Enhancing Micro-Segmentation with Layer-7 Visibility & Threat Protection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L3 Networker

Enhancing-Micro-Segmentation_palo-alto-networks.jpg

 

New technologies such as software-defined networking (SDN), virtualization, and hyperconvergence are increasingly being adopted in the data center. Additionally, organizations are running their applications on VMs and containers across multiple data centers as well as in private, public and hybrid clouds. At the same time, the DevOps team is using CI/CD tools, Helm Charts, Terraform templates and APIs to roll out new applications as fast as they can. 

 

To ensure data centers are secure and applications remain safe irrespective of where they are running, you need to:

 

  1. Gain deep visibility to see everything across networks, users and applications. 
  2. Adopt multi-layered segmentation to allow only allowed/permitted traffic between applications and hence, reduce the attack surface.
  3. Automate threat response to quickly find the threats and stop the breach.

 

While micro-segmentation products such as VMware NSX prevent attackers from moving around an organization’s network, it is only part of the bigger picture. To ensure threats don’t move laterally between applications that are allowed to talk to each other, a deeper level of threat inspection is needed that protects against Data Loss caused by DNS tunneling and Data Exfiltration. This is the role that Next-Generation Firewalls play in internal network security. 

 

Let’s illustrate this with a simple example of the 3-tier application as shown below:

 

Fig 1_Enhancing-Micro-Segmentation_palo-alto-networks.png

 

In this example, we have segmented the traffic based on server type, or “application tier”: Web servers, App servers, and DB servers. Micro-segmentation ensures that workloads from different application tiers can’t communicate with each other. That way, even if an attacker gains access to a web server tier, they can’t move laterally to workloads running in the App tier.  

 

However, to ensure the applications are working properly, we need to allow some traffic to flow between applications in different tiers. For instance, the web server of the CRM application has to communicate with the app server of the CRM application. Additionally, shared services such as DNS and DHCP have to be able to communicate to all my zones. So it’s necessary to punch the holes in the micro-segmentation and allow traffic to flow between trust zones/tiers. Now, attackers can take advantage of this “allowed” traffic between workloads running in different tiers to move between trust zones and penetrate deeper into the environment.

 

While VMWare NSX is the market leader in Virtualization and Micro-segmentation, Palo Alto Networks VM-Series Firewall is needed to ensure Layer7 visibility and protection for the workloads running on VMWare NSX as well as other platforms. VM-Series virtual firewalls integrate deeply with NSX and allow you to intelligently steer specific traffic from NSX to VM-Series virtual firewalls for further inspection when necessary. Without VM-Series virtual firewalls, traffic would have to be steered all the way to a hardware firewall, which has serious network performance impacts. By using our integration and steering only the necessary traffic to the VM-Series virtual firewalls, customers can get much better performance from their network without compromising on security. The integration also makes it incredibly easy to provision the firewalls, and manage all of the security policies from a single interface using Panorama.

 

In summary, while NSX provides micro-segmentation capabilities minimize the threats by stopping them from moving laterally, you need L7 visibility and protection powered by a 11-Time Leader in the Gartner® Magic Quadrant™ for Network Firewalls. VM-Series virtual firewalls by Palo Alto Networks to protect against data exfiltration, DNS tunneling and ensure Zero Trust model. 


You can now use VM-Series virtual firewalls to protect your applications running on the latest versions of NSX including NSX 4.1. To check out the latest update on compatibility between VM-Series and NSX, please visit VMWare NSX Compatibility Matrix and VM-Series Hypervisor support.

  • 4829 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Top Liked Authors