The Internal Segmentation Firewall: The Future (Source: Fortinet.com)
Introduction
Vendor vulnerabilities, as well as the deployment of freeware firewalls, continue to surface at a rapid pace. Each vulnerability seems to stem from something such as a flaw in code or a weakness in the configuration of another component. Given the huge number of firewall vulnerabilities surfacing today, it is paramount to develop a more complete framework for understanding what firewalls do when they receive incoming traffic and what can go wrong when they process it.
The Outside-In Approach
One of the principal elements of any organization’s security platform is implementing and maintaining firewalls. Over the last decade, however, organizations have tried to protect their networks by putting up defenses across the periphery of the network: the internet edge, endpoints, the perimeter, the data center, and its perimeter network or DMZ. This ‘outside-in’ approach has been largely based on the idea that an organization can control a defined set of entry points and thereby protect its valuable resources. As organizations grow and adopt the latest IT technology such as cloud and mobility, conventional network boundaries are becoming more and more difficult to safeguard and manage, because there are now so many ways into the enterprise network.

Recently, firewall vendors distinctly marked the ports of their appliances as ‘internal’ (trusted) and ‘external’ (untrusted), but more advanced threats turn this to their advantage precisely because, once inside, the network is very flat and open. The inside of the network is generally composed of non-security-aware devices such as routers, switches, and bridges, so once hackers, rogue employees, or contractors gain access to the network, they have unhindered access to the whole enterprise network, including all the valuable assets inside.
Source: Verizon’s 2020 Data Breach Investigation Report
As many breaches have demonstrated, placing inordinate trust in perimeter protection alone puts organizations in a precarious and often costly situation. A great many data breaches, the highest-profile cases included, are invariably the direct result of cyber-criminal activity that went undetected for several months, even though hackers can undermine an organization in just a couple of minutes. According to Verizon’s 2020 Data Breach Investigation Report, phishing, business email compromise, and errors cause the majority of breaches (67% or more). These tactics are potent for attackers, so they are likely to return to them time and again; for organizations, these tactics must be the focus of the bulk of security efforts.
Additionally, the same Verizon 2020 Data Breach Investigation Report finds that money is the root motive at every level: financial motives accounted for 86% of breaches, 70% of breaches were caused by outsiders, 27% of incidents are attributed to ransomware, and 43% of breaches were attacks on web applications, up from last year.
Incidentally, personal data is also being swiped more often: it figures in 58% of breaches, virtually twice the percentage in last year’s data. These thefts are being reported more often because of disclosure regulations. The data includes names, physical addresses, email addresses, phone numbers, and any other type of data one might find hidden in an email or stored in a misconfigured database.
It is believed that hackers had access for at least six months before detection. These breaches not only draw unwelcome public attention, which typically results in a loss of customer confidence, but also carry a cost of recovery that can cripple organizations worldwide. The Ponemon Institute’s 2020 Cost of a Data Breach Report shows some consistency with past research: the global average total cost of a data breach was $3.86 million in the 2020 study, a decrease of about 1.5% from the 2019 study but in line with previous years.
The ISFW Solution
How to Implement Internal Segmentation (Source: Fortinet.com/Solutions)
Fortunately, there are solutions that go well beyond perimeter protection and offer the kind of coverage that can help an organization better identify and remediate a breach when one occurs. The solution is the ISFW (Internal Segmentation Firewall), which sits at strategic locations in the internal network and adds an extra layer of security. An ISFW may sit in front of servers containing valuable intellectual property, in front of a set of user devices, or in front of web applications in the cloud, protecting those resources against any threat that has crossed the perimeter.
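As an added example (not Fortinet’s code and not from the original article), the following Python script models the placement just described: a rulebase evaluated at the boundary between a user segment, a segment of servers holding intellectual property, and a web tier. The zone names, address ranges, ports and rules are all constructed assumptions. It contrasts the decision a flat network makes for each flow (everything allowed) with the decision the ISFW rulebase makes for the same flows.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zones behind the ISFW; the address ranges are constructed for
# this example and are not from the article.
ZONES = {
    "users":      ipaddress.ip_network("10.10.0.0/16"),   # user devices
    "ip-servers": ipaddress.ip_network("10.20.0.0/24"),   # servers holding intellectual property
    "web-tier":   ipaddress.ip_network("172.16.5.0/24"),  # web application servers
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset = frozenset()   # empty set means any destination port
    action: str = "deny"                 # "allow" or "deny"

    def matches(self, src_zone, dst_zone, dst_port):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (not self.dst_ports or dst_port in self.dst_ports))


# Constructed segmentation policy, evaluated first-match like a firewall rulebase.
ISFW_POLICY = [
    Rule("users",    "web-tier",   frozenset({443}),  "allow"),  # users reach the web app over HTTPS only
    Rule("web-tier", "ip-servers", frozenset({5432}), "allow"),  # web tier talks to the database port only
    Rule("users",    "ip-servers", frozenset(),       "deny"),   # workstations never touch the IP servers directly
]
DEFAULT_ACTION = "deny"   # anything not explicitly allowed across a zone boundary is dropped


def zone_of(ip):
    """Map an address to the zone it belongs to ("unknown" if outside every zone)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flat_network(src_ip, dst_ip, dst_port):
    """Model of the flat internal network the article describes: there is no
    enforcement point between internal hosts, so every east-west flow succeeds."""
    return "allow"


def isfw(src_ip, dst_ip, dst_port, policy=ISFW_POLICY):
    """Return (action, reason) for a flow evaluated by the ISFW at the zone boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic that stays inside one zone never reaches the ISFW; how finely
        # the network is segmented decides how much traffic the firewall sees.
        return "allow", f"intra-zone ({src})"
    for i, rule in enumerate(policy):
        if rule.matches(src, dst, dst_port):
            return rule.action, f"rule {i}: {rule.src_zone}->{rule.dst_zone}"
    return DEFAULT_ACTION, f"implicit default ({src}->{dst})"


# Constructed flows: a normal user session, the web tier's database call, and a
# compromised workstation and web server each attempting SMB toward the IP servers.
FLOWS = [
    ("10.10.4.7",   "172.16.5.10", 443),
    ("172.16.5.10", "10.20.0.15",  5432),
    ("10.10.4.7",   "10.20.0.15",  445),
    ("172.16.5.10", "10.20.0.15",  445),
]


def compare(flows=FLOWS):
    """Side-by-side decision for each flow: flat network vs. ISFW rulebase."""
    rows = []
    for src, dst, port in flows:
        action, reason = isfw(src, dst, port)
        rows.append((src, dst, port, flat_network(src, dst, port), action, reason))
    return rows


if __name__ == "__main__":
    for src, dst, port, flat, seg, reason in compare():
        print(f"{src:>12} -> {dst:<12}:{port:<5} flat={flat:<5} isfw={seg:<5} ({reason})")
```

The two SMB flows are the interesting rows: the flat model lets both through, while the ISFW drops the workstation’s attempt on an explicit rule and the web server’s attempt on the implicit default. An explicit deny rule ahead of the default is worth keeping even though the default would catch the flow, because it names the relationship in the log and makes the policy intent reviewable.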
Since hackers have evolved from mere hobbyists into exceptionally skilled professionals, the techniques they use have evolved remarkably, often providing them with inexcusable access even when conventional protection devices remain active. The advanced persistent threat is one specific category of advanced threat that is raising concern in the security community. It is often a targeted attack consisting of a set of stealthy and continuous computer hacking procedures, usually orchestrated by humans, whose aim is not only to gain access to a particular entity but also to spend days, weeks, or even months scouring the network to gather intelligence for subsequent attacks. Moreover, advanced threats take full advantage of the flat internal network typical of today’s organizations: once such a threat passes the perimeter defenses, there is nothing to stop it from spreading and eventually extracting the valuable assets it targets.
To counter these threats effectively, there are processes to follow, namely:
Risk Mitigation - The purpose of this is to prepare responses to likely eventualities. An ISFW (Internal Segmentation Firewall), strategically and intelligently deployed, can block suspicious activity from continuously gathering valuable data that, if it falls into unscrupulous hands, can effectively cripple an organization.
Prevention - This relies heavily on possessing the latest security tools that can act on well-known threats and threat information and statistics. It helps stop some of the many well-known attacks, although this can be difficult considering that advanced attacks are often driven by the human component. For example, most advanced attacks start with malicious emails or click-through ads that single out a particular person in an organization. NGFWs (Next-Generation Firewalls) can partially cover the prevention component by enabling L2/L3 firewalling, application control, intrusion prevention, and more, but because NGFWs are deployed only at the borders they provide only limited visibility into the attack life-cycle, principally detecting ingress and egress activity. As organizations fall prey to well-crafted advances, cyber-criminals can exploit them and deploy malware capable of spreading across the network, resulting in stolen data. Guidance helps.
Detection & Identification - The crucial part of success here is enhanced visibility, an area where ISFWs thrive: they detect previously unknown threats. If hackers penetrate the perimeter, an ISFW strategically located within the network will recognize behavior that falls outside the usual or otherwise appears unauthorized. Most malicious activity involves internal movement as cyber-criminals strive to pinpoint valuable information and ultimately extract data, and having a complete picture of both internal and perimeter activity strengthens every stage of an ATP (Advanced Threat Protection) infrastructure. Since internal traffic is frequently many times the bandwidth of perimeter traffic, an ISFW can and will provide several opportunities to limit the growth of a compromised segment by applying well-known methods and promptly passing higher-risk items to sandboxing for extensive investigation.
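The detection step described above can be illustrated with a small analysis over flow logs from an internal firewall. This is an added example, not the article’s or Fortinet’s code; the log format, field names, ports and thresholds are assumptions chosen for the example, and the log lines are constructed. It flags a source that reaches many distinct internal hosts on remote-administration ports within a short window, the kind of behavior that falls outside the usual and that a perimeter-only firewall never sees, and rates the alert by whether any of those connections were actually allowed through.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed east-west flow records in a simple key=value format. These are not
# real FortiGate logs; the field names are assumptions for this example.
SAMPLE_LOG = """\
ts=2020-09-01T10:00:01 src=10.10.4.7 dst=10.20.0.15 dport=445 action=deny
ts=2020-09-01T10:00:02 src=10.10.4.7 dst=10.20.0.16 dport=445 action=deny
ts=2020-09-01T10:00:03 src=10.10.4.7 dst=10.20.0.17 dport=3389 action=deny
ts=2020-09-01T10:00:04 src=10.10.4.7 dst=10.20.0.18 dport=445 action=deny
ts=2020-09-01T10:00:05 src=10.10.4.7 dst=10.20.0.19 dport=445 action=deny
ts=2020-09-01T10:00:06 src=10.10.4.7 dst=10.20.0.20 dport=22 action=deny
ts=2020-09-01T10:00:09 src=10.10.9.2 dst=172.16.5.10 dport=443 action=allow
ts=2020-09-01T10:00:12 src=10.10.9.2 dst=172.16.5.10 dport=443 action=allow
ts=2020-09-01T10:30:00 src=10.10.4.7 dst=172.16.5.10 dport=443 action=allow
ts=2020-09-01T10:30:05 src=172.16.5.10 dst=10.20.0.15 dport=5432 action=allow
ts=2020-09-01T10:30:06 src=172.16.5.10 dst=10.20.0.15 dport=5432 action=allow
ts=2020-09-01T10:30:07 src=172.16.5.10 dst=10.20.0.15 dport=5432 action=allow
"""

# Assumed tuning: remote-admin and file-sharing ports worth watching east-west,
# and how many distinct internal hosts one source may touch per window.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(line):
    """Turn one key=value log line into a dict with typed timestamp and port."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW, ports=ADMIN_PORTS):
    """Return one alert per source that touched at least `threshold` distinct
    internal hosts on admin ports inside a sliding time window of `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["dport"] in ports:          # ignore ordinary application traffic
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            targets = {r["dst"] for r in window_recs}
            # Keep the widest fan-out seen for this source so the alert lists
            # every host that was touched, not just the first five.
            if len(targets) >= threshold and (best is None or len(targets) > len(best["targets"])):
                allowed = sum(r["action"] == "allow" for r in window_recs)
                best = {
                    "src": src,
                    "first_seen": window_recs[0]["ts"],
                    "targets": sorted(targets),
                    "allowed": allowed,
                    "denied": len(window_recs) - allowed,
                    # Connections that got through mean movement succeeded;
                    # blocked-only fan-out still deserves triage but is less urgent.
                    "severity": "high" if allowed else "medium",
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['src']} reached {len(alert['targets'])} hosts "
              f"on admin ports from {alert['first_seen']}: "
              f"{alert['denied']} denied, {alert['allowed']} allowed")
```

In the constructed log, 10.10.4.7 sweeps six servers on SMB, RDP and SSH within five seconds and is denied every time, so the alert is rated medium: the segmentation policy held, and the deny records are themselves the detection signal. On a flat network those six attempts would have produced no log at all, because nothing sits between the workstation and the servers to either block or record them.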
Conclusion
An ISFW scrutinizes internal traffic closely, with the sole objective of identifying malicious activity inside the network, as opposed to just sitting at the perimeter tracking traffic going in and out. Significantly, an ISFW differs from other firewalls in that its primary objective is to take a much deeper dive into day-to-day traffic than popular next-generation firewalls do. More importantly, an ISFW can provide protection from the most recent sophisticated persistent threats, compartmentalize access to sensitive data, improve risk mitigation, boost protection as networks grow increasingly flat and open, and increase visibility into internal traffic.