When I started working on data center security at Palo Alto Networks years ago, one of the more common questions from customers was how next-generation firewall (NGFW) technologies were applicable in the data center. At the time, most of our deployments were Internet gateway deployments, protecting user access to Internet applications. Years later, with roughly one third of our business coming from data center use cases, and the timely announcement of a 120Gbps next-generation firewall ideal for data center deployments, it is interesting that there are still those in the industry that question whether next-generation firewalls really belong in the data center.
There is a lot of confusion and FUD on this topic, and in many cases, we’re not even talking about the same problem. So, let’s answer this definitively once and for all. Do next-generation firewalls belong in the data center?
Let’s break it down.
First, let’s start by clarifying that there are really two types of data center: Internet-facing and internal. Application and user characteristics, regulatory requirements, and additional, unique security concerns all vary between these two types of data center.
Internet-facing data centers
In Internet-facing data centers such as those used in online banking, auction or dating sites, there are typically relatively few applications, and they’re usually web (i.e., browser-based) applications. Often, these applications will use one of the common web infrastructure “stacks” (e.g., IBM, LAMP, Microsoft, Oracle). Users are many, and often unknown/untrusted. If you are a large content or e-commerce provider, the Internet-facing datacenter is the heart of your business.
Due to low-latency requirements, most enterprises and service providers don’t firewall their Internet-facing datacenters. Traffic goes through DDoS appliances, such as Arbor Networks’, to an application delivery controller, such as Citrix NetScaler ADC, and hits the web servers. There may be web application firewalls sitting in front of the web servers to address web coding errors. And, IPS (or more likely IDS) appliances provide threat prevention. So, when Chris Hoff describes the limitations of a next-generation firewall in mobile service provider networks, well, in fact, firewalls are rarely used in this architecture at all. For Internet-facing data centers, next-generation firewalls are more likely to be deployed for IPS or IDS capabilities.
Internal data centers (and private clouds)
Enterprise data centers on the other hand, host more applications, but have fewer users. Applications come from a variety of origins – they might be packaged, home grown, or customized. Users include employees, contractors or partners.
This environment is one we know is a source of constant attacks; it’s where the “crown jewels” of the enterprise, like intellectual property, reside. Legacy security access controls and firewall policies and the many security holes they provide are well understood by attackers. If unauthorized access is attempted, it will target the most common applications in the data center and the expected open ports.
We know this not through mere speculation; we’ve documented these patterns in Palo Alto Networks Application Usage and Threat Report data. Out of more than 3,000 network assessments performed, 97 percent of exploit logs came from 10 applications. Nine of these 10 were data center applications like SMB, MS-SQL and MS-Office Communicator. Since most exploits target open ports, the right approach is to minimize the reliance on ports and protocol, which is exactly where next-generation firewalls excel. With next-generation firewalls, you can adopt a positive control model, where what isn’t specifically allowed is denied.
What about authorized access? For most data centers protected by legacy security solutions, access is granted from a certain IP range to the data center IP range. This is exactly why we have insiders such as Edward Snowden exploring what they shouldn’t have access to.
Many data centers also provide access for IT administrators to their critical resources via SSH (22), Telnet (23), SSL (443), RDP (3389), FTP (24, 20, 21), TFTP (69), etc. You get the idea. Port numbers don't effectively limit what traffic can communicate to the systems and IP addresses have very little ability to limit who can access a system. Again, next-generation firewalls can help build a least privilege access model, tying policies to actual groups of users, and enabling them access only to specific applications (or functions of applications). In fact, Palo Alto Networks can even log and alert when a non-sanctioned user attempts access to a particular segment or application in the data center, because this may in fact be an indicator of a compromise.
For attackers, getting into the data center through an insider is typically the first step. Moving laterally and learning about the assets is the second step. Close and continuous attention must be paid to exactly what is happening in “allowed” applications, and the only way to do this is to inspect the content for threats. Our complete threat protection framework and WildFire offer this kind of visibility. And since the majority of data center environments are virtualized, we extend this protection to our virtual next-generation firewall to stop exploits, malware and the lateral East-West propagation. Within a virtualized computing environment, we offer integration with orchestration systems and dynamic policies that are “virtualization-aware” so you can continue to enable your policies no matter where your applications move in the data center.
Clearly, the ability to understand and address threats based on apps, users and content -- capabilities provided by true next-generation firewalls -- is as useful for data centers as it has been for the perimeter. The visibility, control and safe enablement we provide can offer even greater benefits in the core of your network-- break the attack chain, stop lateral movement of malware and prevent data exfiltration. There will always be skeptics, but we invite you to try it in your data center and see for yourself – next-gen firewalls absolutely belong in the data center.