Data Center Best Practice Methodology
Version 10.2
Inspect all traffic, reduce the data center attack surface,
and prevent known and unknown threats. Phase in protection starting
with your most valuable assets.
The following best practice methodologies ensure detection
and prevention at multiple stages of the attack life cycle.
| Best Practice Methodology | Why Is This Important? |
|---|---|
| Inspect All Traffic to Gain Complete Visibility | Seeing network traffic enables you to identify the presence of attackers. Inspect traffic to see the users, applications, and content that flow into, through, and out of the data center. Visibility into traffic enables the firewall to use its native App-ID, Content-ID, User-ID, and Device-ID technologies to tie the applications, threats, and content to users, regardless of user location or device type, port, encryption, or evasive technique. |
| Reduce the Attack Surface | The attack surface is all of the points of network interaction, both hardware and software, including applications, content, and users, along with servers, switches, routers, and other physical and virtual equipment. Reducing the attack surface leaves fewer vulnerabilities for attackers to target. The more you reduce the attack surface, the harder it is to breach the network. |
| Prevent Known Threats | Security profiles attached to security policy allow rules scan traffic for known threats such as viruses, spyware, application-layer vulnerability exploits, malicious files, and more. The firewall applies an action such as allow, alert, drop, block IP, or a connection reset to those threats based on the security profile configuration. Follow content update best practices and install content updates as soon as possible after downloading them to update the security profiles and apply the latest protections to your data center. Security profiles are fundamental protections that are easy to apply to security policy rules. External Dynamic Lists (EDLs) also protect against known threats. EDLs import lists of malicious and risky IP addresses, URLs, or domains into the firewall to prevent known threats. EDLs come from trusted third parties, from predefined EDLs on the firewall, and from custom EDLs that you create. EDLs are updated dynamically on the firewall without requiring a commit. Preventing known threats is another reason that enabling decryption is important. If you can't see a threat, knowing about it doesn't help; you can still be victimized by it. |
| Prevent Unknown Threats | How do you detect a threat nobody has seen before? The answer is to forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware. The first time a firewall detects an unknown file, the firewall forwards the file to its internal destination and also to the WildFire cloud for analysis. WildFire analyzes the file (or a link in an email) and returns a verdict to the firewall in as little as five minutes. WildFire also includes a signature that identifies the file, transforming the unknown file into a known file. If the file contained a threat, the threat is now known. If the file is malicious, the next time the file arrives at the firewall, the firewall blocks it. You can check verdicts in the WildFire Submissions logs (Monitor > Logs > WildFire Submissions). Set up WildFire appliance content updates to download and install automatically every minute so that you always have the most recent support. For example, support for Linux and SMB files was first delivered in WildFire appliance content updates. |
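The following is an added illustration, not PAN-OS code or part of this page: a simplified model of how an IP-type EDL feeds a block rule, how explicit allow rules carry a security profile, and how unmatched traffic falls to an implicit deny (positive enforcement). The EDL contents, rule names, application names and profile name are constructed for the example.

```python
"""Simplified model of a positive-enforcement data center rulebase (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed EDL text: one entry per line, '#' comments and blank lines ignored.
SAMPLE_EDL = """
# constructed list of risky sources
203.0.113.0/24
198.51.100.17
"""


def load_ip_edl(text):
    """Parse an IP-type EDL into network objects; a malformed line is skipped, not fatal."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad entry must not poison the whole list
    return nets


def in_edl(nets, ip):
    """True if the address falls in any host or CIDR entry of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: set = field(default_factory=set)        # empty set means any application
    src_edl: list = field(default_factory=list)   # block rules keyed on an EDL
    profile: str = ""                             # security profile on allow rules


def build_rulebase(edl_text=SAMPLE_EDL):
    """Block rule first, then explicit allows; names and apps are constructed."""
    edl = load_ip_edl(edl_text)
    return [
        Rule("block-edl-sources", "deny", src_edl=edl),
        Rule("allow-web-tier", "allow", apps={"web-browsing", "ssl"}, profile="dc-best-practice"),
        Rule("allow-db-tier", "allow", apps={"db-app"}, profile="dc-best-practice"),
    ]


def evaluate(rulebase, src_ip, app):
    """First match wins; no match means the implicit deny at the end of the rulebase."""
    for rule in rulebase:
        if rule.src_edl and not in_edl(rule.src_edl, src_ip):
            continue
        if rule.apps and app not in rule.apps:
            continue
        return rule.name, rule.action, rule.profile
    return "implicit-deny", "deny", ""
```

Because the EDL is parsed at evaluation time from its text, refreshing the list changes what the block rule matches without touching the rules themselves, which is the behaviour the EDL description above relies on.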
In addition:
- Manage firewalls centrally with Panorama to consistently enforce policy across physical and virtual environments and for centralized visibility.
- Use positive security enforcement to allow traffic you want on your data center network and deny the rest.
- Create a standardized, scalable design that you can replicate and apply consistently across data centers.
- Get buy-in from executives, IT and data center administrators, users, and other affected parties.
Phase in next-generation security by focusing on the most likely
threats to your particular business and network, and then determine
the most important assets to protect and protect them first. Ask
the following questions to help prioritize the assets to protect
first:
- What makes our company what it is? What properties define and differentiate your company, and what assets map to those properties? Assets that relate to your company’s proprietary competitive advantages should be high on the protection priority ladder. For example, a software development company would prioritize its source code, or a pharmaceutical company would prioritize its drug formulas.
- What keeps the enterprise in business? Which systems and applications do you need to support the daily operation of the company? For example, your Active Directory (AD) service provides employee access to applications and workstations. Compromising your AD service gives an attacker access to all accounts within your enterprise, which gives the attacker full access to your network. Other examples include critical IT infrastructure such as management tools and authentication servers, and servers that house the most critical data for business operations.
- If I lost this asset, what would happen? The worse the consequences of losing an asset, the higher the priority to protect that asset. For example, the user experience may differentiate a service company, so protecting that experience is high priority. Proprietary processes and equipment may differentiate a manufacturing company, so protecting the intellectual property and proprietary designs is high priority. Create a priority list to define what to protect first.
Define the ideal future state of your data center network and
work in phases to achieve it. Periodically revisit your definition
to account for changes in your business, new regulatory and legal
requirements, and new security requirements.