The question posed above is one I have heard many times from customers and IT people in general: does having a firewall as your network core make any sense, or does it just create more work?
Many of you may say “NO”, it’s not necessary. I would disagree with you. In today’s world of connectivity, security is a major concern for most organisations. Ask yourself: where do breaches in the network usually originate? Some people will say the Internet. That is true; the Internet has never been free of threats. The question, however, is where the rest of the threats come from.
To me, the network is like a neighbourhood: we know who our neighbours are and where they belong. Your neighbour does not have keys to your house, do they? If they tried to enter uninvited, you would no doubt raise an alarm. Then why give your users unrestricted access to your neighbourhood (the network)? That poses unnecessary risk, doesn’t it?
Studies have repeatedly shown that a growing share of threats originate inside the network, from your “trusted” users. These may be malicious users, or users whose machines have simply been infected by viruses or malware. How do you defend against these threats?
The best method, in my opinion, is Zero Trust. Some of you may be familiar with the concept. Zero Trust, as the name implies, removes implicit trust from the network: being connected to the internal network no longer earns a user any access. Users get access only to the resources they need. For example, if Bill needs access to file shares and printing, he is given access to only those resources; he will not be able to browse the Internet or use social media. The policies are granular enough that if he needs only one (1) file server and there are five (5) of them, he will only be able to reach the single server he has been granted.
How do we achieve this? The question in the title sets the basis for this discussion. A key component of this approach is a Next Generation Firewall (NGFW), placed at the core of your network so that every access to a network resource passes through it and is subject to policy. Before the firewall is configured you need to:
- Identify the critical resources that need to be protected. All your Zero Trust policies will be built around these resources.
- Identify who needs access to those resources: does a user or user group need access to all of them, or only to a subset?
- Take a detailed look at your users’ traffic flows in your environment. If this step is rushed, users will lose access to resources they legitimately need as soon as the policies are enforced; running the new policies in a log-only mode for a while before enforcing them is the usual way to catch the gaps.
- Identify the technology for user identity. A user’s identity must be verified before access to resources is granted; this can be achieved with Active Directory (AD) integration, where the firewall learns which user is logged in at which address through its connection to AD. That user-to-address mapping is what the policies are built on. Because identity is so important, some companies go a step further and enable two-factor authentication where appropriate: along with their password, users complete another verification step, for instance with a token.
With the traffic flows verified and the user groups identified and configured in AD, the policies can now be configured. The administrator uses the observed traffic flows to build the firewall policies, leaving no user with unnecessary access. The policies are tied to the AD integration, so a user whose identity has not been verified is given no access to any network resource. This reduces the damage a compromised user or machine can do, because the compromised account can reach only the handful of resources its policies allow.
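As an added worked example (not code from this post, and not any vendor’s implementation), the Python script below models the steps above end to end: a constructed inventory of critical resources, a stubbed AD group lookup standing in for the firewall’s AD integration, a constructed flow log from the observation period, a least-privilege policy derived from those flows, and an identity-aware, default-deny evaluation of new flows. Every host, address, user and group name in it is made up for illustration.

```python
"""Least-privilege policy derived from observed flows, enforced with identity.

Added example, not the post's own code or any firewall vendor's. Hosts,
users, AD groups and the flow log below are constructed; the AD lookup is a
stub for the user-to-address mapping a real NGFW obtains from AD.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Step 1: inventory the critical resources (constructed addresses and names).
RESOURCES: Dict[str, str] = {
    "10.0.10.11": "FS-01", "10.0.10.12": "FS-02", "10.0.10.13": "FS-03",
    "10.0.10.14": "FS-04", "10.0.10.15": "FS-05", "10.0.20.5": "PRINT-01",
}
SERVICES: Dict[int, str] = {445: "SMB", 631: "IPP", 443: "HTTPS", 80: "HTTP"}

# Step 4: identity. Constructed stand-in for AD group membership.
AD_GROUPS: Dict[str, Set[str]] = {
    "bill": {"Domain Users", "Finance"},
    "alice": {"Domain Users", "Engineering"},
}
# Policies are keyed on role groups only. Building them on a catch-all group
# such as "Domain Users" would turn one user's flows into access for everyone.
ROLE_GROUPS: Set[str] = {"Finance", "Engineering"}


@dataclass(frozen=True)
class Flow:
    user: Optional[str]  # None: the firewall could not tie the source IP to a login
    dst: str
    port: int


# Step 3: traffic seen during the observation period (constructed flow log).
OBSERVED: List[Flow] = [
    Flow("bill", "10.0.10.11", 445),     # Bill reads FS-01 over SMB
    Flow("bill", "10.0.20.5", 631),      # Bill prints
    Flow("bill", "203.0.113.10", 443),   # Bill browsing; not a critical resource
    Flow("alice", "10.0.10.13", 445),    # Alice uses FS-03 and FS-04
    Flow("alice", "10.0.10.14", 445),
]

Rule = Tuple[str, str]  # (resource name, service name)


def derive_policy(flows: List[Flow]) -> Dict[str, Set[Rule]]:
    """Step 5: build group -> {(resource, service)} from the flows actually seen.

    Flows with no verified identity, or to anything outside the resource
    inventory (the Internet, for instance), contribute nothing, so they are
    left to the default deny.
    """
    policy: Dict[str, Set[Rule]] = defaultdict(set)
    for f in flows:
        if f.user is None or f.dst not in RESOURCES or f.port not in SERVICES:
            continue
        for group in AD_GROUPS.get(f.user, set()) & ROLE_GROUPS:
            policy[group].add((RESOURCES[f.dst], SERVICES[f.port]))
    return dict(policy)


def evaluate(flow: Flow, policy: Dict[str, Set[Rule]]) -> Tuple[str, str]:
    """Firewall decision: identity required first, then an explicit allow, else deny."""
    if flow.user is None:
        return "DENY", "source has no verified identity"
    rule = (RESOURCES.get(flow.dst, flow.dst), SERVICES.get(flow.port, str(flow.port)))
    for group in AD_GROUPS.get(flow.user, set()):
        if rule in policy.get(group, set()):
            return "ALLOW", f"{group} may use {rule[1]} on {rule[0]}"
    return "DENY", "no policy grants this flow (default deny)"


POLICY = derive_policy(OBSERVED)

if __name__ == "__main__":
    for group, rules in sorted(POLICY.items()):
        print(group, sorted(rules))
    for f in [Flow("bill", "10.0.10.11", 445),    # ALLOW: the one server Bill uses
              Flow("bill", "10.0.10.12", 445),    # DENY: FS-02 was never granted
              Flow("bill", "203.0.113.10", 443),  # DENY: Internet not in policy
              Flow(None, "10.0.10.11", 445)]:     # DENY: no identity for the source
        print(f, *evaluate(f, POLICY))
```

Two design points carry over to a real deployment: the derived policy reaches only the inventoried resources, so Bill sees FS-01 and the printer and none of the other four file servers or the Internet, and identity is checked before any rule is consulted, so a machine the firewall cannot map to a login gets nothing, exactly the behaviour the post describes for an unverified user. In a real NGFW the `AD_GROUPS` stub is the AD integration and the `OBSERVED` list is the log-only phase of the rollout.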
This was just a high-level introduction to Zero Trust; maybe next time I will tell you how I implemented it using Fortinet’s Next Generation Firewalls.