Learn the risks of the traditional approach to securing
internet traffic entering the data center and how the best practice
approach mitigates those risks.
The traditional legacy approach to securing data center
traffic flowing to the data center from the internet leaves valuable
assets exposed to risk, while the best practice approach protects
your valuable assets. The major risks from traffic entering the
data center are inadvertently downloading malware from an infected
external server or inadvertently placing malware on an external
server from a compromised data center server.
The Traditional Approach
The Best Practice Approach
Create port-based security policy.
Malicious applications access the network by
spoofing port numbers, tunneling through a port, or using port hopping
to avoid detection.
Application whitelist rules prevent applications
from running on non-standard ports. Log and monitor whitelist violations.
When you transition from port-based to application-based
rules, in the rulebase, place the application-based rule above the port-based
rule it will replace. Reset the policy rule hit counter for both rules.
If traffic hits the port-based rule, its policy rule hit count increases.
Tune the application-based rule until no traffic hits the port-based
rule for a period of time, then remove the port-based rule.
An Intrusion Prevention System (IPS) is often
deployed as an Intrusion Detection System (IDS).
An IPS is an in-band detection and prevention system,
while an IDS is an out-of-band detection system. Deploying an IPS
as an IDS takes intrusion detection out of the direct communication
path between the source and the destination, so real-time prevention
can’t occur and threats can enter the data center.
In-band on the firewall, use Palo Alto Networks
App-ID, User-ID, and Content-ID to create application whitelist
security policies that tightly control access. Apply the security profiles
to stop known and new threats.
A web application firewall is sufficient to protect
the data center.
An attacker places command-and-control (C2) software
onto a compromised data center endpoint, opening the network to
attack and potentially serving client-side exploits in a watering-hole attack.
Stop attackers from placing C2 software
on data center endpoints simply by assigning the strict Anti-Spyware
security profile to the security policy rule that controls the traffic.
This profile is one of the firewall’s included features, so it costs you
nothing extra to apply this protection.