HPE Aruba Networking Blogs

Taking a fresh look at firewall security

By Eve-Marie Lanza, Senior Security Solutions Marketing Manager, Aruba

It’s the question keeping network and security leaders up at night: When was the last time you evaluated your firewall security strategy?

That probably wasn’t the question you were expecting—but maybe it should be.

The downsides of bolt-on firewall security

Firewall security is a tried-and-true pillar of every IT security strategy. Adding network firewalls to IT infrastructure whenever a new resource is added, a security risk point is identified, or a compliance requirement calls for access control is common practice. Yet this approach might not always be the best way to protect the organization.

What are the consequences of “bolting-on” security like this?

  • Adding security elements in a disjointed fashion can over time lead to a patchwork of systems that increases not only architectural but operational complexity. Digital sprawl can lead to spiraling costs and time sinks spent managing multiple, disparate pieces.
  • The more moving parts to manage, the more likely something could go wrong. Misconfigurations and inconsistencies in firewall security policies and enforcement can expose the organization to security gaps and potential cyber security risk.
  • Poor user experience. Firewall inspection that requires “hairpinning” traffic through a central firewall can introduce latency and diminish performance, frustrating users. Access and security must be balanced so that firewalls don’t become bottlenecks.

A new approach: Firewall security built into the network

While dedicated firewalls are not going away, a growing number of organizations are reaping the benefits of a built-in security approach that encompasses identity-driven global policy, role-based access security, dynamic segmentation, and edge-to-cloud enforcement.

Built-in security helps security leaders provide users with the readily available network connectivity they need without sacrificing cybersecurity protection. With firewall security capabilities built into network infrastructure, organizations can deliver security at the point of access, where it’s needed most to protect valuable resources. This eliminates the hairpinning and complexity that slow performance and contribute to digital sprawl.

Most importantly, this built-in approach can not only enhance protection, it also enables more efficient use of resources—a critical benefit when staffing and investments must stretch further than ever.

4 ways to bring the benefits of built-in firewall security to your organization

Rethinking firewall security strategy doesn’t need to be all-or-nothing. Many security leaders find that they can begin integrating built-in security within their organization without the need for a rip-and-replace of existing infrastructure.

Here are just a few examples of how you can use built-in security to enhance protection and efficiency throughout your organization.

  • Enforce Zero Trust at the point of access: HPE Aruba Networking policy enforcement, built into HPE Aruba Networking access points, switches, and gateways, and shared with other policy enforcement points (such as perimeter firewalls, VPN, etc.), delivers comprehensive, dynamic role-based access control for users and devices. Policy Enforcement Firewall (PEF) uses identity, traffic attributes, and other context to enforce centrally defined access privileges in a distributed manner, closer to the source. This closes the gap between the moment a device connects and the moment policy is enforced on it, limiting an attacker’s lateral movement.
  • Extend Zero Trust Network Access to campus and WAN fabrics: Using stateful application-aware role-based policies defined within HPE Aruba Networking Central NetConductor, you can simply define, and “push-button” propagate, granular network access policies from edge to cloud to edge. Role-based policies are enforced at the source of access on HPE Aruba Networking gateways or CX switching infrastructure, or carried over the WAN to be enforced at the destination by HPE Aruba Networking gateways or EdgeConnect SD-WAN, depending on choice of overlays. This enhances protection against internal threats within the network that would have otherwise gone undetected by traditional perimeter firewalls.
  • Replace branch firewalls with advanced secure SD-WAN: HPE Aruba Networking EdgeConnect SD-WAN delivers next-generation firewall capabilities so you can streamline branch architectures for quicker, easier, more efficient deployments without compromising security. Combining the flexibility of SD-WAN virtual overlays with firewall security capabilities, your branches get security for IoT devices, secure connections through data encryption, and optimal application performance.
  • Bring Zero Trust into the data center: Microsegmentation of workloads and applications often entails bolting on stateless ACL-based switches, hardware firewall appliances, virtualized firewall appliances, and software agent-based firewalls—approaches that offer insufficient security, significant design and management complexity, very high CapEx/OpEx costs, and limited security scaling and performance. Instead, consider a built-in security approach with the HPE Aruba Networking CX 10000 series distributed services switch with AMD Pensando. This industry-first DPU-enabled switch delivers 800G of distributed stateful firewalling for east-west traffic, microsegmentation to support Zero Trust, IPsec VPN encryption, NAT, and pervasive telemetry services—delivered inline, across every port, closer to critical enterprise applications, for 10x the performance at half the TCO of traditional virtualized, software agent-based solutions.(1)
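To make the point-of-access argument in the first two bullets concrete, here is an added example, not HPE Aruba Networking code or any product’s configuration: a small Python model in which the same role-based, deny-by-default policy is evaluated either only at a perimeter firewall or at each endpoint’s access port. The roles, topology, policy and sample flows are constructed for illustration, and the `uninspected` result stands for traffic a perimeter-only design forwards without ever seeing.

```python
"""Role-based policy enforced at the point of access vs. at the perimeter only.

Added illustration, not HPE Aruba Networking code: a small model of the
visibility gap described above. The roles, topology, policy and sample
flows are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source endpoint
    dst: str    # destination endpoint
    proto: str  # "tcp" / "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    proto: str             # "any", "tcp" or "udp"
    dport: Optional[int]   # None matches any port
    action: str            # "permit" or "deny"


# Role assignment derived from identity (e.g. 802.1X or device profiling). Constructed.
ROLE: Dict[str, str] = {
    "printer-1": "printer", "printer-2": "printer",
    "cam-1": "iot-camera", "laptop-1": "employee",
    "print-server": "print-service", "nvr": "video-service",
}

# Where each endpoint attaches. Flows between endpoints on the same access
# switch never reach a perimeter firewall in the bolt-on model. Constructed.
ATTACH: Dict[str, str] = {
    "printer-1": "sw-floor2", "printer-2": "sw-floor2",
    "cam-1": "sw-floor2", "laptop-1": "sw-floor2",
    "print-server": "dc-core", "nvr": "dc-core",
}

# Centrally defined role-to-role policy: first match wins, implicit deny.
POLICY: List[Rule] = [
    Rule("printer", "print-service", "tcp", 631, "permit"),
    Rule("iot-camera", "video-service", "tcp", 554, "permit"),
    Rule("employee", "print-service", "tcp", 631, "permit"),
    Rule("employee", "video-service", "tcp", 443, "permit"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Apply the role policy to one flow; anything unmatched is denied."""
    src_role = ROLE.get(flow.src, "unknown")
    dst_role = ROLE.get(flow.dst, "unknown")
    for r in policy:
        if (r.src_role == src_role and r.dst_role == dst_role
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


def perimeter_only(flow: Flow) -> str:
    """Bolt-on model: the firewall sits between the access layer and the data
    center, so east-west traffic on one switch is forwarded without inspection."""
    if ATTACH[flow.src] == ATTACH[flow.dst]:
        return "uninspected"   # effectively permitted, and invisible to the firewall
    return evaluate(flow)


def point_of_access(flow: Flow) -> str:
    """Built-in model: the source's access port enforces the same central
    policy on every flow, including east-west traffic."""
    return evaluate(flow)


# Constructed sample traffic, including two lateral-movement attempts.
FLOWS: List[Flow] = [
    Flow("printer-1", "print-server", "tcp", 631),  # legitimate print job
    Flow("printer-1", "printer-2", "tcp", 9100),    # printer probing a peer
    Flow("cam-1", "laptop-1", "tcp", 445),          # compromised camera -> SMB
    Flow("cam-1", "nvr", "tcp", 554),               # legitimate RTSP to the NVR
    Flow("cam-1", "print-server", "tcp", 631),      # camera reaching into the DC
]


def enforcement_gap(flows: List[Flow] = FLOWS) -> List[Tuple[Flow, str, str]]:
    """Flows where the two models disagree: the lateral movement the
    perimeter-only design never sees."""
    return [(f, perimeter_only(f), point_of_access(f))
            for f in flows if perimeter_only(f) != point_of_access(f)]


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src:>10} -> {f.dst:<13} {f.proto}/{f.dport:<5} "
              f"perimeter={perimeter_only(f):<12} access={point_of_access(f)}")
```

In the perimeter-only model the two east-west flows (printer to printer, camera to laptop) come back as `uninspected`, while the same central policy, evaluated at the source’s access port, denies both. The check a practitioner wants is `enforcement_gap()`: any flow from a real traffic baseline that lands there is a lateral-movement path the perimeter design cannot see, let alone block.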

Going beyond firewall security

Security-first, AI-powered networking from HPE Aruba Networking has Zero Trust Security built in, so you can power distinctive experiences and innovative business results with the least possible risk. Gain advanced visibility, insights, centralized policy management, data protection, threat defense, and access control from a single platform—turning your network into a Zero Trust Security “first responder” that aids early detection of threats and alleviates the burden on expensive, resource-intensive firewalls elsewhere. Our AI-powered networking approach also helps you reduce manual effort, improve visibility and anomaly detection, and enhance monitoring and diagnostics, freeing your teams to focus on innovation.

Explore HPE Aruba Networking security-first, AI-powered networking

Conquering the complexity of a reshaped landscape calls for networking that puts security first. Learn how HPE Aruba Networking can help.

(1) Aruba Introduces the Next Evolution of Switching Architecture