How NOT to secure your Hybrid Network

(With thanks to Fortinet) – Most organizations of any size use a hybrid network these days. This transformation to an increasingly remote workforce has been happening for a while, and COVID-19 kicked it into overdrive. That’s not news, of course, but what might be is that organizations will have to bring forward digital business transformation plans by at least five years as a survival plan, according to Gartner. They foresee a “permanently higher adoption of remote work and digital touchpoints.”

What is a Hybrid Network?

First, let’s define our terms. A hybrid network is any network that uses more than one type of connecting technology. For example, a home network that uses both Wi-Fi and Ethernet cables to connect computers is a hybrid. Hybrids allow organizations to keep important data on-premises. In theory, this keeps those assets safer. However, even as organizations become more spread out, they still need the same standards of security.

A Hybrid Network is hard to secure

Workers, applications, resources, and devices connect from anywhere now. Applications, assets, and data follow users everywhere they connect from and on whatever device they are using. And these networks that connect it all span data centers and multiple cloud environments. And all this needs to be completely secure for business to happen.

Not only that, hybrid networks need to be able to expand, alter, and morph at will, as fast as possible.

Let’s face it, the modern hybrid network is a tenuous, deeply vulnerable, and highly enticing series of connections that attracts a lot of predators. Sort of like a huge net full of fish in a dark ocean full of predators you can’t see. And the predators can choose the time, place, and method of attack. Cheerful thought.

Most of today’s solutions are simply not fast enough, nor smart or responsive enough. They don’t operate in enough places, and can’t adapt as quickly as modern business requires. This is especially true in multi-vendor environments with disparate security solutions that don’t integrate when deployed. The inherent lack of integration makes it impossible to securely use the flexible network environments needed to operate.

Networks need to be able to adapt in real time, where the difference between success and failure can be measured in microseconds. They require networking and security to function as a single solution. They need a security platform like the Fortinet Security Fabric. It’s designed to span, adapt to, and protect today’s dynamic environments. And Fortinet is uniquely qualified to meet this challenge, because they innovated the built-in, security-first SD-WAN firewall capability that is now so prevalent in firewall technology.

Thing NOT to do #1

Over-rotate to a cloud-based solution: Few organizations have a cloud-only environment. Actually, most have a hybrid network, and that’s likely to be the reality going forward. Over-pivoting to a cloud-only security setup ignores the needs of users still working on-premises, after all. Cloud-based and hardware security solutions are not two versions of the same thing, they operate in different areas of the network – in conjunction.

According to Gartner, “Classic datacenter edge firewall designs are not obsolete and must be maintained in support of traditional inbound data flow patterns and residual outbound connections from internal users that remain on-site in campus environments or at large branches.” So there.

Thing NOT to do #2

Think the on-premises data center is obsolete: Many organizations simply can’t move critical services from the data center to the cloud, for a lot of reasons. But many of your applications need to remain available for external customers and corporate users, so they need to be available on the cloud as well. This reinforces the importance of traditional, on-premises firewalls.

And there are challenges related to cloud providers’ built-in security offerings. They meet with some skepticism. Here’s Gartner again: “A significant minority of organizations consider these offerings to be immature when compared to third-party vendor solutions and sometimes deploy network virtual appliance (NVA) versions of these third-party solutions directly in public cloud IaaS instances.”

Basically, the industry is trending towards hybrid (not cloud-only) networks that include on-premises (not cloud-only) security, preferably from a third-party vendor. In other words, they want their firewalls to be made by firewall experts.

Hybrid networks need security designed to operate natively in any environment. They need security that protects all edges, seeing and sharing threat intelligence across the network. Security that delivers coordinated security enforcement anywhere. That starts with a common network firewall platform deployed at every network edge: campus, data center, branch, private and public clouds, and as a cloud-based service for remote and mobile workers.

Thing NOT to do #3

The Best-of-Breed Myth: There is a mistaken belief that a best-of-breed approach provides better security at the edge. But such an approach usually leads to product sprawl. This results in an overly complex network and isolated security architectures that can’t effectively share threat intelligence. You end up with different brands that don’t speak the same language.

For example, how would a best-of-breed approach handle the case of a user with a compliant laptop who inserts an unauthorized USB thumb drive? Most isolated network security devices have no way to detect or respond. But an endpoint detection and response solution designed to collaborate with other security systems can inform the firewall about this policy violation. It can then provide policy enforcement such as isolating the device or removing it from the network.

Thing NOT to do #4

Not thinking holistically: Hybrid networks present a huge attack surface, with inherently reduced visibility. To make matters worse, the volume of encrypted traffic will soon reach 95%. But most network firewalls can’t inspect encrypted traffic nearly fast enough to maintain the performance a hybrid network demands.

So how do you secure a network when you only have real visibility into 5% of your traffic? IT types need to choose an NGFW that can operate at scale without bogging down with compute-intensive operations like SSL decryption, threat detection, and automated remediation.

This begins with a solution designed to support the latest encryption standards, like TLS 1.3. It also means ensuring that current TLS 1.2-based communications are not broken. In a nutshell, care must be taken to select an NGFW solution capable of learning about the ever-changing state of private and public cloud resources. It must be able to deliver consistent end-to-end security across this hybrid architecture for a strong and consistent security posture.

Thing NOT to do #5

Implicitly trust. Traditionally, flat networks focus on preventing attacks from the outside. But they give attackers lots of latitude once the perimeter has been breached. A firewall solution has to be able to provide security beyond the edge.

In addition to dynamically segmenting the network to prevent lateral threat movement, the firewall must also dynamically adjust levels of trust by monitoring behavior. This is done through tools like user and entity behavior analytics (UEBA). And it must be able to reduce or revoke trust if a user or device begins to behave suspiciously.

A firewall solution must also integrate with zero-trust network access solutions to control access to network resources, down to granular per-application segments. And it must also manage the increase of headless devices, like IoT / Industrial IoT.
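As an added illustration (not Fortinet’s or Corporate Armor’s code, and not any real product’s scoring model) of how the EDR-to-firewall hand-off in Thing #3 and the behavior-based trust adjustment in Thing #5 fit together: a constructed policy engine that tracks a per-device risk score, moves the device into a narrower per-application segment as signals accumulate, quarantines it immediately on an EDR-reported USB policy violation, and restores trust only once the endpoint agent confirms remediation. Signal names, weights, thresholds and segment names are assumptions.

```python
# Constructed example (not a vendor's model): map behaviour signals and the EDR verdict onto a segment.
from dataclasses import dataclass

# Trust tier -> segment the device is placed in, and which segments that tier may reach.
SEGMENT_FOR_TIER = {"full": "corp-apps", "limited": "web-only", "quarantine": "remediation-vlan"}
REACHABLE = {"full": {"corp-apps", "web-only"}, "limited": {"web-only"}, "quarantine": {"remediation-vlan"}}

# Risk added per behaviour signal (illustrative weights).
SIGNAL_WEIGHTS = {
    "unauthorized_usb": 60,  # EDR policy violation: removable media inserted
    "off_hours_login": 15,
    "new_geo": 20,
    "lateral_scan": 50,      # many internal hosts contacted in a short window
}

@dataclass
class Device:
    name: str
    compliant: bool = True  # posture as last reported by the endpoint agent
    score: float = 0.0      # accumulated behaviour risk
    tier: str = "full"

def evaluate_tier(dev: Device) -> str:
    """Non-compliance quarantines immediately; otherwise the risk score sets the tier."""
    if not dev.compliant or dev.score >= 70:
        return "quarantine"
    return "limited" if dev.score >= 30 else "full"

def apply_signal(dev: Device, signal: str) -> str:
    """Ingest one signal, re-evaluate trust and return the device's new segment."""
    dev.score += SIGNAL_WEIGHTS[signal]
    if signal == "unauthorized_usb":
        dev.compliant = False  # the EDR informs the firewall of the policy violation
    dev.tier = evaluate_tier(dev)
    return SEGMENT_FOR_TIER[dev.tier]

def decay(dev: Device, amount: float) -> str:
    """Risk decays as behaviour normalises, but a non-compliant device stays quarantined."""
    dev.score = max(0.0, dev.score - amount)
    dev.tier = evaluate_tier(dev)
    return SEGMENT_FOR_TIER[dev.tier]

def endpoint_reports_compliant(dev: Device) -> str:
    """Trust is restored only once the endpoint agent confirms remediation."""
    dev.compliant = True
    dev.tier = evaluate_tier(dev)
    return SEGMENT_FOR_TIER[dev.tier]

def firewall_allows(dev: Device, segment: str) -> bool:
    """Enforcement point: may this device reach the given per-application segment?"""
    return segment in REACHABLE[dev.tier]
```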

In short (if that’s possible at this point), the hybrid network requires a firewall that can provide consistent protection, visibility, and control across even the most distributed and dynamic environments. One that can operate at any edge, in any form factor.

It must seamlessly integrate networking and provide consistent policy enforcement, real-time intelligence sharing, and coordinated threat response. And the Fortinet Security Fabric is purpose-built for this set of requirements. Corporate Armor are true Fortinet specialists, and if you have any questions at all, please reach out to us here, or call 877-449-0458. Thanks for reading!

FortiGate 400F datasheet