How to Segment the Data Center
The next-generation firewall acts as a segmentation gateway and provides tools to segment your network.
How you segment your data center depends on your business requirements and your data center network architecture, including your SDN solution, which may dictate the segmentation method. For example, vwire interfaces control firewall connectivity on an NSX host. Because vwire interfaces don’t route or switch traffic on an NSX host, they must belong to the same zone, so all of the resources for a particular tenant (department, customer, or application tier) reside in one zone and the firewall uses dynamic address groups to segment application traffic within that zone. Each tenant has a separate zone with its own vwire interfaces. For other SDN solutions, separate virtual firewall instances may segment traffic.
Palo Alto Networks next-generation firewalls provide flexible tools to segment traffic:
- Zones—Traffic that crosses zones goes through the firewall for inspection. All allowed data center communication should traverse a firewall and undergo full threat inspection (antivirus, anti-spyware, vulnerability protection, file blocking, WildFire analysis, and URL Filtering for data center traffic that leaves the enterprise and for applications hosted by customer tenants). By default, the firewall denies all traffic between zones (interzone traffic) and allows traffic within a zone (intrazone traffic). You must write specific security policy rules to allow traffic to pass between zones, so only traffic that you explicitly allow can move from one zone to another. How you use zones to segment your data center depends on what assets you need to separate from other assets. For example, a common architecture includes separate zones for development servers and production servers. You can use zones to segment servers that house extremely sensitive information such as Payment Card Information (PCI) or Personally Identifiable Information (PII), to segment different internal company departments such as Marketing, Engineering, and Human Resources, and to segment customer resources and customer-hosted applications. Consider using zone protection profiles to protect zones against floods, reconnaissance activities (port scans and host sweeps), Layer 3 packet-based attacks, and non-IP protocol (Layer 2) packet-based attacks.
- Dynamic address groups—A dynamic address group is an address object whose membership the firewall populates from tags on IP addresses (learned from the virtualized environment or registered through the XML API) rather than from a static list, so security policy can define server groups dynamically. Adding a tag to or removing a tag from an IP address updates the group, and therefore the policy that references it, immediately and without a commit on the firewall. Within a zone, using dynamic address groups in security policy whitelist rules allows server-to-server interaction only for specified applications and services; because intrazone traffic is allowed by default, such whitelist rules need an explicit deny rule (or a modified intrazone-default rule) beneath them to take effect. For example, in NSX, use dynamic address groups to segment the server tiers within an application tier.
- User-ID—Enable User-ID to create application whitelist rules based on user groups, so that each user group can reach only the applications and server groups it needs.
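The interaction between the zone defaults and dynamic address groups described above is easy to get wrong, so here is an added example (not code from the Palo Alto Networks guide) that models it: a toy policy engine with the PAN-OS predefined defaults (interzone deny, intrazone allow), a tag-based dynamic address group whose membership changes without a commit, and a builder for the `uid-message` XML that the PAN-OS XML API accepts for tag registration. The zone names, tag names, rule names and IP addresses are constructed for the example; looking a host's zone up by IP is a simplification, since a real firewall derives the zone from the ingress interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import xml.etree.ElementTree as ET


@dataclass
class Rule:
    name: str
    from_zone: str   # zone name or "any"
    to_zone: str
    src_group: str   # dynamic address group name or "any"
    dst_group: str
    apps: Set[str]   # App-ID names; {"any"} matches every application
    action: str      # "allow" or "deny"


class Firewall:
    """Toy first-match policy engine (simplified: zone is looked up by IP)."""

    def __init__(self, ip_zone: Dict[str, str]) -> None:
        self.ip_zone = ip_zone
        self.tags: Dict[str, Set[str]] = {}   # ip -> tags registered via the API
        self.dags: Dict[str, str] = {}        # DAG name -> tag that selects members
        self.rules: List[Rule] = []

    def define_dag(self, name: str, tag: str) -> None:
        self.dags[name] = tag

    # Tag registration changes DAG membership at once; no commit is involved.
    def register(self, ip: str, *tags: str) -> None:
        self.tags.setdefault(ip, set()).update(tags)

    def unregister(self, ip: str, *tags: str) -> None:
        self.tags.get(ip, set()).difference_update(tags)

    def _in_group(self, ip: str, group: str) -> bool:
        return group == "any" or self.dags[group] in self.tags.get(ip, set())

    def evaluate(self, src: str, dst: str, app: str) -> Tuple[str, str]:
        """Return (matching rule name, action) for a flow."""
        sz, dz = self.ip_zone[src], self.ip_zone[dst]
        for r in self.rules:
            if r.from_zone not in ("any", sz) or r.to_zone not in ("any", dz):
                continue
            if not (self._in_group(src, r.src_group) and self._in_group(dst, r.dst_group)):
                continue
            if "any" not in r.apps and app not in r.apps:
                continue
            return r.name, r.action
        # PAN-OS predefined defaults: intrazone allows, interzone denies.
        return ("intrazone-default", "allow") if sz == dz else ("interzone-default", "deny")


def uid_message(register: Dict[str, Set[str]], unregister: Dict[str, Set[str]]) -> str:
    """Build the uid-message XML body for the XML API (type=user-id) that adds
    or removes tags on IP addresses, which updates DAG membership."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        sec = ET.SubElement(payload, section)
        for ip, tags in sorted(mapping.items()):
            tag_el = ET.SubElement(ET.SubElement(sec, "entry", ip=ip), "tag")
            for t in sorted(tags):
                ET.SubElement(tag_el, "member").text = t
    return ET.tostring(root, encoding="unicode")


def demo() -> Dict[str, Tuple[str, str]]:
    # Constructed sample hosts: three production servers and one dev server.
    fw = Firewall({"10.1.1.10": "prod", "10.1.1.20": "prod",
                   "10.1.1.30": "prod", "10.2.2.5": "dev"})
    fw.define_dag("web-tier", "role-web")
    fw.define_dag("db-tier", "role-db")
    fw.register("10.1.1.10", "role-web")
    fw.register("10.1.1.20", "role-db")
    fw.rules = [
        Rule("web-to-db", "prod", "prod", "web-tier", "db-tier", {"mysql"}, "allow"),
        # Without this explicit deny the intrazone-default would allow every
        # other flow inside "prod", defeating the whitelist above.
        Rule("deny-prod-intrazone", "prod", "prod", "any", "any", {"any"}, "deny"),
    ]
    results = {
        "web->db mysql": fw.evaluate("10.1.1.10", "10.1.1.20", "mysql"),
        "web->db ssh": fw.evaluate("10.1.1.10", "10.1.1.20", "ssh"),
        "dev->db mysql": fw.evaluate("10.2.2.5", "10.1.1.20", "mysql"),
        "new host before tag": fw.evaluate("10.1.1.30", "10.1.1.20", "mysql"),
    }
    fw.register("10.1.1.30", "role-web")   # new web server tagged, no commit
    results["new host after tag"] = fw.evaluate("10.1.1.30", "10.1.1.20", "mysql")
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22} -> {verdict}")
    print(uid_message({"10.1.1.30": {"role-web"}}, {}))
```

The `dev->db` flow hits `interzone-default` and is dropped with no rule written at all, while the `web->db ssh` flow is only dropped because of the explicit intrazone deny; the newly tagged host becomes a member of `web-tier` and matches `web-to-db` the moment its tag is registered. To push the same tag to a real firewall, POST the `uid_message` output as the `cmd` parameter to `/api/?type=user-id` with an API key.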
When you design your data center segmentation plan, keep in mind the following general guidelines:
- Assess your data center first (see How to Assess Your Data Center), so that you can segment it in stages and protect the most valuable and sensitive assets first.
- Use an SDN solution (such as NSX, ACI, OpenStack) inside the data center to provide a scalable, agile, virtualized infrastructure. SDN is the best way to centralize data center network management, maximize compute resource utilization, scale and automate the network, and control and secure traffic on a virtualized network. Although you can create a non-SDN architecture that essentially replicates an SDN architecture, it’s difficult and time consuming to do, prone to errors that result in outages, and is not considered a best practice. SDN solutions maximize the use of the underlying data center compute resources without sacrificing security.
- Use physical next-generation firewalls to segment and secure non-virtualized legacy servers and use VM-Series firewalls to segment and secure the virtual data center network.
- Group assets that perform similar functions and require the same level of security in the same data center segment. For example, place servers that connect to the internet in the same segment.
Base your segmentation plan on multiple criteria to develop the right plan to secure your business.