NSE L1 M1 Datacenter Firewall (Rev 1).Pptx

This module presents a more detailed investigation of the growing role of data centers in modern technology infrastructure and how data center firewall design and configuration may provide network security while maintaining balance among organizational resources and operating requirements.

description

Module 1 Fortinet Associate

Transcript of NSE L1 M1 Datacenter Firewall (Rev 1).Pptx

  • This module presents a more detailed investigation of the growing role of data centers in modern technology infrastructure and how data center firewall design and configuration may provide network security while maintaining balance among organizational resources and operating requirements.

    1

  • This module will include discussion on the following topics:

    Characteristics of Data Center Firewalls, including customization and the three primary foundations for Data Center Security.

    Connectivity requirements, including high speed/high capacity, cloud, and virtual.

    Data Center network security functions, including multi-layer network and content processing security.

    Data Center Services, including infrastructure, platform, and software as services and how they relate to industry use.

    The module will end with a summary and an opportunity for questions and answers.

    2

  • At the conclusion of this module, you will understand:

    How customization of data center firewalls may affect performance and throughput.

    The three essential foundations for data center security.

    Connectivity capabilities of data center firewalls for different appliances and program options, including hardware, cloud, and virtual.

    How Data Center Firewalls provide a number of network security functions.

    How the three standard application service components differ based on the needs and capabilities of network users and administrators.

    3

  • A common phrase heard in today's business market is "No matter what business you are in, you are a technology business." In the 21st Century, this is true of large businesses and the most successful small and medium businesses (SMB).

    Along with growing use of technology came a need to not only develop more specialized applications but also develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations: the Data Center.

    As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes.

    Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

    4

  • As previously mentioned, consumer trends influenced data center development; however, this development was also spurred on by changes in business practices that include:

    Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

    Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private or hybrid.

    Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. Dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.

    BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.

    Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.

    The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having ambient intelligence.

    5

  • Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances.

    Designing the data center firewall with a hybrid design merging Application Specific Integrated Circuits (ASIC) with a Central Processing Unit (CPU) may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

    Two primary options for hybrid design:

    - CPU + OTS ASIC: General purpose CPU + Off the Shelf (OTS) processor. Simplest, but suffers performance degradation.

    - CPU + Custom ASIC: General purpose CPU + Custom-built ASIC designed for intended device function(s). More difficult, but most efficient design.

    6

  • Edge Firewalls are implemented at the edge of a network in order to protect the network against potential attacks from external traffic. This is the best understood, or traditional, role of a firewall: the gatekeeper.

    In addition to being a gatekeeper, Data Center Firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions.

    These functions are referred to as Multi-Layered Security, and may include:

    - IP Security (IPSec)
    - Firewall
    - IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
    - Antivirus/Antispyware
    - Web Filtering
    - Antispam
    - Traffic Shaping

    7

    These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats.

  • The defining ability of a data center network core firewall configuration with high speed, high throughput and low latency is the ability to evolve as technology develops:

    - Throughput speeds have the potential to double every 18 months
    - High-speed 40/100 GbE ports are already going into existing systems
    - External users are moving from Internet Protocol version 4 (IPv4) to IPv6

    Size DOES Matter. Historically, factors considered in firewall selection included the number of users, internal and external, accessing the network or its components.

    Data center firewalls make sense for SMB because of higher throughput, port capacity, and concurrent sessions.

    Large or highly distributed organizations should consider using an enterprise campus firewall:

    - Capacity to handle thousands of users and multiple locations
    - Tradeoff: Required redundancy increases costs and system complexity
    - Self-managing enterprise campus firewalls requires extensive training

    Managed Security Service Providers (MSSP) are third-party, outsourced companies that manage data center security.

    - High availability: 24/7 service necessary for large enterprise campus networks
    - Redundancy: To ensure coverage of your organization's network security infrastructure
    - Serviceability: Detailed service level agreements (SLA) & confidentiality
    - Current high failure rate of MSSP companies

    8

  • By designing and implementing infrastructures integrating high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with changing needs and threats.

    Three foundations form the basis for data center firewall security:

    Performance. Higher performance through high-speed, high-capacity, low-latency firewalls.

    - Minimum required throughput for a data center firewall is 10 Gbps
    - Large data centers may increase to an aggregate 100+ Gbps
    - Minimum port size connectivity of 10 GbE
    - Some capabilities already in the 40-100 GbE range

    Segmentation. Organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats.

    - Applications, user groups, regulatory requirements
    - Business functions, trust levels, locations
    - High density and logical abstraction to support both physical and virtual segmentation clouds

    Simplification. Because data centers extend to external users from various platforms, input sources, and trust levels, a Zero-Trust model should be adopted from the edge throughout segmentation and the network core.

    - Requires consolidated, simplified security platform for high-speed operations
    - Integration of network routing and switching into firewall controls
    - Centralized visibility and control of functions and security monitoring

    9
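    The segmentation and zero-trust foundations described on this slide, as an added example (not part of the Fortinet course material): segments carry a trust level, every flow between segments is denied unless an explicit rule allows it, and flows observed between segments can be audited against the policy before it is enforced. Segment names, trust levels, ports and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Segment:
    name: str
    trust: int   # higher = more critical; 1 = web tier, 3 = regulated data tier
@dataclass(frozen=True)
class Rule:
    src: str     # source segment
    dst: str     # destination segment
    port: int    # destination TCP port, 0 = any port
    action: str  # "allow" or "deny"

# Constructed segments: split by business function and trust level.
SEGMENTS = {s.name: s for s in (
    Segment("web", 1), Segment("app", 2), Segment("pci-db", 3), Segment("mgmt", 3))}

# Constructed policy: only explicit allows; anything unmatched is dropped.
RULES = [
    Rule("web", "app", 8443, "allow"),
    Rule("app", "pci-db", 5432, "allow"),
    Rule("mgmt", "pci-db", 22, "allow"),
]

def evaluate(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> str:
    """Policy action for one flow. Unknown segments and unmatched flows are
    denied, which is the default-deny that a zero-trust model requires."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        return "deny"
    for r in rules:  # first match wins, as in a firewall policy table
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.action
    return "deny"

def overly_broad(rules: List[Rule] = RULES) -> List[str]:
    """Flag allow-any-port rules from a lower-trust segment into a higher-trust
    one; they collapse the segmentation boundary the policy is meant to keep."""
    return [f"{r.src}->{r.dst}" for r in rules
            if r.action == "allow" and r.port == 0
            and SEGMENTS[r.src].trust < SEGMENTS[r.dst].trust]

def shadow_audit(observed: List[Tuple[str, str, int]],
                 rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    """Run observed flows through the policy without enforcing it and return
    those that would be dropped, so legitimate ones can be added first."""
    return [f for f in observed if evaluate(*f, rules) != "allow"]

# Constructed sample of flows seen between segments before enforcement.
OBSERVED = [("web", "app", 8443), ("web", "pci-db", 5432),
            ("app", "pci-db", 5432), ("app", "web", 22)]
```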

  • Traditional firewalls protect physical computer networks running on physical hardware and cabling. This is also referred to as North-South traffic.

    Virtual traffic is referred to as East-West traffic. Virtual machines (or virtual drives and networks) residing on physical equipment may also be subject to intrusion from external threats.

    Today, 60-70% of traffic is E-W, which is why virtual networks are of vital importance and, as a result, why data centers and data center security have emerged in modern networks.

    A virtual firewall is simply a firewall running in the virtual environment, providing packet filtering and monitoring much like the physical firewall does for the physical network. The virtual firewall may take a number of forms:

    - Loaded as traditional software on the virtual host machine
    - Built into the virtual environment
    - A virtual switch with additional capabilities
    - A managed kernel process within the host hypervisor for all virtual machine activity

    Virtual firewalls deploy and operate in two modes:

    Bridge Mode. Acts like a physical firewall, installed at an inter-network switch or bridge to intercept traffic.

    - Decides to allow passage, drop, reject, forward, or mirror the packets
    - Standard for early networks & some current SMB networks

    Hypervisor Mode. Resides in the host virtual machine (or hypervisor) to capture and analyze packets heading for the virtual network from outside the network.

    - Runs faster than Bridge Mode, within the kernel at native hardware speeds
    - Popular hypervisors include VMware vSphere, Citrix Xen, Microsoft Hyper-V

    10

  • Application systems typically consist of three basic components:

    Interfaces. The control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices.

    Programming (Logic). Scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Large computers may use more than one computer language to drive the system and connect with networks.

    Databases. Electronic repositories of data used to store information for an organization in a structured, searchable, and retrievable format. Most are structured to facilitate downloading, updating and, when applicable, sharing with other network users.

    Computer Systems are simply sets of components assembled into an integrated package.

    CPU (Central Processor Unit). The heart of the machine, around which various other components and peripherals are built.

    Components: Data Storage, Memory, Drives, Motherboards, Interfaces

    Peripherals: Input Devices, Displays, Printers, Scanners, etc.

    Computer system components vary in size and complexity and may be designed for single or multiple purposes.

    11

  • With increasing use of cloud services to enable mobile (even global) access to applications and data, technology developed to fulfill the needs of industries from SMB to large international organizations. Three primary methods are integral to this service, each having benefits and tradeoffs between the developer (user) and vendor (provider).

    Infrastructure as a Service (IaaS). The most basic of the three cloud models. The service provider creates the infrastructure, which becomes a self-service platform.

    - Benefit: No large infrastructure investment, upgrades & service; operational flexibility
    - Tradeoff: Requires user to have a high degree of technical knowledge or employ tech

    Platform as a Service (PaaS). Provides an additional level of service to the user beyond the IaaS model. Provider builds infrastructure AND provides monitoring & maintenance service. User has access to Middleware to assist with application development.

    - Benefit: Reduces amount of coding necessary to automate business policy
    - Tradeoff: Increased cost

    Software as a Service (SaaS). Largest cloud market and continues to grow. In addition to the PaaS services, applications are managed by the provider. Businesses develop software and requirements; a third party manages them.

    - Benefit: No need for resident software installation on physical systems (web-based)
    - Tradeoff: Lack of flexibility in application configuration (Brand-X vs. Custom)

    Shared Security Model. In the Do-It-Yourself (DIY) model, you are responsible for end-to-end security of data and processes. When using cloud services, the vendor (provider) assumes some or all of the responsibility for security management, with the exception of data you add to the application or database as the developer (user).

    12

  • Infrastructure as a Service (IaaS).

    Amazon, Rackspace Cloud, Joyent

    Platform as a Service (PaaS).

    Google App Engine, Force.com, Windows Azure

    Software as a Service (SaaS).

    Google Apps, Salesforce.com, ZOHO

    13

  • Now that we have discussed some of the Data Center Firewalls, their components, methods of deployment, and resulting benefits & tradeoffs, are there any questions before moving into the next module?

    From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. The next module will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.

    14