Problem

Virtualization technology is fueling a significant change in today’s modern data centers, resulting in architectures that are commonly a mix of traditional and private cloud computing environments. For purposes of definition, private cloud implies that you manage the entire virtualization infrastructure — from the componentry to the applications. While the benefits of a private cloud are well known and significant, so too are the security challenges, exemplified by recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the cybercriminal’s target.

A private cloud enables your data center to evolve from a fixed environment, where applications run on dedicated servers, toward an environment that is dynamic and automated, where pools of computing resources are available to support application workloads that can be accessed anywhere, anytime, from any device. Yet security remains a challenge when you embrace this new dynamic, cloud computing environment. Many of the principles that make cloud computing attractive run counter to network security best practices.

  • Cloud computing does not lessen existing network security risks.
    The security risks that threaten your network today do not change when you move to the cloud. In some ways they become more significant, in part because virtualization places many applications on a single physical server. Many data center applications use a wide range of ports, rendering traditional port-based security ineffective, and it is well known that cybercriminals use multiple vectors to compromise your network and then hide in plain sight, using common applications to complete their mission.
  • Security wants separation and segmentation; the cloud relies on shared resources.
    Security best practices dictate that mission-critical applications and data be separated in secure segments on the network. On a physical network, segmentation is relatively straightforward to accomplish, using firewalls and policies based on application and user identity. In your cloud computing environment, direct communication between virtual machines within a server occurs constantly, in some cases across varied levels of trust, making segmentation a difficult task. Mixed levels of trust, when combined with a lack of intra-host traffic visibility by virtualized port-based security offerings, may introduce a weakened security posture.
  • Security deployments are process-oriented; cloud computing environments are dynamic.
    The creation or modification of your virtual workloads can often be done in minutes, yet the security configuration for this workload may take hours, days or weeks. Security delays are not purposeful; they are the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls identified, and the relevant policy updates determined. In contrast, virtualization teams operate in a highly dynamic environment, with workloads being added, removed and changed continuously. The result is a discrepancy between security policy and virtualized workload deployment, and a weakened security posture.

Solution

Our VM-Series is a virtualized implementation of the next-generation firewall and advanced threat prevention features found in our physical form factor appliances. It allows you to protect your private cloud infrastructure, and the data within it, using application-centric security policies.

Applying next-generation security to virtualized environments
The VM-Series natively analyzes all traffic in a single pass to determine the application identity, the content within, and the user identity. These are then used as integral components of your security policy, resulting in an improved security posture and a reduction in incident response time.

Isolate mission-critical applications and data using Zero Trust principles
Security best practices dictate that your mission-critical applications and data should be isolated in secure segments using Zero Trust (never trust, always verify) principles at each segmentation point. The VM-Series can be deployed in your cloud environment, allowing you to protect east-west traffic between VMs at the application level.

Block lateral movement of cyberthreats
Today’s cyberthreats will commonly compromise an individual workstation or user and then move across the network, looking for a target. Within your virtual network, cyberthreats will move laterally from VM to VM, in an east-west manner, placing your mission-critical applications and data at risk. Exerting application-level control using Zero Trust principles in between VMs will reduce the threat footprint while applying policies to block both known and unknown threats.

Automated, transparent deployment and provisioning
A rich set of APIs can be used to integrate with external orchestration and management tools, collecting information related to workload changes, which can then be used to dynamically drive policy updates via Dynamic Address Groups and VM Monitoring.

  • RESTful APIs: A flexible, REST-based API allows you to integrate with third-party or custom cloud orchestration solutions. This enables the VM-Series to be deployed and configured in lockstep with virtualized workloads.
  • Virtual Machine Monitoring: Security policies must be able to monitor and keep up with changes in virtualization environments, including VM attributes and the addition or removal of VMs. Virtual Machine Monitoring (VM Monitoring) automatically polls your virtualization environments for virtual machine inventory and changes, collecting this data in the form of tags that can then be used in Dynamic Address Groups to keep policies up to date.
  • Dynamic Address Groups: As your virtual machines are added, removed or changed, building security policies on static data such as IP addresses delivers limited value. Dynamic Address Groups allow you to create policies that use tags (from VM Monitoring) as the identifier for virtual machines, instead of a static object definition. Multiple tags representing virtual machine attributes, such as IP address and operating system, can be resolved within a Dynamic Address Group, allowing you to apply policies to virtual machines as they are created or move across the network.
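As an added illustration (not Palo Alto Networks code and not the PAN-OS API), the following Python model shows why a Dynamic Address Group resolved from VM Monitoring tags keeps pace with workload churn while a group built from a static IP snapshot drifts; the inventory, tag names and match-expression syntax are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of VM Monitoring tags feeding a Dynamic Address Group (DAG).
# It is not the PAN-OS API; it only shows tag-based vs. static-IP membership.

@dataclass(frozen=True)
class VirtualMachine:
    name: str
    ip: str
    tags: frozenset

def matches(expr, tags):
    """Evaluate a match expression such as "'web-tier' and 'production'".
    'and' binds tighter than 'or'; parentheses are not modelled here."""
    for clause in expr.split(" or "):
        if all(t.strip().strip("'") in tags for t in clause.split(" and ")):
            return True
    return False

def resolve_dag(match_expr, inventory):
    """Resolve the DAG to the IPs of VMs whose tags satisfy the expression."""
    return sorted(vm.ip for vm in inventory if matches(match_expr, vm.tags))

def policy_drift(static_ips, dag_ips):
    """Return (stale, missing): IPs a static object still permits although the
    VM no longer carries the tags, and tagged VMs the static object omits."""
    return sorted(set(static_ips) - set(dag_ips)), sorted(set(dag_ips) - set(static_ips))

# Constructed inventory as VM Monitoring might report it at two points in time.
INITIAL = [
    VirtualMachine("web-01", "10.0.1.10", frozenset({"web-tier", "production"})),
    VirtualMachine("web-02", "10.0.1.11", frozenset({"web-tier", "production"})),
    VirtualMachine("db-01", "10.0.2.20", frozenset({"db-tier", "production"})),
    VirtualMachine("web-dev", "10.0.3.5", frozenset({"web-tier", "development"})),
]
# Later: web-02 is decommissioned, its address is reused by a dev VM, web-03 is added.
LATER = [
    VirtualMachine("web-01", "10.0.1.10", frozenset({"web-tier", "production"})),
    VirtualMachine("scratch", "10.0.1.11", frozenset({"web-tier", "development"})),
    VirtualMachine("db-01", "10.0.2.20", frozenset({"db-tier", "production"})),
    VirtualMachine("web-03", "10.0.1.12", frozenset({"web-tier", "production"})),
]
PROD_WEB = "'web-tier' and 'production'"  # constructed DAG match criteria

def demo():
    static_group = resolve_dag(PROD_WEB, INITIAL)  # snapshot frozen into a static object
    dag_now = resolve_dag(PROD_WEB, LATER)         # DAG re-resolved after the change
    stale, missing = policy_drift(static_group, dag_now)
    return static_group, dag_now, stale, missing
```

The stale entry is the more dangerous of the two: the reused address means a development VM inherits the production web tier's permissions until someone notices, whereas the DAG drops it on the next poll.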

Centrally manage virtualized and physical form factor firewalls
Panorama™ network security management enables you to manage your VM-Series deployments, along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.

Palo Alto Networks, Santa Clara, CA