Internet-to-Data-Center Traffic Security Approach

Learn the risks of the traditional approach to securing internet traffic entering the data center and how the best practice approach mitigates those risks.
The traditional legacy approach to securing data center traffic flowing to the data center from the internet leaves valuable assets exposed to risk, while the best practice approach protects your valuable assets. The major risks from traffic entering the data center are inadvertently downloading malware from an infected external server or inadvertently placing malware on an external server from a compromised data center server.
The Traditional Approach
Risk
The Best Practice Approach
Create port-based security policy.
Malicious applications access the network by spoofing port numbers, tunneling through a port, or using port hopping to avoid detection.
Application whitelist rules prevent applications from running on non-standard ports. Log and monitor whitelist violations.
When you transition from port-based to application-based rules, in the rulebase, place the application-based rule above the port-based rule it will replace. Reset the policy rule hit counter for both rules. If traffic hits the port-based rule, its policy rule hit count increases. Tune the application-based rule until no traffic hits the port-based rule for a period of time, then remove the port-based rule.
An Intrusion Prevention System (IPS) is often deployed as an Intrusion Detection System (IDS).
An IPS is an in-band detection and prevention system, while an IDS is an out-of-band detection system. Deploying an IPS as an IDS takes intrusion detection out of the direct communication path between the source and the destination, so real-time prevention can’t occur and threats can enter the data center.
In-band on the firewall, use Palo Alto Networks App-ID, User-ID, and Content-ID to create application whitelist security policies that tightly control access. Apply the security profiles to stop known and new threats.
A web application firewall is sufficient to protect the data center.
An attacker places command-and-control (C2) software onto a compromised data center endpoint, opening the network to attack and potentially serving client-side exploits in a watering-hole attack.
Stop attackers from placing C2 software on data center endpoints simply by assigning the strict Anti-Spyware security profile to the security policy rule that controls the traffic. This profile is one of the firewall’s included features, so it costs you nothing extra to apply this protection.

Related Documentation