Palo Alto Networks: Solving Government’s Data Center Security Challenges

Feb 03, 2015
7 minutes

Governments worldwide are working hard to implement a number of changes in their data center infrastructures. Some have major data center consolidation projects underway, such as the Federal Data Center Consolidation Initiative in the U.S. Others are taking advantage of the benefits of virtualization or moving to Shared Services models. Finally, many are deciding if a public cloud infrastructure is appropriate for some of their government business. To cater to the U.S. government’s interest in the public cloud, Amazon Web Services (AWS) has developed specialized cloud services, GovCloud and Commercial Cloud Services (C2S) for the Intelligence Community, designed specifically for U.S. government customers.

Having so much to consider for their data center infrastructure plans, security is certainly top of mind.  Here at Palo Alto Networks, we’re doing all we can to support governments as they secure their cyber infrastructure. We have been working with numerous customers – including many in the U.S. federal sector – to evolve their infrastructure, securely, regardless of the stage in their data center transitions.

Recently, we worked with MeriTalk to develop a “health check” with U.S. federal government agencies (read the full report here). The survey queried 300 U.S. Federal IT managers about what security issues were top of mind as they implement changes to their data centers. The results are fascinating and show that many government agencies share common security concerns in their data center and cloud planning.

The good news is that our portfolio provides security solutions that protect customer data no matter where the government is in their data center evolution. Palo Alto Networks is able to solve many of the security challenges the survey respondents identified with their current data center security solutions. Let's look at a few of them:

Integration challenges

Integration can mean many things, but when it comes to data center security it typically refers to how well the solution can tie into the existing physical or virtualized network infrastructure. To integrate easily into an existing physical data center network, each Palo Alto Networks Next-Generation Firewall supports a range of network modes, including L2, L3, Virtual Wire and mixed mode. Virtual Wire makes our Next-Generation Firewalls truly transparent network device, looking much like a bump in the wire which solves many customer network integration challenges and can be used in both Active-Passive and Active-Active high availability modes.

From a virtualized computing environment perspective, integration means how tightly the security solution ties into the hypervisor and orchestration tools in use. The Palo Alto Networks VM-Series of virtualized firewalls allows customers to deploy the exact same next-generation firewall and advanced threat prevention features used in our physical appliances in private, public or hybrid cloud computing environments. The VM-Series supports a range of hypervisors including VMware ESXi and NSX, Amazon Web Services and KVM with OpenStack. In each of these environments, customers analyze traffic moving into and across the cloud environment, protecting both applications and data from advanced threats. Additionally, the VM-Series incorporates a fully-documented XML API to simplify integration of third party orchestration and management tools. Our ease of provisioning, noted below, helps ensure seamless integration as changes happen within the data center or cloud, regardless of your platform choice or data center instantiation.

Time to provision

In both physical and virtualized network environments, customers struggle with managing the discrepancies that may occur between compute workload additions, removals or changes and how quickly a security policy can be deployed. To help minimize these delays, Palo Alto Networks firewalls provide a rich set of native management features that streamline policy deployment so that security keeps pace with the changes in your compute workloads (physical and virtual).

As compute workloads change, are added or removed, features within the PAN-OS security operating system will see those contextual changes, proactively learning which IP addresses are changing, then apply those updates to the security policy automatically. The result is a dramatic reduction in the delay that can occur between workload changes and security policy updates. In the event that many virtual or physical Palo Alto Networks next-generation firewalls are deployed, our Panorama technology makes managing them easy and ensures that security policies are applied consistently and cohesively. Panorama also provides centralized logging and reporting capabilities that give users visibility into virtualized applications, users and content.

Performance shortcomings

In order to address the computationally intensive nature of full application traffic classification and inspection, Palo Alto Networks Next-Generation Firewall appliances are purpose-built to deliver predictable performance with security features enabled. A single-pass software architecture performs its defined functions only once on a given set of traffic, eliminating the multi-pass scan and decision making process that UTMs and other security solutions follow. This single pass software architecture is matched to purpose-built hardware that uses dedicated processing for the key areas of networking, security, content inspection and management. The end result is a next-generation firewall architecture that is fully capable of 120 Gbps of cyber security processing. Customers who have used proxy-based firewalls and UTMs are astonished at the performance gains our platforms provide.

Fragmented solutions

One of the advantages of the Palo Alto Networks Enterprise Security Platform is the contextual control it provides by knowing what applications are being used, who is using them and what data they contain. All visibility, policy control, logging, reporting and forensics features within our enterprise security platform take full advantage of this contextual awareness to provide a closed-loop feedback platform for network and data center security. All security functions employed – advanced threat prevention with WildFire™, known threat prevention with IPS, network anti-virus and anti-spyware, mobile security management with GlobalProtect™– are correlated and shared across the platform to continuously update and employ the very latest attack preventions for the data center and your network.

Lack of security for virtual machines

Palo Alto Networks VM-Series virtualizes the functions of its enterprise security platform, allowing customers to secure virtualized workloads while preventing advanced cyberattacks. In fact, it was a global government customer who gave us the idea years ago to create a virtualized instance of our platform and customers love it. If you use AWS GovCloud, the VM-Series for AWS is available as a Bring Your Own License (BYOL) model and the VM-Series also supports VMware ESXi/NSX, KVM or Citrix SDX. You can purchase the VM-Series from your authorized Palo Alto Networks partner.

With the power of the Palo Alto Networks Enterprise Security Platform, we can protect your north-south traffic as well as your east-west traffic. We ensure that attackers are not only blocked as they enter your overall network, but are also blocked as they attempt to move laterally into and through your data center.

Additional resources to assist you in your data center to cloud security needs:

See what the media has to say about the results of the MeriTalk survey:



Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.