Best Practices for Securing Data in the Data Center

Protect Your Digital Treasure

The volume and sophistication of attacks against corporate and government data centers continues to grow at an alarming pace. Published research shows that these attacks tend to center on three major categories:

  • Cyber criminals attacking retail and commercial enterprises, such as stores, restaurant chains, banks, etc.
  • Hacktivists seeking to deface or cause harm to companies to which they're opposed.
  • State-sponsored attacks targeting government or commercial enterprises.

Traditionally, organizations have responded to these attacks by focusing their attention on detecting and preventing threats at the network perimeter and on traffic entering and exiting the data center, aka north-south traffic. Many IT administrators assumed that east-west traffic – traffic between systems and applications within a data center – could be trusted and did not require security protections. However, in many documented breaches, once an attacker successfully penetrated the network perimeter, they were able to move laterally, undetected inside the network, locate other servers, access sensitive data, and ship it outside the network perimeter because the same level of security that applied to the perimeter was not applied to internal segments within the data center.

Access to sensitive assets within the data center should be regulated using uncompromised identity credentials and application-based rules, along with a mix of threat inspection and prevention tools – AV, IPS, anti-spyware – to provide sufficient security within the data center. Integrated and extensible security architecture across the entire organization is necessary to protect sensitive information from unauthorized access and leakage – not just at the perimeter but also at the data center edge and internal segments within the data center. This approach is known as the Zero Trust model of information security.

Tip: Identify traffic that is north-south (traffic between the data center and external systems) and east-west (traffic within the data center) and heighten the focus on hidden east-west security weaknesses.

The Zero Trust model (originally proposed by Forrester® Research) assumes that all traffic is threat traffic until proven otherwise. Rather than rely on a perimeter-focused collection of separate security appliances, Forrester advises building a network architecture with a centralized "segmentation gateway," which combines multiple security and encryption operations (firewall, IPS, NAC, content filtering, VPN, etc.) in a single, high-speed device located at the core of the network. This enables administrators to segment the network into zones, which can isolate traffic to a high-value asset from routine, less-sensitive traffic, making it much more difficult for an attacker to gain access to and maintain persistence within these assets, or siphon data out of the network.

Palo Alto Networks® Next-Generation Security Platform – including hardware-based appliances and virtual appliances – enables you to implement an effective Zero Trust security model by allowing you to segment your network, whitelist or blacklist applications, user access, and specific content, as well as inspect all traffic for threats.

A Phased Approach to Securing Data in the Data Center

Whether you recently started implementing Palo Alto Networks products or have been administering them for years, make sure you're maximizing their full value by reviewing our best practices for using the Zero Trust approach to securing data in the data center.

As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases meant to make the transition as smooth as possible with minimal impact to your end users. With this gradual transition in mind, we recommend following our data center best practices in three phases, each building on the recommendations before it. The ultimate goal for your data center implementation should be to end up with granular visibility and full inspection into both north-south and east-west traffic to prevent threats in the data center.

Phase 1: Planning Your Data Center Deployment

Replacing a legacy firewall with a new system or implementing a data center firewall for the first time both require complex planning since both options provide the opportunity to start from scratch with a new (Zero Trust) network architecture.

As a first step, make an in-depth inventory and assessment of both the physical and logical data center environments. Identify and document the various systems in the data center, including servers, routers, switches, and other network and security infrastructure. This assessment should identify and characterize all data traffic: traffic between the data center and external systems (including other data centers within your organization), as well as traffic between systems within the data center.

Tip: There are four "levers" you can pull to protect your data center assets: controlling access, inspecting data usage patterns for abuse, disposing of data when the organization no longer needs it, or encrypting data to devalue it in the event that it is stolen.

Plan to deploy the following basic technologies within your Palo Alto Networks platform. These are crucial to helping you understand the traffic flowing through your data center, what it consists of, which assets it's targeting, and who is attempting access, all of which are imperative to effectively protecting your high-value assets.

  • User-ID™ verifies the user's identity, as opposed to just IP addresses, using enterprise directories, terminal services offerings or Microsoft® Exchange. User-ID provides detailed context concerning users who are accessing the network.
  • App-ID™ natively recognizes and categorizes thousands of applications, including web applications. App-ID helps identify applications that are in use, discover if applications are using custom or default ports, and find unknown or unauthorized applications on the network.
  • Content-ID™ enables customers to apply policies to inspect and control content traversing the network. Content-ID combines a real-time threat prevention engine, comprehensive URL database and elements of application identification to limit unauthorized data and file transfers and to detect and block a wide range of exploits, malware and dangerous or unauthorized web (HTTP and DNS) connections. Content-ID is available as part of the Threat Prevention subscription and allows you to implement policy control over unapproved traffic content, limit the unauthorized transfer of files and sensitive data, such as credit card or Social Security numbers, and defend against known and new malware and exploits.

The application and user visibility and control delivered by App-ID and User-ID, combined with the content inspection provided by Content-ID, enables IT departments to make risk-based decisions that protect the organization from threats and safely enable systems and applications needed to keep business running.

The list below summarizes the various types of policy supported by the Palo Alto Networks Next-Generation Security Platform. Determine which features and policy rules you are going to implement, and in which order, by prioritizing their purpose within the context of your organization's data center priorities, such as system uptime, bandwidth consumption, or data security regulations.

Policy types and their purpose:

  • Security: Determine whether to block or allow a session based on traffic attributes, such as the source and destination security zone, source and destination IP address, application, user and service.
  • NAT: Instruct the firewall as to which packets need translation and how to do the translation. The firewall supports source and destination address translation and/or port translation.
  • QoS: Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using one or more defined parameters and assign it a class.
  • Policy-Based Forwarding: Identify traffic that should use a different egress interface than the one that would normally be selected from the routing table.
  • Decryption: Identify encrypted traffic that you want to inspect for visibility, control and granular security.
  • Application Override: Identify sessions that you do not want processed by the App-ID engine (Layer 7 inspection).
  • Captive Portal: Identify traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address.
  • DoS Protection: Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches.
  • Zone Protection: Provide additional protection between specific network zones on the same firewall, including protection against evasion techniques and enforcement of traffic thresholds.

Tips:

  • Install the platform in front of any legacy protection device so that it can examine all network traffic before it passes through the legacy device and provide visibility you may be missing.
  • SSL decryption can be performed on virtual wire (VWire), Layer 2 or Layer 3 interfaces, or while in Tap mode. For a more well-rounded view of your data center traffic, make sure you're decrypting as much as possible.
  • Palo Alto Networks Next-Generation Security Platform can operate in multiple deployments simultaneously because the deployments occur at the interface level.

Phase 2: Complete Visibility into Data Center Traffic

The objective of this stage is to identify and validate all application communication in and out of the data center. When installing the Next-Generation Security Platform for the first time, we recommend deploying it first in Tap mode.

Tap mode provides the ability to passively monitor network traffic without disruption but does not prevent or block any connections. This allows north-south and east-west data center traffic to be monitored and profiled for applications, threats and traffic usage without disrupting production traffic. Reviewing traffic and threat logs created in Tap mode also makes it possible to verify applications, users and threats that have been identified by the earlier review of documents and existing configurations.

Collecting and analyzing network traffic can enable you to quickly profile the environment and detect threats in real time. This data can be used to quickly create custom reports and a Security Lifecycle Review (SLR), which includes:

  • Application identification
  • Number of sessions and consumed bandwidth associated with each application
  • Source and destination networks
  • Total scope of unknown threats observed
  • Percent of malware detected by the platform that was undetected by third-party AV solutions
  • Zero-day malware and advanced persistent threats identified by Palo Alto Networks WildFire
  • Application threat vectors and malicious file types
  • Risky user behavior

Once the data center's network traffic data is collected and analyzed, you can create alerts for commonly seen threats. This will allow you to further analyze your environment through historical reporting and trending capabilities for traffic validation so that you can begin the process of more comprehensive, advanced policy development.

Once sufficient data is collected in Tap mode, reconfigure the platform in either VWire or Layer 2 (L2) / Layer 3 (L3) mode to begin taking action on unwanted and risky traffic.

VWire provides flexibility in enforcing distinct policies that can be used to manage traffic from multiple internal networks and separate and classify traffic into different zones. This configuration logically isolates a high-value asset environment from other, less critical systems. In VWire mode, the platform is installed transparently on a network segment by binding two ports together. This simplifies installation and configuration and does not require any changes to adjacent network devices. Data center distribution and/or core switches are configured to selectively forward only the relevant high-value asset traffic to the platform (via VLANs), allowing the environment to maintain its VLAN and IP addressing. VWire mode reroutes all traffic through the platform to enable initial policy development and monitor all traffic into and out of the environment.

Use the gathered information to develop an initial security policy that describes authorized access, such as approved sources, destination networks, applications and user groups. Then create security rules for inbound and outbound communication from the data center with groupings of similar, known applications, such as database, web, application, Microsoft, management and infrastructure. This enables you to develop a broad security policy framework to classify approved applications. Apply threat protection profiles to all policies for additional security visibility so that you're in a good position to block exploits, malware, and command-and-control traffic without impacting business communication.

To make sure you're not blocking any essential communication while you build and test your data center policy, implement a catchall "allow any any" security rule at the end of the security policy hierarchy that explicitly allows all communication that isn't already attached to a rule.

Any applications using non-standard ports or protocols, or unknown applications, should be specially reviewed and only allowed after validation with the system owner. The validated application rules should be added above the catchall rule in the hierarchy for safe enablement and logical policy development.
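The Tap-mode profiling described in this phase (sessions, bandwidth, and source/destination networks per application, followed by the review of unknown applications and applications on non-standard ports) is illustrated below with an added Python example. This is not code from the document or from Palo Alto Networks; the log field layout, the sample records, the zone names and the table of expected ports are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed Tap-mode traffic log sample. The field layout is an assumption made for
# this example (app,src_zone,dst_zone,src_ip,dst_ip,dst_port,bytes), not the real
# PAN-OS log format.
SAMPLE_TRAFFIC_LOG = """\
web-browsing,dmz,app-zone,10.1.1.10,10.1.3.20,80,5120
ssl,dmz,app-zone,10.1.1.10,10.1.3.20,443,20480
mysql,app-zone,db-zone,10.1.3.5,10.2.2.30,3306,70000
mysql,app-zone,db-zone,10.1.3.6,10.2.2.30,3306,50000
ssh,mgmt,db-zone,10.9.9.1,10.2.2.30,22,4000
ssh,app-zone,db-zone,10.1.3.7,10.2.2.30,8443,900
unknown-tcp,app-zone,db-zone,10.1.3.9,10.2.2.31,6000,1500
"""

# Ports on which each application is expected to run (assumed for the example).
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "mysql": {3306}, "ssh": {22}}


def parse_traffic_log(text):
    """Turn the CSV-style sample into dicts with typed port and byte fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, src_zone, dst_zone, src_ip, dst_ip, dst_port, nbytes = line.split(",")
        records.append({
            "app": app, "src_zone": src_zone, "dst_zone": dst_zone,
            "src_ip": src_ip, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "bytes": int(nbytes),
        })
    return records


def profile_by_application(records):
    """SLR-style summary: sessions, bytes and source/destination zones per application."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0,
                                   "sources": set(), "destinations": set()})
    for r in records:
        s = summary[r["app"]]
        s["sessions"] += 1
        s["bytes"] += r["bytes"]
        s["sources"].add(r["src_zone"])
        s["destinations"].add(r["dst_zone"])
    return dict(summary)


def review_reason(record, default_ports=DEFAULT_PORTS):
    """Why a session must be validated with the system owner before a rule is written,
    or None if it can go straight into the initial allow rules."""
    if record["app"].startswith("unknown-"):
        return "unknown application"
    expected = default_ports.get(record["app"])
    if expected is not None and record["dst_port"] not in expected:
        return "non-standard port"
    return None


def find_review_candidates(records):
    """Sessions that should stay on the catchall rule until validated."""
    return [(r, review_reason(r)) for r in records if review_reason(r) is not None]


def draft_rule_tuples(records):
    """(source zone, destination zone, application) tuples for the initial allow rules,
    built only from traffic that needs no further validation."""
    return sorted({(r["src_zone"], r["dst_zone"], r["app"])
                   for r in records if review_reason(r) is None})


if __name__ == "__main__":
    recs = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    for app, stats in profile_by_application(recs).items():
        print(f"{app:14} sessions={stats['sessions']:3} bytes={stats['bytes']:7}")
    for r, reason in find_review_candidates(recs):
        print(f"REVIEW {r['app']} {r['src_ip']}->{r['dst_ip']}:{r['dst_port']} ({reason})")
    print("draft rules:", draft_rule_tuples(recs))
```

The review list is the output a practitioner takes to the system owners: here the SSH session from the application tier on port 8443 and the unknown-tcp session are held back, while the four clean zone-pair/application tuples become the first rules placed above the catchall.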

By the end of this phase, the security policy should include all identified and approved applications, ports, protocols, source and destination networks, and the users and user groups authorized to access them. The result is that all approved traffic is identified by an application with a specific security policy. Only unapproved traffic will trigger the catchall rule; review and validate that traffic, and create a specific rule to allow it where it is legitimate.

Finally, to enforce active protection, discontinue simple alerting and shift to active blocking of known threats by adding security profiles to your rule set. Replace the catchall rule with a new "deny any any" rule at the end of the policy list that is configured to block and log all denied traffic. This change from a blacklist to a whitelist approach allows the system to deny all traffic that was not expressly allowed, while maximizing visibility and the prevention of threats. At this point you can decommission the legacy security platform and remove it from service.
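The Phase 2 policy build described above (specific allow rules at the top, a logging "allow any any" catchall at the bottom, then the catchall replaced by a logging "deny any any") can be modelled with a small first-match, top-down rule evaluator. The following Python is an added example written for this page; it is not Palo Alto Networks code and does not reproduce the platform's rule syntax. The zone names, rule names, user group and sample sessions are constructed, and the match fields are deliberately reduced to zones, application and user.

```python
from dataclasses import dataclass

MATCH_FIELDS = ("src_zone", "dst_zone", "app", "user")


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    app: str = "any"
    user: str = "any"
    action: str = "allow"
    log: bool = True


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str
    user: str = "unknown"


def rule_matches(rule, session):
    """A rule matches when every field is either 'any' or equal to the session's value."""
    return all(getattr(rule, f) in ("any", getattr(session, f)) for f in MATCH_FIELDS)


def evaluate(rulebase, session):
    """First-match, top-down evaluation: the first matching rule decides the action."""
    for rule in rulebase:
        if rule_matches(rule, session):
            return rule
    return None  # nothing matched in this simplified model


def shadowed_rules(rulebase):
    """Rules that can never match because an earlier rule already covers everything
    they would match; these are the ordering mistakes the evaluator silently ignores."""
    def covers(earlier, later):
        return all(getattr(earlier, f) in ("any", getattr(later, f)) for f in MATCH_FIELDS)
    return [later.name for i, later in enumerate(rulebase)
            if any(covers(earlier, later) for earlier in rulebase[:i])]


def catchall_review_list(rulebase, sessions):
    """Sessions that fell through to the last rule: the traffic to validate with owners."""
    last = rulebase[-1]
    return [s for s in sessions if evaluate(rulebase, s) is last]


# Constructed approved-application rules (zone pair + application, plus a user group).
APPROVED = [
    Rule("web-to-app", "dmz", "app-zone", "web-browsing"),
    Rule("app-to-db", "app-zone", "db-zone", "mysql"),
    Rule("dba-ssh", "mgmt", "db-zone", "ssh", user="dba-group"),
]
# Phase 2: build and test with a logging "allow any any" catchall at the bottom.
PHASE2_RULEBASE = APPROVED + [Rule("catchall-allow", action="allow", log=True)]
# End of Phase 2: the catchall becomes a logging "deny any any" (blacklist -> whitelist).
PHASE3_RULEBASE = APPROVED + [Rule("deny-all", action="deny", log=True)]

# Constructed sessions; the last one is not an approved flow.
SAMPLE_SESSIONS = [
    Session("dmz", "app-zone", "web-browsing"),
    Session("app-zone", "db-zone", "mysql"),
    Session("mgmt", "db-zone", "ssh", user="dba-group"),
    Session("app-zone", "db-zone", "ssh"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        r2, r3 = evaluate(PHASE2_RULEBASE, s), evaluate(PHASE3_RULEBASE, s)
        print(f"{s.src_zone}->{s.dst_zone} {s.app:13} phase2={r2.name:15} phase3={r3.name}")
    misordered = [PHASE2_RULEBASE[-1]] + APPROVED
    print("shadowed when catchall is first:", shadowed_rules(misordered))
```

Two things the model makes visible: the unapproved SSH session from the application tier is allowed (but logged) under the Phase 2 rulebase and denied once the final rule flips to deny, and putting the catchall anywhere above the specific rules shadows every one of them, since a session never reaches a rule below the first match. On the real platform, traffic that matches no rule is handled by the platform's predefined default rules, which is why the explicit logging deny rule at the bottom is what gives you visibility into what was dropped.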

Phase 3: Advanced Data Center Security

Once you have your basic security platform configured, you can turn your attention to creating additional special reports, fine-tuning policy rules, and implementing additional prevention capabilities, such as strict security profiles, WildFire™ cloud-based malware analysis environment, GlobalProtect™ mobile workforce security service, and Traps™ advanced endpoint protection.

Enable file forwarding to WildFire to ensure that unknown files – particularly those file types with legitimate business uses, like Microsoft Office and Adobe® Acrobat® files – do not contain any advanced persistent threats (APTs) or zero-day malware. WildFire analyzes unknown files and then generates malware, command-and-control, and URL protections when a file is deemed "malicious." WildFire executes suspicious content in multiple versions of the target application located within virtualized operating systems and identifies hundreds of behaviors associated with malicious software, such as modifications to the host, suspicious network traffic, and anti-analysis evasion techniques. Along with application protections, these behaviors are also delivered within a report that can then be used to positively identify infected systems.

If you have assets that communicate externally in any capacity, configure URL Filtering profiles to applicable rules for an additional layer of security so that these assets cannot communicate with malicious and high-risk URLs.

Enable GlobalProtect on users' company-issued phones and laptops to identify them beyond their IP address when they attempt to access assets remotely, extend the security protections on your platform when they're off network, and ensure that their connection to your data center is secure. GlobalProtect is a User-ID™ source that increases the reach of the security platform to your users, wherever they are, and ensures that access to high-value assets within your data center always complies with the security policy.

Deploy Traps Advanced Endpoint Protection on all Windows servers and virtual desktop infrastructure (VDI) running within your data center to provide an additional layer of exploit protection. Traps is an agent that prevents zero-day vulnerability exploits and malware-driven attacks without signatures, protecting assets in your data center from compromise. The Traps agent injects itself into each process as it is started and focuses on the core techniques that an attacker must link together in order to execute an attack. If the process attempts to execute any of the core attack techniques, Traps will immediately block that technique, terminate the process, and notify the admin that an attack was prevented.

Tip: To evaluate your traffic without time-consuming manual log reviews, develop custom reports, such as those covering top applications, top security rules, and traffic matching the catchall "allow any any" security rule. These types of reports provide a historical baseline of data that allow you and your team to continuously profile the traffic into and out of your data center.

Tips:

  • The ordering of rules is critical to ensuring your best match criteria. Because policy is evaluated from the top down, more-specific policies must precede more-general ones. A rule that is placed lower is not evaluated if the match criterion is met by another rule that precedes it.
  • Because multiple layers of encoding can be used as an evasion technique, use Multi-Level-Encoding to ensure that unidentified files that have not been processed for threats do not pass through the firewall to your data center.
  • Configure your platform to pull protection updates from WildFire every five minutes.
  • Utilize the External Dynamic Lists feature to deter attackers by importing the source IP addresses of repeat offenders who appear within your threat logs within a given amount of time and blocking them for 24 hours or longer.
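The last tip, feeding repeat offenders from the threat logs into an External Dynamic List, is shown below as an added Python example. It is not Palo Alto Networks code: the threat-log entries are constructed, the field layout is assumed, and the threshold, window and never-block range are example values. The never-block exclusion is added because an internal vulnerability scanner will often look like a repeat offender in threat logs, and blocking it through an EDL would break legitimate assessments.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-log entries (timestamp, source IP, threat name); not real data.
SAMPLE_THREAT_LOG = [
    (datetime(2024, 1, 1, 9, 0), "203.0.113.7", "SQL Injection Attempt"),
    (datetime(2024, 1, 1, 9, 5), "203.0.113.7", "SQL Injection Attempt"),
    (datetime(2024, 1, 1, 9, 20), "203.0.113.7", "Directory Traversal"),
    (datetime(2024, 1, 1, 8, 0), "198.51.100.9", "Port Scan"),
    (datetime(2024, 1, 1, 10, 0), "198.51.100.9", "Port Scan"),
    (datetime(2024, 1, 1, 12, 0), "198.51.100.9", "Port Scan"),
    (datetime(2024, 1, 1, 9, 0), "192.0.2.4", "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 1), "192.0.2.4", "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 0), "10.1.1.50", "Port Scan"),
    (datetime(2024, 1, 1, 9, 2), "10.1.1.50", "Port Scan"),
    (datetime(2024, 1, 1, 9, 4), "10.1.1.50", "Port Scan"),
]

# Internal ranges that must never end up in the block list (assumed example value,
# e.g. the range of an authorised vulnerability scanner).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def repeat_offenders(entries, threshold=3, window=timedelta(hours=1)):
    """Source IPs with at least `threshold` threat-log hits inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, _threat in entries:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def build_edl(entries, never_block=NEVER_BLOCK, threshold=3, window=timedelta(hours=1)):
    """Split offenders into the IPs to publish and the ones skipped by the never-block list."""
    blocked, skipped = [], []
    for ip in sorted(repeat_offenders(entries, threshold, window), key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in never_block):
            skipped.append(ip)
        else:
            blocked.append(ip)
    return blocked, skipped


def render_edl(blocked):
    """EDL text body: one IP address (or CIDR) per line, served from a URL the firewall polls."""
    return "".join(f"{ip}\n" for ip in blocked)


if __name__ == "__main__":
    blocked, skipped = build_edl(SAMPLE_THREAT_LOG)
    print(render_edl(blocked), end="")
    print("skipped (never-block):", skipped)
```

The expiry the tip mentions (24 hours or longer) is handled by regenerating the list from only the most recent window of threat logs each time the firewall polls the URL; an IP that stops triggering threats ages out on the next regeneration rather than being removed by hand.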