In today's interconnected world, traditional network security perimeters are no longer sufficient to protect against sophisticated cyber threats. Zero Trust is a security framework that assumes no user or device can be trusted by default, even within the network.
Firewalla can empower homes and small businesses to implement this Zero Trust architecture effectively, strengthening security posture. Now, with the introduction of the Firewalla AP7, we can push Zero Trust further into the network by protecting both your LAN and WAN.
To learn more about Firewalla AP7, please see https://firewalla.com/ap7
Learn more about getting started with your Firewalla AP7 here, and check out the video below:
Key Principles of Zero Trust
- Segmentation and Microsegmentation: Divide your network into smaller segments to limit the lateral movement of threats.
- Least Privilege Access: Grant users and devices only the minimum access necessary to perform their functions on the network.
- Continuous Monitoring: Continuously monitor and verify the security posture of all users and devices.
Segmentation and Microsegmentation
What is Segmentation?
Network segmentation is the practice of dividing a network into multiple subnetworks. This is done to improve security, performance, and manageability. By segmenting a network, you can control traffic flow and prevent unauthorized access to sensitive data. Network segmentation at the network level (IP / Layer 3) is supported only on Gold and Purple Firewalla boxes in router mode.
Tutorials for the segmentation features that the Firewalla box supports at the network level:
Learn more about Layer 3 segmentation here.
What is Microsegmentation?
Segmentation at the network layer often requires network redesigns, network renumbering, and topology changes. There is a need for a simpler solution that’s easy to set up, requires minimal technical knowledge, and can be managed through mobile devices.
This solution would address the needs of small networks, like homes and small businesses, by providing essential security without the complexity of traditional VLANs. The network can be microsegmented easily into smaller groups without redesigning the network. Microsegmentation in Firewalla works mostly at Layer 2, or the Data Link layer.
Microsegmentation can work in conjunction with network layer segmentation to add another layer of protection.
Check out the video below for a quick overview of microsegmentation with Firewalla AP7.
Groups and Microsegments
In Firewalla, membership of a microsegment is defined by a "group": every device in a group is part of that microsegment. (A "User" is also a group.)
What is VqLAN?
VqLAN (virtual quarantine LAN) is Firewalla’s implementation of Layer 2 network microsegmentation. It functions somewhat like VLAN but within the same network. VqLAN is simple to set up and it doesn’t have issues working with multiple VLANs. It can operate within an existing VLAN or your main network without needing to change IP addresses. Microsegmentation using VqLAN complements segmentation done through ports or VLAN.
- Firewalla AP7 will use VqLAN to microsegment Wi-Fi-managed devices.
How to Enable VqLAN in Firewalla
VqLAN can be enabled using a single button in Firewalla Groups or Users.
Once the button is enabled, any device that connects to the Firewalla AP7 is microsegmented together with the other members of its group: it can talk to devices within the group, but not to devices outside it.
- VqLAN groups will always allow multicast and broadcast traffic.
Device Isolation
Inside a VqLAN, devices can also be isolated from each other. Once Device Isolation is enabled, devices in the group won’t be able to access any other devices. This is very useful if you are implementing a simple guest network and don’t want guest devices to bother each other.
Device Isolation can also be applied to individual devices connected to Firewalla AP7.
- When devices are isolated on the LAN, they can still access the WAN. To prevent that, you can add an internet-blocking rule.
Allowed Devices
The “Allowed Devices” feature acts as an exception to the VqLAN and Device Isolation settings. For example, if VqLAN is enabled on your IoT group to prevent any traffic in and out of the group, but you still need to access a printer inside the group to print files from your laptop, you can go to the printer’s device detail page, scroll down to locate ‘Allowed Devices,’ and add your laptop to the list. Firewalla will then allow traffic between the printer and your laptop while keeping everything else blocked.
(This feature is currently available only in the 1.64 Early Access app.)
How to Assign Known Devices to Groups/Microsegments
Firewalla microsegments can be defined via users or device groups. If you already know the device (the device is already connected to your network), you can add the device to an existing or new group or user.
This mechanism works well for kids' devices or IoT devices whose MAC addresses you already know: by placing them into a VqLAN-enabled group, microsegmentation is applied automatically. Learn more about how to add devices to a user group.
How to Assign “New” or "Any" Devices Dynamically to Groups/Microsegments
New devices are devices that are not yet known to the Firewalla, or whose MAC address has changed through randomization. Creating microsegments using SSID + personal keys ensures that such devices join the right group or segment automatically when they connect to your network.
Assign any device dynamically to a microsegment by using:
- New Device Quarantine.
- SSIDs mapping to a specific user/group. Learn more about SSID to User/Group mapping here.
- SSIDs + Personal Keys to map to a user/group. Learn more about SSIDs + personal keys here.
Microsegment Using SSID + Personal Key
In traditional home Wi-Fi, all devices share the same SSID and password, making it difficult to match new devices to a specific person or group.
With the Firewalla AP7, you can now personalize your SSID with a personal key instead of a traditional password. By using a personal key, you can easily send any known or unknown device to a group or link it to a user. This mechanism works with both VqLAN and VLAN. (PPSK is only supported in WPA2 mode.)
First, create a group, user, or VLAN network that you want to add the new devices to. Then, go into the Firewalla Wi-Fi settings, create a microsegment with a personal key, and point the microsegment to a:
- Group
- User
- VLAN (Dynamic VLAN)
Any device connecting to the SSID with a personal key (regardless of the MAC address it uses) will be placed in the configured group, user, or VLAN network.
Note: Microsegmentation with personal keys is only supported on networks with WPA2 or WPA/WPA2 security settings. The 6 GHz band is not available if microsegments are enabled.
For a quick example, please see our AP7 Tutorial on Microsegmentation/Segmentation.
Least Privilege Access
Firewalla AP7 and Firewalla Rules are powerful tools for enforcing least privilege access. By creating rules that control which devices and apps can access specific resources, Firewalla helps limit the risk of unauthorized access and data breaches. Firewalla also helps monitor and control network traffic, helping you identify and block suspicious activity. Here’s how Firewalla can help implement least privilege access:
- Firewalla rules can be applied to groups or microsegments based on VqLAN, port-based segments, or VLAN-based segments to control your access to the internet. Learn more about managing rules here.
- VqLAN and Device Isolation limit LAN access for your devices, since most devices don’t need to communicate with each other at all, or only need to talk to a few devices in their group.
- In the future, you’ll be able to create rules for managing VqLAN-to-VqLAN communication.
Learn more about how you can control your network with Firewalla.
Continuous Monitoring
Firewalla provides full visibility to your network, offering a foundation for secure network management, and preparing users for further layers of control and protection. Here’s how Firewalla helps implement continuous monitoring:
- Device Inventory and Identification: Firewalla allows users to view, rename, and manage all wired and wireless devices on their network. It can alert users of new devices and block unauthorized access.
- Traffic Monitoring: Firewalla provides detailed insights into device activities, showing data destinations, volume, and traffic type (inbound/outbound). This helps users understand network interactions and identify potential risks.
- Network Flows and Blocked Flows: Firewalla logs all traffic, highlighting blocked flows, sources, and block reasons, helping users analyze risks and refine security rules.
- Alarms and Active Protect: Firewalla can notify users of network anomalies through alarms, and “Active Protect” can automatically block malicious traffic from your network.
Learn more about how you can gain network visibility with Firewalla.
Building Your Zero Trust Network with Firewalla and Firewalla AP7
- Identify and Segment Assets: Create different microsegments and determine how authentication works with these segments.
  - In the Firewalla app, you can create groups, users, or VLAN networks.
  - After creating a group, turn on the VqLAN button to isolate traffic from other devices.
- Authenticate Devices: Configure the AP7 to authenticate and assign segments.
  - This can be done using a traditional SSID and password for known devices.
  - Use an SSID and personal keys to send known or unknown devices to specific groups. This is great for Guest networks or strong quarantine groups.
- Implement Access Controls: Enforce strict access controls for each segment, granting only the necessary permissions to authorized users and devices.
  - With Firewalla access rules, you can create complex controls, like blocking all traffic while selectively allowing access, to narrow down the sites that each device can talk to.
- Monitor and Analyze Traffic: Continuously monitor network traffic for anomalies and suspicious activity. Use Firewalla's insights to identify and respond to potential threats.
- Regularly Review and Update Policies: Regularly review and update your Zero Trust policies to adapt to changing threats and network requirements.
FAQ
- When to Use VLAN-Based Segmentation?
- When to Use Microsegmentation?
- What is the Difference Between Segmentation and Microsegmentation?
- Can a Zero Trust Network Be Made Without AP7?
When to Use VLAN-Based Segmentation?
- You want more complex rules between your device groups, such as controlling devices and ports.
- You already have multiple networks and understand that network discovery (via SSDP or IGMP) may be difficult across VLAN segments.
- Your devices are connected to switches from different vendors, and the devices needing control are not all under the AP7.
When to Use Microsegmentation (VqLAN)?
- You don’t want to re-design the network and change device IP addresses
- You have a single flat network
- Devices needing control are all managed by the AP7
- Your LAN device policy is simple, including practices such as:
  - Grouping devices together
  - Isolating devices
What is the Difference Between Segmentation and Microsegmentation?
Segmentation and Microsegmentation are the foundations of engineering a Zero Trust Network. Their primary function is to divide the network up and quarantine related devices together. These two concepts are complementary.
- Microsegmentation is at Layer 2, where different segments will have the same IP address range. Microsegmentation is more focused on quarantine and isolation between devices.
  - VqLAN is our implementation of microsegmentation on the LAN.
  - With Firewalla AP7, only devices connected to the AP7 can be microsegmented.
- Segmentation is at Layer 3 or the IP layer, where each segment has a different IP address range. You can use existing Firewalla rules to control traffic between segments. This is implemented using either port-based or VLAN-based networks.
In a typical network, you can segment using VLAN or ports and then create groups with VqLAN to enable microsegmentation within these bigger segments.
Can a Zero Trust Network Be Made Without AP7?
Yes, it can. Firewalla has already built a Zero Trust Network that does segmentation, least access rules, and extensive monitoring. Please see https://help.firewalla.com/hc/en-us/articles/4408644783123-Network-Segmentation
AP7 will add the ability to:
- Control devices on the LAN with microsegmentation
- Access control devices you don’t know (or with MAC randomization) and send them to a microsegment or segment