| The Traditional Approach | The Resulting Risk | The Best Practice Approach |
| --- | --- | --- |
| You don’t need to segment traffic that doesn’t cross the data center perimeter, so traffic between application tiers doesn’t need to pass through the security infrastructure. | An attacker who compromises any data center server can move laterally to critical data center servers and repurpose them. Attackers inside the data center can move at will without fear of being discovered. | Segment traffic between application tiers using tight whitelist rules to prevent unnecessary communication, reduce the attack surface, and help prevent an attacker from moving laterally within the data center. Log and monitor whitelist violations. |
| The data center is safe inside the trusted network, so it’s not urgent to patch data center servers quickly. | Vulnerabilities remain open longer and present attack vectors to attackers. | Install patches on data center servers in a timely manner to close down vulnerabilities. Creating whitelist security policy rules helps you understand what is running in your data center and where unpatched services are running. |
| Mix blocking and alerting threat prevention profiles from multiple vendors. | A conglomeration of individual tools leaves security holes for attackers and may not work together well. | The Palo Alto Networks suite of coordinated security tools works together to plug security holes, prevent attacks, and identify unknown malware attempting to spread among data center servers. |
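The first row's whitelist-and-log approach, as an added example that is not Palo Alto Networks code: the tier subnets, the allowed tier-to-tier flows and the sample flow records are all constructed assumptions, and anything not on the whitelist is denied and reported as a violation to monitor.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed tier layout: which subnet hosts which application tier.
TIERS = {
    "web": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}

# Tight whitelist: only these (source tier, destination tier, port) flows are
# allowed between tiers. Everything else is denied and logged (default deny).
WHITELIST = {
    ("web", "app", 8080),  # web front end talks to the app tier only
    ("app", "db", 5432),   # app tier talks to the database only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def tier_of(addr: str):
    """Map an address to its tier name, or None if it is outside every tier."""
    ip = ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), None)


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the tier whitelist."""
    key = (tier_of(flow.src), tier_of(flow.dst), flow.dport)
    return "allow" if key in WHITELIST else "deny"


def violations(flows):
    """Return (src_tier, dst_tier, port) for every denied flow: the monitoring feed."""
    return [(tier_of(f.src), tier_of(f.dst), f.dport)
            for f in flows if evaluate(f) == "deny"]


# Constructed sample flow records: two legitimate tier hops and three that a
# whitelist between tiers would block (web straight to db, app back to web, db to app).
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.7", 8080),
    Flow("10.2.0.7", "10.3.0.9", 5432),
    Flow("10.1.0.5", "10.3.0.9", 5432),
    Flow("10.2.0.7", "10.1.0.5", 22),
    Flow("10.3.0.9", "10.2.0.7", 445),
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("whitelist violation: %s -> %s port %d" % v)
```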