Data Center Best Practice Methodology
Inspect all traffic, reduce the data center attack surface, and prevent known and unknown threats. Phase in protection starting with your most valuable assets.
The following best practice methodologies ensure detection and prevention at multiple stages of the attack life cycle.
Each methodology below is followed by an explanation of why it is important.
Inspect All Traffic to Gain Complete Visibility
Seeing network traffic enables you to identify the presence of attackers. Inspect traffic to see the users, applications, and content that flow into, through, and out of the data center:
Visibility into traffic enables the firewall to use its native App-ID, Content-ID, and User-ID technologies to tie the applications, threats, and content to users, regardless of user location or device type, port, encryption, or evasive technique.
Reduce the Attack Surface
The attack surface is all of the points of network interaction, both hardware and software, including applications, content, and users, along with servers, switches, routers, and other physical and virtual equipment. Reducing the attack surface leaves fewer vulnerabilities for attackers to target. The more you reduce the attack surface, the harder it is to breach the network.
Prevent Known Threats
Security profiles that you attach to security policy allow rules scan the allowed traffic for known threats such as viruses, spyware, application-layer vulnerability exploits, and malicious files. Based on the security profile configuration, the firewall applies an action such as allow, alert, drop, block IP, or reset connection to those threats.
Follow content update best practices and install content updates as soon as possible after downloading them to update the security profiles and apply the latest protections to your data center. Security profiles are fundamental protections that are easy to apply to security policy rules.
External dynamic lists (EDLs) also protect against known threats. EDLs import lists of malicious and risky IP addresses, URLs, or domains into the firewall to prevent known threats. EDLs come from trusted third parties, from predefined EDLs on the firewall, and from custom EDLs that you create. EDLs are updated dynamically on the firewall without requiring a commit.
Preventing known threats is another reason that enabling decryption is important. If traffic is encrypted and you can’t see the threat, knowing about it doesn’t help; you can still be victimized because the firewall never sees it.
Prevent Unknown Threats
How do you detect a threat nobody has seen before? The answer is to forward all unknown files to WildFire for analysis.
WildFire identifies unknown or targeted malware. The first time a firewall detects an unknown file, the firewall forwards the file to its internal destination and also to the WildFire cloud for analysis. WildFire analyzes the file (or a link in an email) and returns a verdict to the firewall in as little as five minutes. WildFire also returns a signature that identifies the file, turning the unknown file into a known file. If the file contained a threat, the threat is now known, and the next time the file arrives at the firewall, the firewall blocks it.
You can check verdicts in the WildFire submission logs. Set up WildFire appliance content updates to download and install automatically every minute so that you always have the most recent support. For example, support for Linux and SMB files was first delivered in WildFire appliance content updates.
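The unknown-file workflow described above, as an added model (not PAN-OS or WildFire code): the first sighting of a file is delivered to its destination and submitted for analysis, sightings during the analysis window are still allowed, and once a malicious verdict arrives the hash is known and later sightings are blocked. The class and method names are hypothetical and the sample payload is constructed.

```python
"""Constructed model of a per-hash verdict cache, illustrating why the first
sighting of an unknown file is a detection window rather than a block."""
from enum import Enum
import hashlib


class Verdict(Enum):
    PENDING = "pending"      # submitted for analysis, no verdict yet
    BENIGN = "benign"
    MALICIOUS = "malicious"


class UnknownFileGate:
    """Hypothetical gate: tracks verdicts by file hash, as a firewall would."""

    def __init__(self):
        self.verdicts = {}      # sha256 hex digest -> Verdict
        self.submitted = []     # digests forwarded for analysis

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def inspect(self, content: bytes) -> str:
        """Return 'allow+submit', 'allow', or 'block' for one file transfer."""
        h = self.digest(content)
        verdict = self.verdicts.get(h)
        if verdict is None:
            # Never seen before: deliver the file and submit it for analysis.
            self.verdicts[h] = Verdict.PENDING
            self.submitted.append(h)
            return "allow+submit"
        if verdict is Verdict.MALICIOUS:
            return "block"
        # BENIGN, or still PENDING (the detection window): traffic flows.
        return "allow"

    def receive_verdict(self, h: str, verdict: Verdict) -> None:
        """Called when the analysis verdict (and signature) comes back."""
        self.verdicts[h] = verdict


def demo():
    gate = UnknownFileGate()
    sample = b"constructed sample payload"   # stands in for an unknown file
    first = gate.inspect(sample)             # "allow+submit"
    during = gate.inspect(sample)            # "allow": verdict not back yet
    gate.receive_verdict(gate.digest(sample), Verdict.MALICIOUS)
    after = gate.inspect(sample)             # "block": hash is now known
    return first, during, after
```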
- Manage firewalls centrally with Panorama to consistently enforce policy across physical and virtual environments and for centralized visibility.
- Use positive security enforcement to allow traffic you want on your data center network and deny the rest.
- Create a standardized, scalable design that you can replicate and apply consistently across data centers.
- Get buy-in from executives, IT and data center administrators, users, and other affected parties.
Phase in next-generation security by focusing on the most likely threats to your particular business and network, and then determine the most important assets to protect and protect them first. Ask the following questions to help prioritize the assets to protect first:
- What makes our company what it is? What properties define and differentiate your company, and what assets map to those properties? Assets that relate to your company’s proprietary competitive advantages should be high on the protection priority ladder. For example, a software development company would prioritize its source code, and a pharmaceutical company would prioritize its drug formulas.
- What keeps the enterprise in business? Which systems and applications do you need to support the daily operation of the company? For example, your Active Directory (AD) service provides employee access to applications and workstations. Compromising your AD service gives an attacker access to all accounts within your enterprise, which gives the attacker full access to your network. Other examples include critical IT infrastructure such as management tools and authentication servers, and the servers that house the most critical data for business operations.
- If I lost this asset, what would happen? The worse the consequences of losing an asset, the higher the priority to protect that asset. For example, the user experience may differentiate a service company, so protecting that experience is a high priority. Proprietary processes and equipment may differentiate a manufacturing company, so protecting the intellectual property and proprietary designs is a high priority. Create a priority list to define what to protect first.
Define the ideal future state of your data center network and work in phases to achieve it. Periodically revisit your definition to account for changes in your business, new regulatory and legal requirements, and new security requirements.