Dealing with Unknown Traffic in Your Data Center

In previous posts, we have explored various data center security best practices for protecting the data center, and of course Palo Alto Networks' fundamental approach starts with application visibility. Applications in the data center can largely be divided into:

  1. Known data center applications – enterprise off-the-shelf, custom and home-grown.
  2. Management applications (RDP, Telnet, SSH) used to control the enterprise applications in (1).
  3. Rogue or misconfigured applications.

The first set of applications should be allowed for authorized employees, the second set of applications should be enabled only for a select group of IT users, and the third set of applications should be remediated or dropped.

We can achieve each of the objectives above with a combination of App-ID™ and User-ID™. With our App-ID technologies, we not only identify enterprise applications but can also create custom App-IDs for unique applications within the individual enterprise. More importantly, any traffic that cannot be identified is categorized as unknown.

Now, in a data center environment, should there be any unknown traffic? If you've identified your applications (and I mean all of your applications), then there should not be any unknown traffic, right? Or at least the unknown is likely to fall into the bucket of threats or rogue applications.

I subscribe to the notion that you can't control what you can't see. Therefore, visibility into all traffic is important in a data center with prolific application developers implementing applications on any port that is convenient. Application proliferation (and hence the threat vector within these applications) is becoming more of an issue with the easy instantiation of virtual machines and the ease with which applications can be deployed on them.

How do you deal with unknown traffic in the data center? First, take a look at the unknown traffic category in your Application Command Center, or drill into the unknown application reports that we generate once a day. Based on the analysis, if you've missed the identification of custom or home-grown applications, you can define a custom App-ID for that traffic. Be sure to restrict the custom App-ID traffic by source/destination zone and IP address. For enterprise applications that we don't yet support, send a packet capture to Palo Alto Networks and we will create an application signature for you. Then, for whatever unknown traffic is left, observe the users, top source and destination addresses, and threats. You can also use detailed traffic and threat logs to drill into the specific communications between two hosts to determine if there is a threat associated with them. Unknown traffic with large session sizes over commonly open ports (like DNS) or over strange, uncommon ports is something to watch out for.
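To make the triage steps above concrete, here is an added example (not Palo Alto Networks code and not a product feature) that walks through them over a handful of constructed traffic log lines: it first relabels unknown sessions that match a custom application definition restricted to a source subnet and a destination IP/port (the custom App-ID step), then aggregates whatever unknown traffic remains by source, destination and port, and flags the patterns the post calls out: large unknown sessions over commonly open ports such as DNS, unknown traffic on uncommon high ports, and unknown sessions with an associated threat. The column layout, the `custom-batch` application, the IP addresses, the byte threshold and the port lists are all assumptions for illustration, not the real PAN-OS log format.

```python
"""Triage of 'unknown' application traffic from firewall traffic logs.

Added example, not Palo Alto Networks code. The log lines are constructed and
use a simplified, assumed column layout (not the real PAN-OS CSV format):
  timestamp,src_ip,dst_ip,dst_port,proto,app,user,bytes,threat
"""
import ipaddress
from collections import defaultdict

# Constructed sample traffic log lines (assumed simplified layout).
SAMPLE_LOGS = """\
2024-01-10T10:00:01,10.1.1.20,10.2.5.10,8443,tcp,custom-erp,alice,1200,none
2024-01-10T10:00:02,10.1.1.21,10.2.5.11,53,udp,unknown-udp,bob,2400000,none
2024-01-10T10:00:03,10.1.1.22,10.2.5.12,3389,tcp,ms-rdp,admin1,8000,none
2024-01-10T10:00:04,10.1.1.23,10.2.5.13,61337,tcp,unknown-tcp,carol,900,none
2024-01-10T10:00:05,10.1.1.21,10.2.5.11,53,udp,unknown-udp,bob,1800000,none
2024-01-10T10:00:06,10.1.1.24,10.2.5.14,443,tcp,ssl,dave,5000,none
2024-01-10T10:00:07,10.1.1.25,10.2.5.15,4444,tcp,unknown-tcp,,300,vulnerability
2024-01-10T10:00:08,10.1.1.30,10.2.5.20,7700,tcp,unknown-tcp,eve,5000,none
2024-01-10T10:00:09,10.1.9.9,10.2.5.20,7700,tcp,unknown-tcp,,700,none
"""

FIELDS = ["ts", "src", "dst", "dport", "proto", "app", "user", "bytes", "threat"]

# Hypothetical custom application definitions: name the traffic, but only when
# it comes from the expected source subnet to the expected destination IP/port.
CUSTOM_APPS = [
    {"name": "custom-batch", "src_net": "10.1.1.0/24",
     "dst": "10.2.5.20", "dport": 7700, "proto": "tcp"},
]

# Ports commonly left open through a data center firewall (assumed list).
COMMON_PORTS = {53, 80, 443}
# Dynamic/private range: unknown traffic here counts as an uncommon port.
UNCOMMON_PORT_FLOOR = 49152
# Byte volume above which an unknown flow is considered large (assumed).
LARGE_SESSION_BYTES = 1_000_000


def parse_logs(text):
    """Parse the simplified CSV lines into dicts with typed port and byte fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def apply_custom_apps(records, custom_apps=CUSTOM_APPS):
    """Relabel unknown sessions that match a custom app restricted by source subnet
    and destination IP/port/protocol; anything else stays unknown."""
    out = []
    for r in records:
        rec = dict(r)
        if rec["app"].startswith("unknown-"):
            for c in custom_apps:
                in_subnet = ipaddress.ip_address(rec["src"]) in ipaddress.ip_network(c["src_net"])
                if (in_subnet and rec["dst"] == c["dst"]
                        and rec["dport"] == c["dport"] and rec["proto"] == c["proto"]):
                    rec["app"] = c["name"]
                    break
        out.append(rec)
    return out


def summarize_unknown(records):
    """Aggregate remaining unknown traffic by (src, dst, port): sessions, bytes, users, threats."""
    agg = defaultdict(lambda: {"sessions": 0, "bytes": 0, "users": set(), "threats": set()})
    for r in records:
        if not r["app"].startswith("unknown-"):
            continue
        a = agg[(r["src"], r["dst"], r["dport"])]
        a["sessions"] += 1
        a["bytes"] += r["bytes"]
        if r["user"]:
            a["users"].add(r["user"])
        if r["threat"] != "none":
            a["threats"].add(r["threat"])
    return dict(agg)


def flag_suspicious(records):
    """Return [((src, dst, port), [reasons])] for unknown flows worth a closer look."""
    findings = []
    for key, a in summarize_unknown(records).items():
        port = key[2]
        reasons = []
        if port in COMMON_PORTS and a["bytes"] >= LARGE_SESSION_BYTES:
            reasons.append("large unknown session over common port")
        if port >= UNCOMMON_PORT_FLOOR:
            reasons.append("unknown traffic on uncommon port")
        if a["threats"]:
            reasons.append("threat associated: " + ",".join(sorted(a["threats"])))
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    recs = apply_custom_apps(parse_logs(SAMPLE_LOGS))
    for key, reasons in flag_suspicious(recs):
        print(key, "->", "; ".join(reasons))
```

Run as written, the flow from 10.1.1.30 is relabelled as `custom-batch` while the same destination and port reached from outside the allowed subnet (10.1.9.9) stays unknown, and three of the remaining unknown flows are flagged: the 4.2 MB of unknown UDP over port 53, the session on port 61337, and the session that has a threat log attached. The flow that stays unknown but matches none of the patterns is the kind you would then take to the detailed traffic logs for a host-to-host look.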

And, if you haven't deployed Palo Alto Networks firewalls, we'll provide you with a comprehensive Application Visibility Report (AVR) on the traffic within your data center when you complete an evaluation with us. The applications we identify in your data center could well be what you expect. On the other hand, there may be unknown traffic that would be a revelation. Take the Data Center AVR challenge and find out!