Firewall rules are notoriously complex and voluminous in nature. Even small organizations have multiple firewalls and significant complexity. But large organizations are overwhelmed.
Besides classic firewalls, next-gen firewalls, VPN, reverse-NAT and remote access servers, each switch and router with rules acts as a firewall. Firewall proliferation is obviously driven first by the number of physical sites, a direct correlate of growth for many organizations. But your number of firewalls also increases in proportion to how fine-grained you attempt to make your network security. Today, perimeter firewalls between the Internet and the internal network are just the beginning. Here are a few of the special segments within many networks that are or should be protected by internal firewalls:
- PCI requires controls for all devices within the “Cardholder Data Environments”
- Red forest domain controllers and secure administrative workstations
- Management network of hypervisors and related systems (e.g. vCenter)
- Guest/visitor networks
- SCADA networks
- Quarantine segments
- Control plane networks for cloud and service providers
Internal segmentation will keep growing because of the constant threat of persistent attackers. With the intensity and sophistication of today’s attacks, we assume there’s always someone loose on your network. Internal network controls are critical for denying them complete freedom of movement to run amok.
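The list of protected segments above is exactly what a rule review has to keep in mind: with thousands of rules across many devices, the question "which rules let a broad or untrusted zone straight into the cardholder environment, the red forest or the SCADA network?" is one nobody answers reliably by eye. The following is an added example, not code from the original article, of a small, vendor-neutral checker that answers it over a constructed allow-list. The zone map, the CIDRs, the five-column rule format (`name src dst proto port`) and the sample rules are all assumptions made for the example; a real review would feed it rules exported from each firewall.

```python
"""Added example: flag allow rules that reach a protected internal segment
from a zone that should not have direct access. Zone names, address ranges,
the rule format and the sample rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

# Hypothetical zone map (segment name -> CIDR). Addresses are constructed.
ZONES = {
    "user_lan":   ip_network("10.10.0.0/16"),
    "guest":      ip_network("10.99.0.0/16"),
    "pci_cde":    ip_network("10.50.0.0/24"),   # Cardholder Data Environment
    "red_forest": ip_network("10.60.0.0/24"),   # admin forest DCs / SAWs
    "hv_mgmt":    ip_network("10.70.0.0/24"),   # hypervisor management
    "scada":      ip_network("10.80.0.0/24"),
    "quarantine": ip_network("10.90.0.0/24"),
}
# Segments that should only be reachable from tightly scoped sources.
PROTECTED = {"pci_cde", "red_forest", "hv_mgmt", "scada", "quarantine"}
# Zones from which a direct path into a protected segment deserves review.
UNTRUSTED = {"internet", "guest", "user_lan", "quarantine"}


@dataclass
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str   # "tcp", "udp" or "any"
    port: str    # port number or "any"


def parse_rule(line):
    """Parse one rule in the constructed format: name src dst proto port."""
    name, src, dst, proto, port = line.split()
    return Rule(name, ip_network(src), ip_network(dst), proto.lower(), port)


def zones_of(net):
    """Return the names of every zone a network overlaps.

    A network outside every internal zone is treated as 'internet'; an
    'any' source (0.0.0.0/0) overlaps every zone and the internet at once.
    """
    hits = {zone for zone, cidr in ZONES.items() if net.overlaps(cidr)}
    if not hits or net.prefixlen == 0:
        hits.add("internet")
    return hits


def review(rules):
    """Return one finding per (rule, untrusted source zone, protected
    destination zone) triple. 'any' service is rated high, the rest 'review'."""
    findings = []
    for r in rules:
        src_zones = zones_of(r.src) & UNTRUSTED
        dst_zones = zones_of(r.dst) & PROTECTED
        severity = "high" if "any" in (r.proto, r.port) else "review"
        for dz in sorted(dst_zones):
            for sz in sorted(src_zones):
                if sz == dz:          # traffic staying inside one segment
                    continue
                findings.append({"rule": r.name, "src_zone": sz,
                                 "dst_zone": dz, "service": f"{r.proto}/{r.port}",
                                 "severity": severity})
    return findings


def review_text(lines):
    """Convenience wrapper: parse rule lines, then review them."""
    return review([parse_rule(l) for l in lines if l.strip()])


# Constructed sample allow-list (not from any real firewall).
SAMPLE_RULES = [
    "r1  10.10.0.0/16  10.50.0.10/32  tcp  443",   # user LAN -> one PCI host
    "r2  0.0.0.0/0     10.60.0.0/24   any  any",   # anything -> red forest
    "r3  10.70.0.5/32  10.70.0.0/24   tcp  443",   # inside hv_mgmt only
    "r4  10.99.0.0/16  10.80.0.0/24   tcp  502",   # guest -> SCADA (Modbus)
    "r5  10.10.5.0/24  10.10.6.0/24   tcp  445",   # user LAN to user LAN
]

if __name__ == "__main__":
    for f in review_text(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['rule']}: {f['src_zone']} -> "
              f"{f['dst_zone']} ({f['service']})")
```

On the sample list the checker reports nothing for r3 and r5, one "review" finding each for r1 and r4, and four "high" findings for r2, since an any/any source reaches the red forest from the guest network, the user LAN, the quarantine segment and the Internet alike. The useful property for a large estate is that the output is per (source zone, protected segment) pair rather than per rule, so it can be diffed between rule exports to catch a segment boundary quietly opening up.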