How to Segment the Data Center
The next-generation firewall acts as a segmentation gateway and provides tools to segment your network.
How you segment your data center depends on your business requirements and your data center network architecture, including your SDN solution, which may dictate the segmentation method. For example, vwire interfaces control firewall connectivity on an NSX host. Because vwire interfaces don’t route or switch traffic on an NSX host, they must belong to the same zone, so all of the resources for a particular tenant (department, customer, or application tier) reside in one zone and the firewall uses dynamic address groups to segment application traffic within that zone. Each tenant has a separate zone with its own vwire interfaces. For other SDN solutions, separate virtual firewall instances may segment traffic.
Next-generation Palo Alto Networks firewalls provide flexible tools to segment traffic:
- Consider using zone protection profiles to protect zones against floods, reconnaissance activities (port scans and host sweeps), Layer 3 packet-based attacks, and non-IP protocol (Layer 2) packet-based attacks.
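The per-tenant virtual wire layout and intrazone dynamic address group segmentation described above, with a zone protection profile attached to the tenant zone, expressed as PAN-OS set commands. This is an added example, not configuration from the Palo Alto Networks guide; the interface names, the tenant-a zone, the tag names, the mysql application and the dc-zpp zone protection profile (assumed to exist already) are all assumptions.

```text
# Virtual wire pair for tenant A (assumed interfaces ethernet1/1 and ethernet1/2).
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw-tenant-a interface1 ethernet1/1 interface2 ethernet1/2

# Both ends of the vwire must sit in the same zone, and each tenant gets its own zone.
set zone tenant-a network virtual-wire [ ethernet1/1 ethernet1/2 ]
# Attach the (assumed, pre-existing) zone protection profile to guard the tenant zone
# against floods, port scans/host sweeps and packet-based attacks.
set zone tenant-a network zone-protection-profile dc-zpp

# Dynamic address groups segment application tiers inside the single tenant zone.
# Membership follows tags learned from the virtualized inventory (assumed tag names).
set address-group tenant-a-web dynamic filter "'tenant-a' and 'web-tier'"
set address-group tenant-a-db dynamic filter "'tenant-a' and 'db-tier'"

# Intrazone rule: only the web tier may reach the database tier, on the expected application
# and its default port.
set rulebase security rules tenant-a-web-to-db from tenant-a to tenant-a source tenant-a-web destination tenant-a-db application mysql service application-default action allow
# Explicitly deny and log all other traffic inside the tenant zone; without this rule the
# built-in intrazone-default rule would allow it.
set rulebase security rules tenant-a-intrazone-deny from tenant-a to tenant-a source any destination any application any service any action deny log-end yes
```

Lines beginning with # are explanatory and are not PAN-OS syntax; drop them before pasting the commands into configure mode, then commit.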
When you design your data center segmentation plan, keep in mind the following general guidelines:
- Use an SDN solution (such as NSX, ACI, or OpenStack) inside the data center to provide a scalable, agile, virtualized infrastructure. SDN is the best way to centralize data center network management, maximize compute resource utilization, scale and automate the network, and control and secure traffic on a virtualized network. Although you can create a non-SDN architecture that essentially replicates an SDN architecture, doing so is difficult and time-consuming, prone to errors that result in outages, and not considered a best practice. SDN solutions maximize the use of the underlying data center compute resources without sacrificing security.
- Use physical next-generation firewalls to segment and secure non-virtualized legacy servers and use VM-Series firewalls to segment and secure the virtual data center network.
- Group assets that perform similar functions and require the same level of security in the same data center segment. For example, place servers that connect to the internet in the same segment.
Base your segmentation plan on multiple criteria to develop the right plan to secure your business.