User-to-Data-Center Traffic Security Approaches

Learn the risks of the traditional approach to securing user traffic to the data center and how the best practice approach mitigates those risks.
The traditional legacy approach to securing user traffic flowing to the data center leaves valuable assets exposed to risk, while the best practice approach protects your valuable assets.
The Traditional ApproachRiskThe Best Practice Approach
Port-based rules provide sufficient security because the data center is inside a trusted network.Malicious applications access the network by spoofing port numbers, tunneling through a port, or using port hopping to avoid detection.Application whitelist rules tie together applications, users, and servers so that only legitimate users using sanctioned applications can access the right sets of data center servers.
When you transition from port-based to application-based rules, in the rulebase, place the application-based rule above the port-based rule it will replace. Reset the policy rule hit counter for both rules. If traffic hits the port-based rule, its policy rule hit count increases. Tune the application-based rule until no traffic hits the port-based rule for a period of time, then remove the port-based rule.
Trust internal users and allow the application the user accesses to determine whether access is allowed based on credentials and possibly on IP address rules. An attacker gains access to a data center endpoint and then moves laterally to any other data center endpoint to exploit stolen credentials or server-side vulnerabilities. Unknown users gain access to data center endpoints.Enable User-ID, block unknown users, and whitelist access for sanctioned users. Create separate identity domains for employees, partners, and contractors. Use multi-factor authentication (MFA) for partner, contractor, and sensitive server access.
Analyzing unknown files is unnecessary because the data center is inside a trusted network.Users may inadvertently download malware from file sharing and other cloud applications. Send all unknown files to WildFire for analysis to identify new and unknown malware and protect against it.
A mix of threat prevention profiles from multiple vendors.A conglomeration of individual tools leaves security holes for attackers and may not work together well. The Palo Alto Networks suite of coordinated security tools works together to plug security holes and prevent attacks.

Related Documentation