What really is the best way to protect your network? The honest answer is that it depends on what you want to protect and how you use your systems. Several kinds of solutions are available, for example data diodes, security gateways and firewalls, but what actually separates them? In this blog post we explain how each of these three solutions protects a network, so that you can better judge which one fits your needs.
When and why do you need network security?
If you work with sensitive information, network security is essential. Network segmentation reduces the risk of a cyberattack and limits the damage if one occurs. Without it, sensitive information can leak or be manipulated, and malware and ransomware can spread quickly and uncontrollably. Attackers rarely take the direct path to the target asset, whether that is company intellectual property or the SCADA system of an electricity producer. Instead, they work their way in through weak points far out in the architecture, such as email or customer service, and move from there towards their goal. State-funded attackers are also patient, prepared to work long-term in small steps, and are unfortunately often one step ahead. The harsh reality is that industrial control systems may already have been attacked without anyone noticing.
However, it is neither practical nor economically justifiable to protect all information in the same way. To safeguard critical information, strict network segmentation must be applied with a combination of physical and logical separation.
Where do you need physical separation? Critical information requires physical separation. Simply put, an isolated island is created with no connection to the outside world. This minimises the attack surface: the attacker has to sit at the computer that holds the critical information. Physical separation is extremely effective, but to be practical in today's world, controlled information exchange must still be possible without compromising the isolation.

So, where is logical separation appropriate? Everywhere except where critical information is protected. Office networks should use logical separation. Different parts of the business form their own zones (finance, marketing, sales, customer service, operational technology, and so on), each with its own security requirements, such as Identity and Access Management (IAM). As an employee, you may only access what you need to do your job, i.e. the relevant documents, not the entire folder structure. Logical separation works like the inner walls of a fort: it makes it difficult for attackers to move on within the systems and reach the entire IT environment.
What is a data diode?
A data diode is a cybersecurity solution that enforces unidirectional information exchange. This high-assurance hardware device maintains both network integrity, by preventing intrusion, and network confidentiality, by protecting the most security-sensitive information.
Data diodes are a failsafe way to protect sensitive systems and confidential data. They are small hardware devices, also called "unidirectional security gateways", which sit between two networks. Working like a check valve, a data diode allows all data to pass in the forward direction while blocking all data in the reverse direction. Because the one-way property is enforced in hardware rather than software, the device itself cannot be directly attacked by malicious code, which is what gives it its high assurance.
What is a security gateway?
A security gateway is a device that controls the information exchange that takes place between different security domains.
If you have security-sensitive or even classified information, you may need a solution that offers secure and filtered bidirectional communication. In that case you must be sure that nothing malicious enters your sensitive networks, and that sensitive information and data do not leak to a less sensitive and less protected network.
The purpose is to apply strict information-level control during information transfers and to mitigate cybersecurity threats such as manipulation, data leakage and intrusion. A security gateway only forwards received information when it complies with the gateway's policy, which is derived from your organisation's information security policy. The policy implemented in the security gateway defines accepted structures, formats, types, values and even digital signatures. When a message is sent from one security domain to another across a security gateway, the information in the message is analysed against the configured policy. The approved parts of the received message are placed into a new message, which is sent to the intended receiver in the other domain. In this way you know that only allowed information crosses the boundary.
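The following added example (not Advenica's code and not how ZoneGuard is implemented) illustrates the principle above in Python: a constructed policy allowlists one message type with typed, range-checked fields, an HMAC-SHA256 tag stands in for the digital signature check, and a fresh outbound message is built only from the approved parts, so unlisted fields never cross the boundary.

```python
import hmac
import hashlib
import json

# Constructed shared key standing in for the gateway's signature-verification key.
DEMO_KEY = b"constructed-demo-shared-key"

# Constructed policy: one accepted message type; each field has a required Python
# type and a value check. Fields not listed here are never forwarded.
POLICY = {
    "type": "sensor_reading",
    "fields": {
        "sensor_id": (str, lambda v: v.isalnum() and len(v) <= 16),
        "value": (float, lambda v: -50.0 <= v <= 150.0),
        "unit": (str, lambda v: v in {"C", "kPa"}),
    },
    "required": {"sensor_id", "value"},
}

def build_envelope(msg: dict, key: bytes) -> dict:
    """Sender side: serialise the message and attach an HMAC-SHA256 tag over it."""
    payload = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": tag}

def gateway_filter(envelope: dict, key: bytes, policy: dict = POLICY):
    """Gateway side: return (True, outbound_message) or (False, reason)."""
    raw = str(envelope.get("payload", ""))
    expected = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("signature", ""))):
        return False, "signature check failed"
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return False, "payload is not well-formed JSON"
    if not isinstance(msg, dict) or msg.get("type") != policy["type"]:
        return False, "message type not allowed by policy"
    outbound = {"type": policy["type"]}  # new message built from approved parts only
    for name, (ftype, check) in policy["fields"].items():
        if name not in msg:
            continue
        value = msg[name]
        # exact type match: rejects e.g. the string "21.5" or a bool where a float is expected
        if type(value) is not ftype or not check(value):
            return False, f"field {name!r} violates policy"
        outbound[name] = value
    missing = policy["required"] - set(outbound)
    if missing:
        return False, f"required field(s) missing: {sorted(missing)}"
    return True, outbound
```

A real gateway would hold the policy in configuration rather than in code and would typically use asymmetric signatures so that the sending domain cannot forge tags for the receiving one.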
Advenica's security gateway product is ZoneGuard.
What is a firewall?
A firewall protects your network by only allowing certain traffic to enter or exit. It monitors and filters traffic based on a configured set of rules.
With a firewall, it is difficult to know exactly what information is being exported from or imported into the system. A firewall configuration often becomes complex, which increases the risk of misconfiguration. Firewalls also do not separate administration from the data flow in a way that protects the information from insiders. Organisations that handle sensitive information and operate in critical infrastructure, the public sector or the defence industry need a higher level of security for their networks. That is why a firewall alone is often not enough.
How can you protect your network?
So, what is the best way to protect your network? There is no single answer: the kind of solution you need depends on the kind of operations you run and the kind of information you need to protect.