It is proving increasingly difficult, if not impossible, to better secure the enterprise by placing protection on the edge. Intruders, and the malware they bring, have become much more sophisticated.

Malware is encrypted, which makes firewall detection impossible. Once the intruder has gotten past the edge, the rest of the network is unfiltered. Inside of the network, the traffic is called east-west traffic. In the past, east-west traffic flowed unfiltered. Now, organizations are scrambling to find a way to filter internal traffic.

Network approach

It’s difficult to get away from managing security at edge locations. Enterprises and network security companies have focused on the network as a detection and enforcement point. As such, products like Palo Alto Networks’ firewalls and VMware NSX have become the first stop to filtering east-west traffic. These two products address the challenge from a network-centric approach. Security policies are created to control the network flow from device-to-device.

SEE: VMworld 2016: VMware lays out its strategy for cross-cloud support

VMware’s NSX solution filters virtual machine (VM) network traffic. NSX enables any network-level filtering between nodes, regardless of the network topology. Palo Alto Networks is an example of a solution that focuses on physical hosts. Both Palo Alto Networks and VMware integrate to enable streamlined automation.

However, there are concerns around scale for physical workloads and limitations for cloud-based workloads. Also, taking a pure network approach can leave potential holes.

Endpoint-based security

A growing line of thought is that the best way to protect enterprise data is to protect the endpoint, thus reducing the biggest attack surface area. In the past, this included basic policies such as limiting administrative rights and hardening the OS. In many environments, the resulting impact is the increase of support calls, as poorly-written applications stopped working. The next level of security was endpoint firewalls and data loss prevention (DLP) software.

Management of endpoint firewall and DLP software has proved to be a challenge in many organizations. Understanding application flows and which endpoints should communicate with each other is difficult. As the number of applications grows, so does the management complexity. Instead of true microsegmentation that leverages whitelists, organizations fall back to blacklists. Most endpoint firewall rules deny the most commonly-used malware ports such as SMTP or FTP. However, some companies, like startup Illumio, use a whitelist approach to endpoint security.

Illumio installs an agent on endpoints. The agent uses the native firewall features of the local OS. The agent approach allows Illumio to support both cloud-based and private workloads. Once installed, Illumio will monitor application traffic flows. Administrators can leave the security policy in a learning mode until enough traffic flow information exists. Once an application traffic baseline is established, whitelist access is enabled.

The endpoint has become the focus of malware writers. Whether via network segmentation or updated endpoint protection, or a combination of the two, organizations need to change the focus from the perimeter to the endpoint.