Internal Network Segmentation Firewalls: What are these?
What are Internal Network Segmentation Firewalls?
Most firewalls are placed on the edge of the network, and with a good reason. But what happens once a threat/malicious code passes through into the network? Is it not a good idea to contain these threats within a small segment, instead of exposing all systems in the network? That’s why a new category of firewalls called Internal Network Segmentation Firewalls were created.
Network Security Threats Today
Threats can penetrate a network in multiple ways today. Employees and partners/guests have access to the internal network and they can wreak havoc, if they want. A lot of activity happens on the cloud server outside the network, and the security offered by the cloud provider is beyond enterprise control.
Employees are no longer in one location, they keep traveling and accessing the network from around the world. Even within the network, there are mobiles, tablets, and other BYoD devices which are used for both personal and official purposes. It’s difficult to monitor and protect traffic from moving VMs. There are many more entry points like Social Engineering, Phishing, Wireless, etc.
Once inside, hackers can listen to network traffic, identify usernames/passwords and masquerade as employees while continuing with their nefarious activities on any/all systems they can access.
What can Internal Network Segmentation Firewalls Do?
Internal Network Segmentation Firewalls can segment the network into multiple zones so that stateful inspection and policies can be applied for the traffic traversing these internal zones. That way, an administrator can try to contain malicious activity to one segment of the network instead of that spreading to all the systems in a network.
And then there are those critical servers and group of computers that contain Intellectual Property and other critical information. These systems need to be separated and protected from many internal users and external users visiting public servers like the web server, etc.
Once suspicious activity is identified, the firewall should be able to block the communication between the two hosts in addition to isolating them to a small segment. Administrators need visibility of what’s going inside the network, which user is accessing which server/application, which protocols are being used, etc.
Vendors claim that Internal Network Segmentation Firewalls can do all that and more.
Where can Internal Network Segmentation Firewalls be placed?
Vendors propose that these firewalls be placed at the segmentation points between two different networks. Large organizations would have already segmented their network using L3 Switches/Routers. Instead of using L3 Switches, Internal Network Segmentation Firewalls can be used which not only segments the network but can also monitor the traffic traversing between them by applying stateful policies.
Some vendors claim even large L2 Networks can be segmented and the traffic between them monitored. In this case, these firewalls need to be placed in between two stacks of L2 aggregation switches.
Do you need Internal Network Segmentation Firewalls?
That’s a question you need to answer depending on your network setup. Some functionality offered by these firewalls might already be available in many networks through other devices/apps. Besides, the traffic handling capacity of Internal networks are higher when compared to the edge of the network where firewalls are typically placed. So, these firewalls need to have the capacity to handle large traffic and process security policies quickly in order to minimize delays.
Reference:
- SANS: Achieving Defense in Depth using Internal Firewalls.
- Fortinet: Internal Segmentation Firewall – Security where you need it, when you need it.
excITingIP.com
You could stay up to date on Computer Networking/IT Technologies by subscribing to this blog with your email address in the sidebar box that says, ‘Get email updates when new articles are published’.