User-to-Data-Center Traffic Security Approaches
10.2
Learn the risks of the traditional approach to securing user traffic to the data center and how the best practice approach mitigates those risks.

The traditional (legacy) approach to securing user traffic flowing to the data center leaves valuable assets exposed to risk; the best practice approach protects them.
| The Traditional Approach | Risk | The Best Practice Approach |
|---|---|---|
| Port-based rules provide sufficient security because the data center is inside a trusted network. | Malicious applications access the network by spoofing port numbers, tunneling through a port, or using port hopping to avoid detection. | Application allow rules tie together applications, users, and servers so that only legitimate users using sanctioned applications can access the right sets of data center servers. When you transition from port-based to application-based rules, in the rulebase, place the application-based rule above the port-based rule it will replace. Reset the policy rule hit counter for both rules. If traffic hits the port-based rule, its policy rule hit count increases. Tune the application-based rule until no traffic hits the port-based rule for a period of time, then remove the port-based rule. |
| Trust internal users and allow the application the user accesses to determine whether access is allowed based on credentials and possibly on IP address rules. | An attacker gains access to a data center endpoint and then moves laterally to any other data center endpoint to exploit stolen credentials or server-side vulnerabilities. Unknown users gain access to data center endpoints. | Enable User-ID, block unknown users, and allow access for sanctioned users. Create separate identity domains for employees, partners, and contractors. Use multi-factor authentication (MFA) for partner, contractor, and sensitive server access. |
| Analyzing unknown files is unnecessary because the data center is inside a trusted network. | Users may inadvertently download malware from file sharing and other cloud applications. | Send all unknown files to WildFire for analysis to identify new and unknown malware and protect against it. |
| A mix of threat prevention profiles from multiple vendors. | A conglomeration of individual tools leaves security holes for attackers and may not work together well. | The Palo Alto Networks suite of coordinated security tools works together to plug security holes and prevent attacks. |
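As an added illustration of the port-to-application migration procedure in the table (not code from the Palo Alto Networks documentation), the following Python models the decision: it checks that the application-based rule sits above the port-based rule it replaces and, from a series of policy rule hit-count readings taken after the counters were reset, reports how long the port-based rule has gone without matching traffic. The rule names, the daily hit-count readings and the seven-day quiet threshold are constructed sample values; collecting the real counters from the firewall is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class HitSnapshot:
    """Cumulative policy rule hit counts read on one day, after the counters were reset."""
    day: date
    hits: dict[str, int]  # rule name -> cumulative hit count


def rule_precedes(rulebase: list[str], app_rule: str, port_rule: str) -> bool:
    """The application-based rule must be ordered above the port-based rule it replaces;
    otherwise traffic matches the port-based rule first and the counters tell you nothing."""
    return rulebase.index(app_rule) < rulebase.index(port_rule)


def quiet_period(snapshots: list[HitSnapshot], rule: str) -> int:
    """Days, counted back from the newest reading, during which the rule's cumulative
    hit count did not change, i.e. no session matched it."""
    ordered = sorted(snapshots, key=lambda s: s.day)
    newest = ordered[-1]
    quiet_since = newest.day
    for snap in reversed(ordered[:-1]):
        if snap.hits[rule] != newest.hits[rule]:
            break  # the counter was still climbing on this day
        quiet_since = snap.day
    return (newest.day - quiet_since).days


def port_rule_removable(rulebase: list[str], snapshots: list[HitSnapshot], app_rule: str,
                        port_rule: str, required_quiet_days: int) -> tuple[bool, str]:
    """Apply the procedure: correct ordering first, then a long enough hit-free period."""
    if not rule_precedes(rulebase, app_rule, port_rule):
        return False, f"{app_rule} must be ordered above {port_rule} before tuning"
    days = quiet_period(snapshots, port_rule)
    if days < required_quiet_days:
        return False, f"{port_rule} quiet for {days} of {required_quiet_days} days; keep tuning"
    return True, f"{port_rule} had no hits for {days} days; remove it"


# Constructed sample data: the app rule above the port rule, and eight daily readings.
RULEBASE = ["allow-app-sql-finance", "allow-tcp-1433-finance", "deny-all"]
START = date(2024, 1, 1)
SNAPSHOTS = [
    HitSnapshot(START + timedelta(days=d), {"allow-app-sql-finance": a, "allow-tcp-1433-finance": p})
    for d, a, p in [(0, 0, 0), (1, 120, 4), (2, 260, 4), (3, 410, 4),
                    (4, 530, 4), (5, 700, 4), (6, 880, 4), (7, 1010, 4)]
]

if __name__ == "__main__":
    print(port_rule_removable(RULEBASE, SNAPSHOTS, "allow-app-sql-finance", "allow-tcp-1433-finance", 7))
```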