Illumio Blog
October 8, 2019

Fire Your Firewall for Segmentation: It's Slow to Deploy

Dan Gould,

Why hack in when you can log in? That is the wisdom of attackers today.

Phishing campaigns that deliver malicious attachments or URLs have proven highly effective in harvesting user credentials. This means attackers can merely log in with stolen credentials — and no longer have to bother with exploit kits or other more sophisticated approaches.

This is why we implement segmentation as part of defense-in-depth – to ensure single security events don’t become enormous, headline-driving breaches. Once they have a foothold, we shouldn’t be surprised to know attackers tend to move laterally to find and exfiltrate valuable data or intellectual property.

However, as many of us have learned, getting to responsive, effective segmentation today is slow, complicated, expensive, and not entirely reliable.

This is why we implement segmentation…to ensure single security events don’t become enormous, headline-driving breaches.

Why is this? It is because we use the wrong tool for the job.

We rely on the firewall, designed in the 1990’s to separate trusted internal networks from the outside internet, to segment our clouds and data centers.

Fortunately, we have finally reached a point with segmentation innovation where we can fire the firewall from segmentation duties given the untenable segmentation headaches they create and risk they introduce.

It is important to note that we must still use NGFWs at the perimeter to stop malware and attacks – those firewalls are still vitally important.

There are significant shortcomings of using firewalls for internal data center segmentation. Over the coming weeks, we’ll examine these shortcomings: they take too long to deploy, are complicated, punitively expensive, and do not inspire 100 percent confidence.

Slow, Lengthy Deployments

Far too often, we measure firewalls deployments for segmentation in fiscal quarters. Getting them fully deployed and tuned with the right rulesets to protect the right segments will take six months, nine months, a year even.

The expression "forklift upgrade" is not an exaggeration. A large data center firewall chassis, robust enough to support the 100 gbps bandwidth demands from data centers, is often 10-20 rack units in size.

Forklift upgrade:
"The term is believed to have originated when the individual components of an IT system were much larger, and may have required a forklift to haul old components away and bring new components in.”

The deployment begins by having the data center firewall chassis delivered to the loading dock. Yes, this is where a forklift may be involved. Then begins the process of racking and stacking to get them set up.

This all takes time and the clock is ticking.

How about change control processes? You must have a process in place and agreed upon to change ACLs between network segments to accommodate new applications or application behaviors as they come online. With DevOps in the driver’s seat in many cases, these updates come quickly.

For these reasons, getting internal firewalls effectively deployed takes too long. We have to wonder aloud in 2019 if this is the most business-ready option. This is just one of the reasons why we have designed better, more innovative security segmentation that lets us fire the firewall.

Have you felt this pain? If so, we encourage you to have a look for yourself at how Illumio can let you get powerful, simpler segmentation in place fast.

In our next post, we’ll look at just how complicated segmentation can be using network constructs and IP addresses. Stay tuned.

Share this post: