Intra-Data-Center Traffic Policies

Configure Security policy and Decryption policy for traffic between data center servers and application tiers.
  1. Create intra-data center application allow rules to protect data center servers from other data center servers that may be compromised.
    A common application architecture consists of three server tiers: web servers, application servers, and database servers. Apply best practice Security profiles to most traffic between server tiers to prevent threats. Don’t apply Security profiles to low-value, high-volume traffic such as mailbox replication and backup flows—the firewall already inspected the original flows, so spending CPU cycles on them provides no extra value. Do create allow access rules for these applications to prevent misuse. For each rule, configure
    Log at Session End
    on the
    Actions
    tab and set up Log Forwarding to track and analyze rule violations.
    This example configures rules that allow traffic between application server tiers for two proprietary internal finance applications for which we created custom applications:
    Billing-App
    and
    Payment-App
    .
    • Allow finance application traffic between the web server tier and the application server tier.
      web-to-app-server-sec-pol-rule-intra-dc.png
    • Allow finance application traffic between the application server tier and the database server tier.
      app-to-db-server-sec-pol-rule-intra-dc.png
  2. Create intra-data-center Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules.
    The data center is a perfect place for attackers to hide because many people think the data center is safe and don’t look for intruders. But the same basic tenet that’s true in the rest of the network holds true in the data center: you can’t protect yourself against what you can’t see. Decrypt encrypted data center traffic so that the firewall can inspect traffic, control access, make threats visible, and protect your valuable assets.
    Not all data center traffic is encrypted. Don’t spend resources to decrypt unencrypted (cleartext) traffic.
    • This rule decrypts traffic flowing between the web server tier and the application server tier for the Finance department’s billing servers.
      web-to-app-server-decrypt-pol-rule-intra-dc.png
    • This rule decrypts the traffic flowing between the application server tier and the database server tier for the Finance department’s billing servers.
      app-to-db-server-decrypt-pol-rule-intra-dc.png

Recommended For You