The importance of using a firewall in the workplace is well established. But in response to today’s sophisticated threats, an edge firewall is no longer enough. In an ever-changing environment, how do you integrate a firewall into your network architecture? And how do you make the best use of it?
Where to locate a firewall, how to segment a network, the “zero-trust” approach, centralised management and monitoring; we tell you everything you need to know about making the best use of a firewall in your network architecture.
Understanding the need and the perimeter for protection
The firewall is one of the key pillars of corporate perimeter security. Historically conceived as an impenetrable wall around the edge of the network, its function has since evolved considerably. To respond to the changing threat landscape and block all lateral movement attempts by malware, system administrators have had to rethink their use of firewalls, adding new layers of protection.
The correct place for a firewall in a network architecture depends on the need for security. And the traditional firewall at the edge of the network – while still an essential part of the security arsenal – is no longer sufficient to provide a good level of protection. Changing work models (digital nomads, teleworking, SaaS and other cloud infrastructures), coupled with increasingly sophisticated cyber threats, have forced businesses to extend their use of firewalls. It is now necessary to go further and deploy firewalls at different points on the company's security perimeter. But this security perimeter is evolving and is made up of a diverse variety of elements, both internal and external.
So what are the strategic locations for a firewall? At an Internet connection point, at the edge or at the centre of the network, in the cloud... the options are numerous, and will depend on your security objectives and the capacity of your firewalls. Note that, in line with the principle of defence in depth, it is advisable to install at least two firewalls to create a DMZ (demilitarised zone). Such a double barrier provides an additional seal against (potentially malicious) data flows. The aim is to implement several levels of trust, from the Internet to the LAN, and even to data centres and other cloud environments.
And next-generation firewalls (NGFW) can take network architecture security even further; for example, with network segmentation and the “Zero Trust” approach. We explain how.
The importance of network segmentation and “Zero Trust”
Why is network segmentation so important? Because the modus operandi of cybercriminals includes a reconnaissance phase. Having compromised and infiltrated a machine, they scan the equipment connected to the network in preparation for a potential rebound attack. To avoid any spread, strict segmentation must be applied on the main network and in the sub-networks. By dividing this area into distinct zones, an administrator can apply strict access and flow controls.
Setting up a DMZ, as mentioned above, is a “special segmentation case”, according to Simon Dansette, Product Manager at Stormshield. “It has the advantage of being able to compartmentalise the network for a specific need by blocking all options for lateral movement.” As Sébastien Viou, Director of Cybersecurity and Product Management at Stormshield, points out, “protocol disruption is a principle designed to disrupt all network, transport and application flows by interpreting and rewriting them. In essence, it must be impossible to perform direct routing between the two firewalls.” The principle of the double barrier is not to accumulate a series of firewalls “thinking that the first of them will block the vulnerabilities of the other,” but instead “to create zones of trust and apply consistent security rules while controlling data flows.” In sensitive industrial environments, such network segmentation enables a number of actions to be taken. Firstly, it isolates IT and OT environments, stopping the lateral movement of ransomware that has infected an IT infrastructure and is trying to spread to production environments. Secondly, such segmentation can go right to the heart of the OT, in the closest possible proximity to the machines and PLCs, with the application of granular filtering of flows, right down to the individual command sent.
To ensure that users and machines connecting to networks are legitimate, companies can also apply the “Zero Trust” concept. This “Zero Trust” philosophy is based on the principle that users and network components should not be assumed to be trusted by default, but should prove their identity and legitimacy every time they request access to resources. The Zero Trust Network Access (ZTNA) architecture includes both users and devices in authenticating and authorising network access. Access is then granular and specific to the user’s needs. “In a Zero Trust architecture,the firewall must first be tied in with strong authentication technologies to identify the user. But it must also check that the workstation to be authenticated is healthy,” explains Dansette. The latest firewall models use this philosophy to enable user access control to be applied, rather than filtering solely on the basis of IP (as traditional firewalls did). Traffic filtering rules can then be used to implement granular, real-time security policies. Dansette explains that “there are now interactions between EDR-type solutions and firewalls that authorise a user to log in. These mechanisms take the authentication process a step further.” The new-generation firewall therefore becomes a key element of the Zero Trust architecture.
Through the application of specific or common rules, updating of equipment and monitoring and supervision, whether physical or virtualised, the proliferation of firewalls in companies is forcing system administrators to rethink the way in which they are managed, in a move from unit-based to centralised management. This is a tool that has now become a necessity.
The need for centralised firewall management
Whether at the edge or at the centre of a network, close to industrial equipment or hosted in the cloud, the number of firewalls and their locations have multiplied to such an extent that managing them can quickly become a complex task. Deployment, configuration, maintenance, patch management... According to Dansette, centralised management makes it possible to “reduce the complexity of managing the various firewall connections and reduce network administration time, and therefore the inherent costs.”
Centralised management also simplifies the security standards compliance process, ensuring that all security policies are applied uniformly to all firewalls on the network. This is a strong asset for MSSPs and IT resellers. Centralised management makes it possible to manage the configuration of several firewalls using a single tool, and administer them all from a single platform. Changes can be made quickly and easily, providing security for their customers and productivity gains for their teams.
Also, by centralising log management indicators can be viewed from a single interface, making monitoring and reporting easier. In cases where logs are collected, stored and archived on a single platform, system administrators can find and correct configuration problems more easily. Dansette says, “Centralisation provides an overview that makes it easier to analyse where the problem lies and then correct it on the offending firewall. This makes the troubleshooting stage easier for system administrators, and saves time at times when stress is high.”
And what about the future? It is clear that network protection points are not the only area of growth within the enterprise; endpoint protection points are following the same trend. However, the recurring success of cyberattacks demonstrates the ineffectiveness of this approach. Because the proliferation of detection solutions causes numerous varied events with behaviour patterns that are difficult for administrators to interpret and correlate. This lack of visibility limits responsiveness, which in practical terms results in a lower level of protection. In response to this problem, and in the interests of enabling more comprehensive management, XDR offers (eXtended Detection & Response) have been developed. The aim is threefold: to reduce risks, to correlate events reported by the various cybersecurity solutions, and to improve organisations’ cyber-operational productivity.