NSE L1 M1 - Datacenter Firewall (Rev 1) PDF
This module presents a more detailed investigation of the growing role of data centers in modern technology infrastructure and how data center firewall design and configuration may provide network security while maintaining balance among organizational resources and operating requirements.
A common phrase heard in today's business market is "No matter what business you are in, you are a technology business." In the 21st Century, this is true of large businesses and the most successful small and medium businesses (SMB). Along with growing use of technology came a need to not only develop more specialized applications but also develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations: the Data Center.

As new technologies for end users of computing platforms evolve, so must security measures for the data centers they will access for operations such as email, social media, banking, shopping, education, and myriad other purposes. Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.
- BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.
- Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.
- The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having "ambient intelligence."
Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances. Designing the data center firewall with a hybrid design merging Application Specific Integrated Circuits (ASIC) with a Central Processing Unit (CPU) may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

- Two primary options for hybrid design:
  - CPU + OTS ASIC: General purpose CPU + Off the Shelf (OTS) processor
    - Simplest, but suffers performance degradation.
  - CPU + Custom ASIC: General purpose CPU + Custom-built ASIC designed for intended device function(s)
    - More difficult, but most efficient design.
Edge Firewalls are implemented at the edge of a network in order to protect the network against potential attacks from external traffic. This is the best understood, or traditional, role of a firewall: the gatekeeper. In addition to being a gatekeeper, Data Center Firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions. These functions are referred to as Multi-Layered Security, and may include:

- IP Security (IPSec)
- Firewall
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping
A key requirement of a data center network core firewall configuration, beyond high speed, high throughput and low latency, is the ability to evolve as technology develops.

- Throughput speeds have potential to double every 18 months
- High-speed 40/100 GbE ports are already going into existing systems
- External users moving from Internet Protocol version 4 (IPv4) to IPv6
Size DOES Matter. Historically, factors considered in firewall selection included the number of users, internal and external, accessing the network or its components.

- Data center firewalls make sense for SMB because of higher throughput, port capacity, and concurrent sessions.
- Large or highly distributed organizations should consider using an enterprise campus firewall:
  - Capacity to handle thousands of users and multiple locations
  - Tradeoff: Required redundancy increases costs and system complexity
  - Self-managing enterprise campus firewalls requires extensive training
- Managed Security Service Providers (MSSP) are third-party, outsourced companies that manage data center security.
  - High availability: 24/7 service necessary for large enterprise campus networks
  - Redundancy: To ensure coverage of your organization's network security infrastructure
  - Serviceability: Detailed service level agreements (SLA) and confidentiality
    - Current high failure rate of MSSP companies
Traditional firewalls protect physical computer networks running on physical hardware and cabling. This is also referred to as "North-South" traffic. Virtual traffic is referred to as "East-West" traffic. Virtual machines, or virtual drives and networks, residing on physical equipment may also be subject to intrusion from external threats.

- Today, 60-70% of traffic is E-W, which is why virtual networks are of vital importance and, as a result, why data centers and data center security have emerged in modern networks.
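The slide states the East-West share as a figure; a defender normally wants to measure it for their own environment, because every East-West flow is one the edge (North-South) firewall never inspects. The following is an added example for this page, not code from the slide deck or from any vendor: it classifies flow records as East-West or North-South by whether both endpoints fall inside the data center's address space, and reports the byte share per direction plus the flows only a virtual firewall could cover. The flow records are constructed sample data, and the assumption that RFC 1918 and IPv6 ULA space is "internal" is a placeholder for the prefixes a real site would list.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the original slides): 5-tuples as a
# firewall or virtual switch might export them, plus byte counts.
SAMPLE_FLOWS = [
    # src, dst, proto, dport, bytes
    ("10.1.20.15", "10.1.30.7", "tcp", 3306, 48_000),   # app tier -> db tier
    ("10.1.20.15", "10.1.30.8", "tcp", 3306, 52_000),
    ("10.1.10.4", "10.1.20.15", "tcp", 8080, 12_000),   # web tier -> app tier
    ("203.0.113.25", "10.1.10.4", "tcp", 443, 9_000),   # Internet client -> web tier
    ("10.1.10.4", "198.51.100.9", "tcp", 443, 3_000),   # web tier -> external API
    ("10.1.30.7", "10.1.30.8", "tcp", 5432, 30_000),    # database replication
    ("192.0.2.77", "10.1.10.4", "tcp", 22, 500),        # external SSH attempt
    ("fd00:1::10", "fd00:1::20", "tcp", 9200, 20_000),  # IPv6 search cluster, VM to VM
]

# Assumed "inside the data center" ranges: RFC 1918 plus IPv6 ULA. A real
# deployment would list its own prefixes here. ipaddress treats an IPv4
# address as never contained in an IPv6 network, so mixing versions is safe.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the data center's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_flow(src: str, dst: str) -> str:
    """East-West when both endpoints are inside the data center, North-South
    when exactly one is, and 'external' when neither is (transit traffic)."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "east-west"
    if s != d:
        return "north-south"
    return "external"


def traffic_mix(flows):
    """Byte share per direction, rounded to three decimals, so the E-W ratio is
    measured from real flow exports rather than assumed from an industry figure."""
    by_dir = Counter()
    for src, dst, _proto, _dport, nbytes in flows:
        by_dir[classify_flow(src, dst)] += nbytes
    total = sum(by_dir.values())
    return {k: round(v / total, 3) for k, v in by_dir.items()}


def flows_bypassing_edge(flows):
    """Flows a perimeter firewall never sees: the ones a virtual firewall,
    vSwitch filter or hypervisor kernel process must cover instead."""
    return [f for f in flows if classify_flow(f[0], f[1]) == "east-west"]


if __name__ == "__main__":
    print("traffic mix by bytes:", traffic_mix(SAMPLE_FLOWS))
    for src, dst, proto, dport, nbytes in flows_bypassing_edge(SAMPLE_FLOWS):
        print(f"edge firewall blind to: {src} -> {dst} {proto}/{dport} ({nbytes} B)")
```

Feeding real flow exports into `traffic_mix` gives the East-West share for the environment at hand; `flows_bypassing_edge` is the list to compare against the virtual firewall's policy, since anything on it that is not covered there is inspected by nothing.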
A virtual firewall is simply a firewall running in the virtual environment, providing packet filtering and monitoring much like the physical firewall does for the physical network. The virtual firewall may take a number of forms:

- Loaded as traditional software on the virtual host machine
- Built into the virtual environment
- A virtual switch with additional capabilities
- A managed kernel process within the host hypervisor for all virtual machine activity
With increasing use of "cloud" services to enable mobile, even global, access to applications and data, technology developed to fulfill the needs of industries from SMB to large international organizations. Three primary methods are integral to this service, each having benefits and tradeoffs between the developer (user) and vendor (provider).

Infrastructure as a Service (IaaS). The most basic of the three cloud models.

- Service provider creates the infrastructure, which becomes a self-service platform
- Benefit: No large infrastructure investment, upgrades and service; operational flexibility
- Tradeoff: Requires user to have a high degree of technical knowledge or employ technical staff

Platform as a Service (PaaS). Provides an additional level of service to the user beyond the IaaS model.

- Provider builds infrastructure AND provides monitoring and maintenance service
- User has access to "Middleware" to assist with application development
- Benefit: Reduces amount of coding necessary to automate business policy
- Tradeoff: Increased cost

Software as a Service (SaaS). Largest cloud market and continues to grow.

- In addition to the PaaS services, applications are managed by the provider
- Businesses develop software and requirements, third party manages them
- Benefit: No need for resident software installation on physical systems (web-based)
- Tradeoff: Lack of flexibility in application configuration ("Brand-X" vs. Custom)

Shared Security Model. In the Do-It-Yourself (DIY) model, you are responsible for end-to-end security of data and processes. When using cloud services, the vendor (provider) assumes some or all of the responsibility for security management, with the exception of data you add to the application or database as the developer (user).
Now that we have discussed some of the Data Center Firewalls, their components, methods of deployment, and resulting benefits and tradeoffs, are there any questions before moving into the next module?

From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. The next module will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.