By Timothy Liu, CTO and Co-Founder, Hillstone Networks
Most organizations recognize the data center as the most essential and critical element of the network. After all, it serves as the repository for sensitive data that allows business functions to operate. However, maintaining the overall security of data centers is a complex problem with no one-size-fits-all solution. Compounding the issue is the distributed architecture of most data centers today – facilities might be in-house, in the cloud, at a rented colo site, in a company-owned remote data center or any combination thereof.
Unfortunately, hackers have long since learned that data center contents can be sold or otherwise leveraged for far more profit than other attacks. Ransomware as in the Colonial Pipeline attack is but one example; personal information, network credentials and credit card numbers can be resold or used to file false claims – and intellectual property can be marketed to nation-states or competitors.
Given the stakes at risk, data center security is of utmost importance. And yet, the size and complexity of data center architectures requires different strategies and solutions than traditional networking environments.
The Data Center Difference
For standard network security architectures, perimeter security devices like Hillstone Networks’ next-gen firewalls (NGFWs) do most of the heavy lifting by defending against malware, intrusion attempts and other hacker tactics. This remains true even in light of the recent trends toward remote workers and Software-as-a-Service usage – in both cases, similar perimeter security tactics are employed.
Data centers, however, usually handle much larger traffic volumes and rely on virtualization: VMs, servers and containers that interact in order to accomplish tasks and share data. The data center structure might be just one in-house array or span multiple cloud architectures, the latter of which can lead to a more loosely defined perimeter.
Managed services providers (MSPs), typically telcos and other companies, operate on a shared, multi-tenant design where the environments of multiple customers are housed in one massive data center. Also, governments and similar groups may co-locate the data center assets of several departments, agencies or other subsets in one shared facility. In either case, rigorous separation is required to safeguard individual entities’ resources and data.
Because data center environments are every bit as distinct as the institutions and enterprises that utilize them, there is no single panacea for data center security. Luckily, over the years best practices and overall standards have evolved to lay the foundation for data center cybersecurity.
Special Considerations for the Perimeter
As in standard networking architectures, next-gen firewalls (NGFWs) are typically the first line of protection for data centers, defending against malware, intrusion attempts and other malevolent actions. The data center’s traffic volumes, service level agreements and other factors, however, may require an NGFW that’s customized for data center environments. Data center NGFWs, like Hillstone Networks’ X-Series, typically support throughput in the terabit range – rather than the multiple-gigabit throughput supported by enterprise-class NGFWs – as well as millions of simultaneous user connections.
Specialized data center NGFWs also support partitioning into multiple virtual firewalls to provide defensive services in shared or multi-tenant environments. Depending on the service provider, customers might be permitted to control the virtual NGFWs directly, which allows customization of features for individual client requirements.
Failover and redundancy are also vital in data center infrastructures, helping assure uninterrupted operations during equipment failure, natural or man-made catastrophe or other business-disrupting incidents. Failover methods in standard networking environments might be active/active or active/passive arrangements, but for data center ecosystems the active/active mode is considered a best practice because it can preserve continuity of operation in these circumstances.
If a failover condition should occur, particularly in cases of a physically remote redundant data center, safeguards should be in place to help assure the continuity of end-user connections as well as that of the applications and data. Proper configurations will allow failover to transpire without affecting the sessions in progress, making the process essentially unnoticeable to users.
The Pressing Need for Micro-Segmentation
Today, nearly every data center includes at least some elements of cloud design – including virtualization, containerized workloads, and the usage of multiple clouds. These factors contribute to elasticity and scalability; however, they can also bring new security dangers that must be addressed. For instance, if a threat actor gains access to the data center, the interconnected workloads present there may offer a passageway to other data center resources that can then be exploited.
Micro-segmentation solutions such as Hillstone’s CloudHive permit individual sections of the data center to be defined and then security policies assigned to defend them. These areas might be as small as a VM, a container or a workload, or larger segments. The internal data center east-west traffic flows are then monitored for potential threats like malware or similar indicators of compromise, which are mitigated or eradicated before they propagate across the data center.
Micro-segmentation for multi-tenant environments also helps defend against unauthorized end-user accesses between customer assets, as well as inter-client threats and attacks like the recent Kaseya incident. Micro-segmentation also provides deep visibility into data center traffic flows as well as standard defense methods such as anti-virus, IPS and others.
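To make the micro-segmentation model above concrete, here is an added example (not Hillstone code) of a default-deny policy check over constructed east-west flows: each VM or container is its own segment labelled by tenant and tier, tenant separation is enforced before any rule is consulted, and only an explicit allow-list rule permits a flow. Workload names, tenants, ports and the flow sample are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str
    tier: str  # e.g. "web", "app", "db"

# Constructed inventory: each VM/container is its own micro-segment,
# labelled by tenant and tier (hypothetical names).
WORKLOADS = {
    "web-1": Workload("web-1", "acme", "web"),
    "app-1": Workload("app-1", "acme", "app"),
    "db-1": Workload("db-1", "acme", "db"),
    "web-9": Workload("web-9", "globex", "web"),
}
# Allow-list of (src_tier, dst_tier, dst_port); anything else is denied.
RULES = {("web", "app", 8080), ("app", "db", 5432)}

def evaluate(src, dst, port, workloads=WORKLOADS, rules=RULES):
    """Return 'allow' or a deny reason for one east-west flow."""
    s, d = workloads.get(src), workloads.get(dst)
    if s is None or d is None:
        return "deny: unknown workload"
    if s.tenant != d.tenant:  # tenant separation is checked before any rule
        return "deny: cross-tenant"
    if (s.tier, d.tier, port) in rules:
        return "allow"
    return "deny: no matching rule"

def audit(flows, workloads=WORKLOADS, rules=RULES):
    """Return the flows a micro-segmentation policy would block or alert on."""
    findings = []
    for src, dst, port in flows:
        verdict = evaluate(src, dst, port, workloads, rules)
        if verdict != "allow":
            findings.append((src, dst, port, verdict))
    return findings

# Constructed east-west flow sample: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("web-1", "app-1", 8080),  # expected web -> app path
    ("app-1", "db-1", 5432),   # expected app -> db path
    ("web-1", "db-1", 5432),   # web skipping the app tier to reach the database
    ("web-9", "app-1", 8080),  # tenant globex reaching into tenant acme
    ("app-1", "db-1", 22),     # SSH between app and db, not in policy
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```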
Rounding Out Defenses: CWPP
Given the distributed virtualized architecture and fluidity of modern data centers, visibility into workloads and traffic can be a major obstacle to achieving a strong security posture. It therefore becomes imperative to shine a light on the location and status of cloud workloads as well as the interactions and interconnectivity between them in normal situations. This analysis and modeling of ordinary behaviors can then, in turn, be used to spot anomalies that could be an indicator of compromise or threat, and take the appropriate defensive actions to counteract it.
Cloud workload protection platforms (CWPPs), like Hillstone’s CloudArmour, are designed to provide this visibility and security within local and cloud data center facilities. CWPPs will normally offer a comprehensive dashboard that allows easy visualization and monitoring of data center assets and traffic flows for fast responses to potential issues.
In addition, CWPPs typically use machine learning or artificial intelligence for accurate learning of normal and usual behaviors. This is critical in reducing false positives and increasing threat detection accuracy. And finally, these solutions usually include micro-segmentation capabilities that can span multiple clouds for increased security.
However, while the previous capabilities are of vital importance in defending the data center, another capability of most CWPPs may be even more important – that of identifying vulnerabilities encapsulated within configurations, containers, nodes, hosts and images. CWPPs can compare compliance postures with best-practice templates and other custom compliance checks, and then recommend remediations if needed. Alerts can also be triggered when vulnerabilities are detected.
Just as attackers are constantly modifying their strategies and tactics, data center security is an evolution – not a one-and-done event. It is imperative for security professionals to pay attention to the fundamentals like perimeter security as well as defenses within the data center itself. In so doing, they can build a solid foundation for protecting business-essential data and applications, no matter where they’re physically or virtually located.
About the Author
Timothy Liu is Co-Founder and chief technology officer of Hillstone Networks. In his role, Mr. Liu is responsible for the company’s product strategy and technology direction, as well as global marketing and sales. Mr. Liu is a veteran of the technology and security industry with over 25 years of experience. Prior to founding Hillstone, he managed the development of VPN subsystems for ScreenOS at NetScreen Technologies, and Juniper Networks following its NetScreen acquisition. Mr. Liu is also a co-architect of the patented Juniper Universal Access Control and holds an additional patent on Risk Scoring and Risk-Based Access Control for NGFW. In his career, Mr. Liu has served in key R&D positions at Intel, Silvan Networks, Enfashion and Convex Computer. Mr. Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.
Tim can be reached online at @thetimliu and at our company website https://www.hillstonenet.com/