Ten years ago, when people talked about a modern-day network, they would compare it to a medieval castle: a fortress with a single drawbridge, a large moat and guard towers that pierce the sky. At the time, this was a valid comparison.
Today, it no longer is. Your attackers are wading through the moat, assaulting the guard towers with helicopters, and the slightest crack in the drawbridge is enough to cause a breach. It feels as if we, as defenders, are in a different time zone from the attackers.
It is often said that “security needs to be multi-layered”. In practice this usually means implementing a standard internet access path consisting of a firewall, a proxy and anti-virus. When all of these are operating, they can detect a threat.
To make this access path more effective, the design mentality has to change. When we look at the current threat landscape, there is another analogy we can make. We can compare the network to … a submarine.
Submerged in the ever-treacherous waters of the internet, the slightest crack in the hull can flood the entire ship. Not only do we need to create an outer hull with the utmost care, disaster scenarios such as sacrificing certain parts of the ship so that others may continue to function need to be prepared as well.
Segmenting your network prevents the same thing from happening: a single breach should not flood the entire ship.
Let’s take the above high-level overview as an example.
This network has been segmented and all users have been grouped according to their department.
The servers for this organization have been clustered according to their connectivity requirements.
Each segment is contained in its own VLAN and layer 3 subnet.
Combining this design with a next-generation, zone-based firewall makes the most of its possibilities.
In terms of security, we notice the following advantages:
Unfortunately, there are some downsides to this approach as well.
Don’t be put off by those last points; there are solutions!
A management platform such as Junos Space or Palo Alto’s Panorama can define standard policies that apply to a combination of zones. Where a management platform for the firewall seemed like overkill before, it fits perfectly in a segmented network.
Even if you are used to working with a network that has neither segmentation nor documentation of its internal traffic flows, a seasoned consultant can analyze the temporary ‘allow all’ rule that was implemented between segments and propose a rigid security policy.
In fact, why not implement AlgoSec’s Firewall Analyzer and complete the task in a fraction of the time? Repeated use of the product will also correct human errors, keeping the rule base optimized and eliminating rule shadowing.
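To make the two ideas above concrete (one VLAN and layer 3 subnet per zone with a zone-based policy between them, and deriving a rigid policy from the flows observed during a temporary ‘allow all’ rule while catching shadowed rules), here is an added illustration. It is not code from the original post, nor from Junos Space, Panorama or AlgoSec; the zone names, subnets, rule base and flow log are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed segment layout (assumption): one layer 3 subnet per zone,
# which in the physical design maps to one VLAN per zone.
ZONES = {
    "users-finance": ipaddress.ip_network("10.10.0.0/24"),
    "users-sales":   ipaddress.ip_network("10.20.0.0/24"),
    "srv-internal":  ipaddress.ip_network("10.100.0.0/24"),
    "srv-dmz":       ipaddress.ip_network("10.200.0.0/24"),
}

# A rule is (from_zone, to_zone, dst_port, action); "any" matches every zone
# and a dst_port of None matches every port. Order matters: first match wins.
RULES = [
    ("users-finance", "srv-internal", None, "allow"),
    ("users-finance", "srv-internal", 445,  "allow"),   # shadowed by rule 0
    ("any",           "srv-dmz",      443,  "allow"),
    ("users-sales",   "srv-dmz",      443,  "allow"),   # shadowed by rule 2
]

# Constructed flow log captured while the temporary 'allow all' rule was active.
FLOW_LOG = [
    ("10.10.0.15", "10.100.0.5", 445),
    ("10.10.0.22", "10.100.0.5", 445),
    ("10.20.0.7",  "10.200.0.9", 443),
    ("10.10.0.15", "10.200.0.9", 443),
    ("10.20.0.7",  "10.100.0.5", 445),   # seen once: worth a manual look
]


def zone_of(ip):
    """Map an address to its zone; None means it belongs to no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Zone-based evaluation: intra-zone traffic never reaches the firewall,
    inter-zone traffic takes the first matching rule, otherwise default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"                       # unknown address: no zone, no access
    if src_zone == dst_zone:
        return "allow"                      # same VLAN/subnet, not firewalled
    for frm, to, port, action in rules:
        if frm in (src_zone, "any") and to in (dst_zone, "any") and port in (dst_port, None):
            return action
    return "deny"


def covers(earlier, later):
    """True if every flow the later rule matches is already matched by the earlier one."""
    e_frm, e_to, e_port, _ = earlier
    l_frm, l_to, l_port, _ = later
    return (e_frm in ("any", l_frm)
            and e_to in ("any", l_to)
            and e_port in (None, l_port))


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    out = []
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            out.append(i)
    return out


def propose_policy(flows, min_count=1):
    """Turn observed inter-zone flows into candidate allow rules.
    Flows seen fewer than min_count times are left out for manual review
    rather than silently becoming permanent rules."""
    counts = Counter()
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz and dz and sz != dz:
            counts[(sz, dz, port)] += 1
    return [(sz, dz, port, "allow")
            for (sz, dz, port), n in sorted(counts.items()) if n >= min_count]


if __name__ == "__main__":
    print("finance -> internal 445:", evaluate(RULES, "10.10.0.15", "10.100.0.5", 445))
    print("sales   -> internal 445:", evaluate(RULES, "10.20.0.7", "10.100.0.5", 445))
    print("shadowed rule indices:", shadowed_rules(RULES))
    for rule in propose_policy(FLOW_LOG, min_count=2):
        print("proposed:", rule)
```

The default-deny branch at the end of `evaluate` is what makes the segmentation worth something: a flow between two segments that nobody documented simply does not pass. `propose_policy` with `min_count=2` keeps the one-off sales-to-internal flow out of the proposal, which is exactly the kind of entry a consultant reviewing a captured ‘allow all’ period would want to question rather than copy into the rule base.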
To wrap up this blog post, we can conclude that multi-layered security is not achieved only by implementing best-of-breed technologies, but also by designing with security in mind. Do you have a question or would you like more information? Please do not hesitate to contact us.