Securing Traditional and Cloud-Based Datacenters With Next-generation Firewalls

Transcription

1 Securing Traditional and Cloud-Based Datacenters With Next-generation Firewalls February 2015

2 Table of Contents Executive Summary 3 Changing datacenter characteristics 4 Cloud computing depends on virtualization 4 Cloud computing security considerations and requirements 5 Existing datacenter security solution weaknesses 6 Securing your datacenter with Palo Alto Networks 6 Enabling your datacenter applications using Zero Trust principles 7 Block known and unknown cyber threats inbound and across your datacenter 8 Reducing management overhead 9 Centralized management 9 Streamlining policy deployment and updates 9 Purpose-built hardware form factor 10 -Series virtualized form factor 11 Summary 11 PAGE 2

3 Executive Summary Virtualization is helping organizations like yours utilize datacenter hardware infrastructure more effectively, leading to a reduction in costs, and improvements in operational efficiencies. In many cases, virtualization initiatives begin internally, with your own hardware and networking infrastructure augmented by tools like ware or K and OpenStack to help manage your virtualized environment. Often referred to as private cloud, these projects are fueling significant expansion into what can be referred to as the public cloud which represents the use of a pre-built infrastructure such as Amazon Web Services (AWS) that allows you to subscribe or pay for compute, networking, and storage services as needed. The benefit to this model is that it removes some of the management efforts, helps reduce the overall investment and allows you to expand rapidly as your needs change or grow. A few of the proof points that validate the cloud computing momentum* include: Gartner estimates that almost 50 percent of all x86 server workloads are virtualized today with this number expected to grow to 77 percent in Cloud computing has rapidly accelerated to where 64 percent of CIOs view it as a crucial technology for their business; this is more than double the 30 percent who viewed it as crucial in percent of CIOs IBM interviewed are actively looking into how cloud technologies can better serve and collaborate with customers. By 2017, roughly $217B will be spent on cloud computing technology, an amount that is nearly triple the $75B spent in In most cases, your physical datacenter will not disappear, instead, it will evolve to where it is a hybrid approach, using a combination of physical and private or public cloud computing technology. As this evolution occurs, the same security challenges that you face in protecting your physical datacenter will exist within your cloud computing environments. Recent high profile attacks have shown that cyber threats will use common applications to bypass controls, then, once on your network, move with little resistance while hiding in plain sight. Once their target has been discovered, exfiltration occurs across known applications such as FTP or an application encrypted with SSL. Just as an attack or compromise within your physical datacenter is a significant incident, the impact of a compromise in your virtualized environment is amplified because your workloads, some of which use varied trust levels, and associated data are centralized, without any security barriers between to keep them segmented. If your virtual environment is compromised, the attacker has access to everything. An additional challenge to securing your datacenter workloads, is the fact that security policies and associated updates cannot keep pace with the speed of your workload () changes, resulting in a weakening of your security posture. This white paper describes the challenges of securing your datacenter and cloud computing environments, and how to address those challenges with next-generation firewalls. * Statistics source: PAGE 3

4 Changing datacenter characteristics Datacenters are rapidly evolving from a traditional, closed environment with static, hardware-based computing resources to one where there is a mix of traditional and cloud computing technologies. The benefit of moving towards a cloud computing model private, public or hybrid is that it improves operational efficiencies and lowers capital expenditure for your organization: Optimizes existing hardware resources: Instead of a one server, one application model, multiple virtual applications can be run on a single physical server. This means that organizations can leverage their existing hardware infrastructure by running more applications within the same system. Reduces datacenter costs: Reducing the server hardware box count not only reduces the physical infrastructure real-estate but also reduces datacenter-related costs such as power, cooling and rack space. Increases operational flexibility: Through the dynamic nature of virtual machine provisioning, applications can be delivered more quickly than the traditional method of purchasing them, racking/stacking, cabling, and so on. This helps improve the agility of the IT organization. Maximizes efficiency of datacenter resources: Because applications can experience asynchronous, or bursty demand loads, virtualization provides a more efficient way to address resource contention issues and maximize server utilization. It also provides a better way to deal with server maintenance and backup challenges. For example, IT staff can migrate virtual machines to other virtualized servers while performing hardware or software upgrades. Virtualized Compute, Network and Storage Virtualized Compute, Network and Storage Virtualized Compute, Network and Storage Hypervisor Today s Datacenter (Dedicated Severs + Virtualization) Software Defined Datacenter (Private Cloud) Hybrid (Private + Public Cloud) Image 1: Datacenters are evolving to include a mix of hardware and cloud computing technologies. Cloud computing depends on virtualization Cloud computing, unlike common misconceptions, is not a location but rather a pool of resources that can be rapidly provisioned in an automated, on-demand manner. The U.S. National Institute of Standards and Technology (NIST) defines cloud computing in Special Publication (SP) as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The business value of cloud computing is the ability to pool resources together to achieve economies of scale and agility. This is true for private or public clouds. Instead of many independent, and often under-utilized servers deployed for your business applications, pools of resources are aggregated, consolidated, and designed to be elastic enough to scale with the needs of your business groups. PAGE 4

5 The move towards cloud computing not only brings cost and operational benefits but technology benefits. Data and applications are easily accessed by users no matter where they reside, projects can scale easily, and consumption can be tracked effectively. Virtualization is a critical part of a cloud computing architecture, that when combined with software orchestration and management tools, allow you to stitch together disparate processes in a seamless manner, so that they can be automated, easily replicated and offered on an as-needed basis. Cloud computing security considerations and requirements With cloud computing technologies, your datacenter environment can evolve from a fixed environment where applications run on dedicated servers, towards an environment that is dynamic and automated, where pools of computing resources are available to support application workloads that can be accessed anywhere, anytime, from any device. Security remains a significant challenge when you embrace this new dynamic, cloud-computing environment. Many of the principles that make cloud computing attractive are counter to network security best practices. Cloud computing does not lessen existing network security risks. The security risks that threaten your network today do not change when you move to the cloud. In some ways, the security risks you face when moving to the cloud become more significant. Many datacenter applications use a wide range of ports, rendering traditional security ineffective. Cyber criminals are creating sophisticated port-agnostic attacks that use multiple vectors to compromise their target then hide in plain sight, using common applications to complete their mission. Security wants separation and segmentation; the cloud relies on shared resources. Security bestpractices dictate that mission critical applications and data be separated, in secure segments on the network using Zero Trust principles of never trust, always verify. On a physical network, Zero Trust is relatively straightforward to accomplish using firewalls and policies based on application and user identity. In your cloud computing environment, direct communication between virtual machines within a server occurs constantly, in some cases across varied levels of trust, making segmentation a difficult task. Mixed levels of trust, when combined with a lack of intra-host traffic visibility by virtualized port-based security offerings may introduce a weakened security posture. Security deployments are process oriented; cloud computing environments are dynamic. The creation or modification of your virtual workloads can often be done in minutes, yet the security configuration for this workload may take hours, days or weeks. Security delays are not purposeful, they are the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant policy updates determined. In contrast, virtualization teams operate in a highly dynamic environment, with workloads being added, removed and changed in a dynamic manner. The result is a discrepancy between security policy and virtualized workload deployment and a weakened security posture. As your organization embraces the cloud, your networking, security and virtualization teams have two alternatives when it comes to protecting the resident mission critical applications and data from modern cyber threats. The first alternative is to ignore security all together, not because it is unnecessary, but because security policy deployment cannot keep pace with the rate of change within the cloud, often times lagging weeks behind. The second alternative is to implement traditional security technologies that are port-bound, which means they lack the ability to identify and control applications and they are ineffective at blocking today s modern attacks. Neither of these alternatives address the critical requirements you need to protect your cloud environments. Key requirements for securing the cloud include: Consistent security in physical and virtualized form factors. The same levels of application control and threat prevention should be used to protect both your cloud computing environment and your physical network. First, you need to be able to confirm the identity of your datacenter applications, validating their identity and forcing them to use only their standard ports. You also need to be able to block the use of rogue applications from accessing the datacenter while simultaneously looking for, and blocking misconfigured applications. Finally, application-specific threat prevention policies should be applied to block both known and unknown malware from moving into and across your datacenter. PAGE 5

6 Segment your business applications using Zero Trust principles. In order to fully maximize the use of your computing resources, it is now a relatively common practice to mix application workload trust levels on the same compute resource. While efficient in practice, mixed levels of trust introduces security risks in the event of a compromise. Your cloud security solution needs to be able implement security policies based on the concept of Zero Trust as a means of controlling traffic between workloads while preventing lateral movement of threats. Centrally manage security deployments; streamline policy updates. Physical network security is still deployed in most every organization so it is critical that you have the ability to manage both hardware and virtual form factor deployments from a centralized location using the same management infrastructure and interface. Gartner advocates that organizations favor security vendors that span physical and virtual environments with a consistent policy management and enforcement framework. In order to ensure security keeps pace with the speed of change your workflows may exhibit, your security solution should include features that will allow you to lessen, and in some cases, eliminate the manual processes that security policy updates often require. Existing datacenter security solution weaknesses Existing datacenter security solutions exhibit the same weaknesses found when they are deployed at as a perimeter gateway on the physical network they make their initial positive control network access decisions based on port using stateful inspection, then they make a series of sequential, negative control decisions using bolted-on feature sets. There are several problems with this approach. Ports first limits visibility and control. Their focus on ports first limits their ability to see all traffic on all ports which means that evasive or encrypted applications, and any corresponding threats that may or may not use standard ports can slip through undetected. For example, many datacenter applications such as Microsoft Lync, Active Directory and SharePoint use a wide range of contiguous ports to function properly. This means you need to open all those ports first, exposing those same ports to other applications or cyber threats. They lack any concept of unknown traffic. Unknown traffic epitomizes the 80 percent 20 percent rule it is a small amount of traffic on every network, but it is high risk. Unknown traffic can be a custom application, an unidentified commercial application, or a threat. Blocking it all, a common recommendation, may cripple your business. Allowing it all is high risk. You need to be able to systematically manage unknown traffic down using native policy management tools thereby reducing your security risks. Multiple policies, no policy reconciliation tools. Their sequential traffic analysis (stateful inspection, application control, IPS, AV, etc) requires a corresponding security policy or profile, often times using multiple management tools. The result is your security policies become convoluted as you build and manage a firewall policy with source, destination, user, port and action, an application control policy with similar rules, in addition to other threat prevention rules. This reliance on multiple security policies that mix positive (firewall) and negative (application control, IPS, AV) control models without any policy reconciliation tools introduces potential security holes introduced by missed, or unidentified traffic. Cumbersome security policy update process. Finally, existing security solutions in the datacenter do not address the dynamic nature of your cloud environment, and cannot adequately track policies to virtual machine additions, removals or changes. Many cloud security offerings are merely virtualized versions of port- and protocol-based security appliances, delivering the same inadequacies as their physical counterparts. Securing your datacenter with Palo Alto Networks Palo Alto Networks allows you to secure your datacenter be it physical or cloud-based using a consistent set of next-generation firewall and advanced threat prevention features deployed in either a physical appliance or virtualized form-factor. Native management tools help streamline policy deployment and eliminate the time-gap that occurs between virtual workload deployment and security policy update, allowing you to operate at the speed of the cloud. PAGE 6

7 Enabling your datacenter applications using Zero Trust principles Often times the question of whether or not application control is applicable in the datacenter arises due to the limited number of known applications that are typically in use. The theory being that we know which applications are in use in the datacenter, therefore we can more easily secure them. The reality is that recent high profile breaches have shown that attackers will use applications commonly found on your network (including your datacenters) to implement their attacks and extract your data. Some examples: According to the isight Partners report on the Target breach, FTP, Netbios and Webdav were the applications used by attackers to navigate across the network while stealing credit card and user data. This pattern of usage exemplifies how attackers are hiding in plain sight using common applications. Based on the Palo Alto Networks 2014 Application Usage and Threat Report, these applications were found on every one of the 5,500 networks we analyzed. RDP and other remote access tools are known to be used by attackers to navigate your network, as documented by Verizon in their annual Data Breach Reports. According to the 2014 Application Usage and Threat Report, an average of nine remote access tools are found in use on 90 percent of the networks we analyze. Many business applications such as Microsoft Lync, SharePoint and Active Directory use a wide range of contiguous ports including 80, 443 and a range of high number ports making application control a necessity as a means of allowing only Lync and no other applications to move across commonly used ports. On average, 8-10 percent of your network traffic is unknown it can be an internal application, it can be an unidentified commercial off the shelf application, or it can be a threat. The critical functionality you need is the ability to systematically control unknown traffic by quickly analyzing unknowns, determining what it is, where it is coming from, then managing it through policies, custom applications or threat prevention profiles. In each of the examples above, our firewalls allow you to implement security policies based on Zero Trust principles resulting in an improved security posture. Virtualized Compute, Network and Storage Public Cloud Application Network Security NSX Network Service Insertion - SERIES ware ESXi - Panorama SERIES Virtualized Compute, Network and Storage WEB APP DB - SERIES SDDC/Private Cloud Credit Card Zone Image 2: Protecting traditional datacenter and cloud-based applications and data with Palo Alto Networks HV PAGE 7

8 The concept of Zero Trust extends the practice of network segmentation to the level of granting access based on specific applications, allowing user access based on their credentials and controlling what content can be sent at each segmentation point. All on a never trust, always verify basis. Validate that SharePoint is in use, forcing it over its standard ports and implicitly blocking any other applications from being used. Grant web-front end access to SharePoint over a defined set of ports and applying application specific threat prevention policies. Limit access to the Microsoft SQL database to the SharePoint application itself, implicitly blocking the web-front end from connecting to the database. Allow marketing users, based on their user group membership, to access only SharePoint Docs and no other features. Enable only the IT group to use SharePoint Admin while inspecting the traffic using application-specific threat prevention policies. Identify and block misconfigured or rogue applications like RDP or TeamViewer, leveraging the deny all else premise a firewall follows, or blocking them explicitly with policy. Systematically manage unknown traffic by policy. Create a custom App-ID for internal applications, allowing you to control access based on user, inspect them for known and unknown malware; unidentified, commercial applications can be blocked by policy, and submitted for App-ID development; finally, forensics tools and reporting can help you eliminate unknown traffic that may be threat related. The practice of securing your datacenter applications using Zero Trust principles applies to both traditional datacenters and cloud computing environments, allowing you to control access based on the application or compute workload, and user identity while blocking potentially rogue or misconfigured applications and preventing any threats from compromising your datacenter and moving laterally. Block known and unknown cyber threats inbound and across your datacenter Today s cyber threats will commonly compromise the network through an unsuspecting employee s actions such as a malicious link, a drive by download or any one of many other vectors. Once on the network, they will move across the network, looking for a target. Within your datacenter, cyber threats can potentially move laterally across your physical or virtual workloads, placing your mission critical applications and data at risk. The key to protecting your datacenter is to implement prevention techniques that address each of the phases of the attack lifecycle as shown in image 3. PREVENTING ATTACKS AT EVERY STAGE OF THE KILL-CHAIN 1 Breach the perimeter 2 Deliver the malware 3 Lateral movement 4 Exfiltrate data Next-generation firewall Visibility into all traffic, including SSL Enable business-critical applications Block high-risk applications Block commonly exploited file types Threat Prevention Block known exploits malware and inbound command-and-control communications WildFire Block known and unknown vulnerability exploits Block known and unknown malware Provide detailed forensics on attacks Next-generation firewall Establish secure zones with strictly enforced access control Provide ongoing monitoring and inspection of all traffic between zones WildFire Detecting unknown threats pervasively throughout the network Threat Prevention Block outbound commmandand-control communications Block file and data platform uploads DNS monitoring and sinkholing URL Filtering Block outbound communication to known malicious URLs and IP addresses URL Filtering Prevent use of social engineering Block know malicious URLs and IP addresses WildFire Send specific incoming files and links from the internet to public or private cloud for inspection Detect unknown threats Automatically deliver protections globally Image 3: Preventing threats attacks across the entire attack lifecycle. PAGE 8

9 Within the datacenter, exerting application level control between your workloads reduces your threat footprint while simultaneously segmenting datacenter traffic based on Zero Trust principles. Application specific threat prevention policies can prevent known and unknown threats from compromising your datacenter. Reducing management overhead The need to continue to secure the physical network combined with the need to secure the cloud, means that it will be rare to find deployment scenarios where a only a few firewalls are deployed. In order to minimize management overhead and accelerate deployments, a combination of centralized management and native features that can help streamline policy updates becomes a necessity. Centralized management Panorama allows you to centrally manage all of your Palo Alto Networks next-generation firewalls both physical and virtual form factor thereby ensuring policy consistency and cohesiveness. Using the same look and feel that the individual device management interface carries, Panorama eliminates any learning curve associated with switching from one user interface to another. Panorama allows you to manage all aspects of a Palo Alto Networks firewall including: Policy deployment including security, NAT, QoS, policy based forwarding, decryption, application override, captive portal, and DoS protection. Shared policies that leverage pre- and post-rules deployed by the Panorama administrators to enforce shared policies while allowing local policy editing. Rules in between the pre- and post-rules can be edited locally or by a Panorama administrator. Software and content updates (Applications, Threats, Antivirus, WildFire ), and licenses can be managed across all deployed instances from a central location. Aggregate logging and reporting across dynamic or locally queried data aggregated from all managed firewalls. Panorama can be deployed as either a virtual appliances or as a dedicated appliance. The dedicated appliance, known as the M-100, can be used to build a distributed management architecture using individual M-100 appliances for management and logging functions respectively. Panorama - SERIES Web FE SharePoint MS SQL Credit Card / Intellectual Property / Pll Image 4: Panorama centrally manages your Palo Alto Networks firewalls both physical and virtualized form factors. Streamlining policy deployment and updates In both physical and virtualized network environments, you are challenged with managing the changes that may occur between compute workload additions, removals or modifications and how quickly a security policy can be deployed. To help minimize these delays, our next-generation firewalls provide a rich set of native management features that streamlines policy deployment so that security keeps pace with the changes in your compute workloads. PAGE 9

10 The workflow for automating policy updates as shown in image 5 is as follows: 1. Our next-generation firewall will tie into your workload resource management tool. 2. Workload attributes (i.e., operating system, location, application), physical or virtualized, are collected and converted into Tags by the firewall. 3. Tags are used to create Dynamic Address Groups and to monitor ongoing workload changes, continually resolving the IP addresses. 4. Workload additions, removals, or changes are monitored, IP addresses are learned, Dynamic Address Groups, and corresponding policies are updated in a dynamic manner. Resource Management Security Management COMPUTE RESOURCES OBJECTS & POLICIES SharePoint Miami New York Web New York Web Linux New York Web Dynamic Address Group Definition All SharePoint Admin Servers MySQL Servers New York Web Servers New York Web Linux Learned Group Membership Windows Linux Linux PAN-OS SECURITY POLICY Policy Source Destination Application Action Profile To MS SQL New York Web Servers MySQL Servers MSSQL Management Admin Servers New York Web Servers Mgmt Traffic Image 5: Native management features monitor workload changes to help streamline policy updates. The result is a dramatic reduction in the delay that may occur between workload changes and security policy updates. As a means of further automating and streamlining policy updates, a fully documented REST-based API, allows you to integrate with 3 rd party cloud orchestration solutions such as OpenStack and CloudStack. Purpose-built hardware form factor Palo Alto Networks offers a full line of purpose-built appliances that range from the PA-200, designed for enterprise remote offices to the PA-7050, a chassis-based high-speed datacenter appliance. The underlying architecture is based on a single pass software engine that first identifies the application, regardless of port, while simultaneously determining if the content is malicious or not and who the user is. These three business relevant elements, the application, content and user, become the basis of your security policies. The single pass architecture not only improves your security posture, it eliminates redundant policy decisions, thereby minimizing latency and improving throughput when married to function specific processing for networking, security, threat prevention and management. PAGE 10

11 The same next-generation firewall and advanced threat prevention functionality that is delivered in the hardware platforms is also available in the -Series virtual firewall, allowing you to secure your virtualized and cloud-based computing environments using the same policies applied to your perimeter or remote office firewalls. PA-7050: The PA-7050 protects datacenters and high-speed networks with firewall throughput of up to 120 Gbps and, full threat prevention at speeds of up to 100 Gbps. To address the computationally intensive nature of full-stack classification and analysis at speeds of 120 Gbps, more than 400 processors are distributed across networking, security, switch management and logging functions. The result is that the PA-7050 allows you to deploy next-generation security in your datacenters without compromising performance. PA-5000 Series: The PA-5000 Series of next-generation firewalls is designed to secure datacenter environments where traffic demands dictate predictable firewall and threat prevention throughput. These high performance appliances are tailor-made to provide enterprise firewall protection at throughput speeds of up to 20 Gbps. The PA-5000 Series is powered by more than 40 processors distributed across four functional areas: networking, security, content inspection and management. The PA-5000 Series is comprised of three models the PA-5020, the PA-5050 and PA-5060 at 5 Gbps, 10 Gbps and 20 Gbps firewall throughput respectively, with App-ID enabled. -Series virtualized form factor The -Series of virtualized next-generation firewalls allows you to deploy the same security capabilities you might use on your physical network to your cloud computing environment. The -Series supports a range of hypervisor and orchestration environments. -Series for ware ESXi (standalone): The -Series on ESXi servers is ideal for networks where the virtual form factor may simplify deployment and provide more flexibility. Common deployment scenarios include: o Private or public cloud computing environments where virtualization is a dependency o Environments where physical space is at a premium o Remote locations where shipping hardware is not practical The -Series for ESXi supports a range of interface types including L2, L3 and virtual wire, allowing you to deploy the -Series in a different interface mode for each virtualized server depending on your needs. -Series for ware NSX: The -Series for NSX automates the provisioning and deployment of next-generation firewalls and advanced threat prevention by tightly integrating the -Series, Panorama for centralized management and ware NSX network virtualization. Application traffic and associated content is automatically directed to the -Series for analysis and inspection by ware NSX. Panorama constantly talks to NSX, collecting contextual changes that are then fed to the firewalls in the form of dynamic policy updates. -Series for Amazon Web Services: The -Series for Amazon Web Services (AWS) enables you to protect public cloud deployments with our next-generation firewall and advanced threat prevention capabilities. Available as an Amazon Machine Interface (AMI), the -Series can be deployed as an EC2 instance to protect traffic flowing into and across your VPC. Native policy management features and a REST-based API enable your security policies to keep pace with changes in your VPC while Panorama allows you to centrally manage all of your firewalls. -Series for K: The -Series for Kernel Virtual Machine (K) will allow service provides and enterprises alike to add next-generation firewall and advanced threat prevention capabilities to their Linux-based virtualization and cloud-based initiatives. K is a popular open-source hypervisor that will enable service provides and enterprises to deploy and manage the -Series across a range of Linux operating systems including CentOS/RHEL and Ubuntu. In addition to the rich set of policy management features and APIs within the -Series, the -Series for K can be managed using Panorama and OpenStack. PAGE 11

12 -Series for Citrix SDX: The -Series on Citrix NetScaler SDX enables security and application delivery controller (ADC) capabilities to be consolidated on a single platform, delivering a comprehensive set of cloud-based services to enhance the availability, security and performance of applications. This integrated solution addresses the independent application needs for business units, owners and Service provider customers in a multi-tenant deployment. In addition, this combined offering provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments. Summary Palo Alto Networks next-generation firewalls provide a security architecture that protects, scales and evolves with datacenter needs for physical and cloud computing environments. The next-generation firewalls are designed to safely enable applications by user, application and content without compromising performance. In addition, the next-generation firewalls are designed to address key virtualization and cloud challenges from the inspection of intra-host communications, and tracking security policies to virtual machine creation and movement, to integration with orchestration software Great America Parkway Santa Clara, CA Main: Sales: Support: Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_DCS_021115