enforced security policy.

A user’s identity may be dened as a set of attributes, suchas physical location, the type of device used to access thenetwork, the application used, etc. As the user’s identitymay change dynamically, the enforced security policy mustdynamically and automatically follow the user’s identity.

In order to achieve the required user identication and theoverall parameters needed to create and enforce granularsecurity policies, ISFW must be able to:1. Allow user, device and application identication2. Provide integration with directory services solutions toidentify user’s identity3. Dynamically map a user’s identity to a specic securitypolicy and enforcement

The ISFW needs to provide complete protection The rst element of security is visibility. And visibility is onlyas good as network packet knowledge. What does a packetstream look like for a specic application, where did it comefrom, where is it going, even what actions are being taken(download, upload…).

The second and equally important element is protection. Isthe application, content or actions malicious? Should thistype of trafc be communicating from this set of assetsto another set of assets? While this is very difcult across

different content and application types, it is an essential partof the ISFW. The ability to detect a malicious le, applicationor exploit gives an enterprise time to react and contain thethreat. All of these protection elements must be on a singledevice to be effective.

Both visibility and protection are heavily reliant on a realtime central security threat intelligence service. A questionthat always needs to posed – how good is the visibility andprotection. Is it keeping up with the latest threats? That’s whyall security services should be measured on a constant basiswith 3rd party test and certication services.

8/16/2019 ISFW-WP

6/8

6 www.fortinet.com


ISFW Technology Requirements A Flexible Network Operating System Almost all rewall “deployments modes” require IP allocationand reconguration of the network. This is known as networkrouting deployment and provides trafc visibility and threatprevention capabilities. At the other end of the spectrumis sniffer mode, which is easier to congure and providesvisibility, but does not provide protection.

Transparent mode combines the advantages of NetworkRouting and Sniffer modes – it provides rapid deployment andvisibility plus, more importantly, protection. The differences aresummarized in Figure 3.

A Scalable Hardware ArchitectureBecause internal networks run at much higher speedsthe ISFW needs to be architected for multi-gigabit protectionthroughput. Although CPU-only based architectures are

exible they become bottlenecks when high throughputis required. The superior architecture still uses a CPU forexibility but adds custom ASICs to accelerate network trafcand content inspection.

Because the ISFW is deployed in closer proximity to the dataand devices, it may sometimes need to cope with harsherenvironments. Availability of a more ruggedized form factor istherefore another requirement of ISFWs.

Deployment

Mode

Deployment

Complexity

Network

Functions

High

Availability

Trafc

Visibility

Threat

ProtectionNetworkRouting High L3-Routing 4 4 4

Transparent Low L2-Bridge 4 4 4

Sniffer Low X X 4 X

FIGURE 3 – FIREWALL TYPE DIFFERENCES

INTERNAL CLOUD

INTERNAL

D a t a C en

t er

INTERNAL

E n d p o i n t

C a m p u s

ISFW

ISFW

EdgeFirewall(NGFW)

Data Center Firewall(DCFW)

UniedThreatManagement(UTM)

ISFW

ISFW

B r a n c h

INTERNET

Virtual ISFW

Applications

FIGURE 4 – Internal Segmentation Firewall(ISFW) DEPLOYMENT

8/16/2019 ISFW-WP

7/8

7


Enhancing Advanced ThreatProtection with Internal Visibility

A proper approach to mitigating advanced threats shouldinclude a continuous cycle of Prevention, Detection, andMitigation. Very typically a Next-Generation Firewall would

serve as a key foundation of the Prevention component,enabling L2/L3 rewall, intrusion prevention, applicationcontrol and more to block known threats, while passinghigh-risk unknown items to a sandbox for Detection. But withNGFW’s deployed traditionally at the network edge, this onlyprovides partial visibility into the attack life cycle by primarilyobserving ingress and egress activity.

Network Segmentation –High Speed Integrated Switching

An evolving aspect of transparent mode is the ability tophysically separate subnetworks and servers via a switch.

Firewalls are starting to appear on the market with fullyfunctional, integrated switches within the appliance. Thesenew rewalls, with many 10GbE port interfaces, become anideal data center ‘top-of-rack’ solution, allowing servers to bephysically and virtually secured. Also, similar switch-integratedrewalls with a high density of 1GbE port interfaces becomeideal for separation of LAN subsegments. ISFWs should beable to fulll both of these roles, and as such should ideallyhave fully functional, integrated switching capabilities.

Real-time SecurityInternal Segmentation Firewalls must be able to deliver afull spectrum of advanced security services, including IPS,application visibility, antivirus, anti-spam, and integration withcloud-based sandboxing, allowing for the enforcement ofpolicies that complement standard border rewalls. This real-time visibility and protection is critical to limiting the spread ofmalware inside the network.

Network Wide ISFW Deployment ExampleMost companies have set up border protection with rewalls,

NGFWs and UTMs. These are still critical parts of the networkprotection. However to increase the security posture, InternalSegmentation Firewalls can be placed strategically internally.

This could be a specic set of endpoints where it is hardto update security or servers where intellectual property isstored.

Segment ISFW Deployment Example The ISFW is usually deployed in the access layer and protectsa specic set of assets. Initially the deployment is transparentbetween the distribution and access switches. Longer term

the integrated switching could take the place of the accessand distribution switch and provide additional physicalprotection.

FIGURE 6 – ADVANCED THREAT PROTECTION (ATP) FRAMEWORK

To Internet

DISTRIBUTION/ CORE LAYER

ACCESS LAYER

LOCAL SERVERS USER NETWORK DEVICES

Access Switch / VLAN

Core/Distribution Switch

n FortiGate wire intercept using transparent

port pair n High speed

interface connectivity n IPS, ATP &

App Control

FIGURE 5 –INTERNAL SEGMENTATION FIREWAL (ISFW) DEPLOYMENT

8/16/2019 ISFW-WP

8/8


Deployment of an ISFW can provide more complete visibilityinto the additional internal activity of the hackers once they’vecompromised the edge. Lateral movement can account fora signicant portion of the malicious activity as the hackerstry to identify valuable assets and extract data, and having a

complete picture of both internal and edge activity enhancesall phases of a complete ATP framework. With internalnetwork trafc often being several times the bandwidth ofedge trafc, an ISFW can provide many more opportunitiesto limit the spread of the compromise from known techniquesand more high-risk items to be passed to sandboxes fordeeper inspection.

Conclusion Advanced Threats are taking advantage of the at Internalnetwork. Once through the border defense there is little tostop their spread and eventual extraction of valuable targetedassets. Because traditional rewalls have been architected toslower speeds of the Internet Edge its hard to deploy thesesecurity devices internally. And rewall network congurationdeployments (IP addresses) take a long time to deploy.

Internal Segmentation Firewalls are a new class of rewallthat can be deployed rapidly with minimum disruption while

keeping up the multi-gigabit speeds of internal networks.Instant visibility and protection can be applied to specicparts of the internal network.

Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet ®, FortiGate ®, FortiCare ® and FortiGuard ®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or commonlaw trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performanceand other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whetherexpress or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identied product will perform according to certain expressly-identiedperformance metrics and, in such event, only the specic performance metrics expressly identied in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the sameideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise thispublication without notice, and the most current version of the publication shall be applicable. October 16, 2015 6:15 PM X:\01_BROCHURES\02_WHITEPAPERS\WhitePaper-ISFW Folder\WP-Protecting-Your-Network-From-the-Inside-Out_A

GLOBAL HEADQUARTERSFortinet Inc.899 Kifer RoadSunnyvale, CA 94086United States

Tel: +1.408.235.7700www.fortinet.com/sales

EMEA SALES OFFICE120 rue Albert Caquot06560, Sophia Antipolis,France

Tel: +33.4.8987.0510

APAC SALES OFFICE300 Beach Road 20-01

The ConcourseSingapore 199555

Tel: +65.6513.3730

LATIN AMERICA SALES OFFICEPaseo de la Reforma 412 piso 16Col. JuarezC.P. 06600México D. F.

Tel: 011-52-(55) 5524-8428

Documents

ISFW-WP