AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Don’t Neglect Your Internal Firewalls and Network Segments


In terms of attention, it seems that external firewalls see the most action. After all, they’re out there defending the enterprise from all things the Internet can throw at them. Reflecting inwards, toward the core of the network, things are a bit more calm – and trusted. If network traffic is internal, it must be somehow “good” or it wouldn’t have been allowed to enter in the first place, right? That’s hardly the case.

Whether or not internal firewalls and network segments are treated with higher regard in your organization, they need to be front and center – a core part of your information security program. Here are several things you must do to ensure true information security harmony across your network, not just at the outermost layer:

  • Scrutinize internal firewall rules. How exactly can users – and presumably malware running on an infected machine – access your critical systems? What about business partners and customer connections? Are they introducing unnecessary risks?
  • Segment where it’s needed. Written policies are mostly worthless. Ditto for basic VLAN configurations. The best way to set your users up for success is to make it technically impossible for them to do something stupid. In most situations this can be handled through your internal firewall management system(s).
  • Build on segmentation. Treat all parts of the network as if they’re a DMZ or a cardholder data environment under PCI DSS. You no doubt have information that’s not cardholder related – things like employee records, intellectual property, and the like – that needs attention as well. If you can’t handle this level of information protection at the network layer, then do what it takes and invest in security controls that are located close to where the information resides.
  • Know your rules. Step through every firewall rule and determine the business reasoning. What’s the requirement? How long is the rule needed? Are there other compensating security controls? What’s truly at risk if the rule stays or is removed?
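The review questions in the list above, turned into a rule audit as an added example (not code from the post or from AlgoSec): the segment map, addressing and sample rules are constructed, and it flags allow rules with no recorded business justification, no expiry or review date, a past expiry, an any-to-any scope, or a path from a user segment into a critical segment.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional
# Constructed segment map (hypothetical addressing, not a real network).
CRITICAL_SEGMENTS = {"cardholder": ip_network("10.10.0.0/24"),
                     "hr-records": ip_network("10.20.0.0/24")}
USER_SEGMENTS = {"workstations": ip_network("10.100.0.0/16")}
TODAY = date(2025, 6, 1)  # fixed review date so results are reproducible

@dataclass
class Rule:
    name: str
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    port: str                       # service port or "any"
    action: str                     # "allow" or "deny"
    justification: str = ""         # documented business requirement
    expires: Optional[date] = None  # date the requirement must be re-confirmed

def touches(cidr, segments):
    """True if the address overlaps any segment in the map ('any' always does)."""
    if cidr == "any":
        return True
    return any(ip_network(cidr).overlaps(seg) for seg in segments.values())

def audit(rules, today=TODAY):
    """Return (rule name, finding) pairs for allow rules a reviewer should question."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules open no path; not reviewed here
        if not r.justification.strip():
            findings.append((r.name, "no business justification recorded"))
        if r.expires is None:
            findings.append((r.name, "no expiry or review date; lifetime unknown"))
        elif r.expires < today:
            findings.append((r.name, f"expired on {r.expires} but still active"))
        if r.src == "any" and r.dst == "any":
            findings.append((r.name, "any-to-any allow defeats segmentation"))
        elif touches(r.src, USER_SEGMENTS) and touches(r.dst, CRITICAL_SEGMENTS):
            findings.append((r.name, "user segment can reach a critical segment"))
    return findings
# Constructed sample rules: r1 is stale, r2 is wide open, r3 has no lifetime.
SAMPLE_RULES = [
    Rule("r1", "10.100.0.0/16", "10.10.0.50/32", "443", "allow", "POS portal", date(2025, 1, 1)),
    Rule("r2", "any", "any", "any", "allow"),
    Rule("r3", "10.100.5.0/24", "10.20.0.0/24", "445", "allow", "HR file share"),
    Rule("r4", "10.100.0.0/16", "10.10.0.0/24", "any", "deny", "default deny"),
]
```

Running `audit(SAMPLE_RULES)` yields one finding per unanswered question, so a rule with a justification, a review date and a narrow scope produces nothing.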

I see organizations – including medium and large-sized corporations and government agencies with dedicated network teams – that are lacking in many of these areas, sometimes all. It’s scary stuff!

Truly reasonable and effective information security covers all aspects of the network. Not just those assumed to be most at risk. Not just those that some regulatory body says have to be locked down. And (especially) not just those that are easiest to secure. Internal network security can be, and likely should be, fairly complex in your organization. How much time, money, and effort are you dedicating to protecting your assets from the inside? It may not be enough. Only you will know.

We’re entering the next generation of security where due care is expected. It’s no longer a convenient excuse that something simple was overlooked. Address the basics. Solve the solvable. Seek out and fix the internal network security issues that need attention before someone – or some event – calls you on it.
