I had an interesting conversation several days ago with a network admin who was looking into making changes to the network at his company’s main office. This office housed around 100 folks and was fairly straight-forward with technology needs. They had a handful of VLANs for different departments and functions.
What I liked about this setup was the fact that the VLANs were all trunked through to the pair of high-performance, high-availability firewalls at the office that were also the site’s L3 routers. In this way they were able to apply security filtering (AV/IPS/App control) to all inter-VLAN connections rather than leaving this protection at the internet border only. The network admin that I was conversing with wanted to break off this routing, though, so that all VLANs terminated at a dedicated router and the firewalls would only be used as the border gateway.
This is the traditional Cisco way of thinking, and functionally it works. It works great! I have a background in Cisco networking so I understand this very well, and I also realize that different size networks will have different needs – not every design works efficiently for every network. Keep in mind that I’m writing this here while thinking about this small office, and so many companies I’ve worked with that have offices of similar sizes.
Unfortunately, times are changing and this separation of router and firewall is no longer the best direction for small sites. After a few quick searches you can see that more and more threats today come from inside the network. New technology concepts such as BYOD, IoT, web proxies and private VPN’s are all technical contributors to this problem. Especially considering the human factor, administrators should no longer completely trust internal devices. It is too easy for a user to take home their work laptop home and come back into the trusted network where a new virus on that machine can spread un-checked. The typical IT organizations managing these smaller businesses no longer have reasons to allow this to happen:
- High-performance network devices are common and affordable; performance on the network cannot be a reason to not implement Next-Gen Firewall (NGFW) protection. Throughput on today’s hardware with NGFW features enabled can easily be greater than 1Gbps while still being very affordable, even for small businesses.
- Network availability is not a concern as any business-grade equipment from a reputable vendor should support HA capabilities. Insist on stacked switches for redundancy behind those firewalls? Great! Go for it. Just don’t let those switches be your internal layer 3 routers.
- Firewalling should be more than just blocking and allowing ports on the network. Here is the big differentiator between your common router and your NGFW firewall: the router with an ACL is only going to block ports/IP addresses. A firewall of course has this capability, but adds user identification, antivirus, intrusion detection, application control, DDoS protection, and more. If you’re saying to yourself that you’re fine with your Cisco 2900 router because you have ACL’s between your VLANs, you’re wrong. If you want to keep them that is your choice; maybe add a transparent firewall in there too, though.
Lets take network security to the next level. Don’t assume that yesterday’s network design is still the best fit for today’s world. And don’t assume that your inside devices are trusted! Take steps to protect your network at every level. That’s next-gen thinking.
