Protecting Traffic in the Data Center
The deployment of next-generation firewalls can protect network traffic into and out of the perimeter, as well as between servers within the enterprise.
Enterprises employ a wide variety of data center architectures. Some opt to run a private, single-organization facility with dedicated physical servers for each application. Others choose a public cloud facility that hosts virtual servers for hundreds or thousands of customers. All of these data centers have something in common: the need to protect the security of their applications and data from a growing number of sophisticated threats.
A critical part of any data center security strategy is to employ next-generation physical and virtual firewalls working in concert to monitor and analyze all network traffic within the data center. Firewall appliances monitor traffic attempting to cross the data center’s network perimeter, while virtual firewalls examine traffic going to or from the data center’s virtual servers. Such an approach provides a robust security solution for cloud environments, where threats can potentially come from others using the same physical server for virtual services.
IT leaders can address the threats within their data centers by strategically using firewall appliances and virtual firewalls from vendors, such as Palo Alto Networks.
Threats to Data Center Security
The original model for data center security was based on the assumption that threats were external. The security architecture to defend these facilities focused on establishing a network perimeter between the data center and the outside world. The basis of this perimeter was a firewall, which would examine all north-south traffic, which flowed between the data center and the internet. The firewall looked for violations of security policies and other indications of suspicious activity in this data traffic. It then took actions such as blocking traffic, logging additional information and notifying human administrators.
While data centers still have a need to look for external threats within north-south traffic, monitoring security threats has become far more complex. For example, client devices accessing servers hosted at the data center pose a considerable threat. Client devices used to be homogeneous, centrally managed desktop computers located at an organization’s facilities and protected by enterprise security controls. Compromises of client devices caused by malware and other exploits were quickly detected and corrected.
This is no longer the case in most environments. Client devices are widely varied in terms of the operating systems and applications they run, the vulnerabilities they have, the security controls they use, and the physical locations from which they connect to IT resources. Many client devices are the personal hardware of the user and often employ no security controls at all. IT managers have found that they can no longer assume that client devices aren’t compromised or that compromises will be rapidly detected and eradicated. In this new environment, each client device poses a separate threat.
Another change in data center security threats involves servers within the data center interacting with each other. Unintentional threats have always been a concern, such as a server infected with malware spreading the infection to other servers within a data center. But today, intentional threats may also be an issue. In a data center with multiple customers, such as a public cloud environment, one customer may attempt to compromise another’s server in order to steal proprietary information or tamper with records.
Network traffic between data center servers is known as east-west traffic. Monitoring this traffic has become essential to finding and stopping threats. Many data centers have far more east-west traffic than north-south traffic (client-to-server traffic), so ignoring east-west traffic means that attacks between virtual or physical servers can go unnoticed. Also, data centers are increasingly hosting high-value applications and sensitive data that previously resided on internal networks that were more isolated and thus better protected. Further, modern data centers must provide logging and auditing services for applications and data in support of operations, such as security compliance initiatives or audit requirements.
Data center operators also must understand how threats have advanced from previous generations. The typical pattern for current threats is to slowly and stealthily pass through an organization’s servers, avoiding detection while moving toward an ultimate target server. Most of today’s threats seek to access and copy sensitive data before transferring it to an external location for financial gain.
Attackers often start their work by gaining access to a rank-and-file user’s authentication credentials. Common ways of achieving this are infecting a client device with malware to capture the credentials, or using phishing or other social engineering techniques to trick the user into supplying credentials to an attacker. The attacker can then use the credentials to gain access to a particular server within the data center, and possibly other servers that support the same credentials. The attacker may need to use other exploits to elevate privileges, gain access to more user accounts or otherwise continue making progress toward the target server. Once the attacker gains access to the target, a final exploit will enable transfer of sensitive data to a system of the attacker’s choosing outside the data center.
Traditional vs. Next-Generation Firewalls
When evaluating firewall products, IT leaders should understand that their capabilities vary widely. The first differentiator is whether a firewall uses traditional analysis mechanisms, focused on standard ports and protocols, or whether it offers robust next-generation capabilities. Among the major differences between traditional and next-generation approaches:
Network monitoring: Traditional approaches monitor only particular ports and make assumptions about the protocol used on each port. Network traffic for any service running on a nonstandard port may be ignored, a limitation that attackers take advantage of to avoid detection. Next-generation approaches make no such assumptions about which protocol is used on any port, so they can see and parse traffic regardless of the port it uses.
Handling unusual protocols: Traditional approaches assume that all traffic uses only the most common application protocols. A traditional firewall is stymied by unknown protocols. By default, it either allows them to pass without analysis, which is risky, or it blocks them, which can disrupt authorized operations. Next-generation firewalls have a much broader understanding of application protocols, allowing them to make better, more precise decisions.
Establishing traffic-management rulesets: Managing firewall policies to reflect real-world traffic is generally more complicated for a traditional firewall. A traditional firewall uses rulesets based on IP addresses and port numbers for both source and destination, as well as protocol type and other packet characteristics. Further complicating this is that firewalls often rely on anti-virus servers, intrusion prevention servers and other technologies to supplement their capabilities. Using these technologies may require adding rules for each type of traffic and ensuring that all rules are kept in the proper sequence. Firewall policy maintenance for these rulesets is time-intensive and error-prone, causing operational disruptions and creating holes that may allow attackers to pass through a firewall undetected.
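The difference between the two approaches is easiest to see in code. The following is an added example written for this article, not code from the original or from any firewall vendor: a classifier that assumes the protocol from the destination port is run side by side with one that identifies the application from the first payload bytes, over constructed flow records, and the result is fed to the same first-match policy. The signatures, addresses, policy and sample flows are all illustrative assumptions. A small shadowed-rule check is included because the ordering problem described above applies to any first-match ruleset.

```python
"""Port-based versus application-aware firewall classification.

Added example, not code from the original article or from any firewall
vendor. Signatures, addresses, policy and sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Traditional assumption: the destination port *is* the protocol.
PORT_ASSUMPTIONS = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

# Application-aware identification: look at what the client actually sent.
# Simplified prefix checks for illustration; real engines use far richer decoders.
PAYLOAD_SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),  # TLS handshake record
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client; constructed for the example


def classify_by_port(flow: Flow) -> str:
    """Traditional firewall view: trust the port number."""
    return PORT_ASSUMPTIONS.get(flow.dport, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Application-aware view: identify the protocol from the bytes on the wire."""
    for app, matches in PAYLOAD_SIGNATURES:
        if matches(flow.payload):
            return app
    return "unknown"


# Ordered, first-match policy keyed on destination and identified application.
# Anything that matches no rule is denied and logged, never passed blind.
Rule = Tuple[str, str, str]  # (destination or "any", application or "any", action)
POLICY: List[Rule] = [
    ("10.0.1.10", "tls", "allow"),   # web tier, TLS only
    ("10.0.1.10", "http", "allow"),  # plain HTTP to the web tier (e.g. health checks)
    ("any", "dns", "allow"),
]


def decide(flow: Flow, classify: Callable[[Flow], str]) -> Tuple[str, str]:
    """Return (action, identified_application) for a flow under the given classifier."""
    app = classify(flow)
    for dst, rule_app, action in POLICY:
        if dst in ("any", flow.dst) and rule_app in ("any", app):
            return action, app
    return "deny", app


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule is at least as broad."""
    def covers(broad: Rule, narrow: Rule) -> bool:
        return all(b == "any" or b == n for b, n in zip(broad[:2], narrow[:2]))
    return [i for i, rule in enumerate(policy)
            if any(covers(earlier, rule) for earlier in policy[:i])]


# Constructed sample flows: a normal TLS session to the web tier, a non-web
# service reaching the web tier on 443, and HTTP on a nonstandard port.
SAMPLE_FLOWS = {
    "legit_tls":    Flow("10.0.9.5", "10.0.1.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),
    "ssh_on_443":   Flow("10.0.9.6", "10.0.1.10", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "http_on_8080": Flow("10.0.9.7", "10.0.1.10", 8080, b"GET /healthz HTTP/1.1\r\n"),
}


def compare() -> dict:
    """Decision of each classifier for each sample flow, for side-by-side review."""
    return {name: {"port_based": decide(f, classify_by_port),
                   "app_aware": decide(f, classify_by_payload)}
            for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} port-based={result['port_based']}  app-aware={result['app_aware']}")
    print("shadowed rule indexes:", shadowed_rules(POLICY + [("10.0.1.10", "tls", "deny")]))
```

Running it shows both failure modes from the text: the port-based classifier allows the non-web service on 443 because it labels every 443 flow as TLS, and it denies the legitimate HTTP health check on 8080 because it has no assumption for that port, while the payload-based classifier gets both right. The appended deny rule in the last line is reported as shadowed, since the earlier allow on the same destination and application would always match first.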
Effective Data Center Defense
Data center defenses must be expanded and strengthened to include security monitoring and analysis for east-west traffic. An early approach to achieving this goal was to route all east-west traffic to a centralized firewall for examination before allowing it to continue to its destination. Such an architecture is highly inefficient, adding massive overhead to all network communications. And in today’s cloud environments, it would also miss traffic between virtual machines within a single physical server.
A data center’s north-south traffic can best be monitored by one or more enterprise-class firewall appliances, but east-west traffic is better handled by virtualized firewalls installed on each physical server. These firewalls are used by each server’s hypervisor to monitor not only all network traffic entering and leaving the server, but also all network traffic passing between virtual machines within the server’s hypervisor.
Firewalls within a data center must have robust capabilities for examining and analyzing application traffic. This not only means understanding web, database and other protocol categories often used for communicating between application components, but it also means being able to examine the contents of encrypted network traffic. The same encryption technologies that protect sensitive information also conceal attacks. Several options are available for accessing the contents of encrypted packets, such as decrypting the traffic in transit, or having the firewall decrypt and examine the traffic and then re-encrypt it before sending it on to its final destination. This gives organizations flexibility in determining how to ensure that firewalls review the contents of all traffic.
Another important consideration is the highly dynamic nature of data centers providing a cloud environment through server virtualization. In such an environment, virtual servers are automatically moved from one physical server to another, and copies of virtual servers are spawned as needed, to handle ever-changing demands and to compensate for operational issues involving physical servers and networks. Safeguarding virtual servers requires the use of firewall technologies that can associate a security policy with each virtual server, and can automatically relocate and enable that policy as the virtual server moves within the data center. These firewall technologies must also have powerful security analysis capabilities. Unfortunately, many firewalls for cloud environments are based on the traditional, highly flawed port-monitoring approach.
How Palo Alto Networks Firewalls Defend the Data Center
Palo Alto Networks firewalls work together to protect all types of application traffic and servers within a data center that may involve sensitive information. For example, a data center could deploy Palo Alto Networks PA-5000 and PA-7000 series firewalls for handling all north-south traffic at the network perimeter and core. East-west traffic could then be handled using Palo Alto Networks VM-Series products, which are virtualized next-generation firewalls for a wide variety of public and private cloud platforms, including VMware, Linux KVM, Amazon Web Services, Microsoft Azure and Microsoft Hyper-V.
Among the benefits of using Palo Alto Networks firewalls throughout a data center:
- Prevention of data breaches by isolating applications and data, which reduces attack surfaces, deters attacker movement and malware propagation from server to server, and potentially blocks the exfiltration of sensitive data to external systems
- Flexibility, scalability, agility and cost savings of cloud environments on demand, such as the ability to quickly provision a new application to capture an emerging market
- Expedited auditing processes by already having a source of audit logs for all application-related activity in the data center
- Centralized management capabilities to optimize the use of administrators’ time — for example, an administrator can monitor all firewalls and automatically apply or update the organization’s security policies throughout the data center, no matter where all applications’ components are located
Steps to Defending the Data Center
Improving a data center’s defense is best achieved by following a phased approach. Attempting to replace legacy firewall appliances and deploy the necessary virtual firewalls all at one time, especially without rigorously planning the transition, is likely to cause major disruptions to operations and introduce security holes that may negate the value of having the firewalls in the first place. A high-level approach for data center security improvements can be carried out in four phases:
Phase 1: Gather information on the applications, including their components, the sensitivity of the data used by each component and the nature of all traffic flows between components.
Phase 2: Identify the security needs for each application, including each application component and each traffic flow.
Phase 3: Determine where to deploy firewalls to meet these needs, then deploy the firewalls with only basic security capabilities enabled as a starting point.
Phase 4: Enable additional security capabilities over time to protect applications and their data from advanced threats, in accordance with the security needs of each application’s components and data.
Phase 3 is often the most challenging, because IT managers have so many factors to take into consideration when choosing where to deploy firewalls. For example, they generally segment high-value applications and data from other operations to provide stronger protection for high-value assets. However, many other factors should be considered, such as segmenting applications by business unit, user community (customers versus employees), user location, or operational status (such as production, development and test environments).
In some cases, an organization might need to use network segmentation to separate servers from its subsidiaries and from companies it has recently acquired but not yet integrated into the enterprise IT infrastructure. An organization may need to take several potentially conflicting factors into account when making decisions about using network segmentation in the data center to reduce risk from threats.
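The four phases, and the segmentation factors discussed for Phase 3, can be worked through on data. The following is an added example written for this article, not code from the original or from any vendor's tooling: it takes a constructed component inventory and a constructed set of observed east-west flows (Phase 1), flags flows that cross environments or applications as needing an explicit decision (Phase 2), and emits a default-deny ruleset that allows only the observed, unflagged component-to-component flows and marks where deeper inspection should be enabled first (Phases 3 and 4). The host names, tiers, sensitivity labels and the "basic" and "full" inspection labels are assumptions.

```python
"""From observed flows to a default-deny east-west ruleset.

Added example, not code from the original article or from any vendor.
Inventory, flow records, sensitivity labels and inspection labels are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Phase 1: inventory of application components (constructed; normally from a CMDB or tags).
COMPONENTS = {
    "web-1":   {"app": "shop", "tier": "web", "env": "prod", "sensitivity": "low"},
    "api-1":   {"app": "shop", "tier": "api", "env": "prod", "sensitivity": "medium"},
    "db-1":    {"app": "shop", "tier": "db",  "env": "prod", "sensitivity": "high"},
    "dev-web": {"app": "shop", "tier": "web", "env": "dev",  "sensitivity": "low"},
    "hr-db":   {"app": "hr",   "tier": "db",  "env": "prod", "sensitivity": "high"},
}

# Phase 1: observed east-west flows as (source host, destination host, application).
# Constructed stand-ins for a flow-log export.
OBSERVED_FLOWS = [
    ("web-1", "api-1", "https"),
    ("web-1", "api-1", "https"),
    ("api-1", "db-1", "mysql"),
    ("dev-web", "db-1", "mysql"),  # development host reaching a production database
    ("api-1", "hr-db", "mysql"),   # one application's tier reaching another's data
]


@dataclass(frozen=True)
class ComponentFlow:
    """A flow between two application components, independent of the hosts involved."""
    src_app: str
    src_tier: str
    src_env: str
    dst_app: str
    dst_tier: str
    dst_env: str
    dst_sensitivity: str
    application: str


def aggregate_flows(flows: List[Tuple[str, str, str]]) -> Dict[ComponentFlow, int]:
    """Phase 1: collapse host-level records into distinct component-to-component flows."""
    counts: Dict[ComponentFlow, int] = defaultdict(int)
    for src, dst, app in flows:
        s, d = COMPONENTS[src], COMPONENTS[dst]
        counts[ComponentFlow(s["app"], s["tier"], s["env"],
                             d["app"], d["tier"], d["env"], d["sensitivity"], app)] += 1
    return dict(counts)


def review_flags(flow: ComponentFlow) -> List[str]:
    """Phase 2: conditions under which a flow needs an explicit decision, not an automatic allow."""
    flags = []
    if flow.src_env != flow.dst_env:
        flags.append("crosses environments")
    if flow.src_app != flow.dst_app:
        flags.append("crosses applications")
    return flags


def build_ruleset(aggregated: Dict[ComponentFlow, int]) -> List[dict]:
    """Phase 3: allow observed, unflagged flows; hold flagged ones for review; deny everything else.

    The inspection label marks where Phase 4 should enable deeper analysis first.
    """
    rules = []
    for flow, seen in sorted(aggregated.items(), key=lambda kv: -kv[1]):
        flags = review_flags(flow)
        rules.append({
            "from": f"{flow.src_app}/{flow.src_tier}/{flow.src_env}",
            "to": f"{flow.dst_app}/{flow.dst_tier}/{flow.dst_env}",
            "application": flow.application,
            "action": "review" if flags else "allow",
            "inspection": "full" if flow.dst_sensitivity == "high" else "basic",
            "seen": seen,
            "notes": flags,
        })
    rules.append({"from": "any", "to": "any", "application": "any",
                  "action": "deny", "inspection": "basic", "seen": 0, "notes": ["default deny"]})
    return rules


if __name__ == "__main__":
    for rule in build_ruleset(aggregate_flows(OBSERVED_FLOWS)):
        print(rule)
```

On the constructed data this yields two allow rules (web to API, API to database), two flows held for review (the development host reaching production, and the shop API reaching the HR database) and a closing default deny; the database-bound rules carry the "full" inspection label because their destination holds high-sensitivity data. Flows held for review are exactly the segmentation decisions the text describes as conflicting factors: someone has to decide whether the cross-environment or cross-application path is legitimate before it is written into policy.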
Finding firewall technologies that offer next-generation capabilities for detecting today’s advanced application-borne threats within highly dynamic data center environments can be challenging. Palo Alto Networks offers a variety of firewall technologies with advanced capabilities to thwart these threats. By monitoring both north-south and east-west traffic, Palo Alto Networks firewalls can look for suspicious activity during all phases of the attack lifecycle, from an attacker initially connecting to an internet-facing server, to an attacker jumping from server to server en route to an ultimate target. These firewalls not only segment network traffic to reduce attack surfaces, but they also prevent many application-based compromises from succeeding.
CDW: A Security Partner that Gets IT
As a leading provider of technology solutions, CDW offers a highly trained and certified team of security experts to help organizations boost productivity, regulate IT costs, enhance flexibility and drive innovation.
CDW’s solution architects offer extensive expertise in designing custom data center security solutions and have solid partnerships with major security vendors. CDW’s advanced technology engineers can assist with cloud implementation and long-term cloud management solutions.
The CDW approach to data center security includes:
- An initial discovery session to understand business goals, requirements and budget
- An assessment review of the existing environment and definition of project requirements
- Detailed manufacturer evaluations, recommendations, future environment design and proof of concept
- Procurement, configuration and deployment of the final solution
- Telephone support and product lifecycle support
CDW account managers and solution architects are ready to assist in choosing and leveraging the right solutions for your cloud security needs.
Palo Alto Networks' natively integrated next-generation security platform brings network, cloud and endpoint security into a common architecture, with complete visibility and control, ensuring your organization can detect and prevent attacks. The next-generation security platform streamlines day-to-day operations and boosts security efficacy, and the one-of-a-kind, multi-layered defense model prevents threats at each stage of the attack lifecycle.