The Internal Firewall
The Zero Trust Model and Need for Internal Segmentation
Harley Waterson, Sales Specialist – Fortinet
© Copyright 2013 Fortinet Inc. All rights reserved.

A Global Leader and Innovator in Network Security
Fortinet Quick Facts
Global presence and customer base
• Customers: 225,000+
• Units shipped: 1.9+ Million
• Offices: 80+ worldwide
Platform Advantage built on key innovations
• FortiGuard: industry-leading threat research
• FortiOS: tightly integrated network + security OS
• FortiASIC: custom ASIC-based architecture
• Market-leading technology: 196 patents, 162 pending
Founded November 2000, 1st product shipped 2002, IPO 2009
HQ: Sunnyvale, California
Employees: 3000+ worldwide
Consistent growth, gaining market share [chart: revenue, $13M in 2003 to $770M in 2014]
Strong positive cash flow, profitable [chart: cash, $16M in 2003 to ~$1B in 2014]
Based on Q4 and FY 2014 data

Malware & Hacking – the Past
Trend – Mobile Ransomware

Creeper – The First ‘Computer Virus’
• Experimental self-replicating program, written in 1971
• Considered a mobile or rogue application in that it moved from computer to computer
• It hogged resources and essentially DoS’d its host network through excessive replication
• Infected DEC PDP-10 computers running TENEX OS on DARPANET
• ‘Reaper’ worm created in ‘72 to delete it: the 1st AV

The First ‘Hack’: Marconi Wireless Telegraph Demo
• Positioned as confidential, eavesdrop-proof
• Morse code message to be sent 300 miles from Wales to the Royal Institution of London
• But right before they got started… “rats rats rats there once was a…” (“Scientific Hooliganism”)
• Nevil Maskelyne, magician and self-taught wireless technology experimenter, transmitted the taunt from a nearby building and showed that interception/disruption was possible
• Justified his actions on the grounds of the security holes it revealed, for the public good
• Later funded by the ‘wired’ telegraph industry to spy on Marconi’s ship-to-shore trials

State of Security Today
2014-15 … Breaches
Continue … but with their exponential growth, the damage is more serious than ever.
Sony 50K, European Central Bank, Gmail, LastPass, Adobe 152M, Neiman Marcus, Mozilla, Korean Credit Bureau, US Feds 2M, Target 1M, Domino’s Pizza (France), Twitter, Vodafone, AdultFriendFinder 1.9M, IRS 100K, Apple, Snapchat, Kaspersky
Source: DataBreaches.net

Two Major Internet Vulnerabilities in 2014
• Heartbleed: 500,000 web servers affected
• Shellshock: millions of Internet-connected devices affected

Magnitude of Hacking and Cyber Espionage
“The Chinese have penetrated every major corporation of any consequence in the United States and taken information. We've never, ever not found Chinese malware.” Ex-NSA Director Mike McConnell
“There are two types of companies in America … those who have been hacked and know about it and those who have been hacked and don’t know about it!” Ex-FBI Director Robert Mueller

Time to Discovery of a Breach is Not Keeping Up
[Chart, Verizon DBIR 2014: percent of breaches where time to compromise (red) / time to discovery (blue) was days or less, 2004 to 2013, y-axis 25% to 100%]
• Time to compromise is accelerating faster than discovery
• Wide gap between the percentages for the two phases
• Once inside, what can be done to contain and minimize the attack?

Defense in Depth
Defense in Depth – Where does it come from?
We have all heard the term “defense in depth”, right? It is a rather popular term in IT security, and many of us have built security designs and architectures around it. Anyone know where it comes from? Anyone heard of the Siegfried Line?
The Siegfried Line was a continuous defensive system built by Germany at the beginning of WWII that stretched 400 miles from Holland down along the German border all the way to Switzerland. It was the brainchild of Fritz Todt, a civil engineer.

Defense in Depth – What was it?
A system of interlocking, complementary individual defensive systems created to work together to neutralize and stop the advance of allied attacks into Germany: a series of zones and barriers used to slow down and expose the various elements of a coordinated attack, stripping away the benefit of a multi-pronged assault in which infantry (on foot and mechanized), armor, artillery and air power would all be coordinated in an effective combined effort.
How did it work?
• Step 1: a row of anti-tank obstacles that would slow down heavy armor and expose its underbelly to defensive anti-tank guns.
• Step 2: a row of anti-personnel mines to take out infantry and light vehicles.
• Step 3: heavy use of barbed wire to slow down, trap and expose the remaining infantry to heavy defensive machine-gun fire.
• Step 4: underground, fortified, steel-reinforced concrete bunkers that served as machine-gun posts and artillery emplacements, with protection from air and artillery attack.
• Step 5: ‘booby traps’ and ‘murder holes’ within the “wall” itself, for when the bunker system was finally penetrated.
Defense in Depth in Cyber Warfare
Over time, point solutions have been deployed in response to evolving threats: Firewall, VPN, IPS, Antivirus, Web Filtering, Application Control, WAN Acceleration, Advanced Threat Protection, WiFi Controller.
• Numerous management consoles
• Platforms vary across deployment scenarios
• Inconsistent policy and networking function
• Varying upgrade cycles
This model still sees defense in depth as pertaining to a clearly defined Internet vs. Internal boundary.

Advanced Threats Take Advantage of the “Flat Internal” Network
• Existing firewalls focus on the border, the Internet
• The internal network is no longer “trusted”
• Many ways into the network
• Once inside, threats can spread

Internal Security is Integral to a Layered Security Approach – Defense in Depth
What is Internal Security? Protection against attacks from within, alongside the perimeter controls (DMZs, firewalls, IDS, gateway AV) and client security controls.
What is Needed
» Inside-out visibility
» Internal segmentation
» Authentication
» Easy integration into the network
» Don’t be the bottleneck

Layered Security and the Zero Trust Model
EXTERNAL vs. INTERNAL: Internal vs. external is an antiquated notion. We have been taught not to trust the external but to trust the internal.
PROTECT THE DATA: We need to get away from the concept of protecting the network to one in which we protect the data.
ALWAYS AUTHENTICATE: Access to the network needs to be seen in the context of access to the data …
• who needs access
• what data do they need access to
• when do they need access
• from where and from what device
EDGE FIREWALLS ARE NOT ENOUGH ANYMORE

Too Many Ways In…
[Diagram: Internet, Multi-Function Gateway, External Network (Multi-Megabit), Internal Network (Multi-Gigabit), Data Center, Cloud, Endpoint, WAN]
• “Flat” internal network architecture
• Security becomes a bottleneck
• Too many point solutions
• Not every security app switched on
• Security out of your control
• AV signature-only protection
• No security agents
• More customer/partner access
• Less trustworthy networks / subsidiary WAN

Internal Firewall (INFW)
Internal Network Firewall (INFW)
• Complete Protection: continuous inside-out protection against advanced threats
• Segmentation: default Transparent Mode means no need to re-architect the network
• High Performance: multi-gigabit throughput supports wire-speed East-West traffic
[Diagram: To Internet; Distribution/Core Layer (Core/Distribution Switch); Access Layer (Access Switch/VLAN); Local Servers; User Network Devices]
• FortiGate wire intercept using transparent port pair
• High speed interface connectivity
• IPS, ATP & App Control

Internal Firewall Deployment Modes
Deployment Mode   | Deployment Complexity | Network Functions
Network Routing   | High                  | L3 – L7
Transparent       | Low                   | L1 – L2
Sniffer           | Low                   |
[The slide also compared High Availability, Traffic Visibility and Threat Prevention per mode using icons]
Transparent mode combines the advantages of Network Routing and Sniffer mode.

Internal Network Firewall Deployment (before)
[Diagram: Edge Firewall (NGFW) at the External/Internal boundary; Network A and Network B on the internal side]
Problems: no controls in place
» Users in network A can access anything they want in network B, with basically file permissions as the only source of role-based control
» Can’t stop a worm or botnet propagating internally
» Can’t stop an attack launched from network A to an asset on network B

Internal Network Firewall Deployment (after)
[Diagram: Edge Firewall (NGFW) at the External/Internal boundary; Internal Firewall (INFW) between Network A and Network B]
Problems solved: access controls enforced
» Identity-based access controls enforce who, what, when and from where an asset can be accessed
» Traffic can be scanned for worms and botnets as it moves laterally in the network
» Internal attacks are stopped

Security in the Next Gen Data Center
Customer Challenge – East-West Traffic
FACT: 76% of Data Center Traffic is East-West (*Cisco Global Cloud Index, 2013)
[Diagram: Data Center Edge; North-South vs. East-West flows]
• East-west traffic visibility
• Session statefulness during live migration (e.g. vMotion)
• Overlay and other SDN/SDDC network virtualization (e.g. VXLAN)
• Logical ports, IPs and MACs can break static rules

Internal Network Firewall – How is it different?
INFW
• Purpose: Visibility & protection for internal segments
• Location: Access Layer
• Network Operation Mode: Transparent Mode
• Hardware requirements: Higher port density to protect multiple assets, hardware acceleration
• Security Components: Firewall, IPS, ATP, Application Control (user-based)
• Other Characteristics: Rapid deployment, near zero configuration
NGFW
• Purpose: Visibility & protection against external threats and internet activities
• Location: Internet Gateway
• Network Operation Mode: NAT/Route Mode
• Hardware requirements: GbE and 10 GbE ports
• Security Components: Firewall, VPN, IPS, Application Control
• Other Characteristics: Integration with Advanced Threat Protection (Sandbox)
UTM
• Purpose: Visibility & protection against external threats and user activities
• Location: Internet Gateway
• Network Operation Mode: NAT/Route Mode
• Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
• Security Components: Comprehensive and extensible, client and device integration
• Other Characteristics: Broad WAN connectivity options including 3G/4G/LTE
DCFW
• Purpose: High performance, low latency network protection
• Location: Core Layer / DC gateway
• Network Operation Mode: NAT/Route Mode
• Hardware requirements: High speed (10/40/100 GbE) & high port density, hardware acceleration
• Security Components: Firewall, DDoS protection
• Other Characteristics: High Availability
CCFW
• Purpose: Network security for Service Providers
• Location: Various
• Network Operation Mode: NAT/Route Mode
• Hardware requirements: High speed (10/40/100 GbE) & high port density, hardware acceleration
• Security Components: Firewall, CGN, LTE & mobile security
• Other Characteristics: High Availability

Fortinet Advantage – GLOBAL Platform
FortiOS & Scalable High Performance Architecture Enable Deployment Across The Entire Enterprise
[Diagram: deployment map around the INTERNET]
• Boundary: Next Gen Firewall + Advanced Threat Protection (NGFW + ATP)
• Internal Network: Internal Network Firewall (INFW)
• Enterprise Campus and Large Sites; Distributed Enterprise & Small Business: Unified Threat Management (UTM)
• Data Center/SDN (Ultra Low Latency): Data Center Firewall (DCFW), Virtual Machine Firewall
• Carrier/MSSP/Cloud: Cloud Firewall (CFW), Carrier Class Firewall (CCFW)
• Mobile Users: Client Firewall
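The before/after deployment slides contrast a flat internal network, where anything in Network A reaches anything in Network B, with identity-based segmentation that enforces who, what, when and from where. The following toy policy evaluator is an added illustration (not Fortinet code and not a FortiOS configuration); the user, segment, device and asset names and the sample flows are constructed.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Flow:  # one east-west connection attempt (constructed, not captured traffic)
    user: str       # who ("" = unauthenticated)
    src_net: str    # from where
    device: str     # from what device: "managed" / "unmanaged"
    dst_asset: str  # what
    at: time        # when

@dataclass(frozen=True)
class Rule:  # identity-based allow rule; every attribute must match
    users: frozenset
    src_nets: frozenset
    devices: frozenset
    dst_assets: frozenset
    start: time
    end: time

    def matches(self, f: Flow) -> bool:
        return (f.user in self.users and f.src_net in self.src_nets
                and f.device in self.devices and f.dst_asset in self.dst_assets
                and self.start <= f.at <= self.end)

def flat_network(flow: Flow) -> str:
    """'Before' slide: no internal controls, so anything inside reaches anything."""
    return "allow"

def segmented(flow: Flow, rules) -> str:
    """'After' slide: default deny; cross-segment traffic needs an explicit identity rule."""
    if not flow.user:
        return "deny"  # always authenticate
    return "allow" if any(r.matches(flow) for r in rules) else "deny"

# Constructed policy: alice on a managed device in Network A may reach payroll-db in B, 08:00-18:00.
RULES = [Rule(frozenset({"alice"}), frozenset({"networkA"}), frozenset({"managed"}),
              frozenset({"payroll-db"}), time(8, 0), time(18, 0))]

SAMPLE_FLOWS = [  # constructed test traffic
    Flow("alice", "networkA", "managed", "payroll-db", time(10, 30)),    # legitimate
    Flow("alice", "networkA", "managed", "payroll-db", time(23, 15)),    # off-hours
    Flow("alice", "networkA", "unmanaged", "payroll-db", time(10, 30)),  # unmanaged device
    Flow("", "networkA", "managed", "file-server-B", time(10, 30)),      # unauthenticated probe
    Flow("bob", "networkA", "managed", "payroll-db", time(10, 30)),      # wrong identity
]

def evaluate(flows, rules=RULES):
    """Return (flat, segmented) verdicts per flow so the two models can be compared."""
    return [(flat_network(f), segmented(f, rules)) for f in flows]
```

Every sample flow passes under the flat model; only the first passes once segmentation with identity, device and time-of-day conditions is enforced.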