
Going Beyond Zero Trust with Internal Segmentation Firewalls

Networks designed with implicit trust, even a small amount of it, make it easy for data and applications to move around inside the perimeter.

DQC Bureau

Networks designed with implicit trust, even a small amount of it, make it easy for data and applications to move around inside the perimeter. It is also one of the reasons why network breaches can remain undetected for so long, why malicious insiders are able to steal so much data, and why unintentional errors can cause so much damage.


Even minimal implicit trust in a network needs to be replaced with a Zero Trust model that mandates a “never trust, always verify, and enforce least privilege” approach to access, from both outside and inside the network.

It starts with the premise that traffic inside the perimeter should not be trusted any more than traffic from outside. Instead, all traffic should be inspected and logged, and every request for network access should be verified, authenticated, and validated on a need-to-know basis.

While Zero Trust is gaining in popularity, there are also a number of limitations to such a model. These include:

  • If you restrict access too tightly or take too long to verify an access request, you create bottlenecks that can cripple your network.
  • Zero Trust doesn’t address issues such as DDoS attacks, human error, poorly patched or misconfigured devices, and even a number of common network issues.
  • Perimeter-based security devices can be quickly overwhelmed by internal traffic, which is not constrained by the slower connection speeds found at the perimeter.
  • Inspecting encrypted traffic is exceptionally CPU-intensive, and will bring most traditional NGFW solutions to their knees.
  • Point defense products, designed to protect a specific spot on the perimeter, can impose limitations on the network’s ability to quickly adapt to changing requirements and shifting resources.
  • VLANs—historically used to segment traffic—rarely have adequate security, and most are unable to seamlessly span distributed network environments.

A better approach is to identify, track, and isolate devices, applications, and workflows based on business and security requirements. This has two components:

  1. Network Access Control can identify and keep track of any device connecting to the network, determine its role and privilege, and limit it to a specific role within the network.
  2. Internal Segmentation Firewalls (ISFWs) provide the scalability, span of control, and performance that traditional NGFW solutions and VLANs simply can’t. Administrators can:
  • Dynamically segment the network
  • Assign devices to those segments at the moment of access
  • Restrict applications and workflows to physical or virtual locations, groups, or devices
  • Assign levels of security inspection
  • Permit cross-segment movement based on policy

Newer Intent-based Segmentation goes a step further: it can interpret business and security requirements, automatically convert them into a specific segmentation policy that spans the distributed network to protect and isolate workflows and applications along their entire transactional path, and do so at digital speeds.

In addition to interpreting business intent on the front end, Intent-based Segmentation also relies on an integrated security framework that enables the different tools deployed in different segments of the network to see and interact with each other. This allows them to detect and respond to threats occurring anywhere across the distributed environment, and to dynamically adapt the policies governing a network segment. By combining traditional segmentation with Zero Trust principles, Intent-based Segmentation offers a holistic, integrated security architecture that can adapt to changing requirements, detect and mitigate advanced threats, and grant variable access on a need-to-know basis.
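The two components described above (NAC placing a device in a segment at the moment of access, and an ISFW enforcing policy on every cross-segment flow) and the intent-to-policy step of Intent-based Segmentation can be modelled in a few dozen lines. The following Python is an added toy model, not code from the article or from Fortinet; every MAC address, role, segment, workload and application name in it is constructed for illustration, and the inspection levels "full" and "flow" are hypothetical labels.

```python
"""Toy model of policy-driven internal segmentation (added example, not vendor code).

- assign_segment(): the NAC step, identify a device at connect time and place it
  in a segment; anything unrecognised is quarantined rather than trusted.
- compile_intents(): turn business intents ("role X may reach workload Y over
  app Z") into concrete segment-to-segment rules.
- evaluate(): the ISFW step, match each flow against the rules with default deny
  and log every decision, so inside traffic gets no more trust than outside.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: what a NAC would learn when a device connects.
DEVICE_ROLES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "pos-terminal",
    "aa:bb:cc:00:00:02": "hvac-controller",
    "aa:bb:cc:00:00:03": "finance-laptop",
}
# Role -> segment mapping (hypothetical segment names).
ROLE_SEGMENT: Dict[str, str] = {
    "pos-terminal": "pci-pos",
    "hvac-controller": "iot",
    "finance-laptop": "corp-finance",
}
# Workload -> segment mapping (hypothetical workload names).
WORKLOAD_SEGMENT: Dict[str, str] = {
    "payment-gateway": "pci-core",
    "erp": "corp-apps",
    "building-mgmt": "iot",
}
QUARANTINE = "quarantine"

# Constructed business intents. "inspect" picks the inspection level the ISFW
# applies to matching flows: "full" = decrypt and inspect, "flow" = log only.
INTENTS: List[dict] = [
    {"role": "pos-terminal", "workload": "payment-gateway", "app": "tls", "inspect": "full"},
    {"role": "finance-laptop", "workload": "erp", "app": "https", "inspect": "full"},
    {"role": "hvac-controller", "workload": "building-mgmt", "app": "bacnet", "inspect": "flow"},
]


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    app: str
    inspection: str


def assign_segment(mac: str) -> str:
    """NAC step: place the device in the segment its role allows, else quarantine."""
    role = DEVICE_ROLES.get(mac)
    if role is None:
        return QUARANTINE
    return ROLE_SEGMENT.get(role, QUARANTINE)


def compile_intents(intents: List[dict]) -> List[Rule]:
    """Compile high-level intents into segment-to-segment rules.

    An intent naming an unknown role or workload raises at compile time, so a
    typo in an intent cannot silently open an unintended path.
    """
    rules: List[Rule] = []
    for intent in intents:
        if intent["role"] not in ROLE_SEGMENT:
            raise ValueError(f"unknown role in intent: {intent['role']}")
        if intent["workload"] not in WORKLOAD_SEGMENT:
            raise ValueError(f"unknown workload in intent: {intent['workload']}")
        rules.append(Rule(ROLE_SEGMENT[intent["role"]],
                          WORKLOAD_SEGMENT[intent["workload"]],
                          intent["app"],
                          intent.get("inspect", "full")))
    return rules


def evaluate(flow: dict, rules: List[Rule], log: List[str]) -> Tuple[str, Optional[str]]:
    """ISFW step: allow only flows matching an explicit rule; deny and log the rest."""
    src = assign_segment(flow["src_mac"])
    dst = WORKLOAD_SEGMENT.get(flow["dst_workload"], QUARANTINE)
    for rule in rules:
        if (src, dst, flow["app"]) == (rule.src_segment, rule.dst_segment, rule.app):
            log.append(f"ALLOW {src}->{dst} app={flow['app']} inspect={rule.inspection}")
            return "allow", rule.inspection
    log.append(f"DENY {src}->{dst} app={flow['app']} (no matching intent)")
    return "deny", None


if __name__ == "__main__":
    compiled = compile_intents(INTENTS)
    decisions: List[str] = []
    # A sanctioned POS -> payment flow, then an HVAC controller trying to reach ERP.
    evaluate({"src_mac": "aa:bb:cc:00:00:01", "dst_workload": "payment-gateway", "app": "tls"}, compiled, decisions)
    evaluate({"src_mac": "aa:bb:cc:00:00:02", "dst_workload": "erp", "app": "https"}, compiled, decisions)
    print("\n".join(decisions))
```

The point the model makes is that segment membership is decided at access time from the device's verified role, not from where it happens to be plugged in, and that the policy is an allow-list compiled from intents: a device in the IoT segment attempting to reach the ERP workload is dropped and logged even though nothing explicitly forbids it, because nothing explicitly permits it.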

Contributed by: Jitendra Ghughal, Director Channels, India & SAARC, Fortinet
