Plan Your Data Center Best Practice Deployment
If you’re already familiar with Palo Alto Networks’ platform, this checklist streamlines planning your data center best practice deployment strategy and roll-out so that you can set goals, prepare users for changes, and prioritize what to protect first.
Prepare to implement best practices in your data center by developing a strategy and a roll-out plan. Use positive security enforcement (create rules that allow the user and application traffic you want to allow and deny everything else, also known as whitelisting) to work toward a Zero Trust architecture.
- Set goals.
- Define the ideal future state of your data center network so you have definitive goals to work toward and know when you’ve achieved those goals.
- Protect traffic flows from each area in which connections are initiated:
- Local user traffic flowing into the data center.
- Traffic flowing from the internet to the data center.
- Traffic flowing from the data center to the internet.
- Traffic flowing between servers or VMs within the data center (intra data center east-west traffic).
- Don’t allow unknown users, applications, or traffic in your data center.
- Create a standardized, scalable design you can replicate and apply consistently across data centers.
- Work with stakeholders such as IT/support, security, and groups that require data center access such as engineering, legal, finance, and HR, to develop an access strategy.
- Identify users who need access, and the assets to which they need access. Understanding this enables you to create user groups based on access level requirements so you can design efficient Security policy rules by user group.
- Identify the applications you want to allow (sanction) in the data center. To reduce the attack surface, only sanction applications for legitimate business reasons.
- Assess your data center to understand its current state so you can create a plan to transform data center security to the desired future state.
- Inventory the physical and virtual environment and assets, including:
- Servers, routers, switches, security devices, load balancers, and other network infrastructure.
- Standard and proprietary custom applications and the service accounts they use to communicate. Compare the application inventory list to the list of applications you want to sanction. Focus on the applications you want to allow because your whitelist Security policy rules allow them and by default deny all other applications to reduce the attack surface. Map applications to business requirements. If an application doesn’t map to a business requirement, evaluate whether you really need to allow it.
- Assess each asset to help prioritize what to protect first. Ask yourself questions such as, “What defines and differentiates our company?”, “What systems must be available for daily operations?”, and “If I lost this asset, what are the consequences?”
- Work with application, network, and enterprise architects, and with business representatives to characterize data center traffic flows and learn about typical baseline traffic loads and patterns so you understand normal network behavior. Use the Application Command Center widgets and traffic analysis tools to baseline traffic.
- Create a Data Center Segmentation Strategy to prevent malware that gains a foothold in your data center from moving laterally to infect other systems.
- Use firewalls as segmentation gateways to provide visibility into data center traffic and systems so you can finely control who can use which applications to access which devices. Segment and secure non-virtualized servers with physical firewalls and the virtual network with VM-Series firewalls.
- Group assets that perform similar functions and require the same level of security in the same segment.
- Segment data center applications by segmenting the server tiers that make up an application tier (typically a service chain composed of a web server tier, an application server tier, and a database server tier) and using the firewall to control and inspect traffic between tiers.
- Consider using an SDN solution inside the data center for an agile, virtualized infrastructure that maximizes resource utilization and makes automation and scaling easier.
- Plan to use best practice methodology to inspect all data center traffic and gain complete visibility, reduce the attack surface, and prevent known and unknown threats.
- Position physical or virtual firewalls where they can see all data center network traffic.
- Take advantage of the firewall’s powerful toolset to create application-based Security policy rules tied to specific user groups and protected by Security profiles. Forward unknown files to WildFire and deploy decryption to prevent threats from entering the data center in encrypted traffic.
- Manage firewalls centrally with Panorama to enforce consistent policy across physical and virtual environments and for centralized visibility.
- If you have multiple data centers, reuse templates and template stacks to apply consistent security policy across different locations.
- Phase in your best practice deployment over time; start by focusing on the most likely threats to your business and network, and protect your most valuable assets first. Taking into account all of the data center users, applications, devices, and traffic flows, and then creating best practice Security policy around them may seem like an overwhelming task if you try to do everything at one time. But by protecting your most valuable assets first and planning a phased, gradual implementation, you can transition in a smooth and practical way from a hope-for-the-best Security policy to a best practice Security policy that safely enables applications, users, and content.
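The checklist's positive enforcement model and tier segmentation can be rehearsed on paper before any firewall is touched. The following is an added planning sketch, not Palo Alto Networks code or PAN-OS configuration: it evaluates constructed baseline flows against a draft allow-list with default deny and lists inventoried applications that no rule sanctions. All zone, group, rule, and application names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    user_group: str  # "any" for server-to-server rules
    app: str

# Constructed draft allow-list for one three-tier service chain (hypothetical names).
RULES = [
    Rule("finance-to-web", "users", "web", "finance", "web-browsing"),
    Rule("web-to-app", "web", "app", "any", "billing-api"),
    Rule("app-to-db", "app", "db", "any", "mysql"),
]

def evaluate(flow, rules=RULES):
    """Return the first matching allow rule's name, or 'default-deny'."""
    for r in rules:
        if (r.src_zone == flow["src_zone"] and r.dst_zone == flow["dst_zone"]
                and r.app == flow["app"]
                and r.user_group in ("any", flow.get("user_group"))):
            return r.name
    return "default-deny"

def review(flows, inventory_apps, rules=RULES):
    """Split flows into allowed/denied; list inventoried apps no rule sanctions."""
    allowed, denied = [], []
    for f in flows:
        verdict = evaluate(f, rules)
        (denied if verdict == "default-deny" else allowed).append((f, verdict))
    unsanctioned = sorted(set(inventory_apps) - {r.app for r in rules})
    return allowed, denied, unsanctioned

# Constructed baseline flows, as might come out of the traffic assessment step.
FLOWS = [
    {"src_zone": "users", "dst_zone": "web", "user_group": "finance", "app": "web-browsing"},
    {"src_zone": "web", "dst_zone": "app", "user_group": None, "app": "billing-api"},
    {"src_zone": "app", "dst_zone": "db", "user_group": None, "app": "mysql"},
    {"src_zone": "web", "dst_zone": "db", "user_group": None, "app": "mysql"},  # skips app tier
    {"src_zone": "users", "dst_zone": "web", "user_group": None, "app": "web-browsing"},  # unknown user
    {"src_zone": "app", "dst_zone": "app", "user_group": None, "app": "ssh"},  # east-west, same tier
]
INVENTORY_APPS = ["web-browsing", "billing-api", "mysql", "ssh", "ftp"]

if __name__ == "__main__":
    _, denied, unsanctioned = review(FLOWS, INVENTORY_APPS)
    print(len(denied), "flows denied; unsanctioned apps:", unsanctioned)
```

Each denied flow or unsanctioned application is a planning decision: either map it to a business requirement and add a rule, or accept that the deployed policy will block it.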