Network Segmentation

Problem

The continued, high frequency of successful cyberattacks against today’s enterprises has made it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. There is inadequate visibility, control and protection of user and application traffic transiting high-risk network boundaries, and an outdated assumption that everything on the inside of an organization’s network should be trusted.

The Zero Trust architecture approach, first proposed by Forrester Research, is intended to address this by promoting "never trust, always verify" as its guiding principle. With Zero Trust there is no default trust for any entity, including users, devices, applications, and packets, regardless of what it is or where it sits on or relative to the corporate network. By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network.

Some organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they cannot enforce control over access to privileged information. Nor can a VLAN, by itself, inspect your traffic for threats. True Zero Trust network segmentation requires an enterprise security platform that understands your applications, users, and content.

Solution

Palo Alto Networks enterprise security platform addresses critical Zero Trust concepts such as:

  • Secure access - GlobalProtect™ delivers consistent, secure IPsec and SSL VPN connectivity for all employees, partners, customers, and guests wherever they're located (e.g., at remote/branch offices, on the local network, or over the Internet). Policies that determine which users and devices can access sensitive applications and data can be defined based on application, user, content, device, and device state.
  • Inspection of ALL traffic - App-ID™ accurately identifies and classifies all traffic, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. This eliminates methods that malware may use to hide from detection and provides complete context on applications, associated content, and threats.
  • Least-privilege access control - The combination of App-ID, User-ID™, and Content-ID™ delivers a positive control model that allows organizations to control interactions with resources based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (e.g., credit card or social security numbers). Compared to alternative solutions that let too much traffic through because they are limited to port- and protocol-level classification, the result is truly granular access control that safely enables the right applications for the right sets of users while automatically preventing unwanted, unauthorized, and potentially harmful traffic from gaining access to the network.
  • Advanced threat protection - A combination of anti-virus/anti-malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire™) provides comprehensive protection against both known and unknown threats, including threats on mobile devices. In addition, support for a closed-loop, highly integrated defense ensures that inline enforcement devices and other components in the threat protection framework are automatically updated with the findings from WildFire and other sources of threat intelligence.

To get started, IT security teams can take advantage of our virtual wire deployment mode to non-disruptively deploy Palo Alto Networks devices at one or more locations within your network. With the devices configured in listen-only mode, you can then obtain a detailed picture of transaction flows throughout the network, including where, when and to what extent specific users are using specific applications and data resources. Armed with these details, your security team can incrementally deploy devices in appropriate locations to establish internal trust boundaries for the identified trust zones, and configure the appropriate enforcement and inspection policies to effectively bring each trust boundary "on line."
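As an added illustration (not Palo Alto Networks' code or configuration), this Python sketch models the positive control model described in the list above and the listen-only discovery step: zone-to-zone allow rules keyed on application, user group and content type, with default deny, beside a port-level ACL for contrast. All zone, group, application and rule names are constructed.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed sample data; zone, app, group and rule names are hypothetical.
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int         # all a port/VLAN ACL can see
    app: str          # what content inspection identifies (App-ID style)
    user_group: str   # directory group of the user (User-ID style)
    content: str      # data type seen in the payload (Content-ID style)

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset
    user_groups: frozenset
    content_types: frozenset

    def matches(self, f: Flow) -> bool:
        return ((f.src_zone, f.dst_zone) == (self.src_zone, self.dst_zone) and f.app in self.apps
                and f.user_group in self.user_groups and f.content in self.content_types)

def evaluate(rules, f: Flow) -> str:
    """Positive control model: first matching allow rule wins, otherwise default deny."""
    return next((r.name for r in rules if r.matches(f)), "default-deny")

def port_acl(f: Flow) -> str:
    """Port-level classification: cannot tell bittorrent on 443 from ssl on 443."""
    return "allow" if f.port in (443, 1433) else "deny"

def discover(flows):
    """Listen-only phase: who talks to what across each zone pair, to derive rules from."""
    return Counter((f.src_zone, f.dst_zone, f.app, f.user_group) for f in flows)

RULES = [
    Rule("finance-to-cardholder-db", "finance-users", "cardholder-data",
         frozenset({"mssql-db"}), frozenset({"finance"}), frozenset({"generic", "card-number"})),
    Rule("users-to-web-tier", "user-zone", "web-tier",
         frozenset({"web-browsing", "ssl"}), frozenset({"finance", "engineering"}), frozenset({"generic"})),
]

FLOWS = [  # constructed observations from the listen-only phase
    Flow("finance-users", "cardholder-data", 1433, "mssql-db", "finance", "card-number"),
    Flow("user-zone", "cardholder-data", 1433, "mssql-db", "engineering", "card-number"),
    Flow("user-zone", "web-tier", 443, "bittorrent", "engineering", "generic"),  # port hopping on 443
    Flow("user-zone", "web-tier", 443, "ssl", "finance", "card-number"),         # card data leaving zone
]
```

Running `evaluate(RULES, f)` over `FLOWS` allows only the first flow; the port ACL would have let all four through.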

With the right Zero Trust architecture for your network, you will gain unparalleled situational awareness of malicious activity, prevent the exfiltration of sensitive data and simplify adherence to compliance regulations.

Resources

Zero Trust White Paper
This paper discusses the need for and details of a Zero Trust approach to network security. It also itemizes the essential criteria and capabilities required of a Zero Trust solution, explains how the Palo Alto Networks® next-generation security platform delivers on these requirements, and provides guidance on how to progressively migrate to a Zero Trust design.

Forrester Research Paper – Transform Your Security Architecture and Operations for the Zero Trust Ecosystem
Forrester's Zero Trust Model of information security banishes the old security motto of "trust but verify" and replaces it with a new motto: "Always verify, never trust." This report provides security and risk (S&R) professionals with an overview of how security architectures and operations are evolving to support the Zero Trust model.

PCI White Paper
Diving deeper into the subject of achieving PCI-DSS compliance, this white paper discusses how you can dramatically reduce your costs and the complexity of achieving PCI compliance with network segmentation using our next-generation firewalls.

Videos

Overview on Zero Trust by John Kindervag, VP and Principal Analyst, Forrester
In this video, John Kindervag, Principal Analyst at Forrester Research, defines the "Zero Trust" network architecture, the three key concepts, and the architecture elements that make up a Zero Trust network.
