Inspect Everything, Protect Everything: Next Generation Firewalls for Network Segmentation Inspection

Most of us would reach into a cookie jar full of delicious, just-out-of-the-oven, chocolate chip cookies without a care in the world, or any doubt that we should simply enjoy the euphoric chocolaty goodness.

But what about germs? Did everyone wash their hands before reaching into the jar? What soap did they use? How do you know if your delicious cookie hasn’t been infected? It’s not like you can force someone to stand guard with a bottle of hand sanitizer to ensure that everyone is disinfected before they reach their hand into the jar. Or can you?

Your network data is a lot like that jar of cookies. You want to ensure it is available for those trusted to be able to enjoy and use, and you want to keep it safe from infection. You also want to be able to see who else is reaching into your cookie jar, and make sure they aren’t eating all the cookies. You want to make sure you are protected from cookie thieves and other crumb snatchers.

The practice of architecting a network with different zones and segments based on usage, function, or location (for instance, configuring different network zones or VLANs for different uses such as isolating DMZ from LAN traffic) is nothing new. It has been a long standing cornerstone in any enterprise network. Over the years this segmentation theme has grown drastically in some enterprises, such that different hallways or floors of buildings are isolated on specific VLANs, or printers and servers are on different VLANs than end-user workstations. In some cases, there could be further segmenting of various WIFI networks, VoIP networks, or public accessible kiosks. In the Internet of Things model, everything needs to be connected, but, for controlling the connectivity, network segmentation is still a vastly favored and effective method.

However, there is a flaw to this mindset that many network admins and architects have overlooked, and that is the evolving security threat landscape. Most networks using forms of VLAN segmentation have deployed these VLANs on high-performance-core network switches to support the vast demand of connectivity and throughput performance. As such, the most common example one might see of this configuration is several VLANs combined with Layer 3 IP Interfaces built on the core switch. Once this is configured, it enables users to route directly over the switch from user networks to the server networks. While this is traditionally a very effective and standard approach to network communications, it has become an effective way for malware to communicate as well. In this approach, as there is typically no access control between the end-users and server segments, exploits, trojans, and malware can pass freely from zone to zone.

Consider the data as the cookies, and the server zone in which they sit as the cookie jar. You need to make sure every user that reaches their hand into that jar has used hand sanitizer to make sure they are not passing off any infections. You need to make sure the users reaching into that jar are who they say they are, and that they aren’t stealing your favorite cookie. You cannot rely on simple network access control or stateful packet inspection via access list on a core switch to protect your cookies. The threat landscape has evolved, and stateful rules that would permit file share access would also permit communications for the latest ransomware exploits. Don’t let the bad guys hold your cookies hostage.

By deploying the SonicWall Next-Gen Firewall with advanced Gateway Antivirus, Access Control, Application Inspection, Intrusion Prevention, and Advanced Persistent Threat Protection, in combination with a network architecture crafted for segmenting different network zones, you can successfully ensure that everyone’s hands have been disinfected. Keep your cookie jar clean from the latest botnets, exploits, intrusions, and malware. Read more on this topic with our “Executive Brief: Why you need network security segmentation to stop advance threats.”

Rob Krug

Senior Security Solution Architect | SonicWall

Rob has been in the network engineering and security space for over 27 years and has been recognized as a past SonicWall Security Engineer of the Year. His background includes extensive work with telecommunications, network design and management, and network security. Specializing in security vulnerabilities, his background includes extensive training and experience in cryptography, ethical hacking and reverse engineering of malware. A Master CSSA, Rob has dozens of industry certifications and is also as a SonicWall Technical Master. He served in the United States Navy within Naval Intelligence, and also worked as both a data security analyst and director of engineering for multiple international service providers. Rob has designed, implemented and maintained some of the most complex and secure networks imaginable. And he collects malware for fun.