Site-Based Firewall (SBFW)
What is Site-Based Firewall?
A site-based firewall is installed at a specific physical location, such as a school, office, or data center, to monitor and control internet traffic entering and exiting that site. It acts like a security guard at the front door, checking all incoming and outgoing data to block threats like hackers or viruses and enforce rules set by the organization. This setup is different from cloud-based firewalls, as it protects a specific location rather than users or devices spread across multiple sites.
Why Site-Based Firewall?
The following image represents a traditional network, characterized by a flat, unsegmented architecture where each site connects to a router, and all traffic flows through a single firewall located at a central site.
While once effective, this legacy design is no longer sufficient in the face of today’s evolving security threats.
If a single device becomes infected with malware, the lack of segmentation allows the malware to spread laterally across devices and eventually reach other sites.
This was the problem faced by several of our largest customers. They approached Zayo asking for a solution to the rampant malware.
Our solution was the Site-Based Firewall (SBFW), which involved placing a firewall at each site for east-west protection. This creates a physical and logical segmentation by campus or building.
The core benefits of Site-Based Firewall (SBFW) include enhanced visibility into traffic patterns at both the site and device levels, enabling IT teams to monitor and better understand network behavior. It provides greater control, allowing proactive IT departments to isolate compromised sites quickly and contain threats. By segmenting network traffic, SBFW helps reduce the attack surface, making it more difficult for malware to move laterally across the network. Additionally, it supports faster incident response by enabling quicker detection, isolation, and recovery from threats, without disrupting the entire district’s operations.
East to West?
In a Site-Based Firewall (SBFW) architecture, blocking east-west traffic means restricting or controlling internal data flow between devices within the same site, such as between classrooms, departments, or local servers. While traditional firewalls often focus on north-south traffic (data entering and exiting the network), SBFW extends protection by inspecting and managing east-west traffic as well. This prevents malware or other threats from moving laterally across the network after breaching a single device or segment. By doing so, SBFW significantly reduces the attack surface and helps contain security incidents within isolated areas, protecting the broader environment from widespread compromise.
Core Features of SBFW Architecture
Network Segmentation
SBFW architecture is built around the principle of proactive security through network segmentation. It is designed to be in place before any attack occurs, dividing the network into smaller, controlled segments. This segmentation limits the potential spread of threats and enables more precise control over traffic within the network.
Rapid Isolation
One of the key strengths of SBFW is its ability to isolate compromised network segments on demand. IT teams can quickly quarantine a specific site while maintaining the flow of critical services, such as VoIP. This targeted approach to isolation ensures that business operations remain uninterrupted even during a security incident.
Visibility & Detection
SBFW provides deep visibility into network activity, allowing administrators to identify devices accessing known malware sites or exhibiting suspicious behavior. Early detection capabilities help uncover intruder reconnaissance attempts before they escalate. Devices can be identified by MAC address and device type, enabling accurate threat assessment and response.
SBFW Firewall Policy
Unified Policy Management
Site-Based Firewall (SBFW) leverages unified policy management to ensure consistent enforcement of security rules across all sites. All firewalls operate under a central set of policies—commonly referred to as firewall rules—providing streamlined administration and standardized protection across the entire network. Despite the centralized approach, the architecture remains flexible; IT teams can define VLAN-specific or site-specific policies to address local needs without compromising global consistency. This balance of uniformity and customization allows organizations to maintain strong security governance while adapting to individual site requirements.
Zayo-Created Protection Response Policies
To further strengthen incident response capabilities, Zayo has developed a set of Protection Policies designed to be activated during active threats or confirmed compromises. These predefined policies can immediately shut off all network traffic from a compromised site or segment to prevent further spread. In critical scenarios, traffic can be limited to essential communications only—for example, allowing VoIP while blocking all other protocols. This targeted approach ensures operational continuity for emergency communication channels while containing the threat.
Data Protection and Containment
In addition to controlling communication flows, Zayo's response policies also support data protection by restricting traffic to and from sensitive infrastructure. When an outbreak policy is triggered, the firewall can block access to critical servers and data stores, safeguarding valuable organizational assets from exfiltration or damage. These response mechanisms help minimize the impact of security incidents and accelerate recovery efforts, all while maintaining control at the site level.
These protection policies are disabled until a customer requests activation. A customer can either enable the policies themselves or call CTAC.
Zayo will not enable any policy without a customer’s request. SBFW is a Partnership!
Common Protection Policies
Here is a list of common protection policies used in a Site-Based Firewall (SBFW):
Negate Internet Rule
This policy blocks all outbound internet traffic by default, except for traffic explicitly allowed. It's typically used to lock down a site or segment until a threat is contained, ensuring that no device can access external resources without permission.
Allow Voice
This policy permits VoIP (Voice over IP) traffic to continue flowing, even during security incidents. It ensures that critical communication systems remain operational while other traffic may be restricted.
Allow DNS
Allows access to DNS services, enabling devices to continue resolving domain names. This is useful when you want to maintain basic network functionality while limiting broader access or performing investigations.
Global Destination Block
Blocks traffic to known malicious or high-risk IP addresses and domains across all sites. This centralized rule helps prevent devices from being compromised by threat actors or participating in external attacks.
Data Protection Shutoff
Denies access to or from critical infrastructure, such as file servers, databases, or administrative systems, during an incident. It’s designed to prevent data theft, corruption, or unauthorized access in the event of a compromise.
Shut It All Down / All Emergency Shutoff Policy
This is a comprehensive emergency policy that blocks all inbound and outbound network traffic, effectively isolating a site. It’s used as a containment measure to stop all communication and prevent threat escalation immediately.
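The following is an added example, not Zayo/ENA code or the actual SBFW rule base: a small evaluator that models the protection policies listed above (and the "allow VoIP while blocking everything else" scenario from the Zayo-Created Protection Response Policies section) as ordered allow/deny rules, so you can see which policy decides a given flow when several are enabled at once. The evaluation precedence, the VoIP and DNS port numbers, and the address ranges used for "critical infrastructure" and "known-malicious destinations" are all assumptions made for the example.

```python
"""Toy evaluator for SBFW-style protection policies (added example, not Zayo/ENA code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    match: Callable[[Flow], bool]   # predicate deciding whether the rule applies


# Constructed address sets; a real deployment carries these per site/customer.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CRITICAL = [ip_network("10.0.50.0/24")]      # assumed: file servers, databases, admin systems
BLOCKLIST = [ip_network("203.0.113.0/24")]   # assumed: known-malicious destinations


def in_nets(addr: str, nets: List) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def udp_ports(lo: int, hi: int) -> Callable[[Flow], bool]:
    return lambda f: f.proto == "udp" and lo <= f.dport <= hi


# Each named policy is an ordered list of rules; the first matching rule wins.
POLICIES: Dict[str, List[Rule]] = {
    "Shut It All Down": [Rule("deny everything", "deny", lambda f: True)],
    "Data Protection Shutoff": [
        Rule("deny to critical infrastructure", "deny", lambda f: in_nets(f.dst, CRITICAL)),
        Rule("deny from critical infrastructure", "deny", lambda f: in_nets(f.src, CRITICAL)),
    ],
    "Global Destination Block": [
        Rule("deny blocklisted destination", "deny", lambda f: in_nets(f.dst, BLOCKLIST)),
    ],
    "Allow Voice": [
        Rule("allow SIP signalling", "allow", udp_ports(5060, 5061)),   # assumed VoIP ports
        Rule("allow RTP media", "allow", udp_ports(10000, 20000)),
    ],
    "Allow DNS": [Rule("allow DNS", "allow", lambda f: f.dport == 53)],
    "Negate Internet Rule": [
        Rule("deny outbound internet", "deny", lambda f: not in_nets(f.dst, PRIVATE)),
    ],
}

# Assumed evaluation order when several policies are enabled: emergency and data
# containment first, then the explicit exceptions, then the internet cut-off.
PRECEDENCE = ["Shut It All Down", "Data Protection Shutoff", "Global Destination Block",
              "Allow Voice", "Allow DNS", "Negate Internet Rule"]


def evaluate(flow: Flow, enabled: Iterable[str]) -> Tuple[str, str]:
    """Return (action, reason) for a flow given the enabled protection policies."""
    active = set(enabled)
    unknown = active - set(POLICIES)
    if unknown:
        raise ValueError(f"unknown policies: {sorted(unknown)}")
    for policy in PRECEDENCE:
        if policy not in active:
            continue
        for rule in POLICIES[policy]:
            if rule.match(flow):
                return rule.action, f"{policy} / {rule.name}"
    # No enabled protection policy matched: the site's normal rule base decides.
    return "allow", "baseline site policy"


if __name__ == "__main__":
    lockdown = ["Negate Internet Rule", "Allow Voice", "Allow DNS"]
    for f in (Flow("10.0.1.5", "8.8.8.8", "udp", 53),
              Flow("10.0.1.5", "198.51.100.10", "tcp", 443),
              Flow("10.0.1.5", "198.51.100.20", "udp", 5060)):
        print(f, "->", evaluate(f, lockdown))
```

The ordering matters: "Global Destination Block" and "Data Protection Shutoff" sit ahead of the "Allow" exceptions so that a voice or DNS flow to a blocklisted or critical destination is still denied, while "Shut It All Down" ahead of everything reproduces the all-traffic cut-off the list describes.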
Process for Enabling Protection Policies
If there is an incident and a customer needs to lock down a site or enable other policies, SBFW customers have two options for enabling a protection policy:
1. Self-Service via myENA
Log in to the myENA portal, navigate to Managed Firewall, select the appropriate site, then choose the firewall. From there, click on Policies and enable the policy that best fits the current situation.
2. Request via Support
Contact the CTAC and request that the appropriate protection policy be enabled based on your specific needs.
myENA SBFW Reports & Tools
Event Details is a feature within the SBFW portal that provides users with a centralized view of triggered security events. It serves as an interface to Fortinet’s event handler system, displaying alerts generated by predefined conditions such as threat detections, policy violations, or anomalous behavior. This view enables users to identify and investigate individual events quickly, providing insight into what occurred, when it happened, and which devices were involved.
Event Details streamlines incident awareness and supports faster decision-making by presenting actionable information in an organized, easy-to-navigate format.
Clicking View Details on any event (located in the right-hand column) allows you to drill down into additional, in-depth information specific to that event. There are three levels for each event.
In the screenshot below, the second-level detail view displays key information about the event, including its status—whether it is marked as handled or unhandled, indicating whether the Fortinet system had an automated procedure associated with the event. Note that a handled status does not necessarily mean the event was blocked. Additional details include the event type, event count (the number of times the event occurred), and device count (the number of unique devices that triggered the event). It also displays the severity level, the timestamp of the first occurrence, and the timestamp of the most recent occurrence, along with specific information captured during the event.
The third level of event detail provides a comprehensive view of a specific security event, allowing users to examine the exact log entry associated with the activity. At the top, it summarizes the event name along with the timestamps for the first and last occurrences, giving context on how long the behavior has been observed. The event table highlights key information, including the source and destination IP addresses, ports, service used, action taken (e.g., pass or block), and the severity level. This allows for quick identification of the nature and scope of the event.
Expanding a specific log entry reveals detailed attributes about the incident, including the threat level, log ID, session ID, and the actual message associated with the event (e.g., the detection of P2P traffic, such as BitTorrent). Source information, such as IP address, port, and MAC address (if available), is displayed, along with classification data including the event type and subtype. This detailed view helps administrators assess potential risks, trace activity to specific devices, and determine appropriate response actions.
myENA Tools - Traffic History
Traffic History provides a pre-filtered view of logs, simplifying search and analysis. Customers can explore traffic by category, viewing details such as session counts, risk levels, and bandwidth usage, with the ability to drill down further to identify individual clients within each category.
Additional Information & Reports
━ Additional Reports
━ Live Logs: Real-time log flow for the last 5 minutes. The flow can be paused to help with problem-solving.
━ Log Export: Log data reaching back approximately two weeks. Data can be filtered and exported as needed.
━ Additional tools and reports are available, including live log views, log export capabilities, and detailed VPN information.