SEGMENTATION TO A TRADITIONAL DATA CENTER

Similar documents
PROTECT WORKLOADS IN THE HYBRID CLOUD

VM-SERIES FOR VMWARE VM VM

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

Comprehensive Database Security

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

Operationalizing NSX Micro segmentation in the Software Defined Data Center

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

Securing Your Most Sensitive Data

A Modern Framework for Network Security in Government

The threat landscape is constantly

ONBOARDING GUIDE GLOBALPROTECT CLOUD SERVICE FOR REMOTE NETWORKS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SYMANTEC DATA CENTER SECURITY

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

PANORAMA. Figure 1: Panorama deployment

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Securing Your Microsoft Azure Virtual Networks

Building a Smart Segmentation Strategy

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

Securing Your Amazon Web Services Virtual Networks

McAfee Total Protection for Data Loss Prevention

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

VM-SERIES ON GOOGLE CLOUD DEPLOYMENT GUIDELINES

Copyright 2016 EMC Corporation. All rights reserved.

Best Practices in Securing a Multicloud World

CyberArk Privileged Threat Analytics

Securing the Virtualized Environment: Meeting a New Class of Challenges with Check Point Security Gateway Virtual Edition

Transforming Security from Defense in Depth to Comprehensive Security Assurance

VM-SERIES FOR NSX IMPLEMENTATION AND TRAFFIC STEERING GUIDELINES

CloudVision Macro-Segmentation Service

AKAMAI CLOUD SECURITY SOLUTIONS

Achieving Digital Transformation: FOUR MUST-HAVES FOR A MODERN VIRTUALIZATION PLATFORM WHITE PAPER

CASE STUDY INSIGHTS: MICRO-SEGMENTATION TRANSFORMS SECURITY. How Organizations Around the World Are Protecting Critical Data

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

PANORAMA. Key Security Features

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Datacenter Security: Protection Beyond OS LifeCycle

Security by Default: Enabling Transformation Through Cyber Resilience

Network Visibility and Segmentation

AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

ACTIONABLE SECURITY INTELLIGENCE

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Securing the Software-Defined Data Center

VMware vcloud Networking and Security Overview

SIMPLIFY PCI COMPLIANCE

CABLE MSO AND TELCO USE CASE HANDBOOK

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Teradata and Protegrity High-Value Protection for High-Value Data

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

Office 365 Buyers Guide: Best Practices for Securing Office 365

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Information Security Controls Policy

Data Center Micro-Segmentation

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Secure Access & SWIFT Customer Security Controls Framework

Network Security Protection Alternatives for the Cloud

Building Resilience in a Digital Enterprise

Simplifying WAN Architecture

External Supplier Control Obligations. Cyber Security

McAfee epolicy Orchestrator

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

TRAPS ADVANCED ENDPOINT PROTECTION

Nuage Networks Product Architecture. White Paper

Are we breached? Deloitte's Cyber Threat Hunting

Automating the Top 20 CIS Critical Security Controls

SIEMLESS THREAT DETECTION FOR AWS

Ensuring a Consistent Security Perimeter with CloudGenix AppFabric

SECURITY SERVICES SECURITY

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Clearing the Path to Micro-Segmentation. A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds

Protecting Your Digital Business: The Case for Next-Generation Intrusion Prevention

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Medigate and Palo Alto Networks Integration

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

RSA NetWitness Suite Respond in Minutes, Not Months

Protect Your End-of-Life Windows Server 2003 Operating System

WHITE PAPER. Vericlave The Kemuri Water Company Hack

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

CSP 2017 Network Virtualisation and Security Scott McKinnon

WHITE PAPER. Applying Software-Defined Security to the Branch Office

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Five Essential Capabilities for Airtight Cloud Security

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Data Sheet: Endpoint Security Symantec Network Access Control Starter Edition Simplified endpoint enforcement

Securing Office 365 with SecureCloud

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

with Advanced Protection

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team

Accelerate Your Enterprise Private Cloud Initiative

Micro-Segmentation: What It Is and What It Isn t. Explore Essential Security Controls for Fighting New Threats to Your Data Center

Transcription:

APPLY NETWORK SEGMENTATION TO A TRADITIONAL DATA CENTER SUMMARY Industry Financial Services Use Case Apply network segmentation for effective protection of mission-critical applications and data in a traditional data center. Increase security within the legacy data center network and for access from end-user environments. Business Benefits Support the capital investment and lifespan of the traditional data center while inherently protecting business-sensitive data, such as intellectual property, regulated data (PII and PCI) and other critical data, in financial services environments. Operational Benefits Continue to run legacy applications in the data center, but with an added degree of data security; minimize business disruption during the implementation of network segmentation; maintain consistent security and management across legacy computing and network perimeter environments. Security Benefits Reduce the ability of attackers to move freely to more valuable data center resources; reduce the risk of accidental or intentional insider access to data center resources based on user visibility and privileges; minimize risk of data exfiltration from traditional data center resources. Business Problem Despite the cloud computing trend, financial institutions still have significant capital investments in traditional IT infrastructure components within their existing data centers. These facilities typically contain essentially flat, open networks, as network segmentation for cybersecurity was not a consideration many years ago. However, malicious actors have recently found success in such open environments, where much of the lucrative data and systems are readily accessible after compromising a device elsewhere in the network. As examples, across the multiple SWIFT member attacks and in ATM malware attacks (Ripper and Cobalt gang), the malicious actors moved laterally in search of items of value after gaining initial footholds within those targeted organizations. A move to public or private cloud computing offers an opportunity to include network segmentation or a complete Zero Trust philosophy in inaugural designs. However, not all business applications are virtualization- or cloud-friendly. Certain legacy and mainframe applications may be unsuitable for migration to the cloud, and will continue to run in private data centers with traditional architectures. Moreover, capital investments already made in classic data center networks would not be discarded on a whim, but would typically need to serve out their life expectancy and depreciation accordingly. Consequently, this legacy infrastructure, its indigenous legacy applications and their associated data also need the protection afforded by network segmentation for that duration. However, as these environments are home to mission-critical resources, they cannot tolerate business disruptions even during such a transition. Business Drivers To maximize return on investment in traditional data center infrastructure while ensuring the full protection of business-sensitive data, such as intellectual property, regulated data e.g., personally identifiable information (PII) and payment card industry (PCI) data and other non-public information, a financial institution needs segmentation of the data center network. In years past, the design philosophy of a hardened, protected perimeter and a secure, trusted interior was sufficient. Today s landscape, with more sophisticated adversaries, multiple attack vectors and insider threats, warrants the compartmentalization of the internal network to limit exposure of sensitive data and resources, as well as to minimize financial and reputational damage in the event of a data breach. Proper segmentation of the internal network can also reduce the scope of PCI audits by demonstrating clear separation of cardholder data environments from the rest of the IT infrastructure. Palo Alto Networks Apply Network Segmentation to a Traditional Data Center Use Case 1

PA-5260 PA-5260 USE CASE: Apply Network Segmentation to a Traditional Data Center Traditional Approach Networking and security teams have historically relied on protections at the network perimeter to secure the entire enterprise. The internal network was deemed trusted and secure, while everything outside was considered dirty. Consequently, there was no reason to deploy segmentation gateways internally for security purposes. Everything on the internal network was considered clean and application traffic would flow unrestricted. Back then, applications were simpler and typically had single functions. Today, applications are multifaceted and handle several functions, such as messaging, file sharing, screen sharing, etc. Moreover, malicious actors have become experts at finding ways to break into enterprise networks. This has made the open internal network a cybersecurity liability. From purely a network perspective, separating the data center from end-user environments is a reasonably clean approach. However, introducing network segmentation to an existing data center network is not to be taken lightly. Inserting any new device into live traffic flows always carries some risk of business disruption. For mission-critical and/or mainframe applications in a traditional data center, this is a daunting proposition despite the anticipated benefits of network segmentation. The use of traditional firewalls for this purpose further exacerbates the risk, as they cannot distinguish between multiple applications that use the same port numbers. Palo Alto Networks Approach An alternative model for IT security, Zero Trust is intended to remedy the deficiencies of perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting never trust, always verify as its guiding principle. With Zero Trust, there is no default trust for any entity including users, devices, applications and packets regardless of what it is or where it resides on the corporate network. In addition, verifying that authorized entities are always doing only what they re allowed to do is now mandatory. In terms of moving toward a Zero Trust model, it is not necessary to wait for the next comprehensive overhaul of the organization s entire network and security infrastructure. A Zero Trust architecture is conducive to progressive implementation. To that end, segmenting the traditional data center from the various end user environments can be viewed as a step toward Zero Trust. The use of Palo Alto Networks Next-Generation Firewall as a segmentation gateway leverages its inherent networking capabilities for seamless deployment into an existing environment and allows for controlled introduction of security controls over traffic traversing the data center. The concept of Zero Trust extends the practice of network segmentation to granting access based on specific applications, allowing user access based on credentials and controlling the content that can be sent across each segmentation point. Visibility into applications, users and content allows you to confirm the identity of your data center applications and block unexpected or rogue users or applications from accessing the data center. Network segmentation can be applied at numerous points in a network, but for the remainder of this paper, we will focus on the architectural considerations for, and highlight a customer deployment of, data center network segmentation to separate the traditional computing resources from end-user environments. Architectural Vision To segment the traditional data center infrastructure from the branch and campus networks, a high availability pair of next-generation firewalls would serve to control all ingress and egress traffic. These appliances would be incorporated into the network architecture at the point where the traditional data center resources are aggregated, and have visibility into all data flowing to and from legacy data center applications and services. This vantage point allows the next-generation firewalls to function as the segmentation gateway for the traditional data center. Corporate Network WEB APP DB NSX vswitch VMware ESXi VM-1000-HV Figure 1: Network segmentation of data center from end-user environments Palo Alto Networks Apply Network Segmentation to a Traditional Data Center Use Case 2

To minimize any potential disruptions to the environment, the security appliance is not deployed in line with the existing network devices, as shown in Figure 2. Placed alongside the 2 aggregation point, the next-generation firewall can inspect and control inbound and outbound traffic without the need for physical re-cabling, changes to IP addresses of the original devices (servers) or the addition of new switches. Use of the VLAN tag rewriting capability of Palo Alto Networks Next-Generation Firewall allows it to be logically in the flow of traffic, acting as both a 2 bridge and an enforcement point. The advantages of this approach are that existing physical connections are untouched and desired traffic flows can be placed under firewall control one device at a time, if desired. This granularity allows for a controlled migration of traffic through the firewall, which is critical for the phased introduction of network segmentation to a live, traditional data center. Figure 2: Transparent firewalls in a classic three-tier data center network design Actual Financial Services Customer Deployment In this real-world example, one of the world s largest financial institutions had a traditional three-tier data center network design for a portion of its environment. The organization was not yet ready to re-architect its entire data center, adopt an overall leaf-spine design or migrate entirely to a private cloud model. Like many of its peers, this financial institution had an open internal network. This left its traditional data center network exposed to undesirable internal traffic, which the organization viewed as a significant security gap. Although there is no specific regulatory requirement for network segmentation, the institution saw the inherent value in it and committed to the concept to get ahead of the game. Ultimately, the institution chose Palo Alto Networks Next-Generation Firewall to segment its traditional data center network from its end user population. This project was undertaken to improve the security of the IT environment by installing a mechanism to control end-user access to critical data center resources as well as between those sensitive resources. Success was defined as the isolation of targeted applications and systems from one another, and from the internal network, while providing the connectivity required for business functions. As this effort was carried out against running environments, minimal changes to the existing data center architecture and IP address space were critical requirements to minimize risk. In short, the firewall deployment could not be in-line, no server IP addresses could be changed, and traffic from specific servers had to be steered through the firewalls in a tightly controlled, phased migration. A 2 firewall on a stick design enabled the financial institution to control traffic flowing through the next-generation firewalls by manipulating the VLAN assignment of the servers. As servers were moved to a new set of VLANs (one per application), traffic would be safely enabled by passing through the next-generation firewalls. This allowed for precise, controlled migration of traffic to the firewalls for a phased implementation of network segmentation on the live data center. Implementation Overview Products Deployed: Next-generation firewalls (PA-7000 Series) Panorama network security management How Customer Implemented Network Segmentation (High Level): Installed redundant Palo Alto Networks Next-Generation Firewall appliances at the data center aggregation layer, in a 2, out-of-band configuration, to minimize physical disruptions to the live production environment. Palo Alto Networks Apply Network Segmentation to a Traditional Data Center Use Case 3

Secured north-south traffic to selected critical applications and systems in the classic three-tier data center architecture. The set of applications to be protected was defined by the institution s Risk and Audit organization. Secured east-west traffic within the traditional data center network using the same set of firewalls. Implemented firewall security policies based on application awareness through App-ID technology for granular control over traffic flows. Centrally managed all next-generation firewall instances with Panorama for consistent security policies across the entire three-tier data center network estate. How Customer s Network Segmentation Works (High Level): As selected traffic enters or leaves the traditional data center network, it passes through the out-of-band firewalls at the aggregation layer by virtue of VLAN tag rewriting. Traffic is then subjected to granular control policies based on App-ID and Content-ID technologies. Next-generation firewalls with application-based rules offer more specific and precise control over traffic than port/protocol-based firewalls can provide. Traffic is also inspected for known threats through a Threat Prevention subscription, which includes intrusion prevention services. To place traffic under the control of the next-generation firewalls, servers are selectively reassigned to new (protected) VLANs. This is done to logically bundle servers belonging to a particular application into a common VLAN and steer that traffic through the firewalls. No IP addresses need to be changed on the servers, which reduces risk to the production environment. (See Figure 3.) This allows for a tightly controlled migration of traffic to the firewall even as granular as one server at a time. Due to concerns over business disruptions, the customer ruled out a mass migration cutover for network segmentation. This level of control for a phased migration was a key requirement. Within the traditional data center environment, traffic to/from servers on any of the protected VLANs would also flow through the firewalls. This facilitated safe enablement of server-to-server (east-west) traffic within the three-tier data center network. Backbone Network Core 3 2 Aggregation Next-Gen Firewall Next-Gen Firewall Access s VLAN Unprotected VLAN Trunk Unprotected VLAN: 100 IP: 10.0.0.5/24 VLAN: 1001 IP: 10.0.0.6/24 VLAN: 1002 IP: 10.0.0.7/24 VLAN: 1003 IP: 10.0.0.8/24 Figure 3: Unprotected and protected VLANs on one subnet Benefits of Using Palo Alto Networks for Network Segmentation in the Traditional Data Center Business Benefits: Support the capital investments already made in the legacy data center while inherently protecting business-sensitive data, such as intellectual property, regulated data and other critical data, in these environments. Operational Benefits: Continue to run legacy applications in the traditional data center for the lifespan of that infrastructure, but with an added degree of data security. Palo Alto Networks Apply Network Segmentation to a Traditional Data Center Use Case 4

Minimize potential for business disruption during the implementation of data center network segmentation. Targeted traffic can be placed under next-generation firewall control by modifying the VLAN associated with the server or group of servers. No physical re-cabling of the servers or access layer switches is required. IP addresses are untouched as well. Maintain consistent security and management across both traditional data center and network perimeter environments. Use of Palo Alto Networks Next-Generation Firewall appliances in both locations, along with Panorama, allows for a common management tool and consistency of security policies through the data center and network edge. Reduce time and resources required for PCI compliance audits, as the scope is minimized through effective network segmentation. Cardholder data is held in a separate environment (e.g., VLAN) protected by the next-generation firewalls from the rest of the network. Security Benefits: Reduce the ability of an attacker to roam freely into and throughout the traditional data center. Minimize exposure by compartmentalizing systems and data belonging to specific applications and/or business units. Limit unauthorized lateral movement into and across the data center. Prevent exfiltration of data from the data center. Use better security controls based on App-ID, User-ID and Content-ID technology than firewall rules based on ports, protocols and IP addresses can provide. Prevent previously seen and brand-new malware on the data center network. Reduce the risk of unauthorized insider access to data center resources. USE CASE: Apply Network Segmentation in the Private Cloud Additional Resources The following links offer additional information on 2 firewall designs and how to segment your network: https://www.paloaltonetworks.com/solutions/initiatives/network-segmentation https://www.paloaltonetworks.com/resources/whitepapers/network-segmentation-business-enabler-financial-services https://live.paloaltonetworks.com/t5/tech-note-articles/securing-inter-vlan-traffic/ta-p/54749 https://live.paloaltonetworks.com/t5/integration-articles/designing-networks-with-palo-alto-networks-firewalls/ta-p/60868 Services to Help You Support Palo Alto Networks Customer Support automates the discovery of related cases to increase productivity and get you to a resolution more quickly. We offer multiple support packages: Standard, Premium and Premium Plus. You can also opt for your own technical account manager as a subscription-based extension of Premium Support. Premium Plus provides both a designated technical support engineer and technical account manager who will learn and understand your deployment at technical and business levels, accelerating incident resolution. Consulting Palo Alto Networks Consulting Services provide access to specialized talent knowledgeable in the safe enablement of applications. By matching talent to task, we deliver the right expertise at the right time, dedicated to your success. Resident engineers, for instance, provide on-site product expertise and are uniquely qualified to advise you on getting the most out of your Next-Generation Security Platform deployment. Education Training from a Palo Alto Networks Authorized Training Center delivers the knowledge and expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications provide the necessary Next-Generation Security Platform knowledge to prevent successful cyberattacks and safely enable applications. 3000 Tannery Way Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www. paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. apply-networksegmentation-to-a-traditional-data-center-uc-082817

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback