Plan Your Data Center Best Practice Deployment

If you’re already familiar with Palo Alto Networks’ platform, this checklist streamlines planning your data center best practice deployment strategy and roll-out so that you can set goals, prepare users for changes, and prioritize what to protect first.
Prepare to implement best practices in your data center by developing a strategy and a roll-out plan. Use positive security enforcement (create rules that allow the user and application traffic you want to allow and deny everything else, also known as whitelisting) to work toward a Zero Trust architecture.
  1. Set goals.
    • Define the ideal future state of your data center network so you have definitive goals to work toward and know when you’ve achieved those goals.
    • Protect traffic flows from each area in which connections are initiated:
      1. Local user traffic flowing into the data center.
      2. Traffic flowing from the internet to the data center.
      3. Traffic flowing from the data center to the internet.
      4. Traffic flowing between servers or VMs within the data center (intra data center east-west traffic).
    • Don’t allow unknown users, applications, or traffic in your data center.
    • Create a standardized, scalable design you can replicate and apply consistently across data centers.
  2. Work with stakeholders such as IT/support, security, and groups that require data center access such as engineering, legal, finance, and HR, to develop an access strategy.
    • Identify users who need access, and the assets to which they need access. Understanding this enables you to create user groups based on access level requirements so you can design efficient Security policy rules by user group.
    • Identify the applications you want to allow (sanction) in the data center. To reduce the attack surface, only sanction applications for legitimate business reasons.
  3. Assess your data center to understand its current state so you can create a plan to transform data center security to the desired future state.
    • Inventory the physical and virtual environment and assets, including:
      • Servers, routers, switches, security devices, load balancers, and other network infrastructure.
      • Standard and proprietary custom applications and the service accounts they use to communicate. Compare the application inventory list to the list of applications you want to sanction.
        Focus on the applications you want to allow because your whitelist Security policy rules allow them and by default deny all other applications to reduce the attack surface. Map applications to business requirements. If an application doesn’t map to a business requirement, evaluate whether you really need to allow it.
      • Assess each asset to help prioritize what to protect first. Ask yourself questions such as, “What defines and differentiates our company?”, “What systems must be available for daily operations?”, and “If I lost this asset, what are the consequences?”
    • Work with application, network, and enterprise architects, and with business representatives to characterize data center traffic flows and learn about typical baseline traffic loads and patterns so you understand normal network behavior. Use the Application Command Center widgets and traffic analysis tools to baseline traffic.
  4. Create a Data Center Segmentation Strategy to prevent malware that gains a foothold in your data center from moving laterally to infect other systems.
    • Use firewalls as segmentation gateways to provide visibility into data center traffic and systems so you can finely control who can use which applications to access which devices. Segment and secure non-virtualized servers with physical firewalls and the virtual network with VM-Series firewalls.
    • Use the firewall’s flexible segmentation tools such as zones, dynamic address groups, App-ID, and User-ID to design a granular segmentation strategy that protects sensitive servers and data.
    • Group assets that perform similar functions and require the same level of security in the same segment.
    • Segment data center applications by segmenting the server tiers that make up an application tier (typically a service chain composed of a web server tier, an application server tier, and a database server tier) and using the firewall to control and inspect traffic between tiers.
    • Consider using an SDN solution inside the data center for an agile, virtualized infrastructure that maximizes resource utilization and makes automation and scaling easier.
  5. Plan to use best practice methodology to inspect all data center traffic and gain complete visibility, reduce the attack surface, and prevent known and unknown threats.
    • Position physical or virtual firewalls where they can see all data center network traffic.
    • Take advantage of the firewall’s powerful toolset to create application-based Security policy rules tied to specific user groups and protected by Security profiles. Forward unknown files to WildFire and deploy decryption to prevent threats from entering the data center in encrypted traffic.
    • Use GlobalProtect in internal mode as a gateway to control data center access.
    • Authenticate users to prevent unauthorized access and configure Multi-Factor Authentication for access to sensitive applications, services, and servers, especially by contractors, partners, and other third-parties who require access to your data center.
    • Manage firewalls centrally with Panorama to enforce consistent policy across physical and virtual environments and for centralized visibility.
  6. Phase in your best practice deployment over time; start by focusing on the most likely threats to your business and network, and protect your most valuable assets first.
    Taking into account all of the data center users, applications, devices, and traffic flows, and then creating best practice Security policy around them may seem like an overwhelming task if you try to do everything at one time. But by protecting your most valuable assets first and planning a phased, gradual implementation, you can transition in a smooth and practical way from a hope-for-the-best Security policy to a best practice Security policy that safely enables applications, users, and content.

Related Documentation