Danelle Au


Let's get real: there’s a lot of confusion and FUD (fear, uncertainty and doubt) on the topic of whether next-generation firewall technology ‘belongs’ in the data centre. Of course it belongs there, but it’s necessary to clarify the types of data centre being referred to.

In Internet-facing data centres such as those used in online banking, auction or dating sites, there are typically relatively few applications, and they’re usually Web (ie, browser-based) applications. Often, these applications will use one of the common Web infrastructure stacks (eg, , LAMP, , Oracle). Users are many, and often unknown/untrusted. For Internet-facing data centres, next-generation firewalls are more likely to be deployed for IPS or IDS capabilities. Enterprise data centres (or internal data centres), on the other hand, host more applications, but have fewer users. Applications come from a variety of origins – they might be packaged, home-grown, or customised. This environment is one that is known to be a source of constant attacks; it’s where the ‘crown jewels’ of the enterprise, like intellectual property, reside.

Legacy access controls and firewall policies, and the many holes they provide, are well understood by attackers. If unauthorised access is attempted, it will target the most common applications in the data centre and the expected open ports. We know this not through mere speculation; we’ve documented these patterns.

Since most exploits target open ports, the right approach is to minimise reliance on ports and protocols, which is exactly where next-generation firewalls excel, not least because they can log and alert when a non-sanctioned user attempts access to a particular segment or application in the data centre, as this may in fact be an indicator of compromise.

What it all comes down to is the ability to understand and address threats based on apps, users and content – capabilities provided by true next-generation firewalls at the perimeter and in the data centre.
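To make the contrast concrete, here is an added example (not from the original article or from Palo Alto Networks) that evaluates constructed flow records against a legacy port-based policy and an app/user-aware policy, raising an alert for every flow the app/user policy denies. The rule tables, user names, application names and segment names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    user: str     # identity of the connecting user
    app: str      # application identified from traffic content, not from the port
    port: int     # destination port
    segment: str  # destination data-centre segment

# Legacy port-based policy: any traffic to the DB segment on 3306, or to the
# web segment on 443, is allowed regardless of who sends it or what it carries.
PORT_RULES = [("db", 3306, "allow"), ("web", 443, "allow")]

# App/user-aware policy: which user may use which application in which segment.
# "*" means any user.
APP_RULES = [
    ("dba", "mysql", "db", "allow"),
    ("webapp", "mysql", "db", "allow"),
    ("*", "https", "web", "allow"),
]

def port_policy(flow: Flow) -> str:
    """Decide a flow the way a port-based rule set would (default deny)."""
    for segment, port, action in PORT_RULES:
        if flow.segment == segment and flow.port == port:
            return action
    return "deny"

def app_policy(flow: Flow) -> str:
    """Decide a flow on user, application and segment (default deny)."""
    for user, app, segment, action in APP_RULES:
        if user in ("*", flow.user) and app == flow.app and segment == flow.segment:
            return action
    return "deny"

def evaluate(flows):
    """Return per-flow (port decision, app decision) plus alerts for app-policy denials."""
    results, alerts = [], []
    for f in flows:
        by_port, by_app = port_policy(f), app_policy(f)
        results.append((by_port, by_app))
        if by_app == "deny":  # non-sanctioned access attempt: log it, it may indicate compromise
            alerts.append(f"ALERT user={f.user} app={f.app} segment={f.segment} port={f.port}")
    return results, alerts

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("dba", "mysql", 3306, "db"),          # legitimate admin session
    Flow("contractor", "mysql", 3306, "db"),   # non-sanctioned user on an open port
    Flow("webapp", "ssh-tunnel", 3306, "db"),  # unexpected application hiding on the DB port
    Flow("anyone", "https", 443, "web"),       # ordinary web traffic
]
```

The port-based policy allows all three flows into the DB segment; the app/user policy allows only the first and produces an alert for each of the other two.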

About the author: Danelle Au is the director of Solutions at Palo Alto Networks. Palo Alto Networks is a sponsor of the upcoming ITWeb , taking place at the Sandton Convention Centre from 27-29 May. Book your seat at www.summit.co.za. Follow #itwebsec