Firewalling at the edge is no longer enough, so organisations increasingly need to combine suitable firewall placement with segmentation and zero-trust strategies that can be centrally managed, according to Stormshield product marketing manager Stéphane Prevost.
“Historically conceived as an impenetrable wall around the edge of the network, its function has since evolved considerably,” Prevost said via the IT/OT networking and endpoint security company’s blog.
“The options are numerous, and will depend on your security objectives and the capacity of your firewalls.”
Organisations need to go “back to basics” in a sense, Prevost suggested, and reassess their requirements in line with newly dynamic circumstances to ensure an effective approach to corporate network security.
“To respond to the changing threat landscape and block all lateral movement attempts by malware, system administrators have had to rethink their use of firewalls, adding new layers of protection,” he explained.
Firewalling remains a key pillar, but changing work environments and more advanced threats mean firewalls may need deployment at different points on the network, itself now made up of more diverse internal and external elements.
The optimum choice may depend on your security objectives and the capacity of your firewalls, he added.
“Note that, in line with the principle of defence in depth, it is advisable to install at least two firewalls to create a ‘demilitarised zone (DMZ)’,” Prevost said.
The aim is to implement several levels of trust across internet, LAN, datacentres and other cloud environments. A ‘next generation’ firewall can add network segmentation based on ‘zero trust’ approaches, according to Stormshield.
“Having compromised and infiltrated a machine, [cybercriminals] scan the equipment connected to the network in preparation for a potential rebound attack,” Prevost said.
“By dividing this area into distinct zones, an administrator can apply strict access and flow controls.”
Simon Dansette, product manager at Stormshield, said a DMZ helps compartmentalise the network for a specific need by blocking all options for lateral movement, including direct routing between two firewalls, and creating zones of trust and zero trust.
Users and network components should not be trusted by default; instead, they must prove their identity and legitimacy every time they request access to a resource.
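The two-firewall DMZ and default-deny zone policy described above, as an added illustration that is not Stormshield's code or configuration: a small model of two chained rulesets (outer firewall between internet and DMZ, inner firewall between DMZ and LAN) that evaluates a flow against every firewall on its path and denies anything no rule explicitly allows, so a lateral-movement attempt from a compromised DMZ host is blocked while its legitimate traffic still passes. Zone names, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any destination port
    action: str              # "allow" or "deny"

# Constructed rulesets for the two chained firewalls (hypothetical, not a vendor policy).
OUTER_FW = [Rule("internet", "dmz", 443, "allow")]          # public web tier only
INNER_FW = [Rule("dmz", "lan", 5432, "allow"),              # web tier -> database port
            Rule("lan", "dmz", 22, "allow")]                # admins manage DMZ hosts

# Which rulesets a flow must pass. Internet<->LAN traffic has to cross both firewalls
# because the assumed topology has no direct route between them that bypasses the DMZ.
ZONE_PATH = {
    ("internet", "dmz"): [OUTER_FW],
    ("dmz", "lan"): [INNER_FW],
    ("lan", "dmz"): [INNER_FW],
    ("internet", "lan"): [OUTER_FW, INNER_FW],
}

def evaluate(rules, src, dst, port):
    """First-match evaluation; no matching rule means deny (the zero-trust default)."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, port):
            return r.action
    return "deny"

def allowed(src, dst, port):
    """A flow is permitted only if every firewall on its path permits it."""
    path = ZONE_PATH.get((src, dst))
    if path is None:          # unknown or same-zone pair: nothing vouches for it
        return False
    return all(evaluate(rules, src, dst, port) == "allow" for rules in path)

def broad_rules(rules):
    """Audit helper: allow-rules matching any port weaken the segmentation."""
    return [r for r in rules if r.action == "allow" and r.dst_port is None]

if __name__ == "__main__":
    # A host compromised in the DMZ probing SSH on the LAN is blocked by the inner
    # firewall, while its legitimate database flow still works.
    print("dmz->lan:22   ", allowed("dmz", "lan", 22))          # False
    print("dmz->lan:5432 ", allowed("dmz", "lan", 5432))        # True
    print("internet->lan ", allowed("internet", "lan", 5432))   # False: outer FW denies
```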
According to Dansette, centralised management makes it possible to reduce the complexity of managing the various firewall connections, simplify compliance, and reduce network administration time. All this should be combined with maximum visibility, ensuring timely responses.
“This is a strong asset for MSSPs and IT resellers,” he added via the blog.
“Centralised management makes it possible to manage the configuration of several firewalls using a single tool, and administer them all from a single platform. Changes can be made quickly and easily, providing security for their customers and productivity gains for their teams.”