Data Center Best Practice Security Policy
    : Intra-Data-Center Traffic Policies
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. Data Center Best Practice Security Policy
    4. Data Center Security Policy Best Practices Checklist
    5. Deploy Data Center Best Practices
    6. Intra-Data-Center Traffic Policies
    Download PDF

    Data Center Best Practice Security Policy

    Intra-Data-Center Traffic Policies

    Table of Contents
    End-of-Life (EoL)

    Intra-Data-Center Traffic Policies

    Configure Security policy and Decryption policy for traffic between data center servers and application tiers.
    1. Create intra-data-center application allow rules to protect data center servers from other data center servers that may be compromised.
      A common application architecture consists of three server tiers: web servers, application servers, and database servers. Apply best practice Security profiles to most traffic between server tiers to prevent threats. Don’t apply Security profiles to low-value, high-volume traffic such as mailbox replication and backup flows—the firewall already inspected the original flows, so spending CPU cycles on them provides no extra value. Do create allow rules for these applications to prevent misuse. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.
      This example configures rules that allow traffic between application server tiers for two proprietary internal finance applications for which we created custom applications: Billing-App and Payment-App.
      • Allow finance application traffic between the web server tier and the application server tier.
      • Allow finance application traffic between the application server tier and the database server tier.
    2. Create intra-data-center Decryption policy rules to decrypt the traffic allowed in the preceding Security policy rules.
      The data center is a perfect place for attackers to hide because many people think the data center is safe and don’t look for intruders. But the same basic tenet that’s true in the rest of the network holds true in the data center: you can’t protect yourself against what you can’t see. Decrypt encrypted data center traffic so that the firewall can inspect traffic, control access, make threats visible, and protect your valuable assets.
      Not all data center traffic is encrypted. Don’t spend resources to decrypt unencrypted (cleartext) traffic.
      • This rule decrypts traffic flowing between the web server tier and the application server tier for the Finance department’s billing servers.
      • This rule decrypts the traffic flowing between the application server tier and the database server tier for the Finance department’s billing servers.

    © 2024 Palo Alto Networks, Inc. All rights reserved.