The deployment of next-generation firewalls can protect network traffic into and out of the perimeter, as well as between servers within the enterprise. 

Executive Summary

Enterprises employ a wide variety of data center architectures. Some opt to run a private, single-organization facility with dedicated physical servers for each application. Others choose a public cloud facility that hosts virtual servers for hundreds or thousands of customers. All of these data centers have something in common: the need to protect the security of their applications and data from a growing number of sophisticated threats.

A critical part of any data center security strategy is to employ next-generation physical and virtual firewalls working in concert to monitor and analyze all network traffic within the data center. Firewall appliances monitor traffic attempting to cross the data center’s network perimeter, while virtual firewalls examine traffic going to or from the data center’s virtual servers. Such an approach provides a robust security solution for cloud environments, where threats can potentially come from others using the same physical server for virtual services. 

IT leaders can address the threats within their data centers by strategically using firewall appliances and virtual firewalls from vendors, such as Palo Alto Networks.

Threats to Data Center Security

The original model for data center security was based on the assumption that threats were external. The security architecture to defend these facilities focused on establishing a network perimeter between the data center and the outside world. The basis of this perimeter was a firewall, which would examine all north-south traffic, which flowed between the data center and the internet. The firewall looked for violations of security policies and other indications of suspicious activity in this data traffic. It then took actions such as blocking traffic, logging additional information and notifying human administrators.

While data centers still have a need to look for external threats within north-south traffic, monitoring security threats has become far more complex. For example, client devices accessing servers hosted at the data center pose a considerable threat. Client devices used to be homogeneous, centrally managed desktop computers located at an organization’s facilities and protected by enterprise security controls. Compromises of client devices caused by malware and other exploits were quickly detected and corrected. 

This is no longer the case in most environments. Client devices are widely varied in terms of the operating systems and applications they run, the vulnerabilities they have, the security controls they use, and the physical locations from which they connect to IT resources. Many client devices are the personal hardware of the user and often employ no security controls at all. IT managers have found that they can no longer assume that client devices aren’t compromised or that compromises will be rapidly detected and eradicated. In this new environment, each client device poses a separate threat.

Another change in data center security threats involves servers within the data center interacting with each other. Unintentional threats have always been a concern, such as a server infected with malware spreading the infection to other servers within a data center. But today, intentional threats may also be an issue. In a data center with multiple customers, such as a public cloud environment, one customer may attempt to compromise another’s server in order to steal proprietary information or tamper with records. 

Network traffic between data center servers is known as east-west traffic. Monitoring this traffic has become essential to finding and stopping threats. Many data centers have far more east-west traffic than north-south traffic (client-to-server traffic), so ignoring east-west traffic means that attacks between virtual or physical servers can go unnoticed. Also, data centers are increasingly hosting high-value applications and sensitive data that previously resided on internal networks that were more isolated and thus better protected. Further, modern data centers must provide logging and auditing services for applications and data in support of operations, such as security compliance initiatives or audit requirements.

Data center operators also must understand how threats have advanced from previous generations. The typical pattern for current threats is to slowly and stealthily pass through an organization’s servers, avoiding detection while moving toward an ultimate target server. Most of today’s threats seek to access and copy sensitive data before transferring it to an external location for financial gain.

Attackers often start their work by gaining access to a rank-and-file user’s authentication credentials. Common ways of achieving this are infecting a client device with malware to capture the credentials, or using phishing or other social engineering techniques to trick the user into supplying credentials to an attacker. The attacker can then use the credentials to gain access to a particular server within the data center, and possibly other servers that support the same credentials. The attacker may need to use other exploits to elevate privileges, gain access to more user accounts or otherwise continue making progress toward the target server. Once the attacker gains access to the target, a final exploit will enable transfer of sensitive data to a system of the attacker’s choosing outside the data center.

Effective Data Center Defense

Data center defenses must be expanded and strengthened to include security monitoring and analysis for east-west traffic. An early approach to achieving this goal was to route all east-west traffic to a centralized firewall for examination before allowing it to continue to its destination. Such an architecture is highly inefficient, adding massive overhead to all network communications. And in today’s cloud environments, it would also miss traffic between virtual machines within a single physical server.

A data center’s north-south traffic can best be monitored by one or more enterprise-class firewall appliances, but east-west traffic is better handled by virtualized firewalls installed on each physical server. These firewalls are used by each server’s hypervisor to monitor not only all network traffic entering and leaving the server, but also all network traffic passing between virtual machines within the server’s hypervisor.

Firewalls within a data center must have robust capabilities for examining and analyzing application traffic. This not only means understanding web, database and other protocol categories often used for communicating between application components, but it also means being able to examine the contents of encrypted network traffic. The same encryption technologies that protect sensitive information also conceal attacks. Several options are available for accessing the contents of these encrypted packets, such as unencrypting traffic in transit, or having a firewall examine its contents and then re-encrypting the traffic before sending it to its final destination, thus giving organizations flexibility in determining how to ensure that firewalls review the contents of all traffic.

Another important consideration is the highly dynamic nature of data centers providing a cloud environment through server virtualization. In such an environment, virtual servers are automatically moved from one physical server to another, and copies of virtual servers are spawned as needed, to handle ever-changing demands and to compensate for operational issues involving physical servers and networks. Safeguarding virtual servers requires the use of firewall technologies that can associate a security policy with each virtual server, and can automatically relocate and enable that policy as the virtual server moves within the data center. These firewall technologies must also have powerful security analysis capabilities. Unfortunately, many firewalls for cloud environments are based on the traditional, highly flawed port-monitoring approach.

Steps to Defending the Data Center

Improving a data center’s defense is best achieved by following a phased approach. Attempting to replace legacy firewall appliances and deploy the necessary virtual firewalls all at one time, especially without rigorously planning the transition, is likely to cause major disruptions to operations and introduce security holes that may negate the value of having the firewalls in the first place. A high-level approach for data center security improvements can be carried out in four phases:

Phase 1: Gather information on the applications, including their components, the sensitivity of the data used by each component and the nature of all traffic flows between components.

Phase 2: Identify the security needs for each application, including each application component and each traffic flow.

Phase 3: Determine where to deploy firewalls to meet these needs, then deploy the firewalls with only basic security capabilities enabled as a starting point.

Phase 4: Enable additional security capabilities over time to protect applications and their data from advanced threats, in accordance with the security needs of each application’s components and data.

Phase 3 is often the most challenging, because IT managers have so many factors to take into consideration when choosing where to deploy firewalls. For example, they generally segment high-value applications and data from other operations to provide stronger protection for high-value assets. However, many other factors should be considered, such as segmenting applications by business unit, user community (customers versus employees), user location, or operational status (such as production, development and test environments). 

In some cases, an organization might need to use network segmentation to separate servers from its subsidiaries and from companies it has recently acquired but not yet integrated into the enterprise IT infrastructure. An organization may need to take several potentially conflicting factors into account when making decisions about using network segmentation in the data center to reduce risk from threats.

Finding firewall technologies that offer next-generation capabilities for detecting today’s advanced application-borne threats within highly dynamic data center environments can be challenging. Palo Alto Networks offers a variety of firewall technologies with advanced capabilities to thwart these threats. By monitoring both north-south and east-west traffic, Palo Alto Networks firewalls can look for suspicious activity during all phases of the attack lifecycle, from an attacker initially connecting to an internet-facing server, to an attacker jumping from server to server en route to an ultimate target. These firewalls not only segment network traffic to reduce attack surfaces, but they also prevent many application-based compromises from succeeding.