Enterprises employ a wide variety of data center architectures. Some opt to run a private, single-organization facility with dedicated physical servers for each application. Others choose a public cloud facility that hosts virtual servers for hundreds or thousands of customers. All of these data centers have something in common: the need to protect the security of their applications and data from a growing number of sophisticated threats.
A critical part of any data center security strategy is to employ next-generation physical and virtual firewalls working in concert to monitor and analyze all network traffic within the data center. Firewall appliances monitor traffic attempting to cross the data center’s network perimeter, while virtual firewalls examine traffic going to or from the data center’s virtual servers. Such an approach provides a robust security solution for cloud environments, where threats can potentially come from others using the same physical server for virtual services.
Improving a data center’s defense is best achieved by following a phased approach. Attempting to replace legacy firewall appliances and deploy the necessary virtual firewalls all at one time, especially without rigorously planning the transition, is likely to cause major disruptions to operations and introduce security holes that may negate the value of having the firewalls in the first place. A high-level approach for data center security improvements can be carried out in four phases:
Phase 1: Gather information on the applications, including their components, the sensitivity of the data used by each component and the nature of all traffic flows between components.
Phase 2: Identify the security needs for each application, including each application component and each traffic flow.
Phase 3: Determine where to deploy firewalls to meet these needs, then deploy the firewalls with only basic security capabilities enabled as a starting point.
Phase 4: Enable additional security capabilities over time to protect applications and their data from advanced threats, in accordance with the security needs of each application’s components and data.
Phase 3 is often the most challenging, because IT managers have so many factors to take into consideration when choosing where to deploy firewalls. For example, they generally segment high-value applications and data from other operations to provide stronger protection for high-value assets. However, many other factors should be considered, such as segmenting applications by business unit, user community (customers versus employees), user location, or operational status (such as production, development and test environments).
In some cases, an organization might need to use network segmentation to separate servers from its subsidiaries and from companies it has recently acquired but not yet integrated into the enterprise IT infrastructure. An organization may need to take several potentially conflicting factors into account when making decisions about using network segmentation in the data center to reduce risk from threats.
Finding firewall technologies that offer next-generation capabilities for detecting today’s advanced application-borne threats within highly dynamic data center environments can be challenging. Palo Alto Networks offers a variety of firewall technologies with advanced capabilities to thwart these threats. By monitoring both north-south and east-west traffic, Palo Alto Networks firewalls can look for suspicious activity during all phases of the attack lifecycle, from an attacker initially connecting to an internet-facing server, to an attacker jumping from server to server en route to an ultimate target.
These firewalls not only segment network traffic to reduce attack surfaces, but they also prevent many application-based compromises from succeeding.
Learn more about the need for next-generation firewalls and about Palo Alto Networks by downloading the free white paper, "Protecting Traffic in the Data Center."