Segment your network to reduce the attack surface and
make it easier to manage resource protection.
The larger the network, the more difficult it is to
protect. A large, unsegmented network presents a large attack surface
that can be difficult to manage and protect. Because traffic and
applications have access to the entire network, once an attacker
gains entry to a network, the attacker can move laterally through
the network to access critical data. A large network is also more
difficult to monitor and control. Segmenting the network limits
an attacker’s ability to move through the network by preventing lateral
movement between zones.
A security zone is a group of one or more physical or virtual
firewall interfaces and the network segments connected to the zone’s interfaces.
You control protection for each zone individually so that each zone
receives the specific protections it needs. For example, a zone
for the finance department may not need to allow all of the applications
that a zone for IT allows.
To fully protect your network, all traffic must flow through
the firewall. Configure Interfaces and Zones to create separate
zones for different functional areas such as the internet gateway,
sensitive data storage, and business applications, and for different
organizational groups such as finance, IT, marketing, and engineering.
Wherever there is a logical division of functionality, application
usage, or user access privileges, you can create a separate zone
to isolate and protect the area and apply the appropriate security
policy rules to prevent unnecessary access to data and applications
that only one or some groups need to access. The more granular the
zones, the greater the visibility and control you have over network
traffic. Dividing your network into zones helps to create a Zero Trust architecture that
executes a security philosophy of trusting no users, devices, applications,
or packets, and verifying everything. The end goal is to create
a network that allows access only to the users, devices, and applications that
have legitimate business needs, and to deny all other traffic.
How to appropriately restrict and permit access to zones depends
on the network environment. For example, environments such as semiconductor
manufacturing floors or robotic assembly plants, where the workstations
control sensitive manufacturing equipment, or highly restricted
access areas, may require physical segmentation that permits no
access from outside devices (no mobile device access).
In environments where users can access the network with mobile
devices, enabling User-ID and App-ID in conjunction with segmenting
the network into zones ensures that users receive the appropriate
access privileges regardless of where they access the network, because
access privileges are tied to a user or a user group instead of
to a device in one particular zone.
The protection requirements for different functional areas and
groups may also differ. For example, a zone that handles a large amount
of traffic may require different flood protection thresholds than
a zone that normally handles less traffic. The ability to define the
appropriate protection for each zone is another reason to segment
the network. What appropriate protection is depends on your network
architecture, what you want to protect, and what traffic you want
to permit and deny.