Do you want to block applications from connecting to your network? Learn why Application Control is the new security standard.
Application Control Is The New Security Standard
Application Control is a core capability of the next-generation firewall, not just one technology among many: the firewall identifies traffic by the application carrying it rather than by port number, and policy is written against that identity. It is most effective when combined with the firewall's other controls, such as the network segmentation discussed below, rather than used on its own.
Every next-generation firewall offers some form of application inspection, some more advanced than others. Palo Alto Networks, for instance, has a particularly powerful and flexible model for identifying and controlling applications. The use case for Application Control is clear: you want to keep specific applications out of your private network, or confine them to the parts of it they need, regardless of which port they happen to use.
Network segmentation lets you run multiple logical networks on a single physical infrastructure and so separate different types of traffic into different segments. The rest of this article goes a step further and describes application segmentation.
Application Segmentation – A Step Further Than Network Segmentation
What is application segmentation? It means placing all traffic belonging to a specific application into a segment (typically a VLAN) of its own, so that the application's traffic is isolated from everything else and firewall policy can grant that segment, and only that segment, access to the resources the application needs.
Application segmentation can be used with or without network segmentation. It is particularly useful when you have multiple networks and one application needs access to all of them: instead of opening each network to the whole source network, you open it to the application's segment only. This holds even if network segmentation is already in place.
It works like this: you put all traffic belonging to an application into one VLAN, then allow that VLAN access to the networks it needs through firewall rules (or network device configuration). Use a dedicated, tagged VLAN for this, not VLAN 1. VLAN 1 is the default VLAN on Cisco and many other switches and the default native (untagged) VLAN on 802.1Q trunks, so any port left at its defaults and any untagged frame arriving on a trunk ends up in it; a segment meant for a single application cannot be built on a VLAN that catches everything by default.
If you're new to networking, here's a quick primer. A VLAN is a virtual LAN that lets you logically segregate hosts based on their needs and/or job function without reconfiguring the physical infrastructure.
Normally, VLANs are configured on Layer 2 switches such as Cisco Catalyst switches, but they can also be terminated on routers using 802.1Q subinterfaces, one per VLAN tag (the "router-on-a-stick" setup).
Topology Diagram For Application Segmentation
The network consists of three segments: Internet, Internal Network, and DMZ, each with its own function. The Internet segment contains the router that provides Internet access.
The Internal Network segment contains the servers and desktop computers that serve internal users. The DMZ segment contains the externally reachable servers: web servers, email servers, and so on. Each segment sits behind its own firewall (a Netscreen NS-5GT in my example) that allows only specific types of traffic to pass.
For instance, the rule for the Internet segment allows only HTTP traffic to pass, whereas a different rule, for another segment, allows only FTP traffic. The next step is to apply application inspection rules on those firewalls, so that each rule matches the application actually carried in the session rather than just the destination port: HTTP on tcp/80 passes, but anything else tunnelled over tcp/80 does not.
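To make the difference concrete, here is an added example (not code from this article or from any firewall vendor) that models the policy described above: the three zones from the topology plus a dedicated application VLAN, with each constructed sample session evaluated once against port-based rules and once against application-based rules. The zone names, VLAN numbers, the "app-backup" segment, the sample flows and the tiny payload-signature matcher are all assumptions made for illustration; the matcher stands in for a real application identification engine. It also shows why the application segment must not sit on VLAN 1: untagged traffic there maps to no zone and is dropped by the default deny.

```python
"""Added example for this article, not vendor or project code.

Models the three-segment topology (Internet, Internal, DMZ) plus a
dedicated application VLAN, and evaluates constructed sample flows twice:
once with port-based rules and once with application-based rules. The
application identifier below is a minimal payload-signature check standing
in for a real NGFW engine; zone names, VLAN ids and flows are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# VLAN id -> security zone. VLAN 1 is deliberately absent: it is the
# default/native VLAN, so anything untagged lands there and must not be
# treated as belonging to any segment.
ZONE_BY_VLAN: Dict[int, str] = {10: "internal", 20: "dmz", 30: "app-backup", 99: "internet"}


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: int
    dst_port: int
    payload: bytes  # first bytes sent by the client in the session


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    match: Union[int, str]  # destination port (port-based) or app name (app-based)
    action: str             # "allow" or "deny"


def identify_app(payload: bytes) -> str:
    """Classify a session by its first client bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:2] == b"\x16\x03":  # TLS record header: handshake, version 3.x
        return "ssl"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if payload.startswith((b"USER ", b"220 ")):
        return "ftp"
    return "unknown"


def evaluate(flow: Flow, rules: List[Rule], app_aware: bool) -> str:
    """First matching rule wins; anything unmatched (or unzoned) is denied."""
    src, dst = ZONE_BY_VLAN.get(flow.src_vlan), ZONE_BY_VLAN.get(flow.dst_vlan)
    if src is None or dst is None:
        return "deny"
    key: Union[int, str] = identify_app(flow.payload) if app_aware else flow.dst_port
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.match) == (src, dst, key):
            return rule.action
    return "deny"


# Port-based policy: what a classic stateful firewall enforces.
PORT_RULES = [
    Rule("internet", "dmz", 80, "allow"),          # Internet segment: HTTP only
    Rule("internal", "dmz", 21, "allow"),          # FTP into the DMZ
    Rule("internal", "internet", 80, "allow"),
    Rule("app-backup", "internal", 22, "allow"),   # application VLAN reaches all networks...
    Rule("app-backup", "dmz", 22, "allow"),        # ...but only for its own application
]

# Application-based policy: same intent, keyed on the identified application.
APP_RULES = [
    Rule("internet", "dmz", "web-browsing", "allow"),
    Rule("internal", "dmz", "ftp", "allow"),
    Rule("internal", "internet", "web-browsing", "allow"),
    Rule("app-backup", "internal", "ssh", "allow"),
    Rule("app-backup", "dmz", "ssh", "allow"),
]

# Constructed sample sessions (VLAN 99 = Internet side, 1 = untagged default).
SAMPLE_FLOWS: Dict[str, Flow] = {
    "web to dmz":             Flow(99, 20, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    "ssh hidden on tcp/80":   Flow(99, 20, 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ftp from internal":      Flow(10, 20, 21, b"USER alice\r\n"),
    "backup agent ssh":       Flow(30, 10, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "internal into app vlan": Flow(10, 30, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "untagged on vlan 1":     Flow(1, 10, 80, b"GET / HTTP/1.1\r\n\r\n"),
}


def compare(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[str, str]]:
    """Return {name: (port-based verdict, application-based verdict)}."""
    return {name: (evaluate(f, PORT_RULES, False), evaluate(f, APP_RULES, True))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_app) in compare().items():
        print(f"{name:24s} port-based={by_port:5s} app-based={by_app}")
```

The session to watch is "ssh hidden on tcp/80": the port-based rule set admits it into the DMZ because the destination port is 80, while the application-based rule set denies it because the payload is an SSH banner, not HTTP. The application VLAN (30) reaches both the Internal Network and the DMZ, but only for the one application it was created for, and the Internal Network cannot initiate sessions back into it.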