Dec 29 2016
Security

A 4-Phased Approach to Improving Data Center Security

Security threats are increasing, but this high-level roadmap can help organizations better defend the data center.

Enterprises employ a wide variety of data center architectures. Some opt to run a private, single-organization facility with dedicated physical servers for each application. Others choose a public cloud facility that hosts virtual servers for hundreds or thousands of customers. All of these data centers have something in common: the need to protect the security of their applications and data from a growing number of sophisticated threats.

A critical part of any data center security strategy is to employ next-generation physical and virtual firewalls working in concert to monitor and analyze all network traffic within the data center. Firewall appliances monitor traffic attempting to cross the data center’s network perimeter, while virtual firewalls examine traffic going to or from the data center’s virtual servers. Such an approach provides a robust security solution for cloud environments, where threats can potentially come from others using the same physical server for virtual services.

Steps to Defending the Data Center

Improving a data center’s defense is best achieved by following a phased approach. Attempting to replace legacy firewall appliances and deploy the necessary virtual firewalls all at one time, especially without rigorously planning the transition, is likely to cause major disruptions to operations and introduce security holes that may negate the value of having the firewalls in the first place. A high-level approach for data center security improvements can be carried out in four phases:

Phase 1: Gather information on the applications, including their components, the sensitivity of the data used by each component and the nature of all traffic flows between components.

Phase 2: Identify the security needs for each application, including each application component and each traffic flow.

Phase 3: Determine where to deploy firewalls to meet these needs, then deploy the firewalls with only basic security capabilities enabled as a starting point.

Phase 4: Enable additional security capabilities over time to protect applications and their data from advanced threats, in accordance with the security needs of each application’s components and data.

Phase 3 is often the most challenging, because IT managers have so many factors to take into consideration when choosing where to deploy firewalls. For example, they generally segment high-value applications and data from other operations to provide stronger protection for high-value assets. However, many other factors should be considered, such as segmenting applications by business unit, user community (customers versus employees), user location, or operational status (such as production, development and test environments).

In some cases, an organization might need to use network segmentation to separate servers from its subsidiaries and from companies it has recently acquired but not yet integrated into the enterprise IT infrastructure. An organization may need to take several potentially conflicting factors into account when making decisions about using network segmentation in the data center to reduce risk from threats.

Finding firewall technologies that offer next-generation capabilities for detecting today’s advanced application-borne threats within highly dynamic data center environments can be challenging. Palo Alto Networks offers a variety of firewall technologies with advanced capabilities to thwart these threats. By monitoring both north-south and east-west traffic, Palo Alto Networks firewalls can look for suspicious activity during all phases of the attack lifecycle, from an attacker initially connecting to an internet-facing server, to an attacker jumping from server to server en route to an ultimate target.

These firewalls not only segment network traffic to reduce attack surfaces, but they also prevent many application-based compromises from succeeding.

Learn more about the need for next-generation firewalls and about Palo Alto Networks by downloading the free white paper, "Protecting Traffic in the Data Center."

How Palo Alto Networks Firewalls Defend the Data Center

Palo Alto Networks firewalls work together to protect all types of application traffic and servers within a data center that may involve sensitive information. For example, a data center could deploy Palo Alto Networks PA-5000 and PA-7000 series firewalls for handling all north-south traffic at the network perimeter and core. East-west traffic could then be handled using Palo Alto Networks VM-Series products, which are virtualized next-generation firewalls for a wide variety of public and private cloud platforms, including VMware, Linux KVM, Amazon Web Services, Microsoft Azure and Microsoft Hyper-V.

Among the benefits of using Palo Alto Networks firewalls throughout a data center:

  • Prevention of data breaches by isolating applications and data, which reduces attack surfaces, deters attacker movement and malware propagation from server to server, and potentially blocks the exfiltration of sensitive data to external systems
  • Flexibility, scalability, agility and cost savings of cloud environments on demand, such as the ability to quickly provision a new application to capture an emerging market
  • Expedited auditing processes by already having a source of audit logs for all application-related activity in the data center
  • Centralized management capabilities to optimize the use of administrators’ time — for example, an administrator can monitor all firewalls and automatically apply or update the organization’s security policies throughout the data center, no matter where all applications’ components are located
ValeryBrozhinsky/Thinkstock

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now