Define the Initial Internet-to-Data-Center Traffic Security Policy
Define the external application traffic from vendors, customers, partners, and other third parties that can access your data center from the internet.
As with the other data center traffic flows, tightly control traffic flowing from the internet to the data center with application allow security policy rules so that no traffic using unknown or unsanctioned applications can enter the data center. In addition, protect the data center web servers from denial-of-service (DoS) attacks by applying DoS Protection policy rules (with DoS Protection profiles) to external traffic destined for the data center web server tier.
Risks to the data center from internet traffic include downloading malware from an
infected external server, downloading "call home" command-and-control software that
enables an attacker to access and control data center assets, and inadvertently allowing
access to the data center from the internet. To reduce the attack surface, allow only
applications, users, and services that you require for business purposes in the data
center. Decrypt, inspect, and log all the traffic that local regulations, laws, and your
business requirements allow. In addition, follow DoS and Zone Protection best practices
to prevent attackers from disrupting the data center (especially web servers) with DoS
attacks.
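One way to check an internet-to-data-center rulebase against the allow-list guidance above, as an added example that is not part of this page or of PAN-OS: it flags allow rules from the internet zone into the data center zone that permit any or unknown-* applications, applications outside a sanctioned list, any user, any service, or no session-end logging. The rule records, zone names ("untrust", "dc") and field names are constructed for the illustration and are not an export format.

```python
# Added example: audit internet-to-data-center allow rules against an
# application allow list. Rule records and field names are constructed
# for this illustration, not a firewall export format.

# PAN-OS application names for traffic it cannot identify.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p"}


def audit_rule(rule, sanctioned_apps, internet_zone="untrust", dc_zone="dc"):
    """Return findings for one allow rule from the internet zone into the
    data center zone; an empty list means the rule follows the guidance."""
    if rule["action"] != "allow":
        return []
    if internet_zone not in rule["from"] or dc_zone not in rule["to"]:
        return []
    findings = []
    apps = set(rule["application"])
    if "any" in apps:
        findings.append("application any: replace with the sanctioned application list")
    if apps & UNKNOWN_APPS:
        findings.append("unknown-* applications allowed into the data center")
    unsanctioned = apps - sanctioned_apps - UNKNOWN_APPS - {"any"}
    if unsanctioned:
        findings.append("unsanctioned applications: " + ", ".join(sorted(unsanctioned)))
    if "any" in rule["source_user"]:
        findings.append("source user any: restrict to the users or groups required")
    if "any" in rule["service"]:
        findings.append("service any: restrict to the services required")
    if not rule["log_end"]:
        findings.append("session-end logging disabled: traffic cannot be reviewed")
    return findings


def audit_rulebase(rules, sanctioned_apps):
    """Map each non-compliant rule name to its findings."""
    result = {}
    for rule in rules:
        findings = audit_rule(rule, sanctioned_apps)
        if findings:
            result[rule["name"]] = findings
    return result


# Constructed sample: the sanctioned list and four rules, two of which violate the guidance.
SANCTIONED = {"web-browsing", "ssl"}
RULES = [
    {"name": "partner-web", "from": ["untrust"], "to": ["dc"], "action": "allow",
     "application": ["web-browsing", "ssl"], "source_user": ["partner-group"],
     "service": ["application-default"], "log_end": True},
    {"name": "legacy-any", "from": ["untrust"], "to": ["dc"], "action": "allow",
     "application": ["any"], "source_user": ["any"], "service": ["any"], "log_end": False},
    {"name": "ftp-in", "from": ["untrust"], "to": ["dc"], "action": "allow",
     "application": ["ftp", "unknown-tcp"], "source_user": ["vendor-group"],
     "service": ["application-default"], "log_end": True},
    {"name": "dc-internal", "from": ["dc"], "to": ["dc"], "action": "allow",
     "application": ["any"], "source_user": ["any"], "service": ["any"], "log_end": True},
]

if __name__ == "__main__":
    for name, findings in audit_rulebase(RULES, SANCTIONED).items():
        print(name, "->", "; ".join(findings))
```

The "dc-internal" rule is ignored on purpose: the check covers only the internet-to-data-center flow this section describes, and other flows have their own rules.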
The following sections show you the type of traffic to allow and how to control it, how
to decrypt the traffic, and how to protect your data center assets from DoS attacks: