Learn the risks of the traditional approach to securing
internet traffic entering the data center and how the best practice
approach mitigates those risks.
The traditional legacy approach to securing data center
traffic flowing to the data center from the internet leaves valuable
assets exposed to risk, while the best practice approach protects
your valuable assets. The major risks from traffic entering the
data center are inadvertently downloading malware from an infected
external server or inadvertently placing malware on an external
server from a compromised data center server.
The Traditional Approach
The Best Practice Approach
Create port-based security policy.
Malicious applications access the network by
spoofing port numbers, tunneling through a port, or using port hopping
to avoid detection.
Application allow rules prevent applications
from running on non-standard ports. Log and monitor allow list violations.
When you transition from port-based to application-based rules,
in the rulebase, place the application-based rule above the port-based rule
it will replace. Reset the policy rule hit counter for both rules.
If traffic hits the port-based rule, its policy rule hit count increases.
Tune the application-based rule until no traffic hits the port-based rule
for a period of time, then remove the port-based rule.
An Intrusion Prevention System (IPS) is often
deployed as an Intrusion Detection System (IDS).
An IPS is an in-band detection and prevention
system, while an IDS is an out-of-band detection system. Deploying
an IPS as an IDS takes intrusion detection out of the direct communication
path between the source and the destination, so real-time prevention
can’t occur and threats can enter the data center.
In-band on the firewall, use Palo Alto Networks
App-ID, User-ID, and Content-ID to create application allow list
security policies that tightly control access. Apply the security
profiles to stop known and new threats.
A web application firewall is sufficient to protect
the data center.
An attacker places command-and-control (C2) software
onto a compromised data center endpoint, opening the network to
attack and potentially serving client-side exploits in a watering-hole attack.
Stop attackers from placing C2 software
on data center endpoints simply by assigning the strict Anti-Spyware
security profile to the security policy rule that controls the traffic.
This profile is one of the firewall’s included features, so it costs
you nothing extra to apply this protection.