An internal firewall is a security solution designed to protect a network from attacks that have already gotten past the perimeter. A firewall, in general, is a device or software designed to monitor traffic and prevent unauthorized access, and an internal firewall is an advanced application of that concept.
When comparing an internal firewall with a perimeter firewall, there are several key differences. Unlike a traditional perimeter firewall, an internal firewall must proactively provide visibility into, and protection from, internal threats, and it must be fast enough to keep up with the volume of internal traffic. Today, cyberattacks are increasingly likely to make it past the network perimeter, and internal firewalls minimize the damage such attacks can do.
Although all businesses should have internal firewalls and similar security measures in place, internal firewalls are particularly useful for very large enterprises with multiple network segments for different departments, as well as for networks that have large attack surfaces due to running distributed services across public and private clouds.
Internal firewalls work by employing two key strategies:
Instead of trying to identify and neutralize each threat individually, an internal firewall leverages a deeper understanding of internal traffic to identify activity that doesn’t conform to the behavior that administrators expect to see. It defines policy at both the network and process level to mitigate threats that leverage multiple attack vectors. An internal firewall sits at strategic points within the internal network and utilizes a zero-trust approach to isolate threats and limit the potential damage. In other words, it assumes that threats have already found their way in and prevents them from moving freely throughout the internal network.
An internal firewall monitors and secures east-west (internal) network traffic, rather than north-south traffic at the perimeter. An external firewall monitors the network’s perimeter and prevents unauthorized access from the outside. The two types of firewalls are intended to solve different problems: while an external firewall protects against outside intruders, an internal firewall needs to monitor all traffic on the internal network to identify bad actors and potential threats. Because of this, internal and external firewall design differs in key ways:
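As an added illustration (not code from the original page or from any vendor product), the following Python sketch shows the two ideas described above working together: a flow is first classified as east-west or north-south, and only east-west flows are evaluated against an internal policy that is defined at both the network level (source and destination segment, port) and the process level, with a zero-trust default deny for anything not explicitly allowed. The address space, segment names, processes and rules are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the internal address space; anything else is "outside".
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed example: internal segments (tiers) and the subnet each owns.
SEGMENTS = {
    "web": ip_network("10.1.0.0/16"),
    "app": ip_network("10.2.0.0/16"),
    "db": ip_network("10.3.0.0/16"),
}

# Constructed allow-list keyed by (src_segment, dst_segment, dport, process).
# Policy is expressed at the network AND process level; anything not listed
# is denied, which is the zero-trust default for east-west traffic.
ALLOW = {
    ("web", "app", 8080, "nginx"),
    ("app", "db", 5432, "app-server"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    process: str  # process on the source host that opened the connection


def direction(flow: Flow) -> str:
    """East-west if both endpoints are internal, otherwise north-south."""
    s = any(ip_address(flow.src) in n for n in INTERNAL)
    d = any(ip_address(flow.dst) in n for n in INTERNAL)
    return "east-west" if s and d else "north-south"


def segment_of(ip: str):
    """Map an internal address to its segment name (None if unknown)."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def evaluate(flow: Flow):
    """Return (verdict, reason). North-south flows are left to the perimeter
    firewall; east-west flows must match an explicit rule or are denied."""
    if direction(flow) != "east-west":
        return "pass-to-perimeter", "north-south traffic"
    key = (segment_of(flow.src), segment_of(flow.dst), flow.dport, flow.process)
    if key in ALLOW:
        return "allow", "matches policy"
    return "deny", f"no rule for {key}"
```

A web host talking straight to the database segment, or the right segments and port but an unexpected process, both fall through to the default deny, which is exactly the lateral movement the text describes an internal firewall containing.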
An internal firewall is a crucial part of network firewall security, especially as networks grow more distributed and it becomes more difficult to keep attackers out of the network perimeter. It complements a perimeter firewall and provides an extra layer of security to lock down east-west traffic and prevent the lateral movement of threats within your enterprise. With cyberattacks increasing in number and sophistication, it’s almost inevitable that an organization’s network perimeter will be breached. When that happens, an internal firewall minimizes the damage that attackers can do.
Perimeter firewalls provide a first line of defense against external attacks, but they’re no longer enough to protect your enterprise from sophisticated threats. With more users and devices on the network than ever before, plus a larger attack surface thanks to the increase in distributed services running across public and private clouds, it’s risky to assume that securing the perimeter is enough. If a threat does find its way past the network perimeter, it can gain unfettered access to your internal networks—unless there’s a protective measure like an internal firewall in place.
According to a recent report, 59 percent of attacks involve attempted lateral movement—so it’s crucial to defend your network against these threats. An internal firewall prevents attackers from running rampant in your network and limits the harm they can do.
Although an internal firewall differs from a perimeter firewall in purpose and design, internal firewall best practices are similar to standard network firewall best practices. Here are a few common principles: