Deploying internal segmentation firewalls

Guest written by Alain Penel, Regional Vice President – Middle East, Fortinet.

As is the case across most of today’s industries, the latest IT advances such as the cloud, the Internet of Things (IoT), and mobility have blurred traditional network boundaries, making them harder to secure by the day.

Security challenges are escalating in part because there is an increasing number of network access points that can open doors to sensitive financial data. For example, many devices inside today’s financial networks, such as routers and switches, are not security aware. Once a cybercriminal accesses these devices and seizes control, the attacker has free run of the broader enterprise network and its most critical assets.

Because the changing network environment continually adds new potential attack vectors, cybercriminals continue to target the financial services industry with advanced attack methods that are designed to evade outdated and under-matched security solutions. With this in mind, financial organizations could benefit from implementing an internal segmentation firewall (ISFW).

Traditional Firewalls vs. ISFWs

Traditional firewalls tend to be deployed at the outer edge of the network, often about as far away from valuable data as they can possibly be. Because a firewall generally inspects only the traffic that passes through it, this distance between security and the valuable data you need to protect can lead to vulnerabilities. Additionally, traditional firewalls do not provide any security beyond the point on the perimeter where they have been deployed.

Internal segmentation firewalls, on the other hand, are an integrated system of defenses that are placed at critical points within the network. These firewalls are positioned to protect servers that host valuable client cardholder data or even a set of devices or web applications that are located in the cloud.

ISFWs also segment the network in order to separate traffic, isolate and protect network resources, and control malware propagation. When an outbreak or a breach occurs, ISFWs are able to restrict attacks to an isolated location or network segment, thereby minimizing their ability to spread to the rest of the network.

Capabilities and Benefits of ISFWs

When ISFWs are in place, there are a number of capabilities and benefits that financial organizations will realize.

Visibility: With an ISFW in place, CISOs and the rest of the network security team will gain visibility into the traffic that’s moving in and out of and between specific network assets. With this deeper visibility into the network, they can see abnormal traffic and behaviors and make actionable decisions in real time, without needing days or weeks of advance preparation. Such visibility also enhances the ability of security professionals to ensure compliance with the PCI Data Security Standard requirements for enhanced segmentation.

Protection: While visibility is critical to the detection portion of the security equation, at the end of the day, network security is in place to thwart attacks. Without an ISFW, the security team may spend weeks or months sorting through data, log files, and alerts to find and respond to attacks. An ISFW eliminates that overhead by proactively implementing segmentation and protection, so that it can respond to threats in real time, seeing them where they occur and leveraging the latest security updates.

Flexibility: The ability of ISFWs to be placed anywhere throughout the network is one of their primary strengths. This flexibility not only expands security touch points, but also allows the internal network to be integrated with other parts of the enterprise security system into one unified view. Further, ISFWs allow the organization to quickly insert security into the network where it’s needed most without interfering with critical business processes.

Final Thoughts

Today’s cybercriminals use advanced threats to capitalize on the flat and largely unprotected landscape of many internal networks. Even with traditional firewalls in place, financial services organizations are unable to protect their data once the initial defense systems at the perimeter have been breached.

Internal segmentation firewalls should be an essential consideration for all financial organizations that are looking for a solution that can be deployed quickly and with minimal disruption to the larger security picture, while extending security deep into the network where the most dangerous threats reside.

Because they are designed for today’s network performance requirements, ISFWs allow networks to maintain productivity levels while providing the visibility and protection needed to secure them against today’s sophisticated attack environment.