Next Generation Network Design
In my previous blog post, I discussed the basic level of network segmentation. While segmentation creates separate compartments between different areas of the business, as with the Titanic, it does not make it unsinkable. Diving deeper into the world of network segmentation, past virtual local area network (VLAN) segmentation, having compartments between different parts of the network is not enough. There has to be a seal that only allows authorized traffic between the compartments.
In the basic segmentation example there was a router routing traffic between segments. While a router can add access control lists, and filters can allow or block traffic between segments, these are not enough in today’s environment because basic port filtering allows too much. Even stateful inspection is not enough today, as that would allow unauthorized and malicious traffic to traverse known and allowed protocols like Hypertext Transfer Protocol (HTTP). In today’s environment where most applications no longer use dedicated ports and instead use HTTP as the transport for an application, something more is required.
Many of the firewalls currently on the market support identification of apps running over different protocols. Collectively these firewalls are called next generation firewalls (NGFWs). One example is how one of these NGFWs identifies Facebook traffic over HTTP. This isn’t just basic Facebook traffic, but games, chat and file sharing that Facebook offers to its users. Perhaps more important are the applications that are trying to be evasive and avoid detection, bypassing organizational policies, attempting to hide command and control traffic, or in the worst case, leaking information like credit card numbers to the outside.
In the past, replacing a router with a firewall has not been feasible for most organizations as the cost of the firewall was exponentially higher. NGFWs – with purpose-built hardware that scales from small offices to large datacenters – and the cloud make it possible to replace a router or Layer 3 (L3) switch with a firewall. In smaller or branch offices, it might actually cost less to use the same device for Internet traffic and internal segmentation. Network design is evolving to include the use of NGFWs to identify traffic between segments. This is the next generation of network design: security incorporated as a central element in the network, not as an afterthought.
When a next generation firewall is inserted on the internal network as the gateway between segments, the visibility it provides creates a “wow” factor. Suddenly, traffic is classified by application, risk, and bandwidth consumption and in most cases, users. For most organizations, increased visibility alone is enough of a return on investment, as it is now possible to determine the traffic paths in an easy, visual manner. However, there is more to be gained from the next gen firewall; the next step in this process is determining why traffic is traversing the network, which will be the topic of my next post.