
This module presents a more detailed investigation of the growing role of data centers in modern technology infrastructure and how data center firewall design and configuration may provide network security while maintaining balance among organizational resources and operating requirements.

This module will include discussion on the following topics:

- Characteristics of Data Center Firewalls, including customization and the three primary foundations for Data Center Security.
- Connectivity requirements, including high speed/high capacity, cloud, and virtual.
- Data Center network security functions, including multi-layered network and content processing security.
- Data Center Services, including infrastructure, platform, and software as services and how they relate to industry use.

The module will end with a summary and an opportunity for questions and answers.

At the conclusion of this module, you will understand:

- How customization of data center firewalls may affect performance and throughput.
- The three essential foundations for data center security.
- Connectivity capabilities of data center firewalls for different appliance and program options, including hardware, cloud, and virtual.
- How Data Center Firewalls provide a number of network security functions.
- How the three standard application service components differ based on the needs and capabilities of network users and administrators.

A common phrase heard in today's business market is "No matter what business you are in, you are a technology business." In the 21st Century, this is true of large businesses and the most successful small and medium businesses (SMB).

Along with the growing use of technology came a need not only to develop more specialized applications but also to develop innovative ways to store ever-increasing volumes of digital data. This growing storage requirement spurred a new sector in technology operations: the Data Center.

As new technologies for end users of computing platforms evolve, so must security measures for the data centers they access for operations such as email, social media, banking, shopping, education, and myriad other purposes.

Developing strategies to keep pace with the accelerating integrated and distributed nature of technology has become a critical industry in protecting personal, business, and organizational data and communications from legacy, advanced, and emerging threats.

As previously mentioned, consumer trends influenced data center development; however, this development was also spurred on by changes in business practices that include:

- Virtualization. Creating a virtual version of a device or resource, such as a server, storage device, network, or even an operating system, where the framework divides the resource into one or more execution environments.
- Cloud Computing. Computing in which large groups of remote servers are networked to allow centralized data storage and online access to computer services or resources. Clouds can be classified as public, private, or hybrid.
- Software-Defined Networks (SDN). An approach to networking in which control is decoupled from hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications.
- BYOD. Refers to employees taking their own personal device to work, whether laptop, smartphone, or tablet, in order to interface with the corporate network. According to a Unisys study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by the employee.
- Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to process using traditional databases and software techniques. In many enterprise scenarios, the data is too big, moves too fast, or exceeds current processing capacity.
- The Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect to the Internet and identify themselves to other devices. IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself. When many objects act in unison, they are known as having ambient intelligence.

Meeting the challenge of data center growth while maintaining throughput capability requires the use of technology integration to reduce the potential for signal loss and speed reduction caused by bridging and security barriers between ad hoc arrangements of independent appliances.

Designing the data center firewall with a hybrid design merging Application Specific Integrated Circuits (ASIC) with a Central Processing Unit (CPU) may provide the necessary infrastructure to meet the demand for throughput, growth, and security.

Two primary options for hybrid design:

- CPU + OTS ASIC: General purpose CPU + Off the Shelf (OTS) processor. Simplest, but suffers performance degradation.
- CPU + Custom ASIC: General purpose CPU + Custom-built ASIC designed for the intended device function(s). More difficult, but the most efficient design.

Edge Firewalls are implemented at the edge of a network in order to protect the network against potential attacks from external traffic. This is the best understood, or traditional, role of a firewall: the gatekeeper.

In addition to being a gatekeeper, Data Center Firewalls serve a number of functions. Depending on network size and configuration, the data center firewall may also provide additional security functions. These functions are referred to as Multi-Layered Security, and may include:

- IP Security (IPsec)
- Firewall
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Antivirus/Antispyware
- Web Filtering
- Antispam
- Traffic Shaping

These functions work together, providing integrated security for the data center, concurrently providing consolidated, clear control for administrators while presenting complex barriers to potential threats.
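As an added illustration (not code from the module or from any firewall vendor), the following Python sketch shows how such layers combine into one inspection pipeline that yields a single consolidated verdict naming the layer that decided. The packet fields, the IPsec SPI table, the IPS signature string, the domain category and the spam marker are all constructed placeholders; the IPsec layer only models decryption by clearing the ESP marker so that later layers see the inner packet.

```python
# Added example (not from the module): a toy multi-layer inspection pipeline.
# All SPIs, signatures, domains and scores below are constructed placeholders.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Verdict = Optional[Tuple[str, str]]  # (action, detail) or None to pass to the next layer


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""
    host: str = ""                  # HTTP Host / TLS SNI when known
    esp_spi: Optional[int] = None   # set while the packet is still IPsec-encapsulated


# Constructed policy data.
IPSEC_SAS = {0x1001: "site-b-tunnel"}                  # inbound SPIs with a known SA
FW_ALLOW = {("tcp", 443), ("tcp", 25), ("udp", 53)}     # coarse 5-tuple policy
IPS_SIGNATURES = {b"TEST-SIG-0001": "constructed test signature"}
WEB_CATEGORIES = {"blocked.example": "gambling"}
BLOCKED_CATEGORIES = {"gambling", "malware"}
SPAM_MARKER = b"X-Spam-Score: 9"
SHAPING_CLASSES = {443: "interactive", 25: "bulk", 53: "control"}


def layer_ipsec(pkt: Packet) -> Verdict:
    """Decapsulate first: every later layer must see cleartext, not ESP."""
    if pkt.esp_spi is None:
        return None
    if pkt.esp_spi not in IPSEC_SAS:
        return "drop", f"unknown SPI {pkt.esp_spi:#x}"
    pkt.esp_spi = None  # simplification: models decryption by exposing the inner fields
    return None


def layer_firewall(pkt: Packet) -> Verdict:
    """Stateless port/protocol policy; anything not listed is denied."""
    if (pkt.proto, pkt.dport) in FW_ALLOW:
        return None
    return "deny", f"{pkt.proto}/{pkt.dport} not in policy"


def layer_ips(pkt: Packet) -> Verdict:
    """Content inspection: a signature hit in the payload drops the packet."""
    for sig, name in IPS_SIGNATURES.items():
        if sig in pkt.payload:
            return "drop", name
    return None


def layer_web_filter(pkt: Packet) -> Verdict:
    """Category-based filtering on the requested host name."""
    cat = WEB_CATEGORIES.get(pkt.host)
    if cat in BLOCKED_CATEGORIES:
        return "block", f"{pkt.host} categorised {cat}"
    return None


def layer_antispam(pkt: Packet) -> Verdict:
    """Only mail traffic is scored; a high score is quarantined, not dropped."""
    if pkt.dport == 25 and SPAM_MARKER in pkt.payload:
        return "quarantine", "spam score over threshold"
    return None


# Order is the point: decrypt, then coarse policy, then content inspection.
LAYERS: List[Tuple[str, Callable[[Packet], Verdict]]] = [
    ("ipsec", layer_ipsec),
    ("firewall", layer_firewall),
    ("ips", layer_ips),
    ("web-filter", layer_web_filter),
    ("antispam", layer_antispam),
]


def inspect_packet(pkt: Packet) -> Tuple[str, str, str]:
    """Run the layers in order; the first layer with a verdict decides, and the
    result names that layer, which is what a consolidated log line should show.
    Traffic that passes every layer is allowed and assigned a shaping class."""
    for name, layer in LAYERS:
        verdict = layer(pkt)
        if verdict is not None:
            return verdict[0], name, verdict[1]
    return "allow", "shaping", SHAPING_CLASSES.get(pkt.dport, "default")
```

The ordering is what makes the integration useful: if the IPS or web filter ran before IPsec decapsulation they would inspect ciphertext and miss everything, and if content inspection ran before the coarse firewall policy, the expensive layers would waste cycles on traffic that was never permitted.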

The defining capability of a data center network core firewall configuration with high speed, high throughput, and low latency is the ability to evolve as technology develops:

- Throughput speeds have the potential to double every 18 months
- High-speed 40/100 GbE ports are already going into existing systems
- External users are moving from Internet Protocol version 4 (IPv4) to IPv6

Size DOES Matter. Historically, factors considered in firewall selection included the number of users (internal and external) accessing the network or its components.

- Data center firewalls make sense for SMB because of higher throughput, port capacity, and concurrent sessions.
- Large or highly distributed organizations should consider using an enterprise campus firewall:
  - Capacity to handle thousands of users and multiple locations
  - Tradeoff: Required redundancy increases costs and system complexity
  - Self-managing enterprise campus firewalls requires extensive training
- Managed Security Service Providers (MSSP) are third-party, outsourced companies that manage data center security.
  - High availability: 24/7 service necessary for large enterprise campus networks
  - Redundancy: To ensure coverage of your organization's network security infrastructure
  - Serviceability: Detailed service level agreements (SLA) and confidentiality
  - Current high failure rate of MSSP companies

By designing and implementing infrastructures that integrate high throughput with a dynamic software-defined network (SDN), the data center firewall provides the capability to evolve with changing needs and threats.

Three foundations form the basis for data center firewall security:

- Performance. Higher performance through high-speed, high-capacity, low-latency firewalls.
  - Minimum required throughput for a data center firewall is 10 Gbps
  - Large data centers may increase to an aggregate 100+ Gbps
  - Minimum port connectivity of 10 GbE
  - Some capabilities already in the 40-100 GbE range
- Segmentation. Organizations using data centers have adopted network segmentation as a best practice to isolate critical data against potential threats.
  - Applications, user groups, regulatory requirements
  - Business functions, trust levels, locations
  - High density and logical abstraction to support both physical and virtual segmentation clouds
- Simplification. Because data centers extend to external users from various platforms, input sources, and trust levels, a Zero-Trust model should be adopted from the edge throughout segmentation and the network core.
  - Requires a consolidated, simplified security platform for high-speed operations
  - Integration of network routing and switching into firewall controls
  - Centralized visibility and control of functions and security monitoring
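The following Python example is added here to illustrate the Segmentation and Simplification (Zero-Trust) foundations above; it is not code from the module or from any product. Segment names, address ranges, trust levels and rules are constructed placeholders. It classifies each address into a segment by longest prefix match, allows only explicitly listed flows (default deny, including traffic within a segment), and audits the rule set for allows that jump trust tiers or use wildcard destinations, which are the rules a reviewer would look at first.

```python
# Added example (not from the module): segment-aware, default-deny policy check.
# Segment names, CIDRs, trust levels and rules below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    trust: int  # higher number = more trusted (0 = untrusted Internet)


@dataclass(frozen=True)
class Rule:
    src: str      # segment name or "*"
    dst: str      # segment name or "*"
    proto: str
    port: int
    action: str   # "allow" or "deny"; anything unmatched is denied anyway


# Constructed segments, one per business function / trust level.
SEGMENTS: List[Segment] = [
    Segment("internet", "0.0.0.0/0", 0),
    Segment("dmz-web", "10.10.0.0/24", 1),
    Segment("app", "10.20.0.0/24", 2),
    Segment("db-pci", "10.30.0.0/24", 3),   # regulated data, highest isolation
    Segment("mgmt", "10.99.0.0/24", 4),
]

# Constructed explicit allow list. First match wins; there is no implicit allow.
RULES: List[Rule] = [
    Rule("internet", "dmz-web", "tcp", 443, "allow"),
    Rule("dmz-web", "app", "tcp", 8443, "allow"),
    Rule("app", "db-pci", "tcp", 5432, "allow"),
    Rule("mgmt", "*", "tcp", 22, "allow"),
]


def classify(ip: str) -> Segment:
    """Longest-prefix match of an address to a segment; 0.0.0.0/0 is the catch-all."""
    addr = ip_address(ip)
    matches = [s for s in SEGMENTS if addr in ip_network(s.cidr)]
    if not matches:
        raise ValueError(f"{ip}: no segment (this example models IPv4 only)")
    return max(matches, key=lambda s: ip_network(s.cidr).prefixlen)


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, reason). Zero-Trust: no rule means deny, even inside a segment."""
    src, dst = classify(src_ip), classify(dst_ip)
    for r in RULES:
        if (r.src in ("*", src.name) and r.dst in ("*", dst.name)
                and r.proto == proto and r.port == port):
            return r.action, f"rule {r.src}->{r.dst} {proto}/{port}"
    return "deny", f"no rule for {src.name}->{dst.name} {proto}/{port} (default deny)"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag allow rules with a wildcard destination, and allow rules that let a
    segment reach one more than a single trust tier above it (e.g. Internet
    straight to the database tier). These deserve review before deployment."""
    trust = {s.name: s.trust for s in SEGMENTS}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst == "*":
            findings.append(f"{r.src}->* {r.proto}/{r.port}: wildcard destination")
        elif r.src != "*" and trust[r.src] < trust[r.dst] - 1:
            findings.append(f"{r.src}->{r.dst}: skips a trust tier")
    return findings


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.10.0.8", "tcp", 443),
                 ("10.10.0.8", "10.30.0.8", "tcp", 5432),
                 ("10.20.0.5", "10.30.0.8", "tcp", 5432)]:
        print(flow, "->", evaluate(*flow))
    print("audit:", audit_rules(RULES))
```

Note that the web tier cannot reach the database tier directly even though both are internal: segmentation by business function means the only path to regulated data runs through the application tier, and the audit makes the one deliberately broad rule (management SSH to everything) visible rather than silent.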


Traditional firewalls protect physical computer networks running on physical hardware and cabling. This traffic is also referred to as North-South traffic.

Virtual traffic is referred to as East-West traffic. Virtual machines (or virtual drives and networks) residing on physical equipment may also be subject to intrusion from external threats. Today, 60-70% of traffic is East-West, which is why virtual networks are of vital importance and, as a result, why data centers and data center security have emerged in modern networks.

A virtual firewall is simply a firewall running in the virtual environment, providing packet filtering and monitoring much like the physical firewall does for the physical network. The virtual firewall may take a number of forms:

- Loaded as traditional software on the virtual host machine
- Built into the virtual environment
- A virtual switch with additional capabilities
- A managed kernel process within the host hypervisor for all virtual machine activity

Virtual firewalls deploy and operate in two modes:

- Bridge Mode. Acts like a physical firewall, installed at an inter-network switch or bridge to intercept traffic.
  - Decides to allow passage, drop, reject, forward, or mirror the packets
  - Standard for early networks and some current SMB networks
- Hypervisor Mode. Resides in the host virtual machine (or hypervisor) to capture and analyze packets heading for the virtual network from outside the network.
  - Runs faster than Bridge Mode, within the kernel at native hardware speeds
  - Popular hypervisors include VMware vSphere, Citrix Xen, and Microsoft Hyper-V


Application systems typically consist of three basic components:

- Interfaces. The control or method by which the user interacts with the computer, system, or network, often consisting of screens, web pages, or input devices.
- Programming (Logic). Scripts or computer instructions used to validate data, perform calculations, or navigate users through application systems. Large computers may use more than one computer language to drive the system and connect with networks.
- Databases. Electronic repositories of data used to store information for an organization in a structured, searchable, and retrievable format. Most are structured to facilitate downloading, updating and, when applicable, sharing with other network users.

Computer Systems are simply sets of components assembled into an integrated package.

- CPU (Central Processing Unit). The heart of the machine, around which various other components and peripherals are built.
- Components: Data Storage, Memory, Drives, Motherboards, Interfaces
- Peripherals: Input Devices, Displays, Printers, Scanners, etc.

Computer system components vary in size and complexity and may be designed for single or multiple purposes.


With increasing use of cloud services to enable mobile (even global) access to applications and data, technology developed to fulfill the needs of industries from SMB to large international organizations. Three primary methods are integral to this service, each having benefits and tradeoffs between the developer (user) and vendor (provider).

- Infrastructure as a Service (IaaS). The most basic of the three cloud models.
  - Service provider creates the infrastructure, which becomes a self-service platform
  - Benefit: No large infrastructure investment, upgrades and service; operational flexibility
  - Tradeoff: Requires the user to have a high degree of technical knowledge or to employ technical staff
- Platform as a Service (PaaS). Provides an additional level of service to the user beyond the IaaS model.
  - Provider builds infrastructure AND provides monitoring and maintenance service
  - User has access to middleware to assist with application development
  - Benefit: Reduces the amount of coding necessary to automate business policy
  - Tradeoff: Increased cost
- Software as a Service (SaaS). Largest cloud market and continues to grow.
  - In addition to the PaaS services, applications are managed by the provider
  - Businesses develop software and requirements; a third party manages them
  - Benefit: No need for resident software installation on physical systems (web-based)
  - Tradeoff: Lack of flexibility in application configuration (Brand-X vs. Custom)

Shared Security Model. In the Do-It-Yourself (DIY) model, you are responsible for end-to-end security of data and processes. When using cloud services, the vendor (provider) assumes some or all of the responsibility for security management, with the exception of data you add to the application or database as the developer (user).


- Infrastructure as a Service (IaaS): Amazon, Rackspace Cloud, Joyent
- Platform as a Service (PaaS): Google App Engine, Force.com, Windows Azure
- Software as a Service (SaaS): Google Apps, Salesforce.com, ZOHO


Now that we have discussed some of the Data Center Firewalls, their components, methods of deployment, and resulting benefits and tradeoffs, are there any questions before moving into the next module?

From an introduction to the current status of computer network options and configurations, to the challenges posed by evolving technologies and advanced threats, this module has prepared a foundation for more focused discussion on emerging threats and the development of network security technologies and processes designed to provide organizations with the tools necessary to defend best against those threats and continue uninterrupted, secure operations. The next module will focus on the Next Generation Firewall (NGFW), an evolving technology in network security.
