Intra-Data-Center Traffic Security Approach
Learn the risks of the traditional approach to securing
traffic flowing between data center servers (east-west traffic)
and how the best practice approach mitigates those risks.
The traditional legacy approach to securing east-west
traffic between data center servers leaves valuable assets exposed
to risk, while the best practice approach protects your valuable
assets.
| The Traditional Approach | Risk | The Best Practice Approach |
|---|---|---|
You don’t need to segment traffic that doesn’t
cross the data center perimeter so traffic between application tiers
doesn’t need to pass through the security infrastructure. | An attacker who compromises any data center server can move laterally to critical data center servers and repurpose them. Attackers inside the data center can move at will without fear of being discovered. | Segment traffic between application tiers
using tight whitelist rules to prevent unnecessary communication,
reduce the attack surface, and help prevent an attacker from moving
laterally within the data center. Log and monitor whitelist violations. |
The data center is safe inside the trusted
network, so it’s not urgent to patch data center servers quickly. | Vulnerabilities remain open longer and present
attack vectors to attackers. | Install patches on data center servers in a timely manner to close down vulnerabilities. Creating whitelist security policy rules helps you understand what is running in your data center and where unpatched services are running. |
Mix blocking and alerting threat prevention
profiles from multiple vendors. | A conglomeration of individual tools leaves
security holes for attackers and may not work together well. | The Palo Alto Networks suite of coordinated security tools works together to plug security holes, prevent attacks, and to identify unknown malware attempting to spread among data center servers. |
In addition:
- Create a unique service account for each function. For example, allow only specific service accounts to replicate exchange mailboxes, and allow only specific service accounts on web servers to query MySQL databases. Don’t use one service account for both functions.
- Monitor service accounts.
- Don’t allow regular user accounts in the data center.
When you transition from port-based to application-based
rules, in the rulebase, place the application-based rule above the
port-based rule it will replace. Reset the policy rule hit counter for both rules.
If traffic hits the port-based rule, its policy rule hit count increases.
Tune the application-based rule until no traffic hits the port-based
rule for a period of time, then remove the port-based rule.
Related Documentation
Data-Center-to-Internet Traffic Security Approaches
Learn the risks of the traditional approach to securing data center server traffic to internet servers (for updates, certificate revocation checks, etc.) and how the ...
User-to-Data-Center Traffic Security Approaches
Learn the risks of the traditional approach to securing user traffic to the data center and how the best practice approach mitigates those risks. ...
Internet-to-Data-Center Traffic Security Approach
Learn the risks of the traditional approach to securing internet traffic entering the data center and how the best practice approach mitigates those risks. ...
Define the Initial Intra-Data-Center Traffic Security Polic...
Define the traffic that can flow between data center server tiers to provide application services. ...
How to Segment Data Center Applications
Prevent malware from moving between applications, between application tiers, and between server tiers. ...
Migrate Port-Based to App-ID Based Security Policy Rules
Policy Optimizer converts port-based Security policy rules to app-based rules without compromising app availability to safely enable applications. ...
What Data Center Traffic to Log and Monitor
The types of data center traffic you should log and monitor, the tools you can use to analyze the traffic, and how to best utilize ...
Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
Example of migrating port-based Security policy rules for web browsing and SSL traffic to app-based rules without affecting application availability. ...