-
This module presents a more detailed investigation of the growing
role of data centers in modern technology infrastructure and how
data center firewall design and configuration may provide network
security while maintaining balance among organizational resources
and operating requirements.
-
This module will include discussion on the following topics:
- Characteristics of Data Center Firewalls, including customization
  and the three primary foundations for Data Center Security.
- Connectivity requirements, including high speed/high capacity,
  cloud, and virtual.
- Data Center network security functions, including multi-layered
  network and content processing security.
- Data Center Services, including infrastructure, platform, and
  software as services and how they relate to industry use.
The module will end with a summary and an opportunity for
questions and answers.
-
At the conclusion of this module, you will understand:
- How customization of data center firewalls may affect performance
  and throughput.
- The three essential foundations for data center security.
- Connectivity capabilities of data center firewalls for different
  appliances and program options, including hardware, cloud, and
  virtual.
- How Data Center Firewalls provide a number of network security
  functions.
- How the three standard application service components differ
  based on the needs and capabilities of network users and
  administrators.
-
A common phrase heard in today's business market is "No matter what
business you are in, you are a technology business." In the 21st
Century, this is true of large businesses and the most successful
small and medium businesses (SMB).
Along with growing use of technology came a need not only to
develop more specialized applications but also to develop innovative
ways to store ever-increasing volumes of digital data. This growing
storage requirement spurred a new sector in technology
operations: the Data Center.
As new technologies for end users of computing platforms evolve,
so must security measures for the data centers they will access for
operations such as email, social media, banking, shopping, education,
and myriad other purposes.
Developing strategies to keep pace with the accelerating,
integrated, and distributed nature of technology has become a
critical industry in protecting personal, business, and organizational
data and communications from legacy, advanced, and emerging
threats.
-
As previously mentioned, consumer trends influenced data center
development; however, this development was also spurred on by
changes in business practices that include:
Virtualization. Creating a virtual version of a device or
resource, such as a server, storage device, network, or even an
operating system, where the framework divides the resource into one
or more execution environments.
Cloud Computing. Computing in which large groups of remote servers
are networked to allow centralized data storage and online
access to computer services or resources. Clouds can be classified as
public, private, or hybrid.
Software-Defined Networks (SDN). An approach to networking in which
control is decoupled from hardware and given to a software
application called a controller. SDN is dynamic, manageable,
cost-effective, and adaptable, making it ideal for the high-bandwidth,
dynamic nature of today's applications.
BYOD. Refers to employees taking their own personal device to
work, whether laptop, smartphone, or tablet, in order to interface
with the corporate network. According to a Unisys study conducted by
IDC in 2011, nearly 41% of the devices used to obtain corporate
data were owned by the employee.
Big Data. A massive volume of both structured and unstructured
data that is so large it is difficult to process using traditional
databases and software techniques. In many enterprise scenarios, the
data is too big, moves too fast, or exceeds current processing
capacity.
The Internet of Things (IoT). The [once future] concept that
everyday objects have the ability to connect to the Internet and
identify themselves to other devices. IoT is significant because an
object that can represent itself digitally becomes something
greater than the object by itself. When many objects act in unison,
they are said to have ambient intelligence.
-
Meeting the challenge of data center growth while maintaining
throughput capability requires the use of technology integration to
reduce the potential for signal loss and speed reduction caused by
bridging and security barriers between ad hoc arrangements of
independent appliances.
Designing the data center firewall with a hybrid design merging
Application Specific Integrated Circuits (ASIC) with a Central
Processing Unit (CPU) may provide the necessary infrastructure to
meet the demand for throughput, growth, and security.
Two primary options for hybrid design:
- CPU + OTS ASIC: General purpose CPU + Off the Shelf (OTS)
  processor. Simplest, but suffers performance degradation.
- CPU + Custom ASIC: General purpose CPU + Custom-built ASIC
  designed for the intended device function(s). More difficult,
  but the most efficient design.
-
Edge Firewalls are implemented at the edge of a network in order
to protect the network against potential attacks from external traffic.
This is the best understood, or traditional, role of a firewall: the
gatekeeper.
In addition to being a gatekeeper, Data Center Firewalls serve a
number of functions. Depending on network size and configuration, the
data center firewall may also provide additional security
functions.
These functions are referred to as Multi-Layered Security, and may
include:
- IP Security (IPsec)
- Firewall
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping
These functions work together, providing integrated security for
the data center, concurrently providing consolidated, clear control
for administrators while presenting complex barriers to potential
threats.
-
A data center network core firewall configured for high speed,
high throughput, and low latency gains the ability to evolve
as technology develops.
- Throughput speeds have the potential to double every 18 months
- High-speed 40/100 GbE ports are already going into existing systems
- External users are moving from Internet Protocol version 4 (IPv4) to
  IPv6
Size DOES Matter. Historically, factors considered in firewall
selection included the number of users, internal and external, accessing
the network or its components.
Data center firewalls make sense for SMB because of higher
throughput, port capacity, and concurrent sessions.
Large or highly distributed organizations should consider using
an enterprise campus firewall:
- Capacity to handle thousands of users and multiple locations
- Tradeoff: Required redundancy increases costs and system complexity
- Self-managing enterprise campus firewalls requires extensive
  training
Managed Security Service Providers (MSSP) are third-party,
outsourced companies that manage data center security.
- High availability: 24/7 service necessary for large enterprise
  campus networks
- Redundancy: To ensure coverage of your organization's network
  security infrastructure
- Serviceability: Detailed service level agreements (SLA) and
  confidentiality
- Caveat: Current high failure rate of MSSP companies
-
By designing and implementing infrastructures integrating high
throughput with a dynamic software-defined network (SDN), the data
center firewall provides the capability to evolve with changing needs and
threats.
Three foundations form the basis for data center firewall
security:
Performance. Higher performance through high-speed,
high-capacity, low-latency firewalls.
- Minimum required throughput for a data center firewall is 10 Gbps
- Large data centers may increase to an aggregate 100+ Gbps
- Minimum port size connectivity of 10 GbE
- Some capabilities already in the 40-100 GbE range
Segmentation. Organizations using data centers have adopted
network segmentation as a best practice to isolate critical data
against potential threats.
- Applications, user groups, regulatory requirements
- Business functions, trust levels, locations
- High density and logical abstraction to support both physical and
  virtual segmentation clouds
Simplification. Because data centers extend to external users from
various platforms, input sources, and trust levels, a Zero-Trust
model should be adopted from the edge throughout segmentation and
the network core.
- Requires a consolidated, simplified security platform for
  high-speed operations
- Integration of network routing and switching into firewall
  controls
- Centralized visibility and control of functions and
  security monitoring
-
Traditional firewalls protect physical computer networks running on
physical hardware and cabling. This traffic is also referred to as
North-South traffic.
Virtual traffic is referred to as East-West traffic. Virtual
machines, or virtual drives and networks, residing on physical
equipment may also be subject to intrusion from external
threats.
Today, 60-70% of traffic is E-W, which is why virtual networks are
of vital importance and, as a result, why data centers
and data center security have emerged in modern networks.
A virtual firewall is simply a firewall running in the virtual
environment, providing packet filtering and monitoring much like the
physical firewall does for the physical network. The virtual firewall
may take a number of forms:
- Loaded as traditional software on the virtual host machine
- Built into the virtual environment
- A virtual switch with additional capabilities
- A managed kernel process within the host hypervisor for
  all virtual machine activity
Virtual firewalls deploy and operate in two modes:
Bridge Mode. Acts like a physical firewall, installed at an
inter-network switch or bridge to intercept traffic.
- Decides to allow passage, drop, reject, forward, or mirror the
  packets
- Standard for early networks and some current SMB networks
Hypervisor Mode. Resides in the host virtual machine, or
hypervisor, to capture and analyze packets heading for the virtual
network from outside the network.
- Runs faster than Bridge Mode, within the kernel at native
  hardware speeds
- Popular hypervisors include VMware vSphere, Citrix Xen, and
  Microsoft Hyper-V
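As an added illustration (not part of the original module materials), the following Python script models two of the ideas from the last two slides together in working code: zero-trust segmentation by trust level (the Segmentation and Simplification foundations) and the per-packet decisions a bridge-mode virtual firewall makes (allow, drop, reject, mirror). The segment names, address ranges, trust levels, policy rules and sample packets are all constructed for this example; the point it makes beyond the slides is that with a default-deny policy, East-West traffic between two internal segments is blocked exactly like North-South traffic unless a rule explicitly permits it, and that a mirror action can feed a monitoring sensor without deciding the packet's fate.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example segments: name -> (CIDR, trust level). A higher level
# holds more critical data. The module lists applications, user groups, trust
# levels and locations as segmentation criteria; trust level is used here.
SEGMENTS = {
    "internet": ("0.0.0.0/0", 0),      # untrusted, North-South edge
    "dmz-web":  ("10.10.0.0/24", 1),   # public-facing web tier
    "app-tier": ("10.20.0.0/24", 2),   # application logic (East-West peer)
    "db-tier":  ("10.30.0.0/24", 3),   # critical data, isolated
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Rule:
    src_seg: str
    dst_seg: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" | "drop" | "reject" | "mirror"

@dataclass
class Decision:
    action: str            # final verdict: allow, drop or reject
    mirrored: bool         # a copy was also sent to the monitoring sensor
    rule: Optional[Rule]   # terminating rule that matched; None = default deny

def segment_of(ip: str) -> str:
    """Map an address to its segment; the longest matching prefix wins,
    so 0.0.0.0/0 only catches addresses outside every internal range."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "internet", -1
    for name, (cidr, _) in SEGMENTS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best

# Constructed policy. Rules are evaluated top to bottom. "mirror" copies the
# packet to a sensor (the IDS/IPS layer in the module's multi-layer model)
# and keeps evaluating; allow, drop and reject end evaluation.
POLICY = [
    Rule("internet", "dmz-web",  "tcp", 443,  "allow"),
    Rule("dmz-web",  "app-tier", "tcp", 8080, "allow"),
    Rule("app-tier", "db-tier",  "tcp", None, "mirror"),   # all app->db traffic is watched
    Rule("app-tier", "db-tier",  "tcp", 5432, "allow"),
    Rule("dmz-web",  "db-tier",  "tcp", None, "reject"),   # web tier never reaches data directly
]

def evaluate(pkt: Packet, policy: List[Rule]) -> Decision:
    src_seg, dst_seg = segment_of(pkt.src), segment_of(pkt.dst)
    mirrored = False
    for r in policy:
        if (r.src_seg, r.dst_seg, r.proto) != (src_seg, dst_seg, pkt.proto):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.action == "mirror":
            mirrored = True      # non-terminating: copy to sensor, keep going
            continue
        return Decision(r.action, mirrored, r)
    # Zero-trust default: nothing passes without an explicit rule, and that
    # applies to East-West traffic between internal segments as well.
    return Decision("drop", mirrored, None)

def overly_permissive(policy: List[Rule]) -> List[Rule]:
    """Policy lint: allow rules that let a lower-trust segment reach a
    higher-trust one without pinning a port undermine the segmentation."""
    return [r for r in policy
            if r.action == "allow" and r.dport is None
            and SEGMENTS[r.src_seg][1] < SEGMENTS[r.dst_seg][1]]

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("203.0.113.5", "10.10.0.10", "tcp", 443),   # edge -> web: allowed
        Packet("203.0.113.5", "10.30.0.10", "tcp", 5432),  # edge -> db: default deny
        Packet("10.20.0.5",   "10.30.0.10", "tcp", 5432),  # app -> db: mirrored and allowed
        Packet("10.20.0.5",   "10.30.0.10", "tcp", 22),    # app -> db ssh: mirrored, then dropped
        Packet("10.10.0.10",  "10.30.0.10", "tcp", 5432),  # web -> db: rejected
    ]
    for p in samples:
        d = evaluate(p, POLICY)
        print(f"{p.src} -> {p.dst}:{p.dport}  {d.action:6}  mirrored={d.mirrored}")
    bad = POLICY + [Rule("internet", "app-tier", "tcp", None, "allow")]
    print("lint flagged:", overly_permissive(bad))
```

The `overly_permissive` check is the kind of review a consolidated, centrally visible policy makes possible: it scans the rule set for allow rules that open a higher-trust segment to a lower-trust one on every port, which is the change most likely to silently defeat the segmentation the slides describe.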
-
Application systems typically consist of three basic
components:
Interfaces. The control or method by which the user interacts
with the computer, system, or network, often consisting of screens,
web pages, or input devices.
Programming (Logic). Scripts or computer instructions used to
validate data, perform calculations, or navigate users through
application systems. Large computers may use more than one computer
language to drive the system and connect with networks.
Databases. Electronic repositories of data used to store
information for an organization in a structured, searchable, and
retrievable format. Most are structured to facilitate downloading,
updating and, when applicable, sharing with other network users.
Computer Systems are simply sets of components assembled into an
integrated package.
CPU (Central Processor Unit). The heart of the machine, around
which various other components and peripherals are built.
Components: Data Storage, Memory, Drives, Motherboards,
Interfaces
Computer system components vary in size and complexity and may
be designed for single or multiple purposes.
Peripherals: Input Devices, Displays, Printers, Scanners, etc.
-
With increasing use of cloud services to enable mobile, even
global, access to applications and data, technology developed to fulfill
the needs of industries from SMB to large international
organizations. Three primary methods are integral to this service,
each having benefits and tradeoffs between the developer (user) and
vendor (provider).
Infrastructure as a Service (IaaS). The most basic of the three
cloud models. The service provider creates the infrastructure, which
becomes a self-service platform.
- Benefit: No large infrastructure investment, upgrades, or service;
  operational flexibility
- Tradeoff: Requires the user to have a high degree of technical
  knowledge or to employ technical staff
Platform as a Service (PaaS). Provides an additional level of
service to the user beyond the IaaS model. The provider builds the
infrastructure AND provides monitoring and maintenance service. The
user has access to middleware to assist with application development.
- Benefit: Reduces the amount of coding necessary to automate business
  policy
- Tradeoff: Increased cost
Software as a Service (SaaS). The largest cloud market, and it
continues to grow. In addition to the PaaS services,
applications are managed by the provider. Businesses develop software
and requirements; a third party manages them.
- Benefit: No need for resident software installation on physical
  systems (web-based)
- Tradeoff: Lack of flexibility in application configuration (Brand-X vs.
  Custom)
Shared Security Model. In the Do-It-Yourself (DIY) model,
you are responsible for end-to-end security of data and processes.
When using cloud services, the vendor (provider) assumes some or
all of the responsibility for security management, with the exception
of data you add to the application or database as the developer
(user).
-
Infrastructure as a Service (IaaS): Amazon, Rackspace Cloud, Joyent
Platform as a Service (PaaS): Google App Engine, Force.com, Windows Azure
Software as a Service (SaaS): Google Apps, Salesforce.com, ZOHO
-
Now that we have discussed some of the Data Center Firewalls,
their components, methods of deployment, and resulting benefits and
tradeoffs, are there any questions before moving into the next
module?
From an introduction to the current status of computer network
options and configurations, to the challenges posed by evolving
technologies and advanced threats, this module has prepared a
foundation for more focused discussion on emerging threats and the
development of network security technologies and processes. These are
designed to provide organizations with the tools necessary to defend
best against those threats and continue uninterrupted, secure operations.
The next module will focus on the Next Generation Firewall (NGFW),
an evolving technology in network security.