Segment Your Network for a Reduced Attack Surface
Learn about how to segment your network for a reduced attack surface.
Where Can I Use This?
  • NGFWs
What Do I Need?
  • No prerequisites needed
Traffic must pass through the NGFW in order for the NGFW to manage and control it. Physically, traffic enters and exits the NGFW through interfaces. The NGFW determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going.
On a Palo Alto Networks NGFW, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the NGFW. Because traffic can flow between zones only if a Security policy rule allows it, zones are your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data, and the more protection you have against malware moving laterally through your network.
For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define Security policy rules that permit only certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
The following diagram shows a very basic example of network segmentation using zones. The more granular you make your zones (and the corresponding Security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because, by default, traffic can flow freely within a zone (intra-zone traffic, allowed by the predefined intrazone-default rule), but traffic cannot flow between zones (inter-zone traffic, denied by the predefined interzone-default rule) until you define a Security policy rule that allows it.
Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.
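The Customer Data example above, expressed as PAN-OS configure-mode CLI. This is an added example, not configuration from the original page: the interface names, IP addresses, zone names, the application (mssql-db) and the user group (acme\db-admins) are assumed for illustration and should be replaced with your own. It also shows two caveats the prose does not: source-user matching needs User-ID enabled on the source zone, and an explicit logged deny is useful because the predefined interzone-default rule denies without logging unless you override it.

```text
# Added example: PAN-OS configure-mode CLI for segmenting database servers
# into a Customer-Data zone. Names, addresses and the user group are assumed.
configure

# Layer 3 interfaces, one per segment (assumed addressing)
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/2 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/3 layer3 ip 10.20.0.1/24
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

# An interface carries no traffic until it belongs to a zone
set zone Untrust network layer3 ethernet1/1
set zone Users network layer3 ethernet1/2
set zone Customer-Data network layer3 ethernet1/3

# source-user in a rule only matches if User-ID is enabled on the source zone
set zone Users enable-user-identification yes

# Only the DBA group, coming from the Users zone, may reach Customer-Data,
# and only with the database application on its default port
set rulebase security rules Allow-DBA-to-Customer-Data from Users to Customer-Data source any destination any source-user "acme\db-admins" application mssql-db service application-default action deny
set rulebase security rules Allow-DBA-to-Customer-Data action allow
set rulebase security rules Allow-DBA-to-Customer-Data log-end yes

# Explicit, logged catch-all deny for everything else headed into Customer-Data.
# The predefined interzone-default rule would also deny this traffic, but it
# does not log unless you override it, so blocked attempts would be invisible.
set rulebase security rules Deny-to-Customer-Data from any to Customer-Data source any destination any application any service any action deny
set rulebase security rules Deny-to-Customer-Data log-end yes

commit
```

Rule order matters: PAN-OS evaluates the Security rulebase top down and applies the first match, so the allow rule must sit above the catch-all deny. Traffic between two hosts inside Customer-Data is still permitted by intrazone-default; if the database servers should not talk to each other either, split them into separate zones or add an intra-zone deny rule.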
To get started, configure interfaces and assign them to zones, then define the Security policy rules that allow traffic between those zones.