For the last decade organizations have been trying to protect their networks by building defenses across the borders of their network. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This ‘outside-in’ approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall.
As organizations grow and embrace the latest IT technology such as Mobility and Cloud the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network.
Not long ago, firewall vendors marked the ports on their appliances ‘External’ (Untrusted) and ‘Internal’ (Trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non-security aware devices such as switches, routers and even bridges. So once you gain access to the network as a hacker, contractor or even rogue employee, then you get free access to the entire enterprise network including all the valuable assets.
The solution is a new class of firewall – Internal Segmentation Firewall (ISFW), that sits at strategic points of the internal network. It may sit in front of specific servers that contain valuable intellectual property or a set of user devices or web applications sitting in the cloud.
Once in place, the ISFW must provide instant “visibility” to traffic traversing into and out of that specific network asset. This visibility is needed instantly, without months of network planning and deployment.
Most importantly the ISFW must also provide “protection” because detection is only a part of the solution. Sifting through logs and alerts can take weeks or months; the ISFW needs to deliver proactive segmentation and real-time protection based on the latest security updates.
Finally, the ISFW must be flexible enough to be placed anywhere within the internal network and integrate with other parts of the enterprise security solution under a single pane of management glass. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls and endpoints. Further, Internal Segmentation Firewalls need to scale from low to high throughputs allowing deployment across the global network.
