Whether you are in control of an enterprise data center that keeps your employees connected and productive, or you run an Internet-facing data center that supplies remote functionality to hosted users, one thing is consistently true: your business is at constant risk. The movement of traffic into, out of, and throughout your network poses the immediate threats of misuse and malicious attack; therefore, monitoring and controlling your network data with the best firewall protection available should be at the forefront of your network design priorities.
With network technology advancing at such an astonishing rate, keeping your business protected against the latest dangers can feel like an overwhelming, time-consuming, and often confusing process. In the past ten or so years, the number of counterproductive ways for employees to spend their time online has dramatically increased, with the dawn of social media and browser-based entertainment marking a downturn in workplace productivity. Online trends have also had a significant impact on Internet-facing data centers, where hosted accounts have more sophisticated ways to breach acceptable usage policies.
In this article, we discuss how the more traditional port protocol firewall device is no longer able to keep up with the recent trends in Internet use, and how – for dependable protection – the Palo Alto Networks (PAN) next-generation firewall provides the robust security your network requires. We also explore how the advanced technology within a next-generation perimeter protection device can help keep your business connected, available, and productive at all times.
Why port-blocking firewall devices fail to meet the demands of modern security
Whenever data is sent through a network, either internally or externally via the Internet, a connection is formed across a specific port. The easiest way to think of a port is as a door through which people can enter or exit a device, such as the computer you are using. For continuity in the development community and to eliminate the risk of data becoming corrupted and unusable, every application should, theoretically, use a unique port number – for example, a web browser using the HTTP protocol would send traffic through port number 80, while a POP email inbox would operate over port number 110.
With this in mind, it is no surprise that a traditional perimeter security system such as a firewall works by restricting access to specific ports across your network. Let us imagine that we want to stop our employees from browsing the Internet. To achieve this with a traditional firewall, we can block all activity on port number 80, rendering web browsers inoperable, or block access to specific IP addresses through port 80, stopping users from accessing specific websites.
However, as the Internet becomes an increasingly integral part of day-to-day business, the strict filtering associated with port-blocking firewalls can restrict the ways in which the Internet can enhance productivity. Fundamentally, a traditional firewall protection device lacks the rich, granular control that is necessary for balancing effective security against flexible use.
Advanced granular protection with a Palo Alto Networks next-generation firewall
Founded with the goal of developing a solution that matches robust perimeter protection with user-specific, application-specific, and content-specific controls, Palo Alto Networks has grown to become a leading force in the development and manufacturing of next-generation firewall devices. By implementing a wide range of policy options built around detailed analysis of all incoming and outgoing traffic, Palo Alto Networks firewall protection makes network security more powerful, available, and easy to use than ever before.
Let’s look at how a Palo Alto Networks firewall can make your data center more secure.
1. Powerful multi-gigabit firewalls with no service degradation
Above all else, a perimeter protection device should feature powerful mitigation technology to analyze data and implement your preferred policies at speed. Palo Alto Networks uses three distinctive proprietary technologies – App-ID to identify the specific application that is being used on a client machine, User-ID to determine the individual who is using it, and Content-ID to look at the specific data that is being transmitted. As a result, data centers can enjoy incredibly accurate control over which applications are allowed, who is allowed to use them, and the ways that they can be used within your network.
All of this is achieved on a multi-gigabit device that, when deployed in-line in your network, causes no degradation in performance or functionality. A Palo Alto Networks firewall provides invisible network protection that never gets in the way of approved use and expected system performance.
2. Flexible platform to enable network segmentation
While any firewall can do network segmentation, port- and IP address-based segmentation is as meaningless in the data center as it is at the perimeter – which is to say, practically worthless in the face of an application and threat mix that can, for the most part, use any open port. Furthermore, controlling access by IP address or IP address pool is an equally poor approximation for users. To better meet zone-based compliance requirements, an organization needs network segmentation by user and application. So, for example, an organization can segment off the servers containing cardholder data, and only permit access to that segment to finance users employing the payments application – thus containing and limiting access, and maintaining individual accountability. Having that level of control, and perhaps most importantly, auditability, has proven to be indispensable for many large enterprises.
3. Diversity of architectures
Another key attribute of enterprise data centers is diversity of architectures. Part of this is due to the fact that in some organizations, internal “data centers” aren’t necessarily a single place. This means that the usual stack of routers, core switches, access switches, and other network resources can look a little different in the face of extensive use of VLANs and distributed application components. This is another strong suit of Palo Alto Networks next-generation firewalls.
Additionally, these firewalls can integrate at L1 (virtual wire), L2, and L3, even operating in mixed mode across a port-dense appliance. Furthermore, the ability to trunk VLANs, aggregate ports, and perform role-based administration across security zones and virtual firewalls enables organizations to integrate next-generation firewalls into any architecture and operational model.
4. Data center control of rogue applications
One of the other key uses of Palo Alto Networks next-generation firewalls in the enterprise data center is control of rogue applications. Rogue, misconfigured SharePoint deployments, unauthorized use of SSH on non-standard ports, and even P2P filesharing have been discovered and controlled in customer deployments. Another example is more operationally focused – application developers are known to implement databases and other application components on any port that is convenient. Rather than attempt to control application developers, control the applications – meaning if MySQL is an approved application between security zones, it’s allowed, regardless of which port it’s on. This greatly simplifies keeping up with developers, and safely enables key applications without increasing the attack surface.
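To make the contrast in sections 2 and 4 concrete, here is an added Python illustration of a port-only rule set beside a zone-, user-, and application-aware one. This is not Palo Alto Networks code: the payload signatures, zones, rules, and sample flows are constructed assumptions for the demo.

```python
import re

# Payload prefixes used as stand-ins for application identification. These
# three signatures are constructed for the demo; a real App-ID engine uses
# far richer protocol decoders than a prefix match.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    # MySQL server greeting: 4-byte packet header, protocol byte 0x0a, version.
    ("mysql", re.compile(rb"^.{4}\x0a[0-9]+\.[0-9]+\.[0-9]+", re.DOTALL)),
]

# Port-based firewall: a destination port is either open or closed.
PORT_RULES = {443, 3306}  # open ports; everything else implicitly denied

# Application- and user-aware rules between security zones (constructed):
# (source zone, destination zone, user group or "any", application).
APP_RULES = {
    ("app-tier", "db-tier", "developers", "mysql"),
    ("users", "dmz", "any", "http"),
}

def identify_app(payload: bytes) -> str:
    """Return the application matching the first bytes of a flow, or 'unknown'."""
    for name, pattern in APP_SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def port_decision(dst_port: int) -> bool:
    """Traditional firewall: the verdict depends only on the destination port."""
    return dst_port in PORT_RULES

def app_decision(src_zone: str, dst_zone: str, user_group: str, payload: bytes) -> bool:
    """Next-generation style: verdict on zone pair, user group and identified
    application; the port is never consulted."""
    app = identify_app(payload)
    return any(sz == src_zone and dz == dst_zone and ug in (user_group, "any") and a == app
               for sz, dz, ug, a in APP_RULES)

# Constructed sample flows: (description, src zone, dst zone, user group, dst port, payload).
FLOWS = [
    ("SSH tunnelled over 443", "users", "dmz", "staff", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("MySQL on a non-standard port", "app-tier", "db-tier", "developers", 33060,
     b"\x4a\x00\x00\x00\x0a5.7.33-log\x00"),
    ("HTTP on 8080", "users", "dmz", "staff", 8080, b"GET /index.html HTTP/1.1\r\nHost: x\r\n"),
]

def compare() -> dict:
    """Map each flow description to (port-based verdict, application-based verdict)."""
    return {d: (port_decision(p), app_decision(s, z, u, pl)) for d, s, z, u, p, pl in FLOWS}
```

The port-only rule set waves SSH through on 443 and blocks the approved MySQL and HTTP traffic merely because they sit on unexpected ports; the application-aware rules give the opposite, intended, verdicts.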
5. Redundant firewall devices for high-availability networks
Given the integral role that a firewall plays in-line as part of your overall network, it is important that any data center take steps to eliminate its firewall as a single point of failure. This is particularly vital in the world of web hosting data centers, where network availability is a major selling point of the service that you might offer. As well as being easily paired in active/passive and active/active combinations for redundancy in case of hardware failure, Palo Alto Networks next-generation firewalls can be placed into asymmetric environments as necessary. In the event that one of your firewalls becomes overloaded with traffic or is misconfigured, a heartbeat connection allows your second device to step into action and keep your network secure.
6. Dependable administration for ease-of-use, regardless of traffic
As well as featuring redundancy options to facilitate high-availability networking, Palo Alto Networks firewalls include some built-in functionality to keep administration panels available, even at times of high usage. The Palo Alto Networks web-based control panel, offering at-a-glance, color-coded risk assessments alongside detailed usage logs by username, runs with its own dedicated processing and memory. As a result, data centers can be confident that they are in full control of their network and are able to alter settings and configuration, even during the most dramatic traffic spikes.
Together, the power, availability, and absolute control of a Palo Alto Networks firewall make this next-generation solution the most dependable form of perimeter protection on the market. With the right implementation and integration with your existing network, a Palo Alto Networks firewall offers bulletproof security, convenient administration, and – most importantly – complete peace of mind that your network is safe.
Find out more about Palo Alto Networks firewalls from Digital Scepter today
There is little doubt that using a next-generation firewall is an excellent solution for any data center that depends on availability of data alongside control-of-use. However, for the best results, you will also need to call on the expertise of an experienced network security specialist who can advise you on the best solution, configuration, and implementation for your unique security needs.
With years of experience in network security, Digital Scepter is a boutique protection specialist that can provide you with invaluable insight into the threats that your network faces and the defense necessary to combat these threats effectively. Digital Scepter works with businesses and organizations of all sizes to diagnose risk, design solutions, and implement them in the best ways possible.
Demonstrating advanced expertise in Palo Alto Networks devices specifically, Digital Scepter is also a Palo Alto Networks Platinum Level Partner, guaranteeing consistently best practice implementations of all Palo Alto Networks firewall devices.