Data-Center-to-Internet Traffic Security Approaches
Learn the risks of the traditional approach to securing
data center server traffic to internet servers (for updates, certificate
revocation checks, etc.) and how the best practice approach mitigates
those risks.
The traditional legacy approach to securing data center
traffic flowing to the internet leaves valuable assets exposed to
risk, while the best practice approach protects your valuable assets.
| The Traditional Approach | Risk | The Best Practice Approach |
|---|---|---|
| Create port-based rules and/or IP-based rules, which provide sufficient security in the trusted network. | Port-based and IP-based rules can’t control which applications to allow to connect to the internet. If a port is open, any application can use the port. | Create strict application-based whitelist
rules that allow only data center servers that retrieve updates to
use only legitimate applications to communicate only with legitimate
update servers. Log and monitor whitelist rule violations. When you transition from port-based to application-based
rules, in the rulebase, place the application-based rule above the
port-based rule it will replace. Reset the policy rule hit counter for both rules.
If traffic hits the port-based rule, its policy rule hit count increases.
Tune the application-based rule until no traffic hits the port-based
rule for a period of time, then remove the port-based rule. |
| Data center servers only reach out to trusted servers such as update servers, so decrypting that traffic isn’t necessary. | Malware or command-and-control software that is already in the data center may attempt to communicate with external servers to download more malware or exfiltrate data. | Decrypt all traffic from the data center to the internet. Create a custom URL categories that defines the URLs data center servers are allowed to contact and use it in Security policy to limit internet access to external servers. Use the same custom URL in Decryption policy to decrypt traffic to those external servers. |
| Mix blocking and alerting threat prevention profiles from multiple vendors. | A conglomeration of individual tools leaves security holes for attackers and may not work together well. | The Palo Alto Networks suite of coordinated security tools works together to plug security holes and prevent attacks. |
Related Documentation
User-to-Data-Center Traffic Security Approaches
Learn the risks of the traditional approach to securing user traffic to the data center and how the best practice approach mitigates those risks. ...
Intra-Data-Center Traffic Security Approach
Learn the risks of the traditional approach to securing traffic flowing between data center servers (east-west traffic) and how the best practice approach mitigates those ...
Internet-to-Data-Center Traffic Security Approach
Learn the risks of the traditional approach to securing internet traffic entering the data center and how the best practice approach mitigates those risks. ...
Migrate Port-Based to App-ID Based Security Policy Rules
Policy Optimizer converts port-based Security policy rules to app-based rules without compromising app availability to safely enable applications. ...
Define the Initial Data-Center-to-Internet Traffic Security...
Define which data center servers can access which update servers, certificate revocation servers, etc., on the internet. ...
Define the Initial Intra-Data-Center Traffic Security Polic...
Define the traffic that can flow between data center server tiers to provide application services. ...
How to Segment Data Center Applications
Prevent malware from moving between applications, between application tiers, and between server tiers. ...
Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability. ...