Ransomware Containment

Why Firewalls Aren't Enough to Combat Ransomware


Not too long ago, network administrators and security professionals relied exclusively on physical or virtual firewalls to contain security breaches. But with the proliferation of networks, the rise of the cloud, and an explosion of ransomware and other attacks, organizations need a new approach.

What enterprises need today is a cost-effective, easy-to-manage way to enforce micro-segmentation. In other words, they need a method to isolate compromised machines, networks and applications so they can't spread ransomware throughout the organization's IT environment.

Host-based segmentation points the way forward thanks to potential ease of use, scalability and affordability. Here's why.

Three options for segmentation

Segmentation falls into three broad categories:

  1. Segmentation via the network
  2. Segmentation via firewalls
  3. Host-based segmentation

Network administrators used to depend on networks architecture to help secure data. They isolated applications and workloads within networks to keep them from sharing data. In this way, any compromised machines couldn't interfere with machines or workloads on separate networks. Virtual networks and virtual LANs served this function as well as physical networks.

For example, administrators could place finance systems on one virtual network and HR systems on a different network, preventing them from talking to each other.

You can think of this approach as similar to train tracks; data can only go where the network goes. And it's effective, but it doesn't lend much flexibility to your environment as it makes it difficult for workloads to share data.

Connecting virtual networks is where the firewall comes in. Here, complications quickly arise as administrators must work out what ports need to stay open, what information needs to go across to what other assets, and which rules have to change in response to new threats.

Still, the firewall approach to segmentation persists as the main segmentation method for large organizations. To use them, administrators create groups and define both "allow" and "deny" list rules to control communication between those groups. Rules may be enforced through physical, virtual or distributed hypervisor firewalls.

The firewall acts like passport control. After identifying users, machines and networks, you let them through or block them depending on what they or the organization wants to do.

The firewall approach is still common because organizations typically have built up significant firewall investments over time that they want to leverage in response to new attacks. Their teams also know how to manage them, and they don't want to add more products and costs to their IT portfolios.

However, the nature of today's IT environments and threat landscape has got ahead of the segmentation capabilities of traditional firewalls. That's why enterprises now need the scale, speed and performance of host-based segmentation.

With host-based segmentation, administrators create simple labels for each workload and develop rules for communication between label combinations. This approach can be more cost-effective and provide better security than firewalls on their own. That's because firewalls come with many limitations.

The trouble with firewalls

Firewalls face several critical limitations:

  • Lack of visibility
  • Slower speed
  • Inability to implement application ring-fencing
  • Complexity
  • Lack of granularity
  • Cost
  • Vulnerability to ransomware

A firewall's slow time to implementation is critical in an era of expanding workloads and corresponding threats.

A big firewall may depend on a list of 1,000 or more rules. If you want to change one of those, you have to ensure that the change doesn't affect any of the rules further down the list. And you can't test that changed rule; you simply have to deploy it and hope something doesn't break. All of which takes time. Time during which vulnerabilities can proliferate and ransomware spread.

Given the complexity and time involved, it's no wonder that one estimate puts the number of firewall breaches due to firewall misconfiguration at 99 percent.

In contrast, host-based segmentation can take much less time and removes complexity from the process of rewriting rules. It relies on visibility.

How host-based segmentation works

Rather than having to scramble to rewrite lists of rules during a ransomware attack, workload-based segmentation provides both proactive and reactive functions to help teams stay on top of threats.

Host-based segmentation lets security and IT teams see all communication flows and identify risk.

Illumio provides an application dependency map of connections between networks, machines and workloads. Users can simply click on a link in the map to test and then apply a rule immediately across the environment.

From there, organizations can quickly and easily block unnecessary access routes and high-risk ports or take other proactive steps to segment traffic in order to limit the lateral movement of malware or attackers.

When all else fails, segmentation functions like a big red emergency button. Hitting it can instantly block ransomware from spreading across vulnerable workloads.

Micro-segmentation with Illumio

The cloud presents additional challenges to traditional firewalls. Moving services into the cloud also moves your Internet gateway into the cloud, so you don't own it anymore. And that firewall that was doing your segmentation goes with it, requiring you to come up with a different solution for that function anyway. Illumio can be that solution.

Illumio works with existing host-based firewalls to provide real-time visibility and protection for your entire IT environment, whether in the cloud, on-premises or hybrid configurations. It also provides scale; it works the same way whether you have two servers or 200,000.

Of course, complex environments can quickly become difficult to visualize; it's difficult to see what's going on in something that looks like a big bowl of spaghetti. That's why Illumio breaks up visualization into easy-to-understand maps. For example, it can show assets by geography or cloud service.

Want to see what's happening with your data in the U.S.? What's happening in Europe? Or in AWS, Azure or Google? How about that suspicious communication between a server in Australia and a fish tank thermostat in Germany?

Illumio makes it easy to visualize it all because it retrieves that information from the actual process in the workload. From there, it lets you use the workload itself to do segmentation, rather than an external firewall, giving you the speed, flexibility and responsiveness you need to meet today's threats — wherever they appear.

Calculating costs for firewalls vs. host-based segmentation

The cost of firewalls quickly adds up. Firewall pricing depends on size, which depends on factors such as the following.

  • Throughput — i.e., the sum of Ethernet interfaces to be addressed.
  • Processor cores required to run virtual firewalls — typically consuming about 25 percent of a server's resources.
  • Number of sockets — dictating how many workloads the server can support.

The higher the throughput, the more cores you need, which means you need more sockets and a more expensive server. Such costs can quickly add up.

These total cost of ownership calculations include the cost of the products, the number of changes typically needed in a week, the cost of people implementing changes, and other factors.

The future of segmentation

Illumio abstracts layers of complexity, making it as simple as possible for administrators to segment assets proactively or in direct response to threats, without worrying about how to configure their networks.

It's what today's IT environments require. Just as network segmentation on its own gave way to firewalls, workload-based segmentation is the next technological step needed to build on what's gone before.

In the era of cloud workloads and expanding threats, what's needed now is visibility and segmentation based on workloads. It's all to provide the Zero Trust approach to security that's vital to today's enterprises.

Micro-segmentation based on workloads also frees IT professionals more productive tasks than laboriously rewriting firewall rules. And that can give companies a crucial competitive advantage in a tight labor market where they must undergo digital transformation at breakneck speed to keep up.

Learn more about the benefits of micro-segmentation or talk with our experts about how it can help protect your organization against ransomware and other cyberattacks.

Related topics

No items found.

Related articles

Raising the Bar for Attackers: How Micro-Segmentation Can Protect Organizations From Kaseya-Like Attacks
Ransomware Containment

Raising the Bar for Attackers: How Micro-Segmentation Can Protect Organizations From Kaseya-Like Attacks

How micro-segmentation could have reduced the attack-surface and mitigated the consequences of the Kaseya attack.

How to Meet CISA’s Phobos Ransomware Guidance With Illumio
Ransomware Containment

How to Meet CISA’s Phobos Ransomware Guidance With Illumio

Be prepared for Phobos ransomware with the Illumio Zero Trust Segmentation Platform.

Assume Breach with Zero Trust Endpoint Security
Ransomware Containment

Assume Breach with Zero Trust Endpoint Security

Learn why traditional approaches to endpoint security aren't enough and how Illumio Endpoint can complement your existing detection tools.

No items found.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?