Security

Enterprises Mount Interior Defense to Protect Traffic Flowing Through Data Centers

Next-generation firewalls offer organizations sophisticated protections both inside the data center and on the network perimeter, and companies need to defend both fronts.

Alan Joch

Twitter

Alan Joch has been an independent business and technology writer for more than a decade. His expertise includes server and desktop virtualization, cloud computing, emerging mobile applications, and cybersecurity.

CIOs and CISOs know that despite their best security efforts, sophisticated attackers continue to force their way inside organizations’ network perimeters. Enterprises are dynamic entities that continuously evolve, with new business processes, hardware, software and partners. Staying ahead of these changes and the ways cyberattackers exploit new openings is challenging for even the best security teams.

High volumes of traffic are flowing within data centers — among physical and virtual servers in traditional data centers as well as private, public and hybrid cloud configurations. Organizations that don’t fully secure these growing traffic volumes risk seeing a breach gain a foothold on one machine and quickly spread throughout the data center.

Enterprise IT teams are finding that it is no longer an effective strategy to focus their efforts only on the network perimeter. Traffic flows inside the data center also must be protected to optimize security efforts. Many organizations are now employing firewalls to monitor this data center traffic and protect IT resources within the enterprise.

Of course, data centers aren’t the only areas of concern. The rise of the mobile workforce represents another evolution of the threat landscape. Further eroding the perimeter is a host of other digital innovations, including hybrid and public cloud computing and emerging Internet of Things deployments. In short, “the perimeter is everywhere,” says Scott Miles, senior director of portfolio marketing for Juniper Networks.

How can security personnel plug these holes and apply policies to address today’s enterprise realities? The answer consists of a range of technologies that are often applied in concert as part of defense-in-depth security strategies. Key pieces of such strategies are firewalls, including models designed for running inside data centers, and next-generation firewalls (NGFWs) that can provide protection both inside the data center and on the perimeter.

New Threats from Different Directions

In years past, firewalls had it easy. Their primary job was to keep malicious “north-south” data traffic (from points within and outside a data center) from infecting enterprises. Now, IT security professionals are increasingly using firewalls to protect “east-west” traffic moving within data centers.

“In the last couple of years, enterprises crossed an inflection point where the majority of server workloads have been virtualized,” says Eric Parizo, senior analyst with Current Analysis. “The majority of traffic generated by those machines is east-west, hence it is never seen by the NGFWs or intrusion protection systems that have typically existed at the network perimeter.”

Security experts say that compromised servers have become commonplace without the proper controls. “IT managers should assume that their servers are compromised and try to keep lateral movement by the attacker from jumping to new servers,” says Joel Snyder, senior partner at Opus One, an IT consulting firm specializing in networking and security.

Firewalls within data centers also help enterprises achieve regulatory compliance for rules such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), Parizo says.

Data center firewall options include Cisco’s Adaptive Security Virtual Appliance and Juniper’s SRX Series Services Gateways. These and other data center firewalls include models with a range of specialized features, including multigigabit performance, traditional stateful firewalling and intrusion-protection capabilities.

NGFWs may also be used within data centers. “We’re seeing an increase in NGFWs built to be used as internal network segmentation firewalls, thanks largely to hardware acceleration capabilities in the last couple years that have greatly improved NGFW performance,” Parizo says. “Increasingly, virtual NGFWs have quickly become the preferred segmentation and inspection method for east-west traffic.”

Evolving to Stay Ahead of Cybersecurity Dangers

Many enterprises are finding edge orientation to be an important feature of NGFWs. “Next-gen firewalls really shine by protecting users at the edge of networks, where security managers are working to secure applications,” Snyder says. “They also give organizations the tools to spend more time on security management, without creating a significant maintenance liability above a normal firewall.”

In addition to advanced firewall safeguards, NGFWs typically bundle related protections, such as antivirus filters, data loss prevention capabilities and secure web gateways for filtering Internet traffic. Many provide “sandboxing,” the ability to execute suspicious software in a protected area away from the production network, where it can be safely analyzed and discarded if a threat is confirmed.

Today’s NGFWs are merging sandboxing with cloud services. “In many cases, it’s easier for enterprises to avoid performance issues and take advantage of more sophisticated analysis capabilities by moving these activities to the cloud,” Parizo says. “But that requires vendors to provide close integration between the NGFW and the sandbox.”

Leading NGFWs include Cisco FirePOWER 4100 Series appliances, which can handle up to 80 gigabits per second of firewall throughput. Enterprises can create multiple 40Gbps Ethernet interfaces in each platform stack. The devices can be paired with Cisco FirePOWER Management Center, a web-based console that integrates with FirePOWER NGFWs and Cisco-integrated services routers.

Juniper’s SRX Series Services Gateways include the SRX300, which combines NGFW and unified threat management capabilities, as well as routing, switching and wide area network interfaces. Network segmentation enables organizations to tailor policies for individual zones, virtual local area networks and virtual private networks. The vSRX is a virtual NGFW designed for securing virtualized and cloud environments. It supports VMware ESXi and kernelbased virtual machine platforms, as well as orchestration with OpenStack and VMware vRealize Orchestrator.

Emerging Security Trends Affect Firewall Decisions

Incident response orchestration (IRO) is a growing trend in the security industry, evidenced by a number of recent, high-profile acquisitions, such as IBM’s purchase of Resilient Systems, says Eric Parizo, senior analyst with Current Analysis.

IRO solutions evaluate security data from a variety of sources to simplify the process of developing policies for determining when and how to automate incident response practices. “IRO is one of the toughest jobs to manage, and organizations increasingly want to apply technology to the problem,” Parizo explains. “The goal is to have as many incidents as possible dealt with automatically so there are fewer manual processes and less burden on the IT staff.”

Tying together various technologies involved with investigating an incident, such as the network, endpoints and identity access systems, is a direction in which vendors of next-generation firewalls are moving, he adds. Another growing area is endpoint detection and response (EDR), an emerging class of solutions designed to replace signaturebased anti-virus software. “If an EDR product finds something suspicious on an endpoint, it needs to communicate the information to the NGFW so it can spot future attacks,” Parizon says.

Petrovich9/ThinkStock