Biannual Journal Monadi for Cyberspace Security (AFTA)

fa تکامل دیواره آتش نسل جدید: اعمال سیاست توزیع شده در نقاط پایانی (یک رویکرد عملی برای ایجاد پیرامون های نرم افزار-محور (SDP)) The Evolution of Next-Generation Firewalls: Distributed Policy Enforcement at the Endpoints (A Practical Approach to Building Software-Defined Perimeters (SDP)) رمز و امنیت اطلاعات Cryptology and Information Security کاربردی Applied Article <div style="text-align: justify;">حرکت جانبی هسته اصلی حملات باج‌افزاری مدرن است که پس از نفوذ اولیه، به مهاجم اجازه می‌دهد تا در شبکه گسترش یافته و به دارایی‌های حیاتی دسترسی پیدا کند. راهکارهای سنتی بخش‌بندی شبکه مبتنی بر VLAN یا دیواره آتش‌های داخلی، به دلیل پیچیدگی در پیاده‌سازی و مدیریت، اغلب در مهار این تهدید ناکارآمد هستند. این مقاله یک تجربه صنعتی در پیاده سازی رویکردی نوین برای ریزبخش بندی مبتنی بر میزبان را ارائه می‌دهد. در این معماری، با استفاده از یک عامل نرم‌افزاری بر روی هر دارایی، “حباب‌های امنیتی” مستقلی پیرامون سرویس‌دهنده‌ها و سرویس‌گیرنده‌ها ایجاد می‌شود که ارتباطات مجاز را به صورت دقیق و بر اساس سیاست‌های مرکزی تعریف می‌کنند. این روش، وابستگی به تغییرات پیچیده در زیرساخت شبکه را از بین برده و ابزارهای واکنش سریع، مانند قابلیت انسداد اضطراری، را برای مهار فوری تهدید فراهم می‌آورد. نتایج عملیاتی نشانگر کاهش چشم‌گیر سطح حمله و توانایی بی‌نظیر در توقف آنی حملات باج افزاری در مراحل اولیه است.</div> <div style="text-align: justify;">Introduction and Problem Statement Next-Generation Firewalls (NGFWs) have long been established as the cornerstone of perimeter security in enterprise networks. By providing centralized control over inbound and outbound traffic, these devices play a vital role in primary defense. However, the modern security paradigm faces a fundamental challenge: once an adversary breaches the perimeter defense, they can often move with relative freedom within the network to access critical assets. This technique, known as lateral movement, is an integral part of advanced persistent threats (APTs) and particularly ransomware attacks, which account for a significant portion of successful breaches. Traditional network segmentation solutions based on VLANs or Internal Segmentation Firewalls (ISFWs) often fail to contain these threats effectively due to implementation complexity and high management overheads. In response to this limitation, Zero Trust Architecture (ZTA) has emerged as a strategic standard. Its foundational principle, “never trust, always verify,” requires organizations to shift security from a centralized, perimeter-based model to a distributed, identity-based one. A key pillar for implementing this architecture is the concept of “micro-segmentation,” where granular security policies are applied directly around each asset or application to minimize the attack surface. This paper presents an industrial experience in implementing a novel approach for host-based micro-segmentation. We propose a practical architecture for evolving traditional NGFWs toward a model of distributed policy enforcement at endpoints. By creating software-defined perimeters at the host level, we demonstrate how Zero Trust principles can be effectively implemented. This architecture not only paralyzes the lateral movement of threats but also eliminates dependency on complex network infrastructures by distributing the policy enforcement load, thereby significantly increasing cyber resilience. Industrial Challenge and Limitations of Traditional Approaches The fundamental challenge in modern network security lies not in the absence of the segmentation concept, but in the exorbitant complexity and cost of its effective implementation. Theoretically, solutions exist for controlling “East-West” traffic. For instance, organizations can deploy numerous internal firewalls or implement complex Access Control Lists (ACLs) at the switch level to divide their networks into smaller security zones. However, in practice, these approaches face significant hurdles that often lead to the failure of micro-segmentation projects:</div> <ul> <li style="margin-left: 8px; text-align: justify;">High Infrastructure Costs: Deploying and managing dozens or hundreds of internal firewalls in an enterprise network requires a massive investment in hardware and licensing.</li> <li style="margin-left: 8px; text-align: justify;">Operational Complexity: Defining, applying, and maintaining thousands of ACL lines or firewall policies for every permitted communication between applications is a management nightmare. This not only makes the process extremely time-consuming but also significantly increases the likelihood of human error and the creation of unintended security holes.</li> <li style="margin-left: 8px; text-align: justify;">Dependency on Network Topology: Any change in network architecture, such as moving a server or introducing a new service, requires extensive revisions to security policies, disrupting organizational agility.</li> </ul> <div style="text-align: justify;">Consequently, many organizations face a dilemma: settle for broad, inefficient VLAN-based segmentation and accept the risk of lateral movement, or embark on costly, complex micro-segmentation projects with unclear return on investment (ROI). A solution is needed that decouples security control from the physical network infrastructure and enforces it via software directly at the endpoints with minimal management overhead. Proposed Architecture: Distributed Policy Enforcement To overcome the cost and complexity challenges associated with traditional approaches, we introduce a novel architecture for distributed policy enforcement at endpoints. This solution decouples security control from the physical network infrastructure and transfers it directly to each asset (server or client). This represents an evolution for Next-Generation Firewalls, combining centralized management with a powerful, distributed policy enforcement engine at the host level. The proposed architecture consists of two main components: 1 - Multi-Functional Software Agent: A lightweight software agent is installed on every asset requiring protection. This agent acts as the distributed enforcement point, implementing a set of control capabilities directly at the operating system level:</div> <ul> <li style="margin-left: 8px; text-align: justify;">Authentication and Trust Establishment: Upon installation, the agent initiates verification by sending unique identifiers (MAC Address, IP Address, Host Name) to the central console. Only verified agents are permitted to communicate within the secure environment.</li> <li style="margin-left: 8px; text-align: justify;">Layer 2-7 Security Policy Enforcement: The agent is responsible for the real-time execution of all defined policies, including identity-based access control, application of custom ARP and DNS tables, and traffic blocking based on advanced rules.</li> <li style="margin-left: 8px; text-align: justify;">Client-to-Client Traffic Encryption: The capability to encrypt traffic between two verified agents using Pre-Shared Keys (PSK) and standard algorithms like AES-256 guarantees internal communication security at Layer 7. Unlike traditional VPNs, this model operates without encapsulation, avoiding packet fragmentation and resulting in negligible overhead undetectable by clients.</li> <li style="margin-left: 8px; text-align: justify;">Immediate Isolation Execution: The agent provides “Emergency Blocking” capabilities, allowing security administrators to instantly isolate suspicious assets from the network with a single click. The agent can execute immediate management commands such as “Block Access to Network” for complete isolation or “PowerOff-System” in critical threat scenarios, received directly from the central console.</li> </ul> <div style="text-align: justify;"> 2 - Integrated Central Management Console: This console acts as the system’s brain and single point of management, allowing administrators to define and apply complex security policies through a unified user interface without configuring multiple network devices. Key capabilities include multi-factor identity management (User, Group, IP, MAC, Hostname), granular policy definition (scheduling, service definition, specific logging actions), and management of agent-less devices by defining LAN Areas for unified policy application. Operational Evaluation and Performance Analysis Implementation of this architecture follows a logical, automated process: deployment and verification of agents, definition of multi-factor policies, dynamic synchronization (e.g., every 10 seconds), and distributed execution where each agent independently enforces policies to create a software-defined perimeter around its host. To assess the operational impact, the software agent was installed on a standard workstation (Intel Core i5, 8GB RAM), and key performance metrics were measured. The results demonstrate that the agent is a highly “lightweight” solution with no significant impact on host system performance or network traffic: </div> <ul> <li style="margin-left: 8px; text-align: justify;">CPU Usage (Idle): ~0.1%</li> <li style="margin-left: 8px; text-align: justify;">CPU Usage (Under Load): < 2%</li> <li style="margin-left: 8px; text-align: justify;">Memory Usage (RAM): ~3 MB</li> <li style="margin-left: 8px; text-align: justify;">Maximum Added Network Latency: < 1 millisecond</li> <li style="margin-left: 8px; text-align: justify;">Central Policy Enforcement Time: < 10 seconds</li> </ul> <div style="text-align: justify;"> These high-efficiency metrics enable widespread deployment in organizational environments without concerns about performance degradation. Key Achievements and Conclusion Implementing the distributed policy enforcement architecture yields significant operational benefits that directly address modern security challenges:</div> <ul> <li style="margin-left: 8px; text-align: justify;">Paralyzing Lateral Movement: The most critical achievement is curbing attacker lateral movement. Since each asset resides in its own “security bubble” with default-deny communication, a compromised workstation cannot easily scan the network or access critical servers. Unauthorized communication attempts are blocked and logged at the source, effectively stifling the attack chain.</li> <li style="margin-left: 8px; text-align: justify;">Significant Attack Surface Reduction: By requiring agent verification and enforcing granular policies, this solution implements a true Zero Trust model. Only essential, pre-defined communications are allowed, reducing the network attack surface from thousands of potentially open ports to a handful of monitored pathways.</li> <li style="margin-left: 8px; text-align: justify;">Rapid Response and Threat Containment: Capabilities like “Emergency Blocking” provide incident response teams with powerful tools to instantly contain threats. Administrators can isolate a compromised asset with a single click, preventing ransomware spread or data exfiltration before serious damage occurs.</li> <li style="margin-left: 8px; text-align: justify;">Simplified Compliance: The architecture simplifies compliance with regulations (like PCI-DSS) by providing software-based micro-segmentation and detailed logging for every policy.</li> <li style="margin-left: 8px; text-align: justify;">Infrastructure Independence: Since security policies are attached to the assets themselves rather than network infrastructure (like VLANs or switch ACLs), organizations achieve unprecedented agility. Moving a server from a physical data center to a cloud environment or changing network topology has no impact on the applied security policies.</li> </ul> <div style="text-align: justify;"> In conclusion, this paper presents a practical and efficient architecture for evolving NGFWs toward a distributed policy enforcement model. By deploying intelligent agents at endpoints and centrally managing policies, we demonstrated how software-defined perimeters can be dynamically created. This approach not only effectively neutralizes lateral movement and implements a genuine Zero Trust strategy but also drastically reduces operational complexity by eliminating reliance on network topology. This evolution is a necessary step for securing the modern, hybrid, and borderless digital landscape.</div> ریزبخش‌بندی, معماری اعتماد صفر, حرکت جانبی, پیرامون نرم‌افزار-محور, دیواره آتش نسل جدید Micro Segmentation, Lateral Movement, Software Defined Perimeter (SDP), Next Generation Firewall (NGFW), Zero Trust Network Access (ZTNA) 29 35 http://monadi.isc.org.ir/browse.php?a_code=A-10-407-19&slc_lang=fa&sid=1 Mahdi Faraji مهدی فرجی Mahdi.Faraji@Takian.ir 10031947532846002163 10031947532846002163 Yes Takian Co., Tehran, Iran شرکت تاکیان، تهران، ایران