BEST

PRACTICES

SECURING DATA IN THE DATA CENTER

Reducing the Attack Surface and Preventing Threats

Protect Your Digital Treasure

The volume and sophistication of attacks against corporate and government data centers
continues to grow at an alarming pace. Published research shows that these attacks tend
to center on three major categories:
• Cyber criminals attacking retail and commercial enterprises, such as stores,
restaurant chains, banks, etc.
• Hacktivists seeking to deface or cause harm to companies to which they’re opposed.
• State-sponsored attacks targeting government or commercial enterprises.
Traditionally, organizations have responded to these attacks by focusing their attention
on detecting and preventing threats at the network perimeter and traffic entering and
exiting the data center, aka north-south traffic. Many IT administrators assumed that
east-west traffic – traffic between systems and applications within a data center – could
be trusted and do not require security protections. However, in many documented
breaches, once an attacker successfully penetrated the network perimeter, they were able
to move laterally, undetected inside the network, locate other servers, access sensitive
data, and ship it outside the network perimeter because the same level of security that
applied to the perimeter was not applied to internal segments within the data center.
Access to sensitive assets within the data center should be regulated using
uncompromised identity credentials and application-based rules, along with a mix of
threat inspection and prevention tools – AV, IPS, anti-spyware – to provide sufficient
security within the data center. Integrated and extensible security architecture across
the entire organization is necessary to protect sensitive information from unauthorized
access and leakage – not just at the perimeter but also at the data center edge and
internal segments within the data center. This approach is known as the Zero Trust model
of information security.

Palo Alto Networks | Best Practices Guide 1

 The Zero Trust model (originally proposed by Forrester® Research) assumes that all traffic
is threat traffic until proven otherwise. Rather than rely on a perimeter-focused collection
Tip: Identify traffic that is of separate security appliances, Forrester advises building a network architecture with
north-south (traffic between the a centralized “segmentation gateway,” which combines multiple security and encryption
data center and external systems) operations (firewall, IPS, NAC, content filtering, VPN, etc.) in a single, high-speed device
located at the core of the network. This enables administrators to segment the network
and east-west (traffic within into zones, which can isolate traffic to a high-value asset from routine, less-sensitive traffic,
the data center) and heighten making it much more difficult for an attacker to gain access to and maintain persistence
within these assets, or siphon data out of the network.
the focus on hidden east-west
security weaknesses. Palo Alto Networks® Next-Generation Security Platform – including hardware-based
appliances and virtual appliances – enables you to implement an effective Zero Trust
security model by allowing you to segment your network, whitelist or blacklist applications,
user access, and specific content, as well as inspect all traffic for threats.

A Phased Approach to Securing Data in the Data Center

Whether you recently started implementing Palo Alto Networks products or have been
administering them for years, make sure you’re maximizing their full value by reviewing our
best practices for using the Zero Trust approach to securing data in the data center.
As with any technology, there is usually a gradual approach to a complete implementation,
consisting of carefully planned deployment phases meant to make the transition as smooth
as possible with minimal impact to your end users. With this gradual transition in mind, we
recommend following our data center best practices in three phases, each building on the
recommendations before it. The ultimate goal for your data center implementation should
be to end up with granular visibility and full inspection into both north-south and east-west
traffic to prevent threats in the data center.

PHASE 1: PLANNING YOUR DATA CENTER DEPLOYMENT

Replacing a legacy firewall with a new system or implementing a data center firewall for the
first time both require complex planning since both options provide the opportunity to start
from scratch with a new (Zero Trust) network architecture.
As a first step, make an in-depth inventory and assessment of both the physical and logical
data center environments. Identify and document the various systems in the data center,
including servers, routers, switches, and other network and security infrastructure. This
assessment should identify and characterize all data traffic: traffic between the data center
and external systems (including other data centers within your organization), as well as traffic
between systems within the data center.

DB

W De
EB v-D
B
AP
P

Re
so
urc
es
eg
me
nt

Firewall

User segment

Palo Alto Networks | Best Practices Guide 2

 Plan to deploy the following basic technologies within your Palo Alto Networks platform.
These are crucial to helping you understand the traffic flowing through your data center,
Tip: There are four “levers” you what it consists of, which assets it’s targeting, and who is attempting access, all of which are
can pull to protect your data imperative to effectively protecting your high-value assets.
center assets: controlling access, • User-ID™ verifies the user’s identity, as opposed to just IP addresses, using
inspecting data usage patterns enterprise directories, terminal services offerings or Microsoft® Exchange. User-ID
provides detailed context concerning users who are accessing the network.
for abuse, disposing of data
• App-ID™ natively recognizes and categorizes thousands of applications, including
when the organization no longer
web applications. App-ID helps identify applications that are in use, discover if
needs it, or encrypting data to applications are using custom or default ports, and find unknown or unauthorized
devalue it in the event that it applications on the network.
is stolen. • Content-ID™ enables customers to apply policies to inspect and control content
traversing the network. Content-ID combines a real-time threat prevention
(Source: Forrester Research)
engine, comprehensive URL database and elements of application identification
to limit unauthorized data and file transfers and to detect and block a wide
range of exploits, malware and dangerous or unauthorized web (HTTP and DNS)
connections. Content-ID is available as part of the Threat Prevention subscription
and allows you to implement policy control over unapproved traffic content, limit
the unauthorized transfer of files and sensitive data, such as credit card or Social
Security numbers, and defend against known and new malware and exploits.

Policy Type Description

Security Determine whether to block or allow a session based

on traffic attributes, such as the source and destination
security zone, source and destination IP address,
application, user and service.

NAT Instruct the firewall as to which packets need translation

and how to do the translation. The firewall supports
both the source and destination address and/or the port
translation.

QoS Identify traffic requiring QoS treatment (either

preferential treatment or bandwidth-limiting) using a
defined parameter or multiple parameters and assign it
a class.

Policy-Based Forwarding Identify traffic that should use a different egress

interface than the one that would normally be used
based on the routing table.

Decryption Identify encrypted traffic that you want to inspect for

visibility, control and granular security.

Application Override Identify sessions that you do not want processed by the
App-ID engine, which is a Layer 7 inspection.

Captive Portal Identify traffic that requires the user to be known. The
captive portal policy is only triggered if other User-ID
mechanisms did not identify a user to associate with the
source IP address.

DoS Protection Identify potential denial of service (DoS) attacks and take
protective action in response to rule matches.

Zone Protection Provides additional protection between specific network

zones on the same firewall to protect against attacks,
including evasion techniques and adherence to traffic
thresholds.

Palo Alto Networks | Best Practices Guide 3

Tip: Install the platform in The application and user visibility and control delivered by App-ID and User-ID, combined
with the content inspection provided by Content-ID, enables IT departments to make
front of any legacy protection risk-based decisions that protect the organization from threats and safely enable systems
device so that it can examine all and applications needed to keep business running.
network traffic before it passes The table below summarizes the various types of policy supported by the Palo Alto
through the legacy device and Networks Next-Generation Security Platform. Determine which features and policy rules
you are going to implement, and in which order, by prioritizing their purpose within the
provide visibility you may be context of your organization’s data center priorities, such as system uptime, bandwidth
missing. consumption, or data security regulations.
Administrator’s Guide:
• Enable User- and Group-Based Policy
Tip: SSL decryption can be
• App-ID Overview
performed on virtual wire
• VM-Series Deployments
(VWire), Layer 2 or Layer 3
• Configure Interfaces and Zones
interfaces, or while in Tap mode.
For a more well-rounded view PHASE 2: COMPLETE VISIBILITY INTO DATA CENTER TRAFFIC
of your data center traffic, make The objective of this stage is to identify and validate all application communication in and
out of the data center. When installing the Next-Generation Security Platform for the
sure you’re decrypting as much first time, we recommend deploying it first in Tap mode.
as possible.
Tap mode provides the ability to passively monitor network traffic without disruption
but does not prevent or block any connections. This allows north-south and east-west
data center traffic to be monitored and profiled for applications, threats and traffic usage
without disrupting production traffic. Reviewing traffic and threat logs created in Tap
mode also makes it possible to verify applications, users and threats that have been
identified by the earlier review of documents and existing configurations.
Collecting and analyzing network traffic can enable you to quickly profile the
environment and detect threats in real time. This data can be used to quickly create
custom reports and a Security Lifecycle Review (SLR), which includes:
• Application identification
• Number of sessions and consumed bandwidth associated with each application
• Source and destination networks
• Total scope of unknown threats observed
Tip: Palo Alto Networks
• Percent of malware detected by the platform that was undetected by third-party
Next-Generation Security AV solutions
Platform can operate in multiple
• Zero-day malware and advanced persistent threats identified by
deployments simultaneously Palo Alto Networks WildFire
because the deployments occur • Application threat vectors and malicious file types
at the interface level. • Risky user behavior
Once the data center’s network traffic data is collected and analyzed, you can create
alerts for commonly seen threats. This will allow you to further analyze your environment
through historical reporting and trending capabilities for traffic validation so that you can
begin the process of more comprehensive, advanced policy development.
Once sufficient data is collected in Tap mode, reconfigure the platform in either VWire or
Layer 2 (L2) / Layer 3 (L3) mode to begin taking action on unwanted and risky traffic.
VWire provides flexibility in enforcing distinct policies that can be used to manage traffic
from multiple internal networks and separate and classify traffic into different zones. This
configuration logically isolates a high-value asset environment from other, less critical
systems. In VWire mode, the platform is installed transparently on a network segment
by binding two ports together. This simplifies installation and configuration and does
not require any changes to adjacent network devices. Data center distribution and/or
core switches are configured to selectively forward only the relevant high-value asset
traffic to the platform (via VLANs), allowing the environment to maintain its VLAN and IP
addressing. VWire mode reroutes all traffic through the platform to enable initial policy

Palo Alto Networks | Best Practices Guide 4

 development and monitor all traffic into and out of the environment.
Tip: To evaluate your traffic
Use the gathered information to develop an initial security policy that describes
without time-consuming manual
authorized access, such as approved sources, destination networks, applications and
log reviews, develop custom user groups. Then create security rules for inbound and outbound communication from
reports, such as those covering the data center with groupings of similar, known applications, such as database, web,
application, Microsoft, management and infrastructure. This enables you to develop
top applications, top security a broad security policy framework to classify approved applications. Apply threat
rules, and traffic matching the protection profiles to all policies for additional security visibility so that you’re in a good
catchall “allow any any” security position to block exploits, malware, and command-and-control traffic without impacting
business communication.
rule. These types of reports
To make sure you’re not blocking any essential communication while you build and test
provide a historical baseline of
your data center policy, implement a catchall “allow any any” security rule at the end of
data that allow you and your the security policy hierarchy that explicitly allows all communication that isn’t already
team to continuously profile attached to a rule.
the traffic into and out of your Any applications using non-standard ports or protocols, or unknown applications, should
be specially reviewed and only allowed after validation with the system owner. The
data center.
validated application rules should be added above the catchall rule in the hierarchy for
safe enablement and logical policy development.
By the end of this phase, the security policy should include all identified and approved
applications, ports, protocols, source and destination networks, and users and user
groups authorized to access them. The result is that all approved traffic is identified by an
Tip: The ordering of rules is application with a specific security policy. Only unapproved traffic will trigger the catchall
critical to ensuring your best rule, which you can then review, validate, and create another rule to specifically allow it.
match criteria. Because policy
is evaluated from the top down, Prod-DB

more-specific policies must

precede more-general ones. A
rule that is placed lower is not
evaluated if the match criterion
is met by another rule that
precedes it.

SAP-DB

IT

HR

Legal

Contractors

Execs

Finally, to enforce active protection, discontinue simple alerting and shift to active
blocking of known threats by adding security profiles to your rule set. Replace the catchall
rule with a new “deny any any” rule at the end of the policy list that is configured to
block and log all denied traffic. This change from a blacklist to a whitelist approach allows
the system to deny all traffic that was not expressly allowed, while maximizing visibility
and the prevention of threats. At this point you can decommission the legacy security
platform and remove it from service.

Palo Alto Networks | Best Practices Guide 5

Tip: The ordering of rules is Administrator’s Guide:

critical to ensuring your best • Monitoring

match criteria. Because policy • Components of a Security Rule

• How to Configure a Palo Alto Networks Device for Tap Mode Operation
is evaluated from the top down,
• Set Up Security Profiles and Policies
more-specific policies must
• Decryption
precede more-general ones. A
• Virtual Wire Deployments
rule that is placed lower is not
• Generate Custom Reports
evaluated if the match criterion
is met by another rule that PHASE 3: ADVANCED DATA CENTER SECURITY
precedes it. Once you have your basic security platform configured, you can turn your attention
to creating additional special reports, fine-tuning policy rules, and implementing
additional prevention capabilities, such as strict security profiles, WildFire™ cloud-based
malware analysis environment, GlobalProtect™ mobile workforce security service, and
Traps™ advanced endpoint protection.
Tip: Because multiple layers Enable file forwarding to WildFire to ensure that unknown files – particularly those
of encoding can be used as an file types with legitimate business uses, like Microsoft Office and Adobe® Acrobat®
evasion technique, use Multi- files – do not contain any advanced persistent threats (APTs) or zero-day malware.
WildFire analyzes unknown files and then generates malware, command-and-control,
Level-Encoding to ensure that and URL protections when a file is deemed “malicious.” WildFire executes suspicious
unidentified files that have not content in multiple versions of the target application located within virtualized operating
been processed for threats do systems and identifies hundreds of behaviors associated with malicious software,
such as modifications to the host, suspicious network traffic, and anti-analysis evasion
not pass through the firewall to techniques. Along with application protections, these behaviors are also delivered within
your data center. a report that can then be used to positively identify infected systems.
If you have assets that communicate externally in any capacity, configure URL Filtering
profiles to applicable rules for an additional layer of security so that these assets cannot
communicate with malicious and high-risk URLs.
Enable GlobalProtect on users’ company-issued phones and laptops to identify them
beyond their IP address when they attempt to access assets remotely, extend the
security protections on your platform when they’re off network, and ensure that their
connection to your data center is secure. GlobalProtect is a User-ID™ source that
increases the reach of the security platform to your users, wherever they are, and
ensures that access to high-value assets within your data center always comply with the
security policy.
Deploy Traps Advanced Endpoint Protection on all Windows servers and virtual desktop
infrastructure (VDI) running within your data center to provide an additional layer of
exploit protection. Traps is an agent that prevents zero-day vulnerability exploits and
malware-driven attacks without signatures, protecting assets in your data center from
compromise. The Traps agent injects itself into each process as it is started and focuses
on the core techniques that an attacker must link together in order to execute an
attack. If the process attempts to execute any of the core attack techniques, Traps will
immediately block that technique, terminate the process, and notify the admin that an
attack was prevented.

Palo Alto Networks | Best Practices Guide 6

 Administrator’s Guide:
Tip: : Configure your platform • VPN Deployments
to pull protection updates from • URL Filtering
WildFire every five minutes. • Enable Basic WildFire Forwarding
• Use an External Dynamic List in Policy

Our Commitment to Support Our Customers

Tip: Utilize the External Dynamic Palo Alto Networks is committed to ensuring a successful deployment and provides
comprehensive support through our Global Customer Services organization. We
Lists feature to deter attackers
understand fully that failure is not an option. Our support offerings and training
by importing the source IP programs are designed to mitigate any deployment concerns you may have.
addresses of repeat offenders • Palo Alto Networks Solution Assurance Services
who appear within your threat • Palo Alto Networks Customer Support Plans
logs within a given amount of • Palo Alto Networks Consulting Services
time and blocking them for • Palo Alto Networks Educational Services
24 hours or longer. Join Palo Alto Networks LIVE Community for user discussions, tutorials and
knowledge base articles.
• PAN-OS Administrator’s Guide, Version 7.1 – Panorama
• PAN-OS Administrator’s Guide, Version 7.0 – Panorama
• PAN-OS Administrator’s Guide, Version 6.1 – Panorama

Join Palo Alto Networks Fuel User Group community to connect with like-minded
­professionals around the globe who are ready to discuss their hard-won best practices
and trade insights. You can also get exclusive access to subject matter experts to
answer your most challenging, security-related questions through online events, such as
webinars and Q&A sessions, and in-person events, as well.

4401 Great America Parkway © 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
Santa Clara, CA 95054 of Palo Alto Networks. A list of our trademarks can be found at http://www.
Main: +1.408.753.4000 paloaltonetworks.com/company/trademarks.html. All other marks mentioned
Sales: +1.866.320.4788 herein may be trademarks of their respective companies. pan-wp-best-practices-
Support: +1.866.898.9087 chapter7-sddc-052716

www.paloaltonetworks.com