Transcript the Presentation

The Internal Firewall
The Zero Trust Model
and
Need for Internal Segmentation
Harley Waterson
Sales Specialist – Fortinet
© Copyright 2013 Fortinet Inc. All rights reserved.
1
A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Global presence and customer base
$770M
Revenue
• Customers: 225,000+
• Units shipped: 1.9+ Million
• Offices: 80+ worldwide
Platform Advantage built on key innovations
• FortiGuard: industry-leading threat research
$13M
• FortiOS: tightly integrated network + security OS
2003
2014
• FortiASIC: custom ASIC-based architecture
~$1B
• Market-leading technology: 196 patents, 162 pending
Cash
Founded November 2000, 1st product shipped 2002, IPO 2009
HQ: Sunnyvale, California
Employees: 3000+ worldwide
Consistent growth, gaining market share
Strong positive cash flow, profitable
$16M
2003
2014
Based on Q4 and FY 2014 data
2
Malware & Hacking – the Past
Trend – Mobile Ransomware
4
Creeper – The First ‘Computer Virus’
Creeper
 Experimental self-replicating program
 Written in 1971
 Considered a mobile or rogue application in that it
moved form computer to computer
 It hogged resources and essentially DoS’d its host
network through excessive replication
 Infected DEC PDP-10 computers running TENEX
OS on DARPANET
 ‘Reaper’ worm created in ‘72 to delete it – 1st AV
5
Trend – Mobile Ransomware
6
The First ‘Hack’
Marconi Wireless Telegraph Demo
 Positioned as confidential, eavesdrop-proof
 Morse code message to be sent 300 miles from Wales
to the Royal Institution of London
 But right before they got started…
“Scientific Hooliganism”
“rats
rats
rats
there
once
was a…”
 Nevil Maskelyne, magician and self-taught wireless
technology experimenter
 Transmitted taunt from nearby building and showed
interception/disruption was possible
 Justified his actions on the grounds of the security holes it
revealed for the public good
 Later funded by ‘wired’ telegraph industry to spy on
Marconi’s ship to shore trials
7
State of Security Today
2014-15 … Breaches Continue …
But with its exponential growth, increased damage more serious than ever
Sony
50K
European
Central
Bank
Gmail
LastPass
Adobe
152M
Nieman
Marcus
Mozilla
Korean
Credit
Bureau
US Feds
2M
Target
1M
Dominos Pizza
(France)
Twitter
Vodafone
AdultFriendFinder
1.9M
IRS
100K
Apple
Snapchat
Kapersky
Source:
DataBreaches.net
9
Two Major Internet Vulnerabilities in 2014
HeartBleed
ShellShock
500,000 web
servers affected
Millions of Internet
connected devices affected
10
Magnitude of Hacking and Cyber Espionage
“The Chinese have penetrated every major corporation of any
consequence in the United States and taken information. We've never,
ever not found Chinese malware.”
Ex-NSA Director Mike McConnell
“There are two types of companies in America … those who have been
hacked and know about it and those who have been hacked and don’t
know about it!”
Ex-FBI Director Robert Mueller
11
Time to Discovery of a Breach is Not Keeping Up
Time to compromise
75%
50%
Time to discovery
2013
2012
2011
2010
2009
2008
2007
25%
2006
 Once inside, what can be done
to contain and minimize the
attack?
100%
2005
 Time to compromise
accelerating faster than
Discovery
Percent of breaches where time to compromise (red)/time to
discovery (blue) was days or less
2004
 Wide gap between
percentages for the two
phases
*Verizon DBIR 2014
12
Defense in Depth
Defense in Depth – Where does it come from?
 We have all heard of the term “defense in depth”, right?
 Rather popular term in IT security.
 Many of us have built security designs and architectures around this term.
 Anyone know where it comes from?
 Anyone heard of the Siegfried Line?
 The Siegfried Line was a continuous defensive system built by Germany at
the beginning of WWII that stretched 400 miles from Holland down along
the German border all the way to Switzerland.
 The brainchild of Fritz Todt, a civil engineer.
14
Defense in Depth – What was it?
 A system of inter locking, complementary
individual defensive systems created to work
together to neutralize and stop the advance of
allied attacks into Germany
 Series of zones and barriers used to slow down
and expose various elements of a coordinated
attack and strip away the benefit of a multipronged assault where infantry, both on foot and
mechanized, armor, artillery and air power would
all be coordinated in an effective combined effort.
 How did it work?
15
Defense in Depth – What was it?
 Step 1 – a row of anti-tank obstacles that would slow down and expose the
underbelly of heavy armor to defensive anti-tank guns.
16
Defense in Depth – What was it?
 Step 2 – a row of anti-personal mines to take out infantry and light vehicles.
17
Defense in Depth – What was it?
 Step 3 – heavy use of barbed wire to slow down, trap and expose
remaining infantry to heavy defensive machine gun fire.
18
Defense in Depth – What was it?
 Step 4 – underground, fortified, steel reinforced concrete bunkers that
served as machine gun posts and artillery embankments that had
protection from air and artillery.
19
Defense in Depth – What was it?
 Step 5 – ‘booby traps’ and ‘murder holes’ within the “wall” itself for when
the bunker system was finally penetrated.
20
Defense in Depth in Cyber Warfare
 Over time, point solutions have
been deployed in response to
evolving threats
 Platforms vary across deployment
scenarios
Management
 Numerous management consoles
 Inconsistent policy and
networking function
VPN
WAN
Acceleration
Web
Filtering
Application
Control
Firewall
 Varying upgrade cycles
 This model still sees defense in
depth as pertaining to clearly defined
Internet vs Internal
IPS
Advanced
Threat
Protection
Antivirus
WiFi Controller
21
Advanced Threats Take Advantage of
the “Flat Internal” Network
 Existing Firewall’s focus on the
border – the Internet
 Internal network no longer
“trusted”
 Many ways into the network
 Once inside threats
can spread
22
Internal Security is Integral to a Layered Security
Approach – Defense in Depth
 What is Needed
What is Internal Security?
» Inside-out visibility
» Internal segmentation
» Authentication
» Easy integration into the
network
DMZs, firewalls,
IDS, gateway AV
Protects attacks
from within
Client security
controls
» Don’t be the bottleneck
23
Layered Security and the Zero Trust Model
EXTERNAL vs. INTERNAL
Internal vs External is an
antiquated notion.
We have been taught to not trust
the external but trust the internal.
PROTECT THE DATA
We need to get away from a
concept of protecting the network
to one in which we protect the
data.
ALWAYS AUTHENTICATE
Access to the network needs to be seen in
the context of access to the data …
•
•
•
•
who needs access
what data do they need access to
when do they need access
from where and from what device
EDGE FIREWALLS ARE NOT ENOUGH
ANYMORE
24
Too Many Ways In…
Data Center
Cloud
Security Becomes a
Bottleneck
Security out of
your Control
AV Signature
Only
Protection
Internal Network
External Network
(Multi-Megabit)
(Multi-Gigabit)
Too Many Point
Solutions
“FLAT” Internal
Network Architecture
Endpoint
Internet
Multi-Function
Gateway
No Security
Agents
Not every
Security App
switched on
More Customer/Partner
Access
Less Trustworthy
Networks/Subsidiary
WAN
25
Internal Firewall (INFW)
Internal Network Firewall (INFW)
 Complete Protection– Continuous
inside-out protection against
advanced threats
 Segmentation – Default
Transparent Mode means no need
to re-architect the network
To Internet
DISTRIBUTION/
CORE LAYER
Core/Distribution Switch
Access
Switch/VLAN
LOCAL SERVERS
 High Performance – Multi-Gigabit
throughput supports wire speed
East-West traffic
USER NETWORK
DEVICES
• FortiGate wire
intercept using
transparent port pair
• High speed interface
connectivity
• IPS, ATP & App
Control
ACCESS LAYER
27
Internal Firewall Deployment Modes
Deployment
Mode
Deployment
Complexity
Network
Functions
High
Availability
Traffic
Visibility
Threat
Prevention
Network
Routing
High
L3 – L7



Transparent
Low
L1 – L2



Sniffer
Low




Transparent mode combines the advantages of
Network Routing and Sniffer mode
28
Internal Network Firewall Deployment (before)
INTERNAL
EXTERNAL
Network A
Network B
Problems
 No controls in place
Edge
Firewall
(NGFW)
» Users in network A can access
anything they want in network
B with basically file permissions
as the only source of role
based control
 Can’t stop a worm or botnet
propagating internally
 Can’t stop an attack launched
from network A to an asset on
network B
29
Internal Network Firewall Deployment (after)
INTERNAL
EXTERNAL
Network A
Network B
Problems Solved
Internal
Firewall
(INFW)
 Access controls enforced
Edge
Firewall
(NGFW)
» Identity based access controls
enforce who, what, when and
from where an asset can be
accessed
 Traffic can be scanned for
worms and botnets as it
moves laterally in the network
 Internal attacks are stopped
30
Security in the Next Gen Data Center
31
Customer Challenge – East West Traffic
FACT: 76% of Data Center
Traffic is East-West*
Data Center Edge
North-South
 East-west traffic visibility
 Session statefulness during live migration (e.g.
vMotion
 Overlay and other SDN/SDDC network
virtualization (e.g. VXLAN)
East-West
 Logical ports, IP’s, MAC can break static rules
*Cisco Global Cloud Index, 2013
32
Internal Network Firewall – How is it different?
Deployment
INFW
NGFW
UTM
DCFW
CCFW
Purpose
Visibility & protection for
internal segments
Visibility & protection
against external threats
and internet activities
Visibility & protection
against external threats
and user activities
High performance, low
latency network protection
Network security for
Service Providers
Location
Access Layer
Internet Gateway
Internet Gateway
Core Layer/DC gateway
Various
Network Operation
Mode
Transparent Mode
NAT/Route Mode
NAT/Route Mode
NAT/Route Mode
NAT/Route Mode
Hardware requirements
Higher port density to
protect multiple assets,
hardware acceleration
GbE and GbE/10 port
High GbE port density,
integrated wireless
connectivity and PoE
High speed (GbE/10
GbE/40 GbE/100) & high
port density, hardware
acceleration
High speed (GbE/10
GbE/40 GbE, GbE/100) &
high port density,
hardware acceleration
Security Components
Firewall, IPS, ATP,
Application Control
(User-based) Firewall,
VPN, IPS, Application
Control,
Comprehensive and
extensible, client and
device integration
Firewall, DDoS protection
Firewall, CGN, LTE &
mobile security
Other Characteristics
Rapid Deployment –
near zero configuration
Integration with Advanced
Threat Protection
(Sandbox)
Broad WAN connectivity
options including
3G/4G/LTE
High Availability
High Availability
33
Fortinet Advantage – GLOBAL Platform
FortiOS & Scalable High Performance Architecture Enable Deployment Across The Entire Enterprise
Data Center/SDN
Virtual
Machine
Firewall
Internal Network
(Ultra Low Latency)
Internal Network
Firewall
(INFW)
2
Boundary
5
Data Center
Firewall
(DCFW)
4
6
Carrier/MSSP/Cloud
Cloud
Firewall
(CFW)
7
Carrier Class Firewall
(CCFW)
INTERNET
Mobile Users
Client Firewall
8
1
Next Gen Firewall
+ Advanced
Threat Protection
(NGFW
+ ATP)
Enterprise
Campus
Distributed Enterprise
& Small Business
And Large Sites
3
Unified Threat Management (UTM)
34