> East-west security -- traffic between devices within a network -- is enforced by ACL8 zone isolation. Devices communicate only with their designated service gateway. The service gateway communicates only with the designated cloud service. Lateral movement between devices or zones is architecturally prevented by the absence of any permitted route to any other destination.
I must be missing something or misinterpreting that section because if there is no "lateral movement" how do people in an office print a file, access a network drive, connect to the Exchange server? And those are only the most naive scenarios.
That's a good question, and the core overstates it.
The east-west part means that natively clients don't ARP or ICMP each other; they do it from ACL8 on the GW. Your printer registers, you mark it anonymous, anyone can get to it, and when you ARP for it, it answers.
But when you have 2,000 clients on a vlan and you want 1999 of them to only reach the internet and not each other, you make one rule at the ACL server.
It means everything goes to the ACL8 server for a decision even on the local network.
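To make the mechanism in that reply concrete, here is a small toy model, added as an illustration and not ACL8's own code or rule syntax (which is not shown anywhere in the thread). It assumes a gateway that holds device registrations with an "anonymous" flag, a first-match rule list with default deny, and a proxy-ARP step that only hands out a MAC when the flow is permitted; the names `Gateway`, `Rule`, `register`, `decide`, `arp_reply` and all addresses are constructed for the example.

```python
"""Toy model of gateway-arbitrated east-west policy (added example).

Assumptions, not ACL8's real API: devices register with the gateway and can
be flagged 'anonymous'; the gateway evaluates every flow, even LAN-local ones,
against a first-match rule list with default deny; and it answers ARP on
behalf of a destination only when the flow is allowed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

INTERNET = "internet"  # pseudo-zone for any off-LAN destination


@dataclass(frozen=True)
class Rule:
    src: str     # zone name or "any"
    dst: str     # zone name, INTERNET, or "any"
    action: str  # "allow" or "deny"


@dataclass
class Gateway:
    lan: IPv4Network
    gw_ip: IPv4Address
    gw_mac: str = "00:00:5e:00:53:01"  # hypothetical gateway MAC
    devices: dict = field(default_factory=dict)  # ip -> (zone, anonymous?)
    rules: list = field(default_factory=list)

    def register(self, ip: str, zone: str, anonymous: bool = False) -> None:
        self.devices[IPv4Address(ip)] = (zone, anonymous)

    def decide(self, src_ip: str, dst_ip: str) -> str:
        """Every flow, including host-to-host on the same VLAN, is decided here."""
        src_zone = self.devices.get(IPv4Address(src_ip), (None, False))[0]
        if src_zone is None:
            return "deny"  # unregistered source talks to nobody
        if dst_ip == INTERNET or IPv4Address(dst_ip) not in self.lan:
            dst_zone = INTERNET
        else:
            dst_zone, anonymous = self.devices.get(IPv4Address(dst_ip), (None, False))
            if dst_zone is None:
                return "deny"  # unknown LAN host: no route to it
            if anonymous:
                return "allow"  # registered as anonymous: anyone may reach it
        for r in self.rules:  # first match wins
            if r.src in (src_zone, "any") and r.dst in (dst_zone, "any"):
                return r.action
        return "deny"  # default deny: no permitted route, no lateral movement

    def arp_reply(self, src_ip: str, target_ip: str) -> Optional[str]:
        """Proxy-ARP: the gateway answers with its own MAC only for allowed
        flows, so a denied peer never even gets a layer-2 address to send to."""
        return self.gw_mac if self.decide(src_ip, target_ip) == "allow" else None


def demo() -> dict:
    gw = Gateway(IPv4Network("10.0.0.0/20"), IPv4Address("10.0.0.1"))
    for i in range(2000):  # 2,000 clients on one VLAN (constructed addresses)
        gw.register(str(IPv4Address("10.0.1.0") + i), "clients")
    gw.register("10.0.15.10", "printers", anonymous=True)  # the "anonymous" printer
    gw.register("10.0.15.20", "printers")                  # registered, not anonymous
    gw.rules.append(Rule("clients", INTERNET, "allow"))    # the one rule
    return {
        "client_to_internet": gw.decide("10.0.1.5", "203.0.113.7"),
        "client_to_client": gw.decide("10.0.1.5", "10.0.1.6"),
        "client_to_anon_printer": gw.decide("10.0.1.5", "10.0.15.10"),
        "client_to_other_printer": gw.decide("10.0.1.5", "10.0.15.20"),
        "arp_for_peer": gw.arp_reply("10.0.1.5", "10.0.1.6"),
        "arp_for_printer": gw.arp_reply("10.0.1.5", "10.0.15.10"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting line is `arp_for_peer`: with the gateway proxying ARP, the two clients are on the same subnet yet never learn a MAC for each other, which is what "no permitted route" means in practice. The printer is reachable only because it was explicitly registered as anonymous; a second printer without that flag stays unreachable until a rule says otherwise.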
Presumably they pay cloud vendors for cloud printing, cloud storage and cloud groupware, so to send something on the local network they simply send it to the cloud vendor and then download it again. That's what people in our office do. Very helpful for the cloud vendor's profitability.