Internet-to-Data-Center Traffic Security Approach
10.2
Learn the risks of the traditional approach to securing
internet traffic entering the data center and how the best practice
approach mitigates those risks.
The legacy approach to securing traffic that enters the data center from the internet leaves valuable assets exposed to risk, while the best practice approach protects them. The major risks from inbound internet traffic are a data center server inadvertently downloading malware from an infected external server, and a compromised data center server inadvertently placing malware on an external server.
| The Traditional Approach | Risk | The Best Practice Approach |
|---|---|---|
| Create port-based security policy. | Malicious applications access the network by spoofing port numbers, tunneling through a port, or using port hopping to avoid detection. | Application (App-ID) allow rules prevent applications from running on non-standard ports. Log and monitor allow list violations. When you transition from port-based to application-based rules, place the application-based rule above the port-based rule it will replace, then reset the policy rule hit counter for both rules. Because the rulebase is evaluated top-down and the first match wins, any traffic that still hits the port-based rule is traffic the application-based rule does not yet cover, and its hit count increases. Tune the application-based rule until no traffic hits the port-based rule for a period of time, then remove the port-based rule. |
| An Intrusion Prevention System (IPS) is often deployed as an Intrusion Detection System (IDS). | An IPS is an in-band detection and prevention system, while an IDS is an out-of-band detection system. Deploying an IPS as an IDS takes intrusion detection out of the direct communication path between the source and the destination, so real-time prevention can't occur and threats can enter the data center. | In-band on the firewall, use Palo Alto Networks App-ID, User-ID, and Content-ID to create application allow list security policies that tightly control access. Apply the security profiles to stop known and new threats. |
| A web application firewall (WAF) is sufficient to protect the data center. | A WAF inspects only the HTTP(S) traffic to the web applications it fronts. An attacker who compromises a data center endpoint places command-and-control (C2) software on it, opening the network to attack and potentially serving client-side exploits in a watering-hole attack. | Stop attackers from using C2 software on data center endpoints by assigning the strict Anti-Spyware security profile, which blocks the command-and-control traffic the malware needs to phone home, to the security policy rule that controls the traffic. This profile is one of the firewall's included features, so it costs you nothing extra to apply this protection. |
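The port-to-App-ID transition in the first row depends on two things: the rulebase is evaluated top-down with first match winning, and hit counters on the old and new rule tell you what the new rule does not yet cover. The following added example (not code from the original page or from Palo Alto Networks, and it does not talk to a firewall) simulates that evaluation over a few constructed observation windows. Rule names, App-ID names, the standard-port table and the flows are all constructed for illustration; the `application_default` flag stands in for the application-default service setting.

```python
"""Added example (not from the original page): simulate first-match
evaluation of a security rulebase while a port-based rule is being replaced
by an App-ID rule. Rule names, App-ID names and flows are constructed."""
from dataclasses import dataclass

# Standard port(s) per App-ID; stands in for the "application-default"
# service setting that keeps an application on its expected port(s).
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    apps: frozenset = frozenset()         # App-IDs matched; empty = any application
    ports: frozenset = frozenset()        # destination ports matched; empty = any port
    application_default: bool = False     # if True, each app must use its standard port
    hits: int = 0                         # policy rule hit count

    def matches(self, app: str, port: int) -> bool:
        if self.apps and app not in self.apps:
            return False
        if self.application_default:
            return port in APP_DEFAULT_PORTS.get(app, set())
        return not self.ports or port in self.ports


def build_rules():
    """Fresh copies of the App-ID rule and the legacy port rule it replaces."""
    app_rule = Rule("allow-web-tier-apps", "allow",
                    apps=frozenset({"web-browsing", "ssl"}), application_default=True)
    port_rule = Rule("legacy-allow-tcp-80-443", "allow", ports=frozenset({80, 443}))
    return app_rule, port_rule


def reset_hit_counters(rulebase):
    for rule in rulebase:
        rule.hits = 0


def evaluate(rulebase, flows):
    """Top-down, first match wins; the matching rule's hit count increases.
    Flows matching nothing fall to the implicit interzone deny."""
    decisions = []
    for app, port in flows:
        for rule in rulebase:
            if rule.matches(app, port):
                rule.hits += 1
                decisions.append((rule.name, rule.action))
                break
        else:
            decisions.append(("interzone-default", "deny"))
    return decisions


def port_rule_hits_per_window(flow_windows):
    """Best-practice order: App-ID rule above the port rule. Counters are reset
    at the start of each observation window; whatever still reaches the port
    rule is traffic the App-ID rule does not yet cover."""
    app_rule, port_rule = build_rules()
    rulebase = [app_rule, port_rule]
    counts = []
    for flows in flow_windows:
        reset_hit_counters(rulebase)
        evaluate(rulebase, flows)
        counts.append(port_rule.hits)
    return counts


def can_retire(port_hits_per_window, quiet_windows_required=2):
    """Remove the port rule only after enough consecutive windows with zero hits."""
    tail = port_hits_per_window[-quiet_windows_required:]
    return len(tail) == quiet_windows_required and all(h == 0 for h in tail)


def wrong_order_hits(flows):
    """Port rule placed ABOVE the App-ID rule: it shadows the App-ID rule, so
    the App-ID rule never hits and the tuning signal is lost."""
    app_rule, port_rule = build_rules()
    evaluate([port_rule, app_rule], flows)
    return port_rule.hits, app_rule.hits


# Constructed flows as (App-ID, destination port). Window 1 contains ssh
# tunnelled over tcp/80 and ssl on a non-standard port; both miss the App-ID
# rule and land on the port rule, which is exactly what its hit count reveals.
WINDOW_1 = [("web-browsing", 80), ("ssl", 443), ("ssh", 80), ("ssl", 80)]
WINDOW_2 = [("web-browsing", 80), ("ssl", 443), ("web-browsing", 8080)]
WINDOW_3 = [("ssl", 443), ("web-browsing", 80)]

if __name__ == "__main__":
    hits = port_rule_hits_per_window([WINDOW_1, WINDOW_2, WINDOW_3])
    print("port-rule hits per window:", hits)                 # [2, 0, 0]
    print("safe to remove port rule:", can_retire(hits))      # True
    print("wrong order (port, app) hits:", wrong_order_hits(WINDOW_1))  # (4, 0)
```

The two hits in window 1 are the allow-list violations to investigate: the ssh-over-80 flow is either tunnelling to be blocked or a legitimate application to add explicitly, and ssl on port 80 fails the application-default check. The `wrong_order_hits` case shows why ordering matters: with the port rule on top it absorbs every flow, the App-ID rule shows zero hits, and you would wrongly conclude it is not needed.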