
SECURITY.

FROM THE INSIDE OUT.


NEW BREACH DEFENSE STRATEGIES

Security Without Compromise

CONTENTS
INTRODUCTION
SECTION 1: THE PERIMETER ISN'T ENOUGH
SECTION 2: NEW DEFENSES: THE INTERNAL FIREWALL
SECTION 3: HOW TO CHOOSE AN ISFW
CONCLUSION

INTRODUCTION
Breaches have moved from the domain of the CIO or CISO to the CEO. Boards of Directors and other external bodies are now asking their corporations some strong questions: What contingencies are in place to protect against an advanced attack or a data breach? What strategies have you implemented for dealing with an incident if it does penetrate your infrastructure?

This is strategic now. CEOs and Boards have elevated the discussion to calculating risk and building effective solutions to prepare for what many see as inevitable. Here we'll discuss why the traditional perimeter-based protection strategies are no longer enough and why deploying specialized internal segmentation firewalls throughout your organization may help give your network the edge it needs to respond and react to today's advanced threats.


01 THE PERIMETER ISN'T ENOUGH
Not too long ago, access to the Internet was very tightly controlled. A typical enterprise network may have consisted of a couple of redundant links to the Internet and all traffic would flow through a single point. This allowed enterprises the ability to deploy a perimeter firewall between the Internet and all its evils and the safety of your internal network. Today though, the picture is much different. With the rapid proliferation of devices, the rise of BYOD, the use of the cloud and cloud technologies, and the Internet of Things, the attack surface available to attackers can no longer be contained. It's simply not enough to set up a firewall on the perimeter of your network and cross your fingers. That approach is no longer effective. Threats today continue to evolve and increase in volume, and your network defenses must adapt to meet this new reality.


Companies are spending more money than ever on network security. With that in mind, you may be wondering why breaches are still happening. Enterprises have typically focused the majority of their security spend on the data center and the core network. After all, that's where the bulk of the company's sensitive data exists! But attackers are clever. They're not focusing all of their energy and resources on the data center anymore, at least not directly. Attackers are spending considerable time compromising endpoints and other systems outside of the core network. An attacker will compromise an endpoint user, steal their credentials, and then use that access to begin to move laterally around the network. They will often explore and map out devices and systems in close proximity to their initial entry point and look for ways to compromise other systems, elevate their privileges, exploit unpatched vulnerabilities on internal systems, plant more malware and steal data. Once the attacker has gathered up the information they've stolen, they'll use that earlier research to find a stealthy way of absconding with all their plunder.


What happens when an attacker gets through? Various analyses from many sources all agree that right now, it can take a long time before a breach is discovered and an attacker stymied. The costs to your business could be in the millions: forensics, remediation, legal costs, additional defenses, they all could cost your organization untold amounts of money. And the impact on your reputation and brand? That could be incalculable.

Today's security strategy requires you to have an understanding that effective security requires the construction of internal defenses as well as protecting the perimeter. Monitoring your internal traffic is arguably as critical today as monitoring the traffic coming in from the Internet as a whole. So what can a security team do today to bolster their defenses?

Why aren't current firewall deployments enough anymore? Attackers are able to leverage more and more techniques to evade perimeter protection, but in many cases they don't need to. As we mentioned earlier, there are more ways into a network than ever. All have the potential to bypass the protection at the perimeter.


02 NEW DEFENSES: THE INTERNAL FIREWALL
As part of an effective defense strategy, you need to be able to effectively segment your network into smaller chunks, keeping teams with unique job functions separate. For example, your development teams likely have no reason to access systems relating to accounting, and your HR systems probably have no reason to connect to Finance.

Most perimeter-based protection solutions do a poor job at outbound inspection of traffic, if at all. Outdated deployments often assume that what's inside your network is safe or innocuous and focus on protecting the inside from the bad outside. Those firewalls that do provide some measure of outbound inspection often struggle with the additional loads asked of them and can lead to significant bottlenecks or performance issues.

Defense-in-depth isn't a new term, and many enterprises have implemented it in some fashion. Defense-in-depth allows you to place multiple security controls throughout your network in the hopes of detecting an incident at some point during the attack cycle. The Internal Segmentation Firewall (ISFW) extends the defense-in-depth concept even further by building those chunks and watching for traffic that is not typical.


How does the ISFW detect things that the perimeter firewall does not? It's critical to understand that the ISFW is not designed to detect things that the perimeter cannot. Your ISFW should be designed with specific policies in mind to allow your users to access the things they should be accessing, and either slow down the access to, or prevent access to other segments of your network entirely. So in the case where an attacker compromises an endpoint belonging to a member of your accounting team, they should not be able to move throughout the network and onto the systems controlling your Point of Sale systems or e-commerce systems. Your ISFW should be able to detect these attempts to access systems outside of the user's normal activities and alert accordingly. Beyond that, your ISFW may be able to identify and block threats from malware, botnets or other malicious activities that found a way past your perimeter defenses. For example, the ZeroAccess botnet is well known for being very chatty. It will often search for other bots to communicate with to receive commands. Your ISFW, because it is located close to the infected endpoint, may be uniquely equipped to detect that chatter and alert your security team faster than you may expect from your perimeter appliance.
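To make the two ideas in this section concrete (a per-segment policy that allows only the flows a job function needs, and an alert on the peer-to-peer "chatter" an infected endpoint produces), here is a small added Python illustration. It is not Fortinet code and not how any ISFW product is implemented; the segment ranges, the allow-list, the fan-out threshold and the flow records are all constructed for the example.

```python
"""Toy internal-segmentation policy check with a peer-chatter alert.

Added illustration only. The segment plan, the allow-list, the
FANOUT_LIMIT threshold and the sample flow lines are all constructed
assumptions, not values from any product or real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment plan: one /24 per job function (assumption).
SEGMENTS = {
    "dev":        ip_network("10.10.0.0/24"),
    "accounting": ip_network("10.20.0.0/24"),
    "hr":         ip_network("10.30.0.0/24"),
    "finance":    ip_network("10.40.0.0/24"),
    "pos":        ip_network("10.50.0.0/24"),
}

# Constructed allow-list of (source segment, destination segment, dst port).
# Traffic inside one segment is allowed; everything else not listed is denied.
ALLOWED = {
    ("accounting", "finance", 443),
    ("finance", "accounting", 445),
}

# A host that contacts more than this many distinct internal peers in one
# window is flagged as "chatty" (assumed threshold for the example).
FANOUT_LIMIT = 5


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def decide(flow):
    """Return 'allow' or 'deny' for one flow dict with src, dst and dport."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if src_seg == dst_seg and src_seg != "unknown":
        return "allow"
    if (src_seg, dst_seg, flow["dport"]) in ALLOWED:
        return "allow"
    return "deny"


def parse_flows(lines):
    """Parse constructed flow lines of the form 'src=A dst=B dport=N'."""
    flows = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        flows.append({"src": fields["src"], "dst": fields["dst"],
                      "dport": int(fields["dport"])})
    return flows


def evaluate(lines):
    """Apply the policy to every flow; collect denials and chatter alerts."""
    flows = parse_flows(lines)
    denied = []
    peers = defaultdict(set)
    for f in flows:
        if decide(f) == "deny":
            denied.append((f["src"], f["dst"], f["dport"]))
        peers[f["src"]].add(f["dst"])
    chatty = sorted(h for h, p in peers.items() if len(p) > FANOUT_LIMIT)
    return {"denied": denied, "chatty": chatty}


# Constructed sample: an accounting workstation reaching toward POS, an HR
# host touching Finance, and a dev host probing many peers on one port.
SAMPLE_FLOWS = [
    "src=10.20.0.15 dst=10.40.0.8 dport=443",   # accounting -> finance: allowed
    "src=10.20.0.15 dst=10.50.0.3 dport=22",    # accounting -> POS: denied
    "src=10.30.0.7 dst=10.40.0.8 dport=445",    # HR -> finance: denied
    "src=10.10.0.9 dst=10.10.0.20 dport=8080",  # dev -> dev: same segment
] + [f"src=10.10.0.9 dst=10.10.0.{i} dport=9999" for i in range(30, 37)]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FLOWS)
    for d in result["denied"]:
        print("DENY", d)
    for h in result["chatty"]:
        print("ALERT chatty host", h)
```

The policy side is deliberately default-deny between segments: only listed (source, destination, port) triples cross a boundary, which is what keeps a compromised accounting workstation away from the POS segment. The chatter side needs no signature at all; it only counts distinct internal peers per source, which is the kind of visibility a device sitting at the access layer has and a perimeter appliance does not.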



The ISFW is best deployed as close to the Access Layer as possible as it will allow you the greatest access to your network assets and the bulk of your internal traffic. By deploying ISFWs in this fashion, for example, intersecting all of your uplinks from the access layer to the core and distribution layer, you can gain significant visibility into all of that internal traffic. You can quickly deploy your ISFW similar to a switch, or what we call virtual wire mode. Not only does it facilitate rapid deployment, but also it avoids a significant amount of complexity around the configuration of a traditional perimeter appliance. You won't need to reconfigure IPs, gateways or other assets, and you'll gain a deep visibility into the traffic moving throughout your network.


03 HOW TO CHOOSE AN ISFW
Until recently, companies have been reluctant to add an additional layer such as ISFWs inside their infrastructure. Recent statistics show that as much as three-quarters of your traffic moving in and out of your data center is now inside your infrastructure. Firewalls with the throughput, processing ability and port density to monitor that internal traffic were either unavailable or incredibly cost-prohibitive. Add to that the disruptions in deploying these devices, as well as the additional management burden on your already overworked security staff, and it's clear why enterprises decided to focus their resources elsewhere.


Perhaps the most important factor in deciding on an ISFW solution today is performance. Even wireless networks are approaching real world throughputs in the gigabit range, and gigabit at the desktop is the rule now, not the exception. To meet those speed demands, you must have an ISFW that can offer you the port density and speed to service those networks. Your security infrastructure must be able to perform at wire-speed or near wire-speed. Users will not accept any decrease or degradation in performance. It's just not efficient to repurpose an existing or decommissioned firewall if it is unable to perform without creating a bottleneck.

Also key in making a decision is integration with your existing security infrastructure. Does your staff need to retrain to use it? Are they able to extend the knowledge and skills gained from using their perimeter devices to the ISFW? Finally, the tangible and intangible deployment costs must be considered. Can you deploy your ISFWs quickly and efficiently? How much network disruption is needed to place an ISFW in-line?


CONCLUSION
Segmenting your network isn't a new idea. Traditional segmentation models relied on ineffective measures built around networking technologies. To a skilled attacker, it's just another speed bump.

You need to deploy roadblocks to slow attackers down. With the advances in firewall performance today, new segmentation strategies can now be realized: strategies that protect your network not only from threats on the outside, but also from threats that appear on the inside as well. Today's high-performance ISFWs allow you to build an effective internal segmentation strategy to protect the assets that are important without sacrificing business performance or causing disruption to your business.

Security Without Compromise


www.fortinet.com

Copyright 2016 Fortinet, Inc. All rights reserved.
