
Turbocharging Firewalls with MFA-based Microsegmentation

Published September 12, 2022 by Nicholas DiCola

Firewalls look like they should offer solid protection against breaches, but they only go so far. Nowhere is this clearer than with microsegmentation, the network security control every organization needs if it wants to stop an attacker who has already gotten past the firewall from moving laterally inside the network.

Why is this the case? Like the walls around a medieval town, an old-school firewall separates the inside from the outside; it does not put a boundary around every machine in the network. At best, a traditional firewall can provide coarse segmentation (a handful of zones or VLANs), and even that comes at a high cost in hardware and in tedious, manual rule maintenance.

As a result, many organizations that rely on old-school firewalls (e.g., from Palo Alto Networks) know they need to add something more robust to their security stack and protect their assets from the inside. This is where Zero Networks comes in...

Zero Networks has been working with many of our customers to augment their existing network security measures and protect every machine and asset (regardless of its location and type) through our unique MFA-based microsegmentation solution.

Why microsegmentation is crucial (and a firewall is not enough)

Implementing MFA-based microsegmentation means isolating every element in the network within its own software-defined border (think of a large number of miniature, isolated DMZs). We’ll use Palo Alto Networks to illustrate why this approach is needed. Without microsegmentation, the Palo Alto firewall enforces policy between a small number of zones, so everything behind it becomes a single “zone of trust”. Whoever holds an IP address inside that zone, whether a legitimate workstation, a VPN client, or an attacker’s foothold, is treated as trusted and can generally reach other on-premises applications and ports in the zone without any further check.

This is an important first step, but it doesn’t go far enough to fully protect a network from attacks since the firewall is only protecting the outer perimeter of the network and does nothing to stop attackers once they’re inside.

The Zero Networks difference

After adding Zero Networks’ MFA-based microsegmentation, an organization is protected against the vast majority of the techniques that ransomware and advanced attackers use to spread inside a network. This is because Zero Networks effectively eliminates the “zone of trust”: every machine denies inbound connections by default, and the risky operations that admins (and attackers) perform, such as opening a port or administrative protocol to another asset, require an additional MFA step before access is granted. Once this is in place, even an attacker who has penetrated the network has nowhere to move and is stopped in their tracks.
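To make the difference between a perimeter “zone of trust” and per-host, MFA-gated segmentation concrete, here is a small policy model written for this post. It is an added illustration, not Zero Networks’ code or a description of how its product is implemented. The port list, the hostnames, the 10.0.0.0/8 trusted zone, and the one-hour grant lifetime are assumptions chosen for the example; the MFA challenge itself is represented by a boolean result supplied by the caller.

```python
"""Toy model: perimeter zone-of-trust vs. per-host default-deny with MFA-gated,
time-boxed access to lateral-movement ports. Illustrative example only."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Protocols an admin (or an attacker) uses to move between machines:
# SSH, RPC endpoint mapper, SMB, RDP, WinRM. Constructed for this example.
RISKY_PORTS: Set[int] = {22, 135, 445, 3389, 5985, 5986}

# The perimeter firewall's "inside" zone. Assumed value for the example.
TRUSTED_ZONE = ipaddress.ip_network("10.0.0.0/8")


def zone_firewall_check(src_ip: str, port: int) -> str:
    """Perimeter model: any source already inside the trusted zone may talk to anything."""
    if ipaddress.ip_address(src_ip) in TRUSTED_ZONE:
        return "allow"  # no per-host decision at all; port is irrelevant
    return "deny"


@dataclass
class HostPolicy:
    host: str
    baseline_allow: Set[Tuple[str, int]] = field(default_factory=set)      # (src, port)
    jit_allow: Dict[Tuple[str, int], float] = field(default_factory=dict)  # (src, port) -> expiry


class Segmenter:
    """Per-host default-deny. Risky ports open only after MFA, and only for a limited time."""

    def __init__(self) -> None:
        self.policies: Dict[str, HostPolicy] = {}

    def _policy(self, host: str) -> HostPolicy:
        return self.policies.setdefault(host, HostPolicy(host))

    def allow_baseline(self, dst: str, src: str, port: int) -> None:
        """Standing allow for a learned, low-risk flow (e.g. web tier -> DB on 5432)."""
        if port in RISKY_PORTS:
            raise ValueError(f"port {port} is MFA-gated and cannot be baseline-allowed")
        self._policy(dst).baseline_allow.add((src, port))

    def request_access(self, dst: str, src: str, port: int, mfa_verified: bool,
                       now: float, ttl_seconds: float = 3600.0) -> bool:
        """Open a risky port from src to dst for ttl_seconds, only if MFA succeeded.
        mfa_verified stands in for the outcome of an external MFA challenge."""
        if not mfa_verified:
            return False
        self._policy(dst).jit_allow[(src, port)] = now + ttl_seconds
        return True

    def check(self, src: str, dst: str, port: int, now: float) -> str:
        """Decide a connection attempt: 'allow-baseline', 'allow-jit' or 'deny'."""
        pol = self.policies.get(dst)
        if pol is None:
            return "deny"  # unknown host: default deny
        if (src, port) in pol.baseline_allow:
            return "allow-baseline"
        expiry = pol.jit_allow.get((src, port))
        if expiry is not None:
            if now < expiry:
                return "allow-jit"
            del pol.jit_allow[(src, port)]  # grant expired: back to deny
        return "deny"


def demo() -> Dict[str, str]:
    """Walk through the scenario in the text: an attacker who is already inside."""
    seg = Segmenter()
    seg.allow_baseline("db01", "web01", 5432)  # legitimate application traffic
    out: Dict[str, str] = {}
    # Perimeter-only view: a compromised workstation in 10/8 may reach SMB on anything.
    out["perimeter_smb"] = zone_firewall_check("10.1.2.3", 445)
    # Microsegmented view: same workstation, same port, default deny.
    out["seg_smb_no_mfa"] = seg.check("ws-compromised", "db01", 445, now=0)
    out["seg_baseline"] = seg.check("web01", "db01", 5432, now=0)
    # An admin passes MFA and gets RDP to db01 for one hour; the attacker does not.
    seg.request_access("db01", "admin-jump", 3389, mfa_verified=True, now=0)
    seg.request_access("db01", "ws-compromised", 3389, mfa_verified=False, now=0)
    out["admin_rdp"] = seg.check("admin-jump", "db01", 3389, now=10)
    out["attacker_rdp"] = seg.check("ws-compromised", "db01", 3389, now=10)
    out["admin_rdp_expired"] = seg.check("admin-jump", "db01", 3389, now=3601)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The two decision functions make the argument of the post explicit: the perimeter check never looks at the destination host or port once the source is “inside”, while the segmenter denies everything that is neither a learned baseline flow nor a still-valid, MFA-backed grant, and the grant itself lapses on its own.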

Zero Networks makes this level of segmentation practical and cost-efficient because the solution is software-based rather than appliance-based. It gives customers a simple way to put a default-deny boundary around every one of their assets.

This is something that, until now, was very hard to implement in practice. But with Zero Networks it can be done with the click of a button. In fact, it works so well that many customers are removing their old-school firewall appliances, and keeping only the absolute bare minimum (e.g., those that separate the organization from the internet). And, for the firewall appliances that remain, customers are actually using Zero Networks to provide MFA for access to the admin console of the firewall itself!

Essentially, Zero Networks protects the things that organizations use to protect themselves.

The future of network security

The bottom line is that old-school network security, and especially the firewall, falls short when it comes to protecting against today’s breaches and attacks. Organizations need to defend not only against threats from the outside but also against an intruder moving between the assets inside their network, including the security tooling itself. Protecting assets from that lateral movement is the heart of Zero Networks’ innovation. It's why organizations, even those that already have other security measures in place, are turning to us to help fully secure their network, inside and out.

For now, Zero Networks and these other solutions work together to protect our customers. But it won’t be that way forever. Zero Networks is working towards a holistic solution that blocks threats from the outside and the inside, one that can be deployed with the click of a button (without the need for agents or cumbersome rule manipulation). Stay tuned to hear more about this soon…