: Data Center Best Practice Methodology
Focus
Focus

Data Center Best Practice Methodology

Table of Contents

Data Center Best Practice Methodology

Inspect all traffic, reduce the data center attack surface, and prevent known and unknown threats. Phase in protection starting with your most valuable assets.
The following best practice methodologies ensure detection and prevention at multiple stages of the attack life cycle.
Best Practice MethodologyWhy Is This Important?
Inspect All Traffic to Gain Complete VisibilitySeeing network traffic enables you to identify the presence of attackers. Inspect traffic to see the users, applications, and content that flow into, through, and out of the data center:
  • Deploy next-generation firewalls in positions where they can inspect all of the network traffic. Don’t allow traffic to flow into the data center or between network segments without positioning a firewall to examine the traffic.
  • Enable SSL decryption on all traffic entering or exiting the data center, unless regulations or compliance rules require you to except categories such as health, finance, government, or military. You must see threats to protect your network against them. Because more than 50 percent of a typical network’s traffic is encrypted and that percentage is rising, if you don’t decrypt traffic, you can’t completely protect your network.
  • Use App-ID to identify applications, and create custom applications for proprietary applications, so that the firewall can identify and categorize those applications appropriately and apply the correct security policy rule. This is especially important for older legacy applications that are otherwise categorized as “web-browsing” or “unknown-tcp” instead of being correctly categorized.
    If you have existing Application Override policies that you created solely to define custom session timeouts for a set a of ports, convert the existing Application Override policies to application-based policies by configuring service-based session timeouts to maintain the custom timeout for each application and then migrating the rule the an application-based rule. Application Override policies are port-based. When you use Application Override policies to maintain custom session timeouts for a set of ports, you lose application visibility into those flows, so you neither know nor control which applications use the ports. Service-based session timeouts achieve custom timeouts while also maintaining application visibility.
  • Enable User-ID on all traffic entering or exiting the data center to map application traffic and associated threats in its content to users and services. You enable User-ID on network segments (zones), so you must segment the network to enable User-ID. Segmenting the network is a best practice for gaining visibility and reducing the attack surface.
  • Deploy GlobalProtect in internal mode as a gateway to control access to the data center. GlobalProtect checks user information to verify users, and host information to verify that host security is up-to-date, by comparing the host information to HIP objects and profiles that you define. This ensures that hosts connecting to your network maintain your level of security standards.
  • Enable Log At Session End on all security policy rules.
    Log At Session Start consumes more resources than logging only at the session end. In most cases, you only Log At Session End. Enable both Log At Session Start and Log At Session End only for troubleshooting, for long-lived tunnel sessions such as GRE tunnels (you can't see these sessions in the ACC unless you log at the start of the session), and to gain visibility into Operational Technology/Industrial Control Systems (OT/ICS) sessions, which are also long-lived sessions.
Visibility into traffic enables the firewall to use its native App-ID, Content-ID, User-ID, and Device-ID technologies to tie the applications, threats, and content to users, regardless of user location or device type, port, encryption, or evasive technique.
Reduce the Attack SurfaceThe attack surface is all of the points of network interaction, both hardware and software, including applications, content, and users, along with servers, switches, routers, and other physical and virtual equipment. Reducing the attack surface leaves fewer vulnerabilities for attackers to target. The more you reduce the attack surface, the harder it is to breach the network.
  • Assess your data center so that you know the applications, content, and users on the network.
  • Use positive security enforcement by creating application-based security policy rules that allow only applications with a legitimate business use on the network and rules to block all high-risk applications that have no legitimate use case.
  • Use the information from assessing the environment to create a strategy that segments the network into zones based on business requirements, common functionality, and global policy requirements, so that the resources in each zone need the same security level. Inside the data center, segment applications tiers such as databases, web servers, application servers, development servers, and production servers into zones. Segmentation enables you to see traffic between different application tiers because the traffic must traverse a firewall when it flows between zones.
    Granular segmentation enables you to construct security policy rules that focus on the business requirements of each zone and provide the appropriate protection to each segment. Segmentation also helps stop lateral movement of malware into and within the data center because the combination of App-ID, Content-ID (threat prevention), and User-ID enable you to identify the traffic that should be allowed access and deny the rest.
  • Deploy GlobalProtect in internal mode as a gateway to control access to the data center.
  • To further reduce the attack surface, on security policy rules that allow application traffic, apply File Blocking profiles to block malicious and risky file types. Prevent credential theft breaches by using the firewall’s authentication policy to enable Multi-Factor Authentication, so that even if attackers succeed in stealing credentials, they won’t succeed in accessing the data center network.
Prevent Known ThreatsSecurity profiles attached to security policy allow rules scan traffic for known threats such as viruses, spyware, application-layer vulnerability exploits, malicious files, and more. The firewall applies an action such as allow, alert, drop, block IP, or a connection reset to those threats based on the security profile configuration.
Follow content update best practices and install content updates as soon as possible after downloading them to update the security profiles and apply the latest protections to your data center. Security profiles are fundamental protections that are easy to apply to security policy rules.
External Dynamic Lists (EDLs) also protect against known threats. EDLs import lists of malicious and risky IP addresses, URLs, or domains into the firewall to prevent known threats. EDLs come from trusted third parties, from predefined EDLs on the firewall, and from custom EDLs that you create. EDLs are updated dynamically on the firewall without requiring a commit.
Preventing known threats is another reason that enabling decryption is important. If you can’t see the threat, it doesn’t matter if you know about it, you may still be victimized because you can’t see it.
Prevent Unknown ThreatsHow do you detect a threat nobody has seen before? The answer is to forward all unknown files to WildFire for analysis.
WildFire identifies unknown or targeted malware. The first time a firewall detects an unknown file, the firewall forwards the file to its internal destination and also to the WildFire cloud for analysis. WildFire analyzes the file (or a link in an email) and returns a verdict to the firewall in as little as five minutes. WildFire also includes a signature that identifies the file, transforming the unknown file to a known file. If the file contained a threat, the threat is now known. If the file is malicious, the next time the file arrives at the firewall, the firewall blocks it.
You can check verdicts in the WildFire submission logs (MonitorLogsWildFire Submissions). Set up WildFire appliance content updates to download and install automatically every minute so that you always have the most recent support. For example, support for Linux and SMB files were first delivered in WildFire appliance content updates.
In addition:
  • Manage firewalls centrally with Panorama to consistently enforce policy across physical and virtual environments and for centralized visibility.
  • Use positive security enforcement to allow traffic you want on your data center network and deny the rest.
  • Create a standardized, scalable design that you can replicate and apply consistently across data centers.
  • Get buy-in from executives, IT and data center administrators, users, and other affected parties.
Phase in next-generation security by focusing on the most likely threats to your particular business and network, and then determine the most important assets to protect and protect them first. Ask the following questions to help prioritize the assets to protect first:
  1. What makes our company what it is? What properties define and differentiate your company, and what assets map to those properties? Assets that relate to your company’s proprietary competitive advantages should be high on the protection priority ladder. For example, a software development company would prioritize its source code, or a pharmaceutical company would prioritize its drug formulas.
  2. What keeps the enterprise in business? Which systems and applications do you need to support the daily operation of the company? For example, your active directory (AD) service provides employee access to applications and workstations. Compromising your AD service gives an attacker access to all accounts within your enterprise, which gives the attacker full access your network. Other examples include critical IT infrastructure such as management tools and authentication servers, and servers that house the most critical data for business operations.
  3. If I lost this asset, what would happen? The worse the consequences of losing an asset, the higher the priority to protect that asset. For example, the user experience may differentiate a service company, so protecting that experience is high priority. Proprietary processes and equipment may differentiate a manufacturing company, so protecting the intellectual property and proprietary designs is high priority. Create a priority list to define what to protect first.
Define the ideal future state of your data center network and work in phases to achieve it. Periodically revisit your definition to account for changes in your business, new regulatory and legal requirements, and new security requirements.