Datacenter Network Segmentation

Shifting a Palo Alto Networks firewall into the role of controlling East-West traffic in your datacenter is a process unique to every organization. It typically involves moving the routing decisions (the default gateways) for your datacenter networks onto the Palo Alto firewall. In this way you force traffic through the firewall, where it must match a security policy and is inspected for threats.


The initial phase of this process is to learn all components of the network that will be involved in the transition of your datacenter networks to the firewall. Listed below are the evaluation requirements.

Network Diagram:

An up-to-date network diagram is critical before beginning this process, so that the proper steps are taken throughout the migration.

  1. Current, physical network design at datacenter and PAN firewall location
  2. The diagram should include the following:

    a. All cabled connections between devices

    b. VLANs

    c. Logical interfaces

    d. Port-channel information

  3. Digital Scepter can assist in creating this diagram in a Visio format

  4. Digital Scepter will also create an “after” Visio that reflects the post-migration state of the network

Access to Network Devices:

While not needed, providing Digital Scepter with access to network devices can expedite the migration process and ensure migration accuracy.

  1. The lowest privilege level that allows displaying interface configurations, VLAN information, routing tables, and routing configuration is sufficient.
  2. In lieu of providing Digital Scepter with access, the customer can provide the required command outputs or work directly with Digital Scepter during scheduled meetings.


The planning phase is used to design a migration strategy that best fits the customer network and to build a detailed change plan.

Things to Consider:

  1. New firewall zones will need to be defined for the different datacenter subnets

    a) For example: Web, Application, and Database

  2. Need to update or create new security policies

    a) Allow “Inside” network to “Datacenter”

    b) Allow “Datacenter” to “Outside”

    c) Allow “Outside” to “Datacenter”

  3. Need to update or create new NAT/PAT policies

    a) Destination NATs for public servers need to be updated

    b) PAT rule(s) need to take into account the new source zone(s) for outbound traffic from servers

  4. Firewall service routes

    a) Will these need to be updated for different services?

    b) Will security policies need to be updated to allow service route traffic?
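The zone, security-policy and NAT items above can be checked before the change window. The script below is an added example (not Digital Scepter's or Palo Alto Networks' code) that models a candidate post-migration rulebase with first-match semantics and the PAN-OS defaults (intrazone allow, interzone deny), applies destination NAT the way PAN-OS does (security policy sees the post-NAT zone but the pre-NAT address), and reports which required flows would break. Zone names, subnets and rules are constructed assumptions.

```python
import ipaddress

# Constructed post-migration addressing; zone names are assumptions (the page only
# suggests Web, Application and Database as examples).
ZONES = {"Inside": ["10.0.0.0/16"], "Outside": ["0.0.0.0/0"],
         "DC-Web": ["10.10.10.0/24"], "DC-App": ["10.10.20.0/24"], "DC-DB": ["10.10.30.0/24"]}

# Candidate post-migration rulebases (constructed); first match wins, as on PAN-OS.
SECURITY_RULES = [
    {"name": "Inside-to-DC", "from": {"Inside"}, "to": {"DC-Web", "DC-App", "DC-DB"}, "dst": "any", "action": "allow"},
    {"name": "DC-to-Outside", "from": {"DC-Web"}, "to": {"Outside"}, "dst": "any", "action": "allow"},
    {"name": "Outside-to-Web", "from": {"Outside"}, "to": {"DC-Web"}, "dst": "203.0.113.10/32", "action": "allow"},
]
NAT_RULES = [
    {"name": "DNAT-Web", "from": {"Outside"}, "to": {"Outside"}, "dst": "203.0.113.10/32", "translated": "10.10.10.10"},
    {"name": "Outbound-PAT", "from": {"Inside", "DC-Web"}, "to": {"Outside"}, "dst": "any", "translated": None},
]

def zone_of(ip):
    """Longest-prefix match of an address against the zone subnets (stand-in for the route lookup)."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(n).prefixlen, z) for z, nets in ZONES.items()
            for n in nets if addr in ipaddress.ip_network(n)]
    return max(hits)[1]

def _matches(rule, src_zone, dst_zone, dst_ip):
    if src_zone not in rule["from"] or dst_zone not in rule["to"]:
        return False
    return rule["dst"] == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"])

def post_nat_zone(src_zone, dst_ip):
    """Destination zone seen by security policy: PAN-OS matches the post-NAT zone
    but the pre-NAT destination address, so DNAT rules are consulted first."""
    for rule in NAT_RULES:
        if rule["translated"] and _matches(rule, src_zone, zone_of(dst_ip), dst_ip):
            return zone_of(rule["translated"])
    return zone_of(dst_ip)

def security_verdict(src_zone, dst_ip):
    dst_zone = post_nat_zone(src_zone, dst_ip)
    for rule in SECURITY_RULES:
        if _matches(rule, src_zone, dst_zone, dst_ip):
            return rule["action"], rule["name"]
    return ("allow", "intrazone-default") if src_zone == dst_zone else ("deny", "interzone-default")

def review_plan(required_flows):
    """List required (source zone, destination IP) flows the candidate plan would break."""
    findings, pat = [], next(r for r in NAT_RULES if r["name"] == "Outbound-PAT")
    for src_zone, dst_ip in required_flows:
        verdict, rule = security_verdict(src_zone, dst_ip)
        if verdict != "allow":
            findings.append(f"{src_zone} -> {dst_ip}: blocked by {rule}")
        # servers leaving through a new zone must also be listed as a PAT source zone
        if src_zone != "Outside" and zone_of(dst_ip) == "Outside" and src_zone not in pat["from"]:
            findings.append(f"Outbound-PAT: source zone {src_zone} missing")
    return findings

REQUIRED_FLOWS = [("Inside", "10.10.20.5"), ("DC-Web", "198.51.100.1"),
                  ("DC-App", "198.51.100.1"), ("Outside", "203.0.113.10")]
```

Running `review_plan(REQUIRED_FLOWS)` on the constructed data flags the DC-App outbound flow twice: no security rule allows it, and the PAT rule still lacks the new source zone.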

Migration Strategy:

There are two common approaches to migrating datacenter networks behind the Palo Alto Networks firewall, each with its own pros and cons. Digital Scepter can help with selecting a strategy or design one that more appropriately meets the organization's needs.

1) Migrate existing datacenter network gateways from current switch or router to Palo Alto Networks firewall

See diagram for example:

[Diagram: existing datacenter network gateways moved from the switch/router to the Palo Alto Networks firewall]

Pros:

A) Servers do not need to be readdressed

B) Once gateways are migrated, all servers are immediately behind the firewall


Cons:

A) If issues are experienced, all of your servers will be affected until troubleshooting is completed

B) If network throughput is unknown, moving all servers at once could overwhelm a firewall that was not sized correctly

This option is recommended when the organization has a strong grasp of its network throughput demands and a solid understanding of the overall network design.

2) Build new server networks that will exist on the Palo Alto Networks firewall and extend into your datacenter via layer

See diagram for example:

[Diagram: new server networks hosted on the Palo Alto Networks firewall and extended into the datacenter]

Pros:

A) Allows phased migration of servers to the new networks

B) A single block of downtime is not required, since servers can be migrated to the new networks individually


Cons:

A) Servers that are migrated will need new IP addresses, which may require changes to applications and processes

B) The new IP subnets needed may conflict with the current IP subnet design

This option is recommended when the network has more unknowns, control over the migration is of the utmost importance, and there is an existing need or desire to re-subnet the datacenter.

Change Plan

The change plan should be a detailed document that includes step-by-step directions to complete the datacenter network segmentation.

  1. Includes all steps, including the commands for network changes, in chronological order of execution

  2. Includes the responsible party for each change

  3. Includes a complete rollback plan in the event the migration is not successful


The implementation phase is the execution of the migration strategy that was determined during the planning phase.

  1. Each person involved should have a copy of the change plan and be aware of their role in the change.

  2. All issues encountered during the migration, including the steps taken to correct them, should be documented for change control purposes.

  3. Once the migration is complete, policies should be reviewed for accuracy and to ensure the proper level of access is in place.