Define the Initial Internet-to-Data-Center Traffic Security Policy
    
Define the external application traffic from vendors, customers, partners, etc., that can access your data center from the internet.
As with the other data center traffic flows, tightly control traffic flowing from the internet to the data center with application allow security policy rules so that no traffic using unknown or unsanctioned applications can enter the data center. In addition, protect the data center web servers from denial-of-service (DoS) attacks by applying DoS Protection policy rules (with DoS Protection profiles) to external traffic destined for the data center web server tier.
Risks to the data center from internet traffic include downloading malware from an infected external server, downloading "call home" command-and-control software that enables an attacker to access and control data center assets, and inadvertently allowing access to the data center from the internet. To reduce the attack surface, allow only applications, users, and services that you require for business purposes in the data center. Decrypt, inspect, and log all the traffic that local regulations, laws, and your business requirements allow. In addition, follow DoS and Zone Protection best practices to prevent attackers from disrupting the data center (especially web servers) with DoS attacks.
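
The guidance above (application allow rules, logging, and inspection for internet-sourced traffic) can be checked against an exported rulebase. The following Python audit is an added example, not Palo Alto Networks code; the sample rules are constructed in the layout of a PAN-OS XML security rulebase, and the zone, rule, and profile group names are hypothetical, so verify element names against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules; zone, rule and profile group names are hypothetical.
SAMPLE_RULES = """
<rules>
  <entry name="partner-web-to-dc">
    <from><member>internet</member></from><to><member>dc-web</member></to>
    <application><member>ssl</member><member>web-browsing</member></application>
    <action>allow</action>
    <log-end>yes</log-end>
    <profile-setting><group><member>dc-inbound</member></group></profile-setting>
  </entry>
  <entry name="legacy-any-app">
    <from><member>internet</member></from><to><member>dc-web</member></to>
    <application><member>any</member></application>
    <action>allow</action>
    <log-end>yes</log-end>
  </entry>
  <entry name="internal-backup">
    <from><member>dc-app</member></from><to><member>dc-db</member></to>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Return the <member> values under the given child element."""
    node = entry.find(tag)
    return [] if node is None else [m.text for m in node.findall("member")]

def audit_internet_rules(xml_text, internet_zones=("internet",)):
    """Return {rule name: [findings]} for allow rules sourced from internet zones."""
    findings = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        from_internet = set(members(entry, "from")) & set(internet_zones)
        if entry.findtext("action") != "allow" or not from_internet:
            continue  # only internet-sourced allow rules are in scope
        issues = []
        if "any" in members(entry, "application"):
            issues.append("application is 'any' (no application allow list)")
        if entry.findtext("log-end") != "yes":
            issues.append("no log at session end")
        if entry.find("profile-setting") is None:
            issues.append("no security profiles attached (traffic not inspected)")
        if issues:
            findings[entry.get("name")] = issues
    return findings
```

Calling `audit_internet_rules(SAMPLE_RULES)` flags only `legacy-any-app`; pass your own zone names through `internet_zones` when running it against a real export.
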
The following sections show you the type of traffic to allow and how to control it, how to decrypt the traffic, and how to protect your data center assets from DoS attacks: