We finally wrapped up our worldwide 10-city data center summit tour last week. I personally logged more than 40,000 miles, advanced my ability to work in a cramped airline seat, and sampled local cuisine from Singapore Chilli Crab to Australian King Prawns. But the highlight for me, of course, was meeting attendees, customers and partners at the summits and being able to share our data center story.
Perform or Else
The attendees I met had data center designs that varied greatly, from Internet-facing data centers with high transaction rates and private cloud providers to enterprises from every vertical. Top of mind for many attendees were threats and performance, as expected. The operator of an Internet-facing data center for a gambling site worried about firewall performance in the data center and how it would affect their ability to transact. A private cloud provider offering computing services to multiple customers needed to decrypt customer traffic, so firewall performance with decryption enabled came into play again. It’s clear that if you can’t support the performance objectives of the data center, your network security solution does not belong there.
Many attendees were interested in how our App-ID™, User-ID™ and Content-ID™ capabilities made internal data center network segmentation much more meaningful. They liked the comprehensive access control the next-generation technologies offered for network segmentation, but more importantly they liked the ability to easily show auditors how they complied with regulations.
VDI and Security
Within the data center environment, the fact that many were already deploying server virtualization was expected. But I was surprised at how many enterprises were also deploying virtual desktop infrastructure (VDI). A big driver behind this is BYOD: because endpoints are difficult to control, VDI provides secure access to applications without the need to manage the complexities of multiple operating systems on multiple endpoints. The trends in server virtualization, VDI and cloud showcase the increasing importance of security within the data center and its impact on business growth and productivity.
What Does Defense-in-Depth Mean?
Also enlightening from discussions with attendees in many regions was the popularity of the two-tier firewall design. Examples of this: vendor A’s firewall on the outside and vendor B’s firewall on the inside, or firewall A as the primary firewall and firewall B as the secondary firewall. The reason behind such setups is to maintain defense-in-depth, with the idea that if an intruder takes advantage of a vulnerability in vendor A’s firewall, they still cannot penetrate vendor B’s.
Presumably this was a best practice that originated years ago, when firewalls from different vendors addressed only certain ports. At that time, the only way to deal with access control was to make sure you layered your protection and port knowledge. It was also likely a sales angle for vendors to position another set of firewalls when the enterprise already had an existing firewall.
Defense-in-depth doesn’t justify additional devices if those devices don’t provide value. Without the ability to understand all application traffic and address all types of threats, two tiers of stateful inspection firewalls are just two tiers of redundant devices. In other words, unless one of those two sets of firewalls is a next-generation firewall, you’re not being protected. Vulnerabilities in vendor products, and the vendor’s ability to maintain quality code and to provide patches quickly, should be part of the evaluation process when you select a firewall vendor.
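As an added illustration of that redundancy argument (example code written for this post, not the author's or any vendor's), here is a toy model comparing two port-based tiers in series with a port-based tier followed by an application-aware one; the vendor names, zones and application labels are constructed.

```python
"""Toy model of firewall tiers in series (added example, not from the original post).
A port-based tier matches only zone/proto/port; an app-aware tier also matches `app`.
All rules and flows below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    dst_zone: str
    proto: str
    dport: int
    app: str  # what the connection actually carries

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    app: Optional[str] = None   # only an app-aware tier can set this

    def matches(self, f: Flow) -> bool:
        wanted = {"dst_zone": self.dst_zone, "proto": self.proto,
                  "dport": self.dport, "app": self.app}
        return all(v is None or v == getattr(f, k) for k, v in wanted.items())

def evaluate(tier: List[Rule], f: Flow) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for r in tier:
        if r.matches(f):
            return r.action
    return "deny"

def evaluate_stack(tiers: List[List[Rule]], f: Flow) -> str:
    """Tiers in series: a flow passes only if every tier allows it."""
    return "allow" if all(evaluate(t, f) == "allow" for t in tiers) else "deny"

def redundant_tier(outer: List[Rule], inner: List[Rule], flows: List[Flow]) -> bool:
    """Inner tier adds nothing if it never denies a flow the outer tier already allowed."""
    return all(evaluate(inner, f) == "allow" for f in flows if evaluate(outer, f) == "allow")

# Constructed policies: two port-based tiers from different vendors, one app-aware tier.
VENDOR_A = [Rule("allow", dst_zone="dc", proto="tcp", dport=443), Rule("deny")]
VENDOR_B = [Rule("allow", dst_zone="dc", proto="tcp", dport=443), Rule("deny")]
APP_AWARE = [Rule("allow", dst_zone="dc", proto="tcp", dport=443, app="web-browsing"), Rule("deny")]
SAMPLE_FLOWS = [
    Flow("dc", "tcp", 443, "web-browsing"),   # the traffic the rule was written for
    Flow("dc", "tcp", 443, "file-sharing"),   # a different app riding on the allowed port
    Flow("dc", "tcp", 22, "ssh"),             # port not opened by any tier
]
```

Running `redundant_tier(VENDOR_A, VENDOR_B, SAMPLE_FLOWS)` returns True, because the second port-based tier never denies anything the first allowed, while the app-aware tier is not redundant since it stops the non-web application on port 443.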
Looking Forward to More
I want to thank everyone who attended the data center events in each city. I enjoyed meeting and speaking with all of you. Look for other data center events happening at a city near you. Stay tuned.