Firewall, You’re Fired! How Zero Trust Security is Disrupting Network Security Architectures

Analyst White Paper

WRITTEN BY NEMERTES

BROUGHT TO YOU BY 128 TECHNOLOGY

© Nemertes Research 2018 www.nemertes.com DN7067

Johna Till Johnson, CEO and Founder
John Burke, CIO and Principal Research Analyst
Nemertes Research

Q3 2018

Table of Contents

Table of Contents ... 2
Executive Summary ... 3
Trends and Background ... 4
    Security Now ... 4
    Limitations of the Current Approach ... 4
Zero Trust Overview ... 5
    Zero Trust: The Basics ... 5
    The Importance of Automation ... 7
Zero Trust and the Network ... 8
    Automated, Centralized Policy Management ... 8
    Deep Segmentation ... 8
    Nested Segmentation ... 10
    End-to-End Stateful Session Management ... 10
    Integrated Encryption ... 11
    Virtualization and Consolidation of Network and Security Functions ... 11
    Secure Routing Fabrics ... 11
Business Value of Zero-Trust Security ... 12
    Improved Risk Mitigation and Security Posture ... 12
    Reduced Costs: Capital and Operational ... 12
    Improved Agility ... 12
Conclusion ... 13


Executive Summary

Most CISOs have heard about zero-trust security. Leading-edge digital native organizations including Google have re-invented cybersecurity, and in the process upended our most cherished beliefs about how to protect data, applications, and the rest of the enterprise environment. Zero trust relies on—demands—a deeper level of knowledge of systems and data, so that it is possible to put meaningful boundaries around systems and users everywhere. The network is still hugely important to implementing security, but instead of a few barriers at various network chokepoints, the focus is on centrally managed, policy-driven, deeply segmented communications. Large threat surfaces created by complex security rule sets are replaced by many smaller surfaces controlled by simpler rules, easier to understand, plan, create, and maintain. Network security interacts with and reinforces system and data protections.

Zero trust therefore upends our basic understanding of how best to protect data, systems, and users. It requires a radical re-thinking of networks, including the roles—and even the existence—of conventional, separate routers, firewalls, DDoS defenses, network segmentation solutions, and all other familiar network elements. Security functions, increasingly virtualized and modularized in the forms of virtual appliances and virtualized network functions, are implemented throughout the infrastructure as needed.

Zero trust also places security automation at the heart of security operations, and brings with it all the benefits of automation: reliability, agility, and scalability. It does all this while reducing both capital and operational costs on the network, through virtualization and consolidation of network appliances. It also enables virtualized security functionality to be embedded into network functions such as routers—making the network secure from within. Finally, zero trust also drives reduced operating costs, especially by eliminating, or simplifying and automating, management and maintenance tasks, all at reduced costs and with reduced risks.

IT professionals should immediately explore the opportunity to embrace zero trust in their environments; identify where to begin implementing zero-trust principles; seek technologies that can help them implement coordinated, integrated protections around data and systems, and within the network; and build a business case for zero trust in the network around cost reductions, risk reduction, and agility.


Trends and Background

Security Now

How good is cybersecurity at most organizations? Not very. It takes the typical team more than a month to detect that an anomalous event has occurred, understand whether the event represents an attack, and resolve the attack by containing compromised systems and protecting the rest of the environment. (Please see Figure 1.)

Figure 1: Typical SecOps Response Times

However, the most successful companies—the ones who can do all of the above the fastest—are not just a little better; they’re a lot better than their less-successful peers. The most successful can detect, understand, and resolve in an average of 2.3 days, vs. more than 132 days for the least successful. (Note: This data comes from Nemertes’ 2017-2018 Security and Risk Management Research Study, comprising 625 organizations in 12 countries.) The very best performers—those that place in the 99th percentile—can do all this in a matter of minutes.

What differentiates the groups that perform the best? Among other things, they are adopting a zero-trust approach to security, as we discuss below. By embedding security functionality within and throughout the network, they’re able to deploy policy-based automation to detect, understand, and resolve issues significantly faster.

Limitations of the Current Approach

In most companies, the network’s security architecture consists of poorly coordinated layers of security measures at multiple levels: Access Control Lists (ACLs) in edge and backbone switches, coupled with complex and ever-growing rule sets in perimeter firewalls, core routers, and data center switches. As the data reveals, this approach isn’t working. The threat universe is moving faster than companies are able to respond with the traditional architecture. The perimeter-only approach is demonstrably failing to prevent data breaches (check the headlines of any major newspaper for the breach du jour). Companies’ inability to quickly and easily manage security policies, segmentation, encryption, and compliance results in an escalating business risk in the form of breaches and compliance penalties. And the inability to segment the network fabric across distributed environments at the right level of granularity means valuable assets are increasingly unprotected, and leads to compliance concerns because of inadequate network segmentation across lines of business.

Technology limitations aren’t the only problem. The proliferation of policies and devices, all managed through tedious, error-prone manual processes, consumes expensive (and increasingly scarce) labor. Worse, it’s increasingly difficult to retain staff in such an environment: Cybersecurity professionals don’t appreciate doing senseless, repetitive work, and in the current job market, are highly likely to jump ship for more attractive opportunities.

The upshot? Companies are complaining about skyrocketing security expenses (both capital and operational), while at the same time being unable to deliver the “table stakes” of a secure, effectively managed infrastructure. As noted, response times are far too high (over a month to detect, understand, and recover from a breach), and the impact of this sluggish and ineffective response is making itself known in the form of an increased number of security breaches that affect revenue, customer satisfaction, and brand equity.

The solution is to move from a perimeter-based approach to one that embeds security throughout the infrastructure, delivering a fabric that can be granularly segmented (an approach we call “deep segmentation”) based on centralized policy. In short, the solution requires zero-trust security.

Zero Trust Overview

The Basics

The zero-trust security model came from the world of hyperscalers and web giants, especially Google, which implemented in 2009 an approach that subsequently became named “zero trust.” The key concept is that nothing in the environment should be considered “trusted.” Every user, system, application, code component, data store, and network or infrastructure device is considered “untrusted” until it has authenticated itself and validated its right to access or connect with another user, system, application, code or data component, or device.

That sounds reasonable, but it has some pretty significant implications. For one thing, it forces the enterprise cybersecurity team to map the environment at an unprecedented level of granularity, so that it can create a highly granular set of policies. The challenge of developing these policies is one reason that companies are taking a while to implement zero-trust security: Just 28% of successful organizations, and 22% of less-successful ones, have implemented this approach. (Please see Figure 2.)


Figure 2: Zero Trust Adoption by Success

Even more significantly, the zero-trust model makes perimeter-based security obsolete, thereby radically changing the role of the firewall. This is a major change. Since network security’s inception in the early 1990s, the firewall has been the lynchpin of security models. The model owes its origins to military strategy and is based on two fundamental assumptions: everything outside the firewall is untrusted, and therefore potentially dangerous; everything within the firewall is trusted, and therefore unlikely to cause harm.

Unfortunately, these assumptions are demonstrably false, and becoming more so over time. Insiders can go rogue, and cause harm (insider threat is a growing problem in many organizations). Internal systems can be (and often are) compromised by sophisticated attacks, meaning that these systems themselves can serve as the launch pad for further attacks. And, the needs of new application architectures, new service delivery models, use of public clouds, and integration among partners’ systems cause the typical enterprise to continually “poke another hole” in the firewall to allow communications to flow. In addition to blurring the inside/outside distinction, this makes firewall rule sets enormously complicated and difficult to maintain, and changes to them challenging to test.

As the distinction between “trusted inside” and “untrustworthy outside” disappears—indeed, the whole notion of trusted inside disappears—the role of the firewall changes significantly. It no longer serves to keep the bad guys out and shield the good guys within. Instead, the role of the firewall—and of the network overall—shifts to green-lighting only communications where the sender is allowed to send to the receiver in the specific way it is sending (by port and protocol and other criteria), and the receiver is allowed to receive from the sender in that same specific way.


This means, in turn, that enterprises that embrace zero trust are moving away from the traditional firewall-centric model.

Figure 3: Zero Trust Drives Shifts in Firewall Architecture

In particular, zero-trust-focused cybersecurity organizations are moving away from the traditional physical firewall model, in which there’s a physical firewall at all, or most, network sites, towards a centralized plus virtualized approach. The primary driver here is to ensure that firewalls treat traffic consistently, instead of via the ad-hoc approach described earlier.

With a physical network of distributed firewalls, each must be configured individually to conform to policy. Although network engineers sometimes automate this configuration so it doesn’t have to happen manually, it’s still difficult to scale, and prone to errors that can introduce vulnerabilities. Every device tends to have a unique configuration. It can be very difficult to tell whether a change in configuration is necessary and intentional, or is accidental drift from the desired rule set. It can also be difficult to balance local vs. central control.

In the rapidly rising virtualized approach, the firewall functionality is implemented as software in other network elements. With virtual firewalls, configuration is more often automated by design, and managed centrally, while the work of traffic filtration is spread further. Spreading the work further decreases the capacity required on each firewall, and puts control at more points in the network.

The Importance of Automation

Zero-trust adopters are significantly more likely than their non-adopting counterparts to have an explicit focus on automating security processes, or to have fully automated these processes. (Please see Figure 4.) Those slower to adopt zero trust are more likely to automate security functions on an ad-hoc basis (such as writing scripts for firewall configuration).

[Figure 3 chart data: Firewall Architecture (No firewalls, Centralized, Distributed, Virtualized, Cloud-based) for Zero Trust Non-Adopters and Zero Trust Adopters; values as extracted: 0.0%, 46.0%, 24.0%, 30.0%, 8.0% and 17.8%, 35.5%, 29.0%, 17.8%, 11.2%]


Figure 4: Security Automation Differences Between Adopters and Non-Adopters

Zero Trust and the Network

Automated, Centralized Policy Management

One of the most significant benefits of zero-trust security is its drive toward a network managed and provisioned holistically via centralized policy management. The goal of automated, centralized policy management is to shrink the gap between what the network should do and what it actually does. It’s one thing to have a policy stating, for instance, that all traffic from device X on port Y should be prohibited from reaching server instance Z—and an entirely different thing to configure each and every network device in every potential traffic path to deliver on that policy.

With automated, centralized policy management the thought becomes the deed: Once the policy is defined, every applicable device in the network instantiates it. And when policies change (as they must, to stay effective) the central policy engine automatically pushes updated policies out to policy enforcement points. Obviously that’s not the case today with most networks, but as the zero-trust model moves into the mainstream, the ability to support automated, centralized policy management becomes an increasingly critical selection criterion for network devices.

Deep Segmentation

As noted, with the implementation of the zero-trust security model, the role of the network shifts from providing unfettered connectivity to permitting only that connectivity that is explicitly approved, based on policy. This means, in a nutshell, that the concept of “the network” (the physical network itself) is replaced by multiple layers of virtual networks, each of which comprises a small circle of assets that can talk to each other in specific ways. We call this approach “deep segmentation.”

This approach is similar in concept to virtual LANs (VLANs). The difference is that it is intended to partition not just a layer 2 network, as VLANs do, but the whole network from end to end, even if it is crossing IP boundaries (routers, firewalls) and so cannot be achieved with Ethernet packet tagging. It requires the participation of network components, physical or virtual, at both ends of the conversation and potentially at intermediate points as well. (Please see Figure 5.)

Figure 5: Deep Segmentation Logically Partitions Across Networks

With traditional network technology, network and security engineers need to develop and maintain a list of traffic patterns that represent attacks. Although AI and machine learning tools (such as behavioral threat analytics systems) can automate this process to a considerable degree, it still requires operators to think in terms of, “What does an attack look like?” In other words, no matter how effective the security teams are, they’re still playing catch-up.

Implementing deep segmentation via network virtualization can create a highly dynamic, policy-driven infrastructure. The question becomes, instead, “What does a healthy communications pattern look like?” As new applications and users join the network, operators can add their desired and anticipated communications patterns via policy, ensuring they receive the connectivity they need. But because there is no need to suddenly reassess what an attack looks like in light of the changed environment, network security is not perturbed by the addition. The security and network teams thereby move from a reactive stance, trying to explicitly identify and disable bad traffic and respond to detected threats, to a proactive stance, enabling desired connectivity and implicitly disabling everything else. The two critical components that make such a shift possible are virtualization and automation. Virtualization embeds deep segmentation functionality within the network, and automation instantiates policy changes to those embedded functions at scale.
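The centralized policy management and deep segmentation described above, together with the tenant-level trust boundaries the paper introduces under nested segmentation, can be sketched in code. The following is an added example, not code from the paper or from 128 Technology: a toy policy engine compiles approved communication patterns ("healthy" flows) into per-enforcement-point allow rules, so that everything not listed is implicitly denied; it rejects intents that cross a tenant-level boundary or originate from a segment the tenant does not own; and it reports drift between the compiled rules and a device's running configuration. The tenants, segments, devices, paths and running-config snapshot are all constructed for the example.

```python
"""Toy central policy engine for a zero-trust, deny-by-default fabric.

Added example, not code from the Nemertes paper or from 128 Technology.
Tenants, segments, devices and traffic paths below are all constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Intent:
    """One explicitly approved communication pattern (a 'healthy' flow)."""
    src: str      # source segment
    dst: str      # destination segment
    proto: str
    dport: int


@dataclass
class Tenant:
    """A tenant owns segments and carries tenant-level deny boundaries that
    every intent defined inside the tenant inherits (nested segmentation)."""
    name: str
    segments: frozenset
    denied: frozenset = frozenset()
    intents: list = field(default_factory=list)


# Constructed topology: the enforcement points on the path between two segments.
PATHS = {
    ("support-lan", "crm-app"): ("branch-01", "core-01", "dc-01"),
    ("support-lan", "dev-net"): ("branch-01", "core-01", "dev-01"),
    ("consulting-lan", "crm-app"): ("branch-02", "core-01", "dc-01"),
    ("consulting-lan", "ops-net"): ("branch-02", "core-01", "ops-01"),
}


def compile_policy(tenants):
    """Turn tenant intents into per-device allow rules.

    Returns ({device: set of (src, dst, proto, dport)}, rejected_intents).
    Anything not in a device's set is implicitly denied, so no deny rules are
    ever generated. Intents that cross a tenant-level boundary, or that start
    from a segment the tenant does not own, are rejected and reported.
    """
    rules = {}
    rejected = []
    for tenant in tenants:
        for intent in tenant.intents:
            if intent.src not in tenant.segments:
                rejected.append((tenant.name, intent, "source segment not owned by tenant"))
                continue
            if intent.dst in tenant.denied:
                rejected.append((tenant.name, intent, "crosses tenant-level deny boundary"))
                continue
            flow = (intent.src, intent.dst, intent.proto, intent.dport)
            for device in PATHS[(intent.src, intent.dst)]:
                rules.setdefault(device, set()).add(flow)
    return rules, rejected


def is_allowed(rules, device, flow):
    """Default deny: a device forwards a flow only if it holds a matching rule."""
    return flow in rules.get(device, set())


def detect_drift(desired, actual):
    """Compare the compiled (desired) rules with what each device actually runs."""
    report = {}
    for device in sorted(set(desired) | set(actual)):
        want = desired.get(device, set())
        have = actual.get(device, set())
        if want != have:
            report[device] = {"missing": want - have, "extra": have - want}
    return report


def sample_tenants():
    """Constructed tenants mirroring the paper's example: support must never
    reach the development segment, consulting must never reach operations."""
    support = Tenant("support", frozenset({"support-lan"}), frozenset({"dev-net"}))
    support.intents = [Intent("support-lan", "crm-app", "tcp", 443),
                       Intent("support-lan", "dev-net", "tcp", 22)]        # rejected
    consulting = Tenant("consulting", frozenset({"consulting-lan"}), frozenset({"ops-net"}))
    consulting.intents = [Intent("consulting-lan", "crm-app", "tcp", 443),
                          Intent("consulting-lan", "ops-net", "tcp", 22)]  # rejected
    return [support, consulting]


def sample_actual_config():
    """Constructed snapshot of running device config: core-01 still carries a
    stale rule and branch-02 never received its rule."""
    return {
        "branch-01": {("support-lan", "crm-app", "tcp", 443)},
        "core-01": {("support-lan", "crm-app", "tcp", 443),
                    ("consulting-lan", "crm-app", "tcp", 443),
                    ("support-lan", "dev-net", "tcp", 22)},
        "dc-01": {("support-lan", "crm-app", "tcp", 443),
                  ("consulting-lan", "crm-app", "tcp", 443)},
    }


if __name__ == "__main__":
    desired, rejected = compile_policy(sample_tenants())
    for device, flows in sorted(desired.items()):
        print(device, sorted(flows))
    for tenant, intent, reason in rejected:
        print(f"rejected in {tenant}: {intent} ({reason})")
    print(detect_drift(desired, sample_actual_config()))
```

The tenant-level boundary is enforced when the policy is compiled, so no more specific intent inside the tenant can override it, and the drift report is exactly what a central engine would act on when it pushes updated policy to an enforcement point whose configuration has wandered from the desired rule set.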


Figure 6: Policies at Tenant Level Control Whether Sessions Are Allowed

Nested Segmentation

Another critical component, particularly for (increasingly common) multi-tenant environments, is the ability to define trust boundaries and relationships at a tenant level, and expect all segmentation set up within a tenant segment to inherit those boundaries and relationships as a starting point. For example (please see Figure 6), a company may establish that some tenants (like a customer support division) have no access to anything in the development network segment; or that those in the consulting division have no access to the operations network. Once the relevant network components are aware of the policy, all such sessions will cease.

End-to-End Stateful Session Management

A zero-trust-enabled network needs the ability to see traffic in terms of the conversations established across it. This means, in essence, tracking sessions statefully (in real time) from source to destination. Stateful session management matters for two key reasons. First, it allows policy-based session administration. In other words, the network manager can decide that only certain kinds of sessions are permitted, and refuse to set up sessions that are outside policy bounds.

As importantly, stateful session management is a key weapon in preventing sessions from being hijacked. A standard hacker technique is to wait until trusted endpoints establish a session, then hijack that session for nefarious purposes. Precluding such an attack requires that the network be aware not just of the existence of a session, but its actual state: which end initiated the conversation, what types of packets are traveling, in which direction, in what order, etc. If a session appears initially to be in a permitted state, but shifts into an unpermitted one, network devices can shut the session down—but only if they have the ability to perform stateful session management in the first place.

Integrated Encryption

It should be obvious, but it’s worth noting that encryption is an essential component of zero trust, since encryption implies an appropriate lack of trust in the network. However, encrypting data also makes it difficult to perform all the session-management functions above. To support both effective end-to-end stateful session management and encryption, encryption has to be built into the network fabric, rather than bolted on.

Virtualization and Consolidation of Network and Security Functions

One of the most promising developments in network technology is the emergence of Software-Defined Networking (SDN) and Software-Defined Wide Area Networking (SD-WAN), models in which core network functions such as routing, firewalling, load balancing, and more are consolidated into a single appliance, either as a single VM or as a cooperating swarm of Virtualized Network Functions (VNFs). Moreover, many times this software can be running on a bare-metal platform (an approach known as “white boxing”). Network and cybersecurity professionals can work together to create a customized system that incorporates exactly the right mix of network, security, and segmentation functionality for their requirements—essentially changing the network infrastructure from hardware-defined to software-defined.

From a security perspective, the software-defined approach is optimal, because there are fewer hardware devices to administer and manage (and therefore fewer possibilities for hacking). Moreover, automated management works most effectively with software, rather than hardware, components. In a fully software-defined architecture, network engineers won’t think in terms of “a router” or “a firewall” but rather in terms of a device that supports a dynamic range of policy-enforcement and networking functions including routing, load balancing, IDS/IPS, DDoS protection, firewalling, web gateways, and more.

Secure Routing Fabrics

The outcome of this approach is a dramatic re-thinking of the role of routing itself. As noted above, the role of the network overall shifts from “transport most packets, deny some” to “transport only that traffic which is validated as safe, and properly encrypted.” Instead of relying on lists and rules to determine which traffic may not be transported (and transporting all else), with zero trust the only traffic that is transported is that which has been expressly green-lighted. This requires a “deny-by-default” routing fabric, coupled with hop-by-hop session authentication and dynamic encryption of data-in-motion. Security is therefore baked into the network itself, not just painted onto the perimeter, making the network fabric and routing algorithms themselves the tools to mount a more effective, simple, less expensive, distributed defense against increasing security threats.
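As an added example (not code from the paper or from 128 Technology), the following toy session tracker shows the behaviour described under end-to-end stateful session management and in the deny-by-default routing fabric above: a session can only be opened by a SYN that matches an approved communication pattern, the tracker records which side initiated it, packets are then judged against the tracked state rather than against a list of bad traffic, and a packet that moves a session into a state the policy does not permit (here, the responder attempting to initiate a connection back toward the initiator inside the tracked session) causes the session to be torn down. The approved patterns, segment names, packet trace and simplified TCP-style state machine are all constructed for the example; real fabrics track far more state than this.

```python
"""Toy stateful session tracker for a deny-by-default fabric.

Added example, not code from the Nemertes paper or from 128 Technology.
The policy, the packet trace and the simplified TCP-like state machine are
constructed for illustration.
"""
from dataclasses import dataclass

# Approved sessions: (initiator segment, responder segment, proto, dport).
# Nothing else may open a session; there are no deny entries at all.
ALLOWED = {
    ("branch-users", "web-tier", "tcp", 443),
    ("web-tier", "db-tier", "tcp", 5432),
}


@dataclass(frozen=True)
class Packet:
    src: str     # source segment (assumed already resolved from the address)
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str   # toy TCP flags: "SYN", "SYN-ACK", "ACK", "FIN"


class SessionTable:
    """Tracks who initiated each session and what state it is in."""

    def __init__(self, allowed):
        self.allowed = allowed
        # (initiator, responder, proto, dport) -> "SYN_SENT" | "ESTABLISHED" | "CLOSED"
        self.state = {}
        self.log = []

    def _record(self, verdict, reason, pkt):
        self.log.append((verdict, reason, pkt))
        return verdict

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet and update session state."""
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.dport)    # packet travelling initiator -> responder
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.sport)    # packet travelling responder -> initiator
        if fwd in self.state:
            key, side = fwd, "initiator"
        elif rev in self.state:
            key, side = rev, "responder"
        else:
            # No session yet: only a SYN matching an approved pattern may open one.
            if pkt.flags == "SYN" and fwd in self.allowed:
                self.state[fwd] = "SYN_SENT"
                return self._record("forward", "session opened by policy", pkt)
            return self._record("drop", "no session and not permitted to open one", pkt)

        state = self.state[key]
        if state == "CLOSED":
            return self._record("drop", "session already closed", pkt)
        # Permitted transitions, given who sent the packet and the current state.
        if state == "SYN_SENT" and side == "initiator" and pkt.flags == "SYN":
            return self._record("forward", "SYN retransmit", pkt)
        if state == "SYN_SENT" and side == "responder" and pkt.flags == "SYN-ACK":
            self.state[key] = "ESTABLISHED"
            return self._record("forward", "handshake completed", pkt)
        if state == "ESTABLISHED" and pkt.flags == "ACK":
            return self._record("forward", "data within established session", pkt)
        if state == "ESTABLISHED" and pkt.flags == "FIN":
            self.state[key] = "CLOSED"
            return self._record("forward", "session closed by endpoint", pkt)
        # Anything else means the session has shifted into an unpermitted state,
        # e.g. the responder trying to initiate a new connection back toward the
        # initiator inside the tracked session. Tear the session down.
        self.state[key] = "CLOSED"
        return self._record("drop", f"unpermitted {pkt.flags} from {side} in {state}; session torn down", pkt)


def sample_trace():
    """Constructed packet trace exercising the tracker."""
    return [
        Packet("branch-users", "web-tier", "tcp", 52000, 443, "SYN"),       # approved initiator
        Packet("web-tier", "branch-users", "tcp", 443, 52000, "SYN-ACK"),   # responder completes handshake
        Packet("branch-users", "web-tier", "tcp", 52000, 443, "ACK"),       # normal data
        Packet("web-tier", "branch-users", "tcp", 443, 52000, "SYN"),       # responder tries to initiate: violation
        Packet("branch-users", "web-tier", "tcp", 52000, 443, "ACK"),       # session has been torn down
        Packet("db-tier", "branch-users", "tcp", 40000, 22, "SYN"),         # never an approved pattern
        Packet("web-tier", "db-tier", "tcp", 41000, 5432, "SYN"),           # approved: opens a second session
    ]


def run(packets, allowed=ALLOWED):
    """Run a trace through a fresh table; return the verdicts and the table."""
    table = SessionTable(allowed)
    verdicts = [table.process(p) for p in packets]
    return verdicts, table


if __name__ == "__main__":
    verdicts, table = run(sample_trace())
    for verdict, reason, pkt in table.log:
        print(f"{verdict:7} {pkt.src}->{pkt.dst} {pkt.flags:8} {reason}")
```

The fourth packet is the interesting one: on a stateless allow list it would simply be an unknown flow, but because the tracker knows which side initiated the session and that it is already established, a SYN from the responder is recognised as a state the policy never permitted, and the whole session is closed rather than just that packet being dropped.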


You could, in fact, think of it as the permethrin approach to security. Like the insecticide permethrin that hikers and other outdoorsy folk use to protect themselves against ticks, mosquitos, and other dangerous bugs, zero-trust security is infused into the fabric itself. No more swatting mosquitos—they never make it through!

Business Value of Zero-Trust Security

Improved Risk Mitigation and Security Posture

The primary business benefit of zero-trust security is, of course, improved security, which in turn translates to reduced risk. By implementing zero-trust security, companies can reduce both the likelihood and the impact of breaches. Breaches happen less often, and when they do, the damage is more effectively contained. Moreover, the automation inherent in zero trust means that mistakes (which can introduce vulnerabilities and increase costs) are less likely to occur. Additionally, compliance improves (particularly via deep segmentation). Compliance involves not only protecting regulated assets, but also demonstrating that these assets have been protected—and deep segmentation delivers both (validation as well as protection).

Reduced Costs: Capital and Operational

Integrating security and network functions into a common hardware platform can result in reductions, sometimes dramatic, in capital costs for the network, especially when networks grow into the thousands of sites. With other virtualization approaches such as SD-WAN, Nemertes has documented capex savings of 30% or more. While data is just emerging for zero trust, we anticipate savings that are comparable. There are also power and cooling cost savings to take into consideration, which are non-negligible for large, complex environments.

More significantly, reducing the number of devices—and implementing techniques such as automated, policy-driven deep segmentation—also reduces the cost of ongoing support and maintenance. An obvious benefit of reducing response time is that it takes less time to detect, understand, and recover from breaches; and less time equates to lower costs. And because automation reduces the likelihood of failed policy implementation, it eliminates staff-hours spent cleaning up after a failed policy implementation or modification. While it’s still too early to quantify the opex savings from a move to zero-trust security, we anticipate they’ll be on the order of 50% or more, based on our work with SD-WAN and with server and network virtualization.

Improved Agility

Agility is another business benefit that results from the deployment of zero-trust security in the network. Today, business operations are often held up by the time it takes to secure them. For instance, setting up that branch office in Shanghai may need to wait until the firewall has been shipped, delivered, and configured, which could take weeks. When that process changes to “download and launch software module,” the time required can drop to hours or minutes, which means that Shanghai branch office is up and running immediately.

Conclusion

Zero trust upends our basic understanding of how best to protect data, systems, and users. It requires a radical re-thinking of networks, including the roles—and even the existence—of conventional, separate routers and firewalls. Routing shifts from the familiar “green-lighting” approach to an approach that accepts only authorized traffic, and re-authorizes it on a hop-by-hop basis. To effectively implement zero-trust security in the network, the focus must be on centrally managed, policy-driven, deeply segmented and encrypted network fabrics. This is the necessary precursor to placing security automation where it belongs: at the heart of security operations. And it brings with it all the benefits of automation: reliability, agility, and scalability, all at reduced costs and with reduced risks. IT professionals seeking to bring the benefits of zero trust to their environments should:

• identify where to begin implementing zero-trust principles in the network
• re-think the role and functions of the network, particularly routing
• enable deep segmentation
• protect across all three domains
• make security automation a core focus
• build a business case for funding zero trust in the network around cost reductions, risk reduction, and agility.

About Nemertes: Nemertes is a global research-based advisory and consulting firm that analyzes the business value of emerging technologies. Since 2002, we have provided strategic recommendations based on data-backed operational and business metrics to help enterprise organizations deliver successful technology transformation to employees and customers. Simply put: Nemertes’ better data helps clients make better decisions.