When WatchGuard launched its first Firebox in the mid-nineties the network was relatively straightforward and the perimeter well defined. Since then the corporate enterprise has become far more distributed and complex. In fact, people are the new perimeter and, more often than ever before, they are working outside the corporate network. The threat landscape has also changed dramatically and, despite the best attempts of security vendors, resellers and professionals, cyber attackers still successfully manage to breach large organisations.
As networks have become more complex and more users have access to corporate resources, one challenge is ensuring that users with different business roles and different access rights to privileged data are separated onto different networks with full security controls between them. This is called segmentation.
Segmentation isn’t new and is not very ‘sexy’ when it comes to security, but it’s often misunderstood. In a recent worldwide survey, more than half of respondents said that segmentation is not a top priority on their security list, since it doesn’t seem to offer direct business benefits. Yet, they forget that the recent Target breach in the US is a great example of the risk of poor segmentation. Attackers simply transformed access to an external partner portal into full access to Target’s systems. True segmentation would have made it harder for attackers to jump from one network to another.
Another common myth is that role-based authentication is segmentation. While this is important, even correctly implemented authentication may not be totally reliable. If attackers gain physical access, they might still exploit software flaws to bypass authentication altogether.
If you really want to limit access, you need to segment resources at a physical network level too. But switches, routers and VLANs won’t provide big enough security bumps between segments. Just having something on a separate network doesn’t mean you can apply the proper security policies to traffic between those two networks.
Good next generation firewalls and unified threat management security appliances can overcome this as they are not limited to just three-pronged networks – WAN, LAN and the DMZ. The latest WatchGuard Firebox UTM/NGFW appliances, for example, are designed to further simplify network segmentation, removing the need for complex configurations and making it easier to apply traffic-appropriate policies across multiple network segments – a process beyond the technical reach of many resellers or end user organisations. And combined with good network visibility tools, it is also possible to map the traffic, create custom policies based on what traffic is in each segment and instantly see how it affects traffic. Applying the appropriate security policies to the correct traffic flows is what truly defines the success of a segmentation strategy.
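As an added illustration (not WatchGuard's or any product's code), this small Python model contrasts the two situations described above: separate networks that are routed but unfiltered, where every inter-segment flow passes, and an enforcement point with explicit per-segment-pair rules and an implicit default deny. The segment names, rules and service names are constructed for the example.

```python
# Added example: a minimal model of inter-segment policy enforcement.
from dataclasses import dataclass

# Constructed segment names for illustration only.
SEGMENTS = {"partner_portal", "corporate_lan", "guest_wifi", "internet"}

@dataclass(frozen=True)
class Rule:
    src: str       # source segment, or "*" for any
    dst: str       # destination segment, or "*" for any
    service: str   # e.g. "https", or "*" for any
    action: str    # "allow" or "deny"

def vlan_only(src, dst, service):
    """Separate networks with plain routing between them and no policy
    enforcement point: every routable inter-segment flow is permitted."""
    return "allow", None

def firewall_policy(rules, src, dst, service):
    """First-match evaluation of explicit per-segment-pair rules. A flow that
    matches no rule is denied, so lateral movement between segments only
    works where it has been expressly allowed."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        raise ValueError(f"unknown segment in flow {src}->{dst}")
    for rule in rules:
        if (rule.src in (src, "*") and rule.dst in (dst, "*")
                and rule.service in (service, "*")):
            return rule.action, rule
    return "deny", None   # implicit default deny between segments

# Constructed policy: the partner portal is reachable from the Internet over
# HTTPS, but nothing in the portal segment gets a path into the corporate LAN.
POLICY = [
    Rule("internet", "partner_portal", "https", "allow"),
    Rule("corporate_lan", "internet", "https", "allow"),
    Rule("guest_wifi", "internet", "*", "allow"),
    Rule("*", "corporate_lan", "*", "deny"),   # explicit deny, visible in logs
]

def compare(src, dst, service):
    """Return (decision without enforcement, decision with policy) for a flow."""
    return vlan_only(src, dst, service)[0], firewall_policy(POLICY, src, dst, service)[0]

if __name__ == "__main__":
    for flow in [("partner_portal", "corporate_lan", "smb"),
                 ("internet", "partner_portal", "https"),
                 ("guest_wifi", "corporate_lan", "https")]:
        print(flow, compare(*flow))
```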
Effective segmentation has never been more critical. With the increased expectation for anytime, anywhere employee access and advances around embedded Internet of Things (IoT) devices and recent breaches tied to a lack of proper segmentation, organisations need to re-evaluate how they segment the network and ensure they have the right policies applied.
Network security solutions are only good if they’re not too difficult for resellers or their customers to deploy, configure, manage and use. There is no turning back to the simpler days of protecting a fixed network perimeter. Our job is to provide our channel partners and their clients with the technologies and tools to deal with complex and evolving challenges.
Jon-Marc Wilkinson is Distribution Manager UK & Ireland at WatchGuard Technologies