© Copyright 2013 Fortinet Inc. All rights reserved.
The Internal Firewall
The Zero Trust Model and Need for Internal Segmentation
Harley Waterson
Sales Specialist – Fortinet
A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Platform Advantage built on key innovations
• FortiGuard: industry-leading threat research
• FortiOS: tightly integrated network + security OS
• FortiASIC: custom ASIC-based architecture
• Market-leading technology: 196 patents, 162 pending
Founded November 2000, 1st product shipped 2002, IPO 2009
HQ: Sunnyvale, California
Employees: 3000+ worldwide
Consistent growth, gaining market share
Strong positive cash flow, profitable
Chart: Cash and Revenue, 2003 vs 2014 (values shown: $13M, $770M, $16M, ~$1B)
Global presence and customer base
• Customers: 225,000+
• Units shipped: 1.9+ Million
• Offices: 80+ worldwide
Based on Q4 and FY 2014 data
Malware & Hacking – the Past
Trend – Mobile Ransomware
The year?
Creeper – The First ‘Computer Virus’
Creeper
Experimental self-replicating program
Written in 1971
Considered a mobile or rogue application in that it moved from computer to computer
It hogged resources and essentially DoS’d its host network through excessive replication
Infected DEC PDP-10 computers running TENEX OS on ARPANET
‘Reaper’ worm created in ‘72 to delete it – 1st AV
Trend – Mobile Ransomware
The year?
The First ‘Hack’
Marconi Wireless Telegraph Demo
Positioned as confidential, eavesdrop-proof
Morse code message to be sent 300 miles from Wales to the Royal Institution of London
But right before they got started…
“Scientific Hooliganism”
Nevil Maskelyne, magician and self-taught wireless technology experimenter
Transmitted taunt from nearby building and showed interception/disruption was possible
Justified his actions on the grounds of the security holes it revealed for the public good
Later funded by ‘wired’ telegraph industry to spy on Marconi’s ship to shore trials
“rats rats rats there once was a…”
State of Security Today
2014-15 … Breaches Continue …
But with their exponential growth, the damage is more serious than ever
Source: DataBreaches.net
Breaches shown: Sony (50K), Adobe (152M), Target (1M), US Feds (2M), AdultFriendFinder (1.9M), IRS (100K), Apple, LastPass, Snapchat, European Central Bank, Dominos Pizza (France), Neiman Marcus, Korean Credit Bureau, Mozilla, Vodafone, Gmail, Kaspersky
Two Major Internet Vulnerabilities in 2014
Heartbleed – 500,000 web servers affected
Shellshock – Millions of Internet-connected devices affected
Magnitude of Hacking and Cyber Espionage
“The Chinese have penetrated every major corporation of any consequence in the United States and taken information. We've never, ever not found Chinese malware.” – Ex-NSA Director Mike McConnell
“There are two types of companies in America … those who have been hacked and know about it and those who have been hacked and don’t know about it!” – Ex-FBI Director Robert Mueller
Time to Discovery of a Breach is Not Keeping Up
Wide gap between percentages for the two phases
Time to compromise accelerating faster than Discovery
Once inside, what can be done to contain and minimize the attack?
*Verizon DBIR 2014
Chart: Percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, 2004–2013 (y axis 25%–100%)
Defense in Depth
Defense in Depth – Where does it come from?
We have all heard of the term “defense in depth”, right?
Rather popular term in IT security.
Many of us have built security designs and architectures around this term.
Anyone know where it comes from?
Anyone heard of the Siegfried Line?
The Siegfried Line was a continuous defensive system built by Germany at the beginning of WWII that stretched 400 miles from Holland down along the German border all the way to Switzerland.
The brainchild of Fritz Todt, a civil engineer.
Defense in Depth – What was it?
A system of interlocking, complementary individual defensive systems created to work together to neutralize and stop the advance of Allied attacks into Germany.
A series of zones and barriers used to slow down and expose the various elements of a coordinated attack, stripping away the benefit of a multi-pronged assault in which infantry (on foot and mechanized), armor, artillery and air power would all be coordinated in an effective combined effort.
How did it work?
Step 1 – a row of anti-tank obstacles that would slow down heavy armor and expose its underbelly to defensive anti-tank guns.
Step 2 – a row of anti-personnel mines to take out infantry and light vehicles.
Step 3 – heavy use of barbed wire to slow down, trap and expose the remaining infantry to heavy defensive machine gun fire.
Step 4 – underground, fortified, steel-reinforced concrete bunkers that served as machine gun posts and artillery emplacements, protected from air and artillery attack.
Step 5 – ‘booby traps’ and ‘murder holes’ within the “wall” itself for when the bunker system was finally penetrated.
Point solutions: VPN, WAN Acceleration, Web Filtering, IPS, Application Control, WiFi Controller, Advanced Threat Protection, Antivirus, Firewall, Management
Over time, point solutions have been deployed in response to evolving threats
Platforms vary across deployment scenarios
Numerous management consoles
Inconsistent policy and networking function
Varying upgrade cycles
This model still sees defense in depth as pertaining to a clearly defined Internet vs Internal boundary
Defense in Depth in Cyber Warfare
Advanced Threats Take Advantage of the “Flat Internal” Network
Existing firewalls focus on the border – the Internet
Internal network no longer “trusted”
Many ways into the network
Once inside, threats can spread
Internal Security is Integral to a Layered Security Approach – Defense in Depth
What is Needed
» Inside-out visibility
» Internal segmentation
» Authentication
» Easy integration into the network
» Don’t be the bottleneck
What is Internal Security?
DMZs, firewalls, IDS, gateway AV
Protects against attacks from within
Client security controls
Layered Security and the Zero Trust Model
EXTERNAL vs. INTERNAL
Internal vs External is an antiquated notion. We have been taught to not trust the external but trust the internal.
EDGE FIREWALLS ARE NOT ENOUGH ANYMORE
ALWAYS AUTHENTICATE
Access to the network needs to be seen in the context of access to the data …
• who needs access
• what data do they need access to
• when do they need access
• from where and from what device
PROTECT THE DATA
We need to get away from a concept of protecting the network to one in which we protect the data.
Too Many Ways In…
Diagram elements: Endpoint; Multi-Function Gateway; Data Center/Cloud; WAN; Internet; External Network (Multi-Megabit); “FLAT” Internal Network Architecture; Internal Network (Multi-Gigabit)
Weaknesses called out: AV signature only protection; Less trustworthy networks/subsidiary; Security out of your control; Not every security app switched on; More customer/partner access; Security becomes a bottleneck; Too many point solutions; No security agents
Internal Firewall (INFW)
Internal Network Firewall (INFW)
Complete Protection – Continuous inside-out protection against advanced threats
Segmentation – Default Transparent Mode means no need to re-architect the network
High Performance – Multi-Gigabit throughput supports wire speed East-West traffic
Diagram: To Internet → Core/Distribution Switch (DISTRIBUTION/CORE LAYER) → Access Switch/VLAN (ACCESS LAYER) → Local Servers, User Network Devices
• FortiGate wire intercept using transparent port pair
• High speed interface connectivity
• IPS, ATP & App Control
Internal Firewall Deployment Modes
Deployment Mode    Deployment Complexity    Network Functions
Network Routing    High                     L3 – L7
Transparent        Low                      L1 – L2
Sniffer            Low                      –
The slide also compares each mode on High Availability, Traffic Visibility and Threat Prevention.
Transparent mode combines the advantages of Network Routing and Sniffer mode
Internal Network Firewall Deployment (before)
Diagram: Network A and Network B (INTERNAL), Edge Firewall (NGFW) facing EXTERNAL
Problems
No controls in place
» Users in network A can access anything they want in network B, with basically file permissions as the only source of role-based control
» Can’t stop a worm or botnet propagating internally
» Can’t stop an attack launched from network A to an asset on network B
Internal Network Firewall Deployment (after)
Diagram: Network A and Network B (INTERNAL), Edge Firewall (NGFW) facing EXTERNAL, Internal Firewall (INFW) added
Problems Solved
Access controls enforced
» Identity-based access controls enforce who, what, when and from where an asset can be accessed
» Traffic can be scanned for worms and botnets as it moves laterally in the network
» Internal attacks are stopped
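To make the before/after contrast concrete, here is an added Python example (not Fortinet code and not from the deck) that models the flat network as default-allow and the INFW as a default-deny policy keyed on the zero trust tuple from the earlier slide: who, what data, when, from where and from what device. The segments, user groups, rules and flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one east-west connection attempt (constructed sample data)
    user: str            # authenticated identity, "" if none
    device_managed: bool # device posture known to the firewall
    src_segment: str     # "from where"
    dst_asset: str       # "what data"
    service: str         # protocol/port requested
    hour: int            # "when": hour of day, 0-23

# Hypothetical identity-based rules: who / what / when / from where / from what device.
GROUPS = {"alice": {"finance"}, "bob": {"it-ops"}}
RULES = [
    {"group": "finance", "asset": "finance-db", "service": "tcp/1433",
     "src": "network-A", "hours": range(8, 19), "managed": True},
    {"group": "it-ops", "asset": "*", "service": "tcp/22",
     "src": "network-A", "hours": range(0, 24), "managed": True},
]

def flat_network_decision(flow: Flow) -> str:
    """Before: no internal controls, so every lateral flow reaches its target."""
    return "allow"

def infw_decision(flow: Flow) -> str:
    """After: default deny; allow only flows that match an identity-based rule."""
    for r in RULES:
        if flow.src_segment != r["src"] or flow.service != r["service"]:
            continue
        if r["asset"] != "*" and flow.dst_asset != r["asset"]:
            continue
        if r["group"] not in GROUPS.get(flow.user, set()):
            continue  # unauthenticated or wrong group: "always authenticate"
        if flow.hour not in r["hours"] or (r["managed"] and not flow.device_managed):
            continue  # outside the permitted window, or unacceptable device posture
        return "allow"
    return "deny"

# Constructed flows from Network A toward assets in Network B.
FLOWS = [
    Flow("alice", True, "network-A", "finance-db", "tcp/1433", 10),  # finance user, business hours
    Flow("alice", True, "network-A", "finance-db", "tcp/1433", 3),   # same user at 03:00
    Flow("alice", False, "network-A", "finance-db", "tcp/1433", 10), # unmanaged device
    Flow("", False, "network-A", "file-srv", "tcp/445", 14),         # worm-style SMB fan-out, no identity
    Flow("bob", True, "network-A", "file-srv", "tcp/22", 2),         # ops SSH, permitted around the clock
]

def evaluate(policy) -> list:
    """Apply a policy function to every sample flow and return the decisions."""
    return [policy(f) for f in FLOWS]
```

Running `evaluate(infw_decision)` shows only the first and last flows allowed; the off-hours, unmanaged-device and unauthenticated SMB flows that the flat network would pass are denied.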
Security in the Next Gen Data Center
Customer Challenge – East West Traffic
East-west traffic visibility
Session statefulness during live migration (e.g. vMotion)
Overlay and other SDN/SDDC network virtualization (e.g. VXLAN)
Logical ports, IPs and MACs can break static rules
Diagram: North-South traffic at the Data Center Edge vs East-West traffic inside the data center
FACT: 76% of Data Center Traffic is East-West*
*Cisco Global Cloud Index, 2013
Internal Network Firewall – How is it different?
Purpose
  INFW: Visibility & protection for internal segments
  NGFW: Visibility & protection against external threats and internet activities
  UTM: Visibility & protection against external threats and user activities
  DCFW: High performance, low latency network protection
  CCFW: Network security for Service Providers
Location
  INFW: Access Layer
  NGFW: Internet Gateway
  UTM: Internet Gateway
  DCFW: Core Layer/DC gateway
  CCFW: Various
Network Operation Mode
  INFW: Transparent Mode
  NGFW, UTM, DCFW, CCFW: NAT/Route Mode
Hardware requirements
  INFW: Higher port density to protect multiple assets, hardware acceleration
  NGFW: GbE and 10 GbE ports
  UTM: High GbE port density, integrated wireless connectivity and PoE
  DCFW: High speed (GbE/10 GbE/40 GbE/100 GbE) & high port density, hardware acceleration
  CCFW: High speed (GbE/10 GbE/40 GbE/100 GbE) & high port density, hardware acceleration
Security Components
  INFW: Firewall, IPS, ATP, Application Control
  NGFW: (User-based) Firewall, VPN, IPS, Application Control
  UTM: Comprehensive and extensible, client and device integration
  DCFW: Firewall, DDoS protection
  CCFW: Firewall, CGN, LTE & mobile security
Other Characteristics
  INFW: Rapid Deployment – near zero configuration
  NGFW: Integration with Advanced Threat Protection (Sandbox)
  UTM: Broad WAN connectivity options including 3G/4G/LTE
  DCFW: High Availability
  CCFW: High Availability
Fortinet Advantage – GLOBAL Platform
FortiOS & Scalable High Performance Architecture Enable Deployment Across The Entire Enterprise
Diagram labels: INTERNET; Boundary; Data Center/SDN; Carrier/MSSP/Cloud; Distributed Enterprise & Small Business; Mobile Users; Enterprise Campus And Large Sites; Internal Network (Ultra Low Latency)
Platforms shown: Carrier Class Firewall (CCFW); Virtual Machine Firewall; Cloud Firewall (CFW); Client Firewall; Internal Network Firewall (INFW); Next Gen Firewall + Advanced Threat Protection (NGFW + ATP); Unified Threat Management (UTM); Data Center Firewall (DCFW)