Data centers store an organization’s most valuable, confidential assets, from account information and product designs to strategic plans. To protect these resources, organizations more frequently are turning to firewalls inside their data center that provide exceptional throughput and ultra-low latency — allowing data centers to still function at a high level, but with increased security.
As a field solutions architect team lead for CDW, I specialize in network security, which includes securing data centers. More and more, our customers are seeing the benefit of using firewalls inside the data center, where security protocols can be added to east/west traffic and where attackers have traditionally moved around laterally until they get to what they want.
The key to using them effectively lies in planning. With industry-specific compliance laws and best practices such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) and Sarbanes-Oxley (SOX), things can get very tricky, but are manageable with the right game plan.
Proper Planning Prevents Poor Performance
I’m currently working with a healthcare provider that’s upgrading its data center to support a new HIPAA-compliant management system. The provider knew the system had to process requests quickly so physicians and nurses wouldn’t waste time waiting on patient data, but the customer was unable to quantify “fast.”
We started the project with an architecture overview of key placements for data center firewalls. Then we started a traffic analysis to better understand the organization’s applications and measure their current throughput. That information helps not only to right-size the firewall and intrusion prevention system (IPS), but it also helps ensure the new technology doesn’t add unacceptable amounts of latency to important applications.
When comparing security products, I recommend adding a buffer margin to those current-state throughput figures. One reason is because vendors often publish specs based on “perfect” scenarios rather than “working” scenarios. So I add a 20 percent growth margin to these specs. Another reason is that these products have to perform so many tasks – application control, intrusion prevention, malware prevention and SSL decryption – that they typically become bottlenecks if undersized.
A box that, on paper, looks capable of handling the current workload often ends up struggling. In my experience, buying a product the next size up saves money and headaches by eliminating a deluge of help-desk calls about why an application is suddenly so slow, followed by a hasty, expensive redesign to eliminate bottlenecks.
Analyze and Tweak
There are a few more ways to ensure that additional security doesn’t come at the expense of performance and the user experience. Next-gen firewalls provide more granularity than their predecessors when it comes to control. This granularity can be useful for protecting, for example, just a couple of server segments related to HIPAA or PCI instead of policing all traffic flows.
Another useful strategy is to install firewalls and IPS in passive-monitor mode, sometimes called promiscuous mode. During this type of operation, the IPS only focuses on monitoring and alerting. Firewall rules can be created and tweaked based on traffic analysis findings.
This shakedown helps to ferret out problems, such as false positives and performance hits. It’s also an opportunity to tweak policies, such as which servers can talk to one another and which users can access which ports.
If all of this sounds daunting, don’t be shy about calling in the experts. Look for professionals that have experience with multiple vendors and multiple verticals, because those factors are key for developing a custom plan to keep your data center secure and fast.
For more information, check out “The New Tools Needed to Defend Next-Generation Data Centers from Cyberattacks” at BizTech Magazine.
Lastly, don’t forget to sign up for the CDW Solutions Blog e-newsletter to stay on the top of tech trends.