Network Security

Modern networks need modern security. So where do you start?

Written by ga_dahmani

Today’s networks are hybrid collections of interconnected systems made up of campuses, physical and virtual data centers, multi-cloud environments, and branch offices. And they also include a work-from-anywhere workforce that needs constant access to apps and resources, whether you’re working on-premises, at home, or on the go.

But digital acceleration is not only transforming our networks and the way we do business. In terms of network security, the days of placing a firewall at the edge of the network perimeter and calling it a day are over as well. To provide consistent protection for all users and devices, regardless of location, security must be agile, adaptable, scalable, and integrated. This has left organizations with an alphabet soup of new security strategies and solutions designed to protect these expanding and changing environments. Tools like SD-WAN, SASE, ZTE and ZTNA have entered the cybersecurity lexicon and many leaders are still unsure where or when to implement them.

Of course, buying and plugging in a new device has never made security issues go away on its own. But for networks in a state of constant change, the legacy approach of installing a box to protect the network is less effective than ever. Protecting today’s highly dynamic and ever-expanding networks requires rethinking security from the ground up, and that rethinking starts with two fundamental ideas: convergence and consolidation.

Start with convergence and consolidation

Most security tools are designed to protect static environments with predictable data flows. Therefore, legacy security tools must be updated whenever the underlying network changes. Unfortunately, this often involves manual intervention or the implementation of overly broad policies that can be easily evaded. Cybercriminals have had a field day exploiting the resulting security holes. By converging network and security into a unified system, protections can dynamically adapt with the network.

Consolidating security into a single, integrated platform reduces vendor and solution sprawl. Buying new technology every time a new security issue arises is like playing an expensive game of whack-a-mole. Having dozens of siloed security solutions deployed on the network, each with its own management interface and unique policy and configuration requirements, actually diminishes IT teams’ ability to detect and respond to threats. What is needed is a security platform of advanced security solutions integrated through a common operating system, open APIs, and common standards. It must also support multiple form factors and centralized management so that the same security can be deployed everywhere to ensure an automated and coordinated response to any attack.

Zero trust, ZTE, ZTNA, SD-WAN and SASE

With convergence and consolidation as the backbone, organizations are in a strong position to take full advantage of new security strategies and solutions designed for today’s evolving networks. Let’s take a look at each:

Zero trust: Most networks have been designed with some implicit trust built in. The idea is that any user or device behind the perimeter is trusted to some degree, allowing them to move freely around the network to access applications and resources. However, those same privileges are extended to the attacker when that network is breached. This issue is at the heart of most successful attacks, especially ransomware.

Zero trust is a philosophy that treats any user or device on the network as potentially already compromised. As a result, trust is only extended to a user or device after its identity and status have been explicitly confirmed. Users and devices are then only granted access to those resources they explicitly require to do their jobs, enforced through segmentation and control zones. The network continues to monitor them, looking for abnormal behavior based on various criteria, and access can be revoked immediately based on policy.

ZTE (Zero Trust Edge): Converting your network to a zero trust model is not something you can implement over a weekend. It requires retooling and rethinking critical network systems. But realizing many of the benefits of a zero-trust approach can start from day one by dividing the network into critical functions. The first place to start is with the Zero Trust Edge to ensure constant protection and control across all access points in the hybrid network.

As new network edges are introduced and data and applications are distributed across the network, it becomes increasingly difficult to control who and what has access to them. The network, however, is only as strong as its weakest link. ZTE combines NGFW, SD-WAN and ZTNA appliances on premises, and ZTNA, Secure Web Gateways (SWGs), Cloud Security Gateways (CSGs) and Cloud Access Security Brokers (CASBs) in the cloud, to create consistent levels of protection across all access points. However, implementing ZTE using point solutions from different vendors makes consistent policy orchestration, solution management, and automated response impossible, which is why ZTE is ideally delivered and supported by a single vendor.

ZTNA (Zero Trust Network Access): For many organizations, the weakest link in the network is the new home office, where users and devices connect to applications from their largely insecure home network. Incidents of cybercriminals targeting home networks and then hijacking VPN connections to the corporate network have skyrocketed in the last two years. Unlike a VPN, which is simply an encrypted tunnel, ZTNA verifies the identity of the user and the device, determines the posture of the device and the user’s entitlement to access an application, and then creates a per-session, policy-based, TLS-encrypted connection to that application. ZTNA is a critical component of ZTE, whether deployed on premises, in the cloud, or in the home office.
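The zero trust and ZTNA paragraphs above describe one decision flow: confirm identity, check device posture, check entitlement, open a per-session connection, and keep re-verifying so access can be revoked the moment policy is no longer satisfied. The following Python sketch is an added example of that flow; it is not code from this article or from Fortinet. The user, device, application names and the posture attributes in `APP_POLICY` are constructed, and a random session token stands in for the per-session TLS tunnel a real ZTNA broker would establish.

```python
"""Added example: a minimal zero-trust / ZTNA-style session broker.

Identities, device posture and entitlements are constructed in-memory
records; a real deployment would source them from an IdP and an endpoint
agent. The token issued per session stands in for the per-session tunnel.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class User:
    """Identity as asserted by the identity provider (constructed)."""
    username: str
    mfa_verified: bool
    entitlements: frozenset  # applications this user may reach


@dataclass
class Device:
    """Device posture as reported by the endpoint agent (constructed)."""
    device_id: str
    managed: bool        # enrolled in corporate device management
    os_patched: bool
    edr_running: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list        # empty when allowed, otherwise why access was denied


# Hypothetical per-application posture requirements: True means required.
APP_POLICY = {
    "payroll": {"managed": True, "os_patched": True, "edr_running": True},
    "wiki":    {"managed": False, "os_patched": True, "edr_running": False},
}


def evaluate(user: User, device: Device, app: str) -> Decision:
    """Zero-trust check: identity, device posture and entitlement must all pass."""
    reasons = []
    if not user.mfa_verified:
        reasons.append("identity not verified with MFA")
    if app not in APP_POLICY:
        reasons.append(f"unknown application: {app}")
    else:
        for attr, required in APP_POLICY[app].items():
            if required and not getattr(device, attr):
                reasons.append(f"device posture check failed: {attr}")
    if app not in user.entitlements:
        reasons.append(f"user not entitled to {app}")
    return Decision(allowed=not reasons, reasons=reasons)


class SessionBroker:
    """One session per user/device/application, re-verified on every request."""

    def __init__(self):
        self.sessions = {}     # token -> session record
        self.revocations = []  # audit trail of (token, reason)

    def open_session(self, user: User, device: Device, app: str):
        """Admit only after a full policy evaluation; returns (token, decision)."""
        decision = evaluate(user, device, app)
        if not decision.allowed:
            return None, decision
        token = secrets.token_hex(16)  # stands in for the per-session tunnel credential
        self.sessions[token] = {"user": user.username, "device": device.device_id,
                                "app": app, "opened": time.time(), "requests": 0}
        return token, decision

    def authorize_request(self, token: str, user: User, device: Device) -> Decision:
        """Continuous verification: every request re-runs the policy for the session's app."""
        record = self.sessions.get(token)
        if record is None:
            return Decision(False, ["no active session"])
        if record["user"] != user.username or record["device"] != device.device_id:
            self.revoke(token, "session presented from a different user or device")
            return Decision(False, ["session bound to another user/device"])
        decision = evaluate(user, device, record["app"])
        if not decision.allowed:
            # Posture or identity drifted mid-session: revoke immediately.
            self.revoke(token, "policy no longer satisfied: " + "; ".join(decision.reasons))
            return decision
        record["requests"] += 1
        return decision

    def revoke(self, token: str, reason: str) -> None:
        self.sessions.pop(token, None)
        self.revocations.append((token, reason))

    def active(self, token: str) -> bool:
        return token in self.sessions


if __name__ == "__main__":
    alice = User("alice", True, frozenset({"payroll", "wiki"}))
    laptop = Device("lt-01", managed=True, os_patched=True, edr_running=True)
    broker = SessionBroker()
    tok, d = broker.open_session(alice, laptop, "payroll")
    print("session opened:", d.allowed)
    laptop.edr_running = False                     # agent reports EDR stopped
    print("after posture drift:", broker.authorize_request(tok, alice, laptop).reasons)
```

The point the example makes is the difference from a plain VPN: the broker never grants network reach, only a session to one named application, and the admission decision is repeated on every request rather than once at connect time, so a device whose posture degrades loses access without waiting for a tunnel to time out.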

SD-WAN (Software Defined Wide Area Network): SD-WAN enables organizations to build highly adaptable wide area networks between locations, whether between branch or retail locations, between remote locations and the campus or data center, or between clouds or between the cloud and the physical network. It is especially effective for creating secure, reliable, on-demand connections for applications, whether in the cloud or on-premises, over any type of connection (i.e., broadband, LTE/5G, and MPLS). Traditionally, a full complement of security is not included with SD-WAN solutions, requiring security to be added as an overlay, which can leave security gaps and complicate coordination of security and connectivity. Organizations looking to use SD-WAN as the foundational on-premises technology for their ZTE deployment are encouraged to use a Secure SD-WAN solution that integrates a full security stack into the device and can also be fully integrated into the larger consolidated security fabric.

SASE (Secure Access Service Edge): SASE enables remote users to securely connect to any resource from any location without the latency that can result from backhauling traffic to the data center firewall. It combines cloud-hosted security (FWaaS, SWG, and CASB), ZTNA (for secure application access), and advanced networking (such as optimized path selection and application-based routing) in a single solution to close the security gap introduced by the new work-from-anywhere edge.

Build the network you need without compromising security

Modern networks require security solutions designed to scale and adapt to their changing parameters and seamlessly extend to each new edge. Starting with a foundation of convergence and consolidation, organizations can replace implicit trust with a zero-trust model that, instead of restricting traffic, allows them to build the single infrastructure they need to succeed in today’s digital marketplace.

Find out how the Fortinet Security Fabric platform offers broad, integrated, and automated protection across an organization’s digital attack surface to provide consistent security across networks, endpoints, and clouds.

Copyright © 2022 IDG Communications, Inc.
