This module presents a more detailed investigation of the growing role of data centers in modern technology infrastructure, and of how data center firewall design and configuration can provide network security while maintaining balance among organizational resources and operating requirements.

This module will include discussion on the following topics:

- Characteristics of Data Center Firewalls, including customization and the three primary foundations for Data Center Security.
- Connectivity requirements, including high speed/high capacity, cloud, and virtual.
- Data Center network security functions, including multi-layered network and content-processing security.
- Data Center Services, including infrastructure, platform, and software as a service, and how they relate to industry use.

The module will end with a summary and an opportunity for questions and answers.


At the conclusion of this module, you will understand:

- How customization of data center firewalls may affect performance and throughput.
- The three essential foundations for data center security.
- Connectivity capabilities of data center firewalls for different appliance and program options, including hardware, cloud, and virtual.
- How Data Center Firewalls provide a number of network security functions.
- How the three standard application service components differ based on the needs and capabilities of network users and administrators.


A common phrase heard in today's business market is "No matter what business you are in, you are a technology business." In the 21st century, this is true of large businesses and of the most successful small and medium businesses (SMB).
Along with the growing use of technology came a need not only to develop more specialized applications but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations—the Data Center.
As new technologies for end users of computing platforms evolve, so must security measures for the data centers those users access for operations such as email, social media, banking, shopping, education, and myriad other purposes.
Developing strategies to keep pace with the increasingly integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.


As previously mentioned, consumer trends influenced data center development; however, this development was also spurred on by changes in business practices that include:

- Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network, or even an operating system, where the framework divides the resource into one or more execution environments.
- Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private, or hybrid.
- Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.
- BYOD. Refers to employees bringing their own personal device to work, whether laptop, smartphone, or tablet, in order to interface with the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.
- Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.
- The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are said to have "ambient intelligence."


Meeting the challenge of data center growth while maintaining throughput capability requires technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances.
Designing the data center firewall with a hybrid design that merges Application Specific Integrated Circuits (ASIC) with a Central Processing Unit (CPU) may provide the infrastructure necessary to meet the demand for throughput, growth, and security.
- Two primary options for hybrid design:
  - CPU + OTS ASIC: general-purpose CPU + off-the-shelf (OTS) processor
    - Simplest, but suffers performance degradation.
  - CPU + Custom ASIC: general-purpose CPU + custom-built ASIC designed for the intended device function(s)
    - More difficult, but the most efficient design.

Edge Firewalls are implemented at the edge of a network in order to protect the network against potential attacks from external traffic. This is the best understood, or traditional, role of a firewall—the gatekeeper.

In addition to being a gatekeeper, Data Center Firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions. These functions are referred to as Multi-Layered Security, and may include:
- IP Security (IPsec)
- Firewall
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping

These functions work together, providing integrated security for the data center: consolidated, clear control for administrators while presenting complex barriers to potential threats.

The  ability  of  a  data  center  network  core  firewall  configura2on  with  high-­‐speed,  high-­‐
throughput,  low-­‐latency  is  the  ability  to  evolve  as  technology  develops.  
Ø  Throughput  speeds  have  poten2al  to  double  every  18  months  
Ø  High-­‐speed  40/100  GbE  ports  are  already  going  into  exis2ng  systems  
Ø  External  users  moving  from  Internet  Protocol  version  4  (IPv4)  to  IPv6  

Size  DOES  MaQer.  Historically,  factors  considered  in  firewall  selec2on  included  the  
number  of  users—internal  and  external—accessing  the  network  or  its  components  
Ø  Data  center  firewalls  make  sense  for  SMB  because  of  higher  throughput,  port  
capacity,  and  concurrent  sessions.  
Ø  Large  or  highly  distributed  organiza2ons  should  consider  using  an  enterprise  campus  
firewall:  
v  Capacity  to  handle  thousands  of  users  and  mul2ple  loca2ons  
v  Tradeoff:  Required  redundancy  increases  costs  and  system  complexity  
v  Self-­‐managing  enterprise  campus  firewalls  requires  extensive  training  
Ø  Managed  Security  Service  Providers  (MSSP)  are  third-­‐party,  outsources  companies  
that  manage  data  center  security.  
v  High  availability:  24/7  service  necessary  for  large  enterprise  campus  
networks  
v  Redundancy:  To  ensure  coverage  of  your  organiza2on’s  network  security  
infrastructure  
v  Serviceability:  Detailed  service  level  agreements  (SLA)  &  confiden2ality  
ü  Current  high  failure  rate  of  MSSP  companies  
9  

By  designing  and  implemen2ng  infrastructures  integra2ng  high  throughput  with  a  


dynamic  soHware-­‐defined  network  (SDN),  the  data  center  firewall  provides  capability  to  
evolve  with  changing  needs  and  threats.  
Three  founda2ons  form  the  basis  for  data  center  firewall  security:  
Ø  Performance.  Higher  performance  through  high-­‐speed,  high-­‐capacity,  low-­‐latency  
firewalls.  
v  Minimum  required  throughput  for  data  center  firewall  is  10  Gbps  
v  Large  data  centers  may  increase  to  an  aggregate  100+  Gbps  
v  Minimum  port  size  connec2vity  of  10  GbE  
v  Some  capabili2es  already  in  the  40-­‐100  GbE  range  
Ø  Segmenta)on.  Organiza2ons  using  data  centers  have  adopted  network  segmenta2on  
as  a  “best  prac2ce”  to  isolate  cri2cal  data  against  poten2al  threats.  
v  Applica2ons,  user  groups,  regulatory  requirements  
v  Business  func2ons,  trust  levels,  loca2ons  
v  High  density  and  logical  abstrac2on  to  support  both  physical  and  virtual  
segmenta2on  clouds  
Ø  Simplifica)on.  Because  data  centers  extend  to  externals  users  from  various  
plaGorms,  input  sources,  and  trust  levels,  a  “Zero-­‐Trust”  model  should  be  adopted  
from  the  edge  throughout  segmenta2on  and  the  network  core.  
v  Requires  consolidated,  simplified  security  plaGorm  for  high-­‐speed  
opera2ons  
v  Integra2on  of  network  rou2ng  and  switching  into  firewall  controls  
v  Centralized  visibility  and  control  to  func2ons  and  security  monitoring  
 
 
Traditional firewalls protect physical computer networks running on physical hardware and cabling. The traffic they inspect, entering and leaving the network, is also referred to as "North-South" traffic.
Virtual traffic is referred to as "East-West" traffic. Virtual machines—or virtual drives and networks—residing on physical equipment may also be subject to intrusion from external threats.
- Today, 60-70% of traffic is E-W, which is why virtual networks are of vital importance and, as a result, why data centers and data center security have emerged in modern networks.
A virtual firewall is simply a firewall running in the virtual environment, providing packet filtering and monitoring much as the physical firewall does for the physical network. The virtual firewall may take a number of forms:
- Loaded as traditional software on the virtual host machine
- Built into the virtual environment
- A virtual switch with additional capabilities
- A managed kernel process within the host hypervisor for all virtual machine activity

Virtual firewalls deploy and operate in two modes:

- Bridge Mode. Acts like a physical firewall, installed at an inter-network switch or bridge to intercept traffic.
  - Decides to allow passage, drop, reject, forward, or mirror the packets
  - Standard for early networks and some current SMB networks
- Hypervisor Mode. Resides in the host virtual machine—or hypervisor—to capture and analyze packets heading for the virtual network from outside the network.
  - Runs faster than Bridge Mode, within the kernel at native hardware speeds
  - Popular hypervisors include VMware vSphere, Citrix Xen, and Microsoft Hyper-V
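The North-South/East-West distinction above, and the module's point that most traffic never crosses the edge, can be made concrete with the following added example (not from the module). It classifies a constructed flow log by direction, reports how much of it an edge-only firewall would never inspect, and lists hosts that accepted a connection from outside and then opened East-West connections: the kind of activity only a bridge- or hypervisor-mode virtual firewall is positioned to see. The address ranges, flow records, and function names are constructed; the percentages it computes describe only this sample, not real traffic.

```python
"""East-West vs North-South flow classification (added example; constructed data)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: address ranges that belong to the data center's own (virtual) networks.
DATA_CENTER_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.1.0.10", 443, 12000),   # external client -> web tier
    ("10.1.0.10", "10.2.0.10", 8080, 8000),      # web -> app
    ("10.2.0.10", "10.3.0.10", 5432, 30000),     # app -> db
    ("10.2.0.11", "10.3.0.10", 5432, 25000),     # app -> db
    ("10.1.0.10", "198.51.100.7", 443, 40000),   # web -> external client
    ("10.3.0.10", "10.3.0.11", 5432, 50000),     # db -> db replica
    ("10.1.0.12", "10.3.0.10", 5432, 500),       # web -> db, skipping the app tier
]


def inside(ip: str) -> bool:
    """True when the address lies within the data center's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in DATA_CENTER_NETS)


def direction(src: str, dst: str) -> str:
    """East-West = both ends inside the data center; anything else crosses the edge."""
    return "east-west" if inside(src) and inside(dst) else "north-south"


def summarize(flows):
    """Return (byte share in percent per direction, flow count per direction)."""
    bytes_by, count_by = Counter(), Counter()
    for src, dst, _port, nbytes in flows:
        d = direction(src, dst)
        bytes_by[d] += nbytes
        count_by[d] += 1
    total = sum(bytes_by.values())
    share = {d: round(100.0 * b / total, 1) for d, b in bytes_by.items()}
    return share, dict(count_by)


def unseen_by_edge(flows):
    """Flows an edge-only (North-South) firewall never inspects."""
    return [f for f in flows if direction(f[0], f[1]) == "east-west"]


def inbound_then_lateral(flows):
    """Chains (external, pivot, internal target): a host accepted an inbound
    North-South connection and also opened East-West connections. The log here
    has no timestamps, so this checks co-occurrence only; a real flow log would
    also require the inbound flow to precede the East-West one."""
    pivots = {dst for src, dst, _p, _b in flows
              if direction(src, dst) == "north-south" and inside(dst)}
    chains = []
    for src, dst, _p, _b in flows:
        if src in pivots and direction(src, dst) == "east-west":
            externals = [s for s, d, _, _ in flows if d == src and not inside(s)]
            for ext in externals:
                chains.append((ext, src, dst))
    return chains


if __name__ == "__main__":
    share, counts = summarize(SAMPLE_FLOWS)
    print(share, counts)
    print(len(unseen_by_edge(SAMPLE_FLOWS)), "flows never reach the edge firewall")
    print(inbound_then_lateral(SAMPLE_FLOWS))
```

In this sample the edge firewall sees two of seven flows; everything else, including the web host that talks straight to the database and the pivot chain from the outside client through the web tier into the app tier, is East-West and is visible only to an enforcement point inside the virtual network.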

Application systems typically consist of three basic components:

- Interfaces. The control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices.
- Programming (Logic). Scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Large computers may use more than one computer language to drive the system and connect with networks.
- Databases. Electronic repositories of data used to store information for an organization in a structured, searchable, and retrievable format. Most are structured to facilitate downloading, updating and—when applicable—sharing with other network users.
Computer systems are simply sets of components assembled into an integrated package.
- CPU (Central Processing Unit). The heart of the machine, around which various other components and peripherals are built.
- Components: data storage, memory, drives, motherboards, interfaces
- Peripherals: input devices, displays, printers, scanners, etc.
Computer system components vary in size and complexity and may be designed for single or multiple purposes.

With  increasing  use  of  “cloud”  services  to  enable  mobile—even  global—access  to  
applica2ons  and  data,  technology  developed  to  fulfill  the  needs  of  industries  from  SMB  to  
large  interna2onal  organiza2ons.  Three  primary  methods  are  integral  to  this  service,  each  
having  benefits  and  tradeoffs  between  the  developer  (user)  and  vendor  (provider).  
Infrastructure  as  a  Service  (IaaS).  The  most  basic  of  the  three  cloud  models.  
Ø  Service  provider  creates  the  infrastructure,  which  becomes  self-­‐service  plaGorm  
Ø  Benefit:  No  large  infrastructure  investment,  upgrades  &  service;  opera2onal  flexibility  
Ø  Tradeoff:  Requires  user  to  have  high  degree  of  technical  knowledge  or  employ  tech  
PlaPorm  as  a  Service  (PaaS).  Provides  an  addi2onal  level  of  service  to  the  user  beyond  the  
IaaS  model.  
Ø  Provider  builds  infrastructure  AND  provides  monitoring  &  maintenance  service  
Ø  User  has  access  to  “Middleware”  to  assist  with  applica2on  development  
Ø  Benefit:  Reduces  amount  of  coding  necessary  to  automate  business  policy  
Ø  Tradeoff:  Increased  cost  
So5ware  as  a  Service  (SaaS).  Largest  cloud  market  and  con2nues  to  grow.  
Ø  In  addi2on  to  the  PaaS  services,  applica2ons  are  managed  by  the  provider  
Ø  Businesses  develop  soHware  and  requirements,  third  party  manages  them  
Ø  Benefit:  No  need  for  resident  soHware  installa2on  on  physical  systems  (web-­‐based)  
Ø  Tradeoff:  Lack  of  flexibility  in  applica2on  configura2on  (“Brand-­‐X”  vs.  Custom)  
 
Shared  Security  Model.  In  the  Do-­‐It-­‐Yourself  (DIY)  model,  you  are  responsible  for  end-­‐to-­‐
end  security  of  data  and  processes.  When  using  cloud  services,  the  vendor  (provider)  
assumes  some  or  all  of  the  responsibility  for  security  management…with  the  excep2on  of  
data  you  add  to  the  applica2on  or  database  as  the  developer  (user).  
13  

Infrastructure  as  a  Service  (IaaS).    


Ø  Amazon  
Ø  Rackspace  Cloud  
Ø  Joyent  

PlaPorm  as  a  Service  (PaaS).    


Ø  Google  App  Engine  
Ø  Force.com  
Ø  Windows  Azure  

So5ware  as  a  Service  (SaaS).  


Ø  Google  Apps  
Ø  Salesforce.com  
Ø  ZOHO  
14  

Now  that  we  have  discussed  some  of  the  Data  Center  Firewalls,  their  components,  
methods  of  deployment,  and  resul2ng  benefits  &  tradeoffs,  are  there  any  ques2ons  
before  moving  into  the  next  module?  
 
From  an  introduc2on  to  the  current  status  of  computer  network  op2ons  and  
configura2ons,  to  the  challenges  posed  by  evolving  technologies  and  advanced  threats,  
this  module  has  prepared  a  founda2on  for  more  focused  discussion  on  emerging  threats  
and  the  development  of  network  security  technologies  and  processes  designed  to  
provide  organiza2ons  with  the  tools  necessary  to  defend  best  against  those  threats  and  
con2nue  uninterrupted,  secure  opera2ons.  The  next  module  will  focus  on  the  Next  
Genera2on  Firewall  (NGFW),  an  evolving  technology  in  network  security.  
 

You might also like