In the fight against relentless cyberattacks, organizations have long relied on traditional perimeter firewalls to protect sensitive workloads and information in the data center. But today, in the era of distributed applications and hybrid cloud environments, we know that perimeter defenses are not enough to stop cybercriminals.
To improve security postures inside corporate networks — which means protecting against both bad actors who penetrate perimeter defenses and malicious insiders — organizations must monitor, detect, and block hostile east-west (internal) traffic using internal firewalls.
To date, network and security professionals have generally viewed securing east-west traffic as too complex, expensive, and time-consuming for their brownfield, and even greenfield, data centers. At VMware, we agree with that perception: it’s certainly true for organizations trying to detect and prevent the lateral movement of attackers by employing traditional, appliance-based perimeter firewalls as internal firewalls.
There’s a Better Way to Secure the Data Center
Instead of awkwardly forcing appliance-based firewalls to serve as internal firewalls, organizations should employ a distributed, scale-out internal firewall specifically designed to monitor and protect east-west traffic. Why? Because a distributed internal firewall like VMware NSX Service-defined Firewall secures the data center and protects today’s workloads without the complexity, expense, and limitations on scalability and flexibility of traditional perimeter firewalls.
Because it’s distributed, application-aware, and simple to operate, VMware Service-defined Firewall streamlines and automates much of the planning, deployment, configuration, and management of internal firewalls — as well as the granular policies and capabilities that support them.
Take a Phased Approach
Although implementing east-west security is easier and faster with a distributed internal firewall, your organization may still prefer to take an iterative, phased approach to improving the security of your data center.
Breaking the deployment of an internal firewall into smaller projects delivers multiple benefits by enabling your team to:
- Prove success early and quickly
- Demonstrate the value of the approach to internal stakeholders
- Choose when and how to build on your internal firewalling experience
- Expand the use of distributed internal firewalling gradually and as needed
To get an idea of how to start small and grow your organizational maturity over time, consider the following four-step approach used by some VMware customers to strengthen their data centers (see Figure 1).
Figure 1: A Four-Step Approach to Securing the Data Center
1. Crawl: Macro-Segment the Network
With the Service-defined Firewall, your security team can start using network segmentation to isolate and secure specific environments — such as development and production — from each other. This immediately prevents attackers and malicious insiders from moving laterally between these environments.
In this step, the goal is to protect segments of your network by creating virtual security zones. Depending on your business structure and use cases, you could begin by segmenting environments that should not be able to directly communicate with each other. Examples include different business units, partner environments, and development and production environments.
2. Walk: Protect Critical Applications
The next step for your team is to start moving from macro-segmentation to micro-segmentation, which enables you to define and enforce more granular controls down to the workload level.
Choose a small number of well-understood applications that are critical to your business and that should be isolated and protected with additional security controls to prevent unauthorized access, data breaches, and other forms of attack.
One critical application that organizations often choose to micro-segment is their virtual desktop infrastructure (VDI) environment — because VDI can expose data center infrastructure to threats originating from end-user security violations. Other critical applications include shared services such as Active Directory or DNS servers.
For critical applications, you can further enhance the granular security controls within the Service-defined Firewall by enabling its built-in intrusion detection and prevention system (IDS/IPS) capabilities. VMware NSX Distributed IDS/IPS functionality provides additional traffic inspection capabilities to the Service-defined Firewall by adding threat control to access control for a layered security approach.
3. Jog: Gain Visibility and Secure Additional Applications
As your security team gains more experience in operating a distributed internal firewall, you can continue expanding your monitoring and protection of east-west traffic. The goal is to build on the knowledge and skills your team gained in the first two steps. You’ll now use the built-in visibility and automation in the Service-defined Firewall to isolate and secure more workloads, which further reduces the attack surface and strengthens data center security.
For applications that are not well-understood, the Service-defined Firewall gives you data center-wide visibility and applies built-in machine learning to help you understand applications and traffic flows. Automated application discovery gives you a comprehensive map of application topography as well as automatically generated recommendations for security policies based on observed traffic flows.
In this phase, your team would likely focus on securing important applications where disruption or theft would impact business outcomes. This includes applications such as those that drive revenue, handle sensitive customer or company information, deliver important digital customer experiences, and other workloads that are critical to the core business.
4. Run: Secure All Applications
Now your team has achieved organizational maturity with internal firewalling. You have the skills and experience to secure all the remaining applications in the data center to further mitigate security risks.
Your team can now move at the speed of development. The Service-defined Firewall helps you accelerate security operations with its API-driven, object-based policy model. Because policy is attached to objects (such as groups defined by workload attributes) rather than to addresses, new workloads automatically inherit the relevant security policies, and those policies follow workloads when they move (policy mobility).
If you haven’t already deployed advanced threat detection and prevention using IDS/IPS for your sensitive applications, now is the time to do so. This will help you achieve regulatory compliance for HIPAA, PCI DSS, and other mandates.
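The four phases above can be modeled end to end in a small policy engine. The following Python example is added here and is not VMware code; it does not use the NSX API. It assumes a simplified object-based model in which groups are defined by tag criteria, an ordered first-match rule set is evaluated for every flow, and the "jog" phase's recommendations are derived from a constructed list of observed flows (hypothetical workloads, tags and ports). It shows macro-segmentation of dev from prod, an allow-list for a critical Active Directory service generated from observed traffic, and a new VDI desktop inheriting that policy through its tags without any rule edits.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Workload:
    """A VM or container instance; policy attaches to its tags, not its IP."""
    name: str
    tags: Dict[str, str]          # e.g. {"env": "prod", "app": "ad"}


@dataclass
class Group:
    """Membership is computed from tags, so a new workload with matching
    tags joins the group, and inherits its rules, automatically."""
    name: str
    criteria: Dict[str, str]      # every key/value must match the workload's tags

    def matches(self, w: Workload) -> bool:
        return all(w.tags.get(k) == v for k, v in self.criteria.items())


@dataclass
class Rule:
    name: str
    src: str                      # group name, or "any"
    dst: str                      # group name, or "any"
    ports: Optional[Set[int]]     # None = any port
    action: str                   # "allow" or "drop"


class DistributedFirewall:
    """Ordered, first-match rule set evaluated at every workload's vNIC."""

    def __init__(self, default_action: str = "allow") -> None:
        self.groups: Dict[str, Group] = {}
        self.rules: List[Rule] = []
        self.default_action = default_action   # brownfield start: allow, then tighten

    def add_group(self, group: Group) -> None:
        self.groups[group.name] = group

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _member(self, w: Workload, group_name: str) -> bool:
        return group_name == "any" or self.groups[group_name].matches(w)

    def evaluate(self, src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
        """Return (action, rule_name) for the flow src -> dst:port."""
        for r in self.rules:
            if (self._member(src, r.src) and self._member(dst, r.dst)
                    and (r.ports is None or port in r.ports)):
                return r.action, r.name
        return self.default_action, "default"

    def most_specific_group(self, w: Workload) -> str:
        """Matching group with the most tag criteria (ties: first registered)."""
        best, best_len = "any", 0
        for g in self.groups.values():
            if g.matches(w) and len(g.criteria) > best_len:
                best, best_len = g.name, len(g.criteria)
        return best

    def recommend_allowlist(self, flows: Iterable[Tuple[Workload, Workload, int]],
                            dst_group: str) -> List[Rule]:
        """Phase 3 (jog): turn observed flows into an allow-list for dst_group,
        closed by a drop for everything else reaching it. Only flows the current
        policy permits are considered (blocked flows are never observed). The
        result still needs human review before enforcement: an attacker's
        lateral movement would be "observed" just like legitimate traffic."""
        seen: Dict[str, Set[int]] = {}
        for src, dst, port in flows:
            if not self._member(dst, dst_group) or self.evaluate(src, dst, port)[0] != "allow":
                continue
            seen.setdefault(self.most_specific_group(src), set()).add(port)
        rules = [Rule(f"allow-{s}-to-{dst_group}", s, dst_group, set(p), "allow")
                 for s, p in sorted(seen.items())]
        rules.append(Rule(f"drop-any-to-{dst_group}", "any", dst_group, None, "drop"))
        return rules


# Hypothetical workloads (constructed for this example).
WEB_DEV = Workload("web-dev-1", {"env": "dev", "app": "web"})
WEB_PROD = Workload("web-prod-1", {"env": "prod", "app": "web"})
AD_1 = Workload("ad-1", {"env": "prod", "app": "ad"})
VDI_1 = Workload("vdi-1", {"env": "prod", "app": "vdi"})

# Constructed sample of flows a discovery tool might report (not real telemetry).
OBSERVED_FLOWS = [
    (VDI_1, AD_1, 389), (VDI_1, AD_1, 88),   # LDAP and Kerberos from desktops
    (WEB_PROD, AD_1, 389),
    (WEB_DEV, AD_1, 389),                    # blocked by macro-segmentation; ignored
]


def build_macro_segmented() -> DistributedFirewall:
    """Phase 1 (crawl): isolate dev from prod; phase 2 (walk): name critical apps."""
    fw = DistributedFirewall()
    fw.add_group(Group("dev-zone", {"env": "dev"}))
    fw.add_group(Group("prod-zone", {"env": "prod"}))
    fw.add_rule(Rule("drop-dev-to-prod", "dev-zone", "prod-zone", None, "drop"))
    fw.add_rule(Rule("drop-prod-to-dev", "prod-zone", "dev-zone", None, "drop"))
    fw.add_group(Group("ad", {"env": "prod", "app": "ad"}))
    fw.add_group(Group("vdi", {"env": "prod", "app": "vdi"}))
    fw.add_group(Group("web-prod", {"env": "prod", "app": "web"}))
    return fw


def build_micro_segmented() -> DistributedFirewall:
    """Phase 3: apply the recommended allow-list for the AD group."""
    fw = build_macro_segmented()
    for rule in fw.recommend_allowlist(OBSERVED_FLOWS, "ad"):
        fw.add_rule(rule)
    return fw


if __name__ == "__main__":
    fw = build_micro_segmented()
    # Phase 4 (run): a new desktop inherits the VDI policy purely through its tags.
    vdi_2 = Workload("vdi-2", {"env": "prod", "app": "vdi"})
    for s, d, p in [(vdi_2, AD_1, 88), (WEB_PROD, AD_1, 445), (WEB_DEV, AD_1, 389)]:
        print(f"{s.name} -> {d.name}:{p}", fw.evaluate(s, d, p))
```

Running the script shows the new `vdi-2` desktop allowed to reach `ad-1` on Kerberos by the `allow-vdi-to-ad` rule, SMB from the web tier dropped by the generated `drop-any-to-ad` rule, and dev-to-prod traffic still stopped by the phase 1 macro-segmentation rule that precedes the micro-segmentation rules in first-match order.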
That’s it – a phased approach to implementing robust east-west security within your data center via the VMware Service-defined Firewall. Enhance your data center security posture at your own pace while gradually building confidence among your stakeholders.
Helpful Resources for Securing the Data Center
Learn more about a phased approach to internal firewalling in our white paper “Securing the Data Center in Just Four Steps.”