1 © Copyright 2013 Fortinet Inc. All rights reserved. The Internal Firewall The Zero Trust Model and Need for Internal Segmentation Harley Waterson Sales Specialist – Fortinet


Page 1


The Internal Firewall

The Zero Trust Model and Need for Internal Segmentation

Harley Waterson

Sales Specialist – Fortinet

Page 2

Fortinet Quick Facts – A Global Leader and Innovator in Network Security

Platform Advantage built on key innovations

• FortiGuard: industry-leading threat research

• FortiOS: tightly integrated network + security OS

• FortiASIC: custom ASIC-based architecture

• Market-leading technology: 196 patents, 162 pending

Founded November 2000, 1st product shipped 2002, IPO 2009

HQ: Sunnyvale, California

Employees: 3000+ worldwide

Consistent growth, gaining market share

Strong positive cash flow, profitable

[Chart: Revenue and Cash, 2003 vs 2014; values shown: $13M, $770M, $16M, ~$1B]

Global presence and customer base

• Customers: 225,000+

• Units shipped: 1.9+ Million

• Offices: 80+ worldwide

Based on Q4 and FY 2014 data

Page 3

Malware & Hacking – the Past

Page 4

Trend – Mobile Ransomware

The year?

Page 5

Creeper – The First ‘Computer Virus’

Creeper

Experimental self-replicating program

Written in 1971

Considered a mobile or rogue application in that it moved from computer to computer

It hogged resources and essentially DoS’d its host network through excessive replication

Infected DEC PDP-10 computers running the TENEX OS on ARPANET

‘Reaper’ worm created in ’72 to delete it – the 1st AV

Page 6

Trend – Mobile Ransomware

The year?

Page 7

The First ‘Hack’ – Marconi Wireless Telegraph Demo

Positioned as confidential, eavesdrop-proof

Morse code message to be sent 300 miles from Wales to the Royal Institution of London

But right before they got started…

“Scientific Hooliganism”

Nevil Maskelyne, magician and self-taught wireless technology experimenter

Transmitted a taunt from a nearby building and showed that interception/disruption was possible

Justified his actions on the grounds of the security holes it revealed, for the public good

Later funded by the ‘wired’ telegraph industry to spy on Marconi’s ship-to-shore trials

“rats rats rats there once was a…”

Page 8

State of Security Today

Page 9

2014-15 … Breaches Continue … but with their exponential growth, the damage is more serious than ever

Source: DataBreaches.net

[Chart of breached organizations, with record counts where shown: Sony (50K), Adobe (152M), Target (1M), US Feds (2M), AdultFriendFinder (1.9M), IRS (100K), Apple, LastPass, Snapchat, European Central Bank, Dominos Pizza (France), Twitter, Neiman Marcus, Korean Credit Bureau, Mozilla, Vodafone, Gmail, Kaspersky]

Page 10

Two Major Internet Vulnerabilities in 2014

HeartBleed – 500,000 web servers affected

ShellShock – millions of Internet-connected devices affected

Page 11

Magnitude of Hacking and Cyber Espionage

“The Chinese have penetrated every major corporation of any consequence in the United States and taken information. We've never, ever not found Chinese malware.”

– Ex-NSA Director Mike McConnell

“There are two types of companies in America … those who have been hacked and know about it and those who have been hacked and don’t know about it!”

– Ex-FBI Director Robert Mueller

Page 12

Time to Discovery of a Breach is Not Keeping Up

Wide gap between percentages for the two phases

Time to compromise accelerating faster than Discovery

Once inside, what can be done to contain and minimize the attack?

*Verizon DBIR 2014

[Chart: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, by year 2004–2013; y-axis 25%–100%]

Page 13

Defense in Depth

Page 14

Defense in Depth – Where does it come from?

We have all heard of the term “defense in depth”, right?

Rather popular term in IT security.

Many of us have built security designs and architectures around this term.

Anyone know where it comes from?

Anyone heard of the Siegfried Line?

The Siegfried Line was a continuous defensive system built by Germany at the beginning of WWII that stretched 400 miles from Holland down along the German border all the way to Switzerland.

The brainchild of Fritz Todt, a civil engineer.

Page 15

Defense in Depth – What was it?

A system of interlocking, complementary individual defensive systems created to work together to neutralize and stop the advance of Allied attacks into Germany

A series of zones and barriers used to slow down and expose the various elements of a coordinated attack, stripping away the benefit of a multi-pronged assault in which infantry (on foot and mechanized), armor, artillery and air power would all be coordinated in an effective combined effort.

How did it work?

Page 16

Defense in Depth – What was it?

Step 1 – a row of anti-tank obstacles that would slow down and expose the underbelly of heavy armor to defensive anti-tank guns.

Page 17

Defense in Depth – What was it?

Step 2 – a row of anti-personnel mines to take out infantry and light vehicles.

Page 18

Defense in Depth – What was it?

Step 3 – heavy use of barbed wire to slow down, trap and expose remaining infantry to heavy defensive machine gun fire.

Page 19

Defense in Depth – What was it?

Step 4 – underground, fortified, steel-reinforced concrete bunkers that served as machine gun posts and artillery emplacements, protected from air and artillery attack.

Page 20

Defense in Depth – What was it?

Step 5 – ‘booby traps’ and ‘murder holes’ within the “wall” itself for when the bunker system was finally penetrated.

Page 21

Defense in Depth in Cyber Warfare

[Diagram: point security functions deployed over time – Firewall, VPN, WAN Acceleration, Web Filtering, IPS, Application Control, WiFi Controller, Advanced Threat Protection, Antivirus, Management]

Over time, point solutions have been deployed in response to evolving threats

Platforms vary across deployment scenarios

Numerous management consoles

Inconsistent policy and networking function

Varying upgrade cycles

This model still sees defense in depth as pertaining to a clearly defined Internet vs. Internal boundary

Page 22

Advanced Threats Take Advantage of the “Flat Internal” Network

Existing firewalls focus on the border – the Internet

The internal network is no longer “trusted”

There are many ways into the network

Once inside, threats can spread

Page 23

Internal Security is Integral to a Layered Security Approach – Defense in Depth

What is Needed

» Inside-out visibility

» Internal segmentation

» Authentication

» Easy integration into the network

» Don’t be the bottleneck

What is Internal Security?

DMZs, firewalls, IDS, gateway AV

Protection against attacks from within

Client security controls

Page 24

Layered Security and the Zero Trust Model

EXTERNAL vs. INTERNAL

Internal vs. External is an antiquated notion. We have been taught to not trust the external but trust the internal.

EDGE FIREWALLS ARE NOT ENOUGH ANYMORE

ALWAYS AUTHENTICATE

Access to the network needs to be seen in the context of access to the data …

• who needs access

• what data do they need access to

• when do they need access

• from where and from what device

PROTECT THE DATA

We need to get away from a concept of protecting the network to one in which we protect the data.

Page 25

Too Many Ways In…

[Diagram of the enterprise: Endpoint, Multi-Function Gateway, Data Center/Cloud, WAN, Internet, External Network (Multi-Megabit), Internal Network (Multi-Gigabit), with the following weak points called out:]

AV Signature Only Protection

Less Trustworthy Networks/Subsidiary

Security out of your Control

Not every Security App switched on

More Customer/Partner Access

Security Becomes a Bottleneck

Too Many Point Solutions

No Security Agents

“FLAT” Internal Network Architecture

Page 26

Internal Firewall (INFW)

Page 27

Internal Network Firewall (INFW)

Complete Protection – Continuous inside-out protection against advanced threats

Segmentation – Default Transparent Mode means no need to re-architect the network

High Performance – Multi-Gigabit throughput supports wire-speed East-West traffic

[Diagram: DISTRIBUTION/CORE LAYER (Core/Distribution Switch, To Internet) and ACCESS LAYER (Access Switch/VLAN) serving LOCAL SERVERS, USER NETWORK and DEVICES]

• FortiGate wire intercept using a transparent port pair

• High speed interface connectivity

• IPS, ATP & App Control

Page 28

Internal Firewall Deployment Modes

Deployment Mode    Deployment Complexity    Network Functions
Network Routing    High                     L3 – L7
Transparent        Low                      L1 – L2
Sniffer            Low

[The slide's remaining columns – High Availability, Traffic Visibility, Threat Prevention – were shown as icons and are not reproduced here.]

Transparent mode combines the advantages of Network Routing and Sniffer mode

Page 29

Internal Network Firewall Deployment (before)

[Diagram: Network A and Network B (INTERNAL), Edge Firewall (NGFW) facing EXTERNAL]

Problems

No controls in place » Users in network A can access anything they want in network B, with basically file permissions as the only source of role-based control

Can’t stop a worm or botnet propagating internally

Can’t stop an attack launched from network A against an asset on network B

Page 30

Internal Network Firewall Deployment (after)

[Diagram: Network A and Network B (INTERNAL), Edge Firewall (NGFW) facing EXTERNAL, with an Internal Firewall (INFW) added inside]

Problems Solved

Access controls enforced » Identity-based access controls enforce who, what, when and from where an asset can be accessed

Traffic can be scanned for worms and botnets as it moves laterally in the network

Internal attacks are stopped
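The "before" and "after" pictures on these two slides, together with the who, what, when, where and device questions from the Zero Trust slide, written out as a deny-by-default policy check. This is an added example, not code from the deck or from Fortinet; every segment, host, group and flow in it is constructed.

```python
"""Added example (not from the deck): a who/what/when/where/device policy check
of the kind an internal firewall applies between two internal segments."""
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Flow:
    user: str             # who
    groups: frozenset     # directory groups the user belongs to
    src_net: str          # from where: the segment the packet arrives from
    dst_net: str          # segment that holds the asset
    dst_host: str         # what asset
    service: str          # what service, e.g. "smb"
    at: time              # when
    managed_device: bool  # from what device (posture)

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dst_host: str
    service: str
    groups: frozenset     # any one of these groups may use the rule
    window: tuple         # (start, end) local times the access is permitted
    require_managed: bool = True

# Hypothetical "after" policy: finance staff may reach the finance file server in
# network B over SMB in business hours from a managed device; nothing else matches.
POLICY = [Rule("net-a", "net-b", "fin-fs01", "smb", frozenset({"finance"}),
               (time(8, 0), time(18, 0)))]

def flat_network_decision(flow: Flow) -> str: return "allow"  # "before": no internal controls

def infw_decision(flow: Flow, policy=POLICY) -> str:
    """'After' picture: forward only flows an explicit rule matches on who, what,
    when, where and device; deny and log everything else."""
    for r in policy:
        same_path = (flow.src_net, flow.dst_net, flow.dst_host, flow.service) == (
            r.src_net, r.dst_net, r.dst_host, r.service)
        in_window = r.window[0] <= flow.at <= r.window[1]
        device_ok = flow.managed_device or not r.require_managed
        if same_path and (flow.groups & r.groups) and in_window and device_ok:
            return "allow"
    return "deny+log"

FLOWS = {  # constructed sample flows crossing from network A to network B
    "finance_user": Flow("alice", frozenset({"finance"}), "net-a", "net-b",
                         "fin-fs01", "smb", time(10, 30), True),
    "finance_byod": Flow("alice", frozenset({"finance"}), "net-a", "net-b",
                         "fin-fs01", "smb", time(10, 30), False),
    "worm_probe": Flow("svc-print", frozenset(), "net-a", "net-b",
                       "fin-fs01", "smb", time(3, 15), True),
}
```

On the flat network all three flows are forwarded; with the INFW policy only the managed finance user in business hours gets through, and the unmanaged device and the service-account probe are dropped and logged.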

Page 31

Security in the Next Gen Data Center

Page 32

Customer Challenge – East-West Traffic

East-west traffic visibility

Session statefulness during live migration (e.g. vMotion)

Overlay and other SDN/SDDC network virtualization (e.g. VXLAN)

Logical ports, IPs and MACs can break static rules

[Diagram: North-South traffic crossing the Data Center Edge vs. East-West traffic inside the data center]

FACT: 76% of Data Center Traffic is East-West*

*Cisco Global Cloud Index, 2013

Page 33

Internal Network Firewall – How is it different?

INFW
Purpose: Visibility & protection for internal segments
Location: Access Layer
Network Operation Mode: Transparent Mode
Hardware requirements: Higher port density to protect multiple assets, hardware acceleration
Security Components: Firewall, IPS, ATP, Application Control
Other Characteristics: Rapid Deployment – near zero configuration

NGFW
Purpose: Visibility & protection against external threats and internet activities
Location: Internet Gateway
Network Operation Mode: NAT/Route Mode
Hardware requirements: GbE and 10 GbE ports
Security Components: (User-based) Firewall, VPN, IPS, Application Control
Other Characteristics: Integration with Advanced Threat Protection (Sandbox)

UTM
Purpose: Visibility & protection against external threats and user activities
Location: Internet Gateway
Network Operation Mode: NAT/Route Mode
Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
Security Components: Comprehensive and extensible, client and device integration
Other Characteristics: Broad WAN connectivity options including 3G/4G/LTE

DCFW
Purpose: High performance, low latency network protection
Location: Core Layer/DC gateway
Network Operation Mode: NAT/Route Mode
Hardware requirements: High speed (10/40/100 GbE) & high port density, hardware acceleration
Security Components: Firewall, DDoS protection
Other Characteristics: High Availability

CCFW
Purpose: Network security for Service Providers
Location: Various
Network Operation Mode: NAT/Route Mode
Hardware requirements: High speed (10/40/100 GbE) & high port density, hardware acceleration
Security Components: Firewall, CGN, LTE & mobile security
Other Characteristics: High Availability

Page 34

Fortinet Advantage – GLOBAL Platform: FortiOS & Scalable High Performance Architecture Enable Deployment Across The Entire Enterprise

[Diagram of deployment points across the enterprise: INTERNET; Carrier/MSSP/Cloud; Carrier Class Firewall (CCFW); Cloud Firewall (CFW); Data Center/SDN; Data Center Firewall (DCFW); Virtual Machine Firewall; Enterprise Campus And Large Sites; Boundary; Next Gen Firewall + Advanced Threat Protection (NGFW + ATP); Internal Network (Ultra Low Latency); Internal Network Firewall (INFW); Distributed Enterprise & Small Business; Unified Threat Management (UTM); Mobile Users; Client Firewall]

Page 35