Author: Elliott Long
We all grew up with the same set of data center networking toys: the core switch, the top-of-rack switch, the fastest LAN connection we could afford, the expensive fiber links, load balancers, firewalled zones, and ubiquitous VLANs. These were the building blocks we used to construct our enterprise networks. So when data centers became a necessity, we kept using these same IT tools and toys; we knew the data center was different, but this was all we had. We simply beefed up the enterprise LAN and called it a data center network. It seemed to work, and the network-centric data center paradigm stuck. After all, there weren't many choices on the market at the time. We placed everything important on the data center LAN, firewalled it off from the enterprise, and assumed all was well. Of course, we immediately had to add internal firewalled zones (which we loosely called DMZs) for PROD, DEV, and QA. The upgraded high-performance, multi-interface firewall was easy to justify, because the servers it protected were "the most important assets of the entire company." Whatever it took to lock them up securely, that is what we were going to do. We didn't need to know what was going on inside our secured data center: as long as it was locked up, all was well. But when it became necessary to split off Web, App, DB, HR, Accounting, and other departmental segments, we had to implement another round of internal firewalling, manage ever finer network granularity, and justify more budget.
We kept these same toys in operation right up to today's cybersecurity era. Today's data centers bring new devices and requirements, including VMs, containers, hybrid clouds, zero trust, network segmentation, row after row of servers, and bigger pipes for data traffic. This new reality forced us to stretch the old "network-centric data center" paradigm to ever greater complexity, until the simple days of data center administration were gone. The old techniques became too complex, very rigid, and downright scary, even for simple modifications. No one would consider making a data center change during production hours. The wording of firewall rules alone ("... port range ingress, traversing to interface 5, with port range translations egress, uni-directional") can stun an experienced cybersecurity expert into a catatonic state. We build it, but we no longer know what it is, and we are no longer getting what we need. The requirements going forward are not entirely clear, but clear enough to assume there will be a whole lot more of the same: more servers, more traffic, greater business dependency, and now cyber threats galore. We painted ourselves into a corner. As if the raw connectivity weren't burdensome enough, we now contend with clever, persistent, and aggressive attackers coming at us from every angle and on every port, staying dormant for months before they spawn, spread, and surprise us. You can no longer just defend your points of access from intruders; you need to monitor the whole data center. The only safe assumption is that you have already been compromised; the open question is whether any damage was done. How are we going to deal with this? Surely not with the same technology that got us here. It's time for a new approach to data center security.
Guardicore's Software-Defined Label-Based Firewalling answers the call for a new paradigm. It does not require removing or even modifying any networking or security device in your network; everything can stay as it is. With Label-Based Firewalling you are far less dependent on the network-based approach to securing your data center. Leave the legacy infrastructure intact and enjoy the benefits of Label-Based Firewalling, or use Guardicore to simplify your existing network by jettisoning some of the clutter that traditional firewalls, routers and switches have accumulated. Software-Defined Firewalling lowers your dependence on traditional firewall zones, network subnets, and switched VLANs. Either way, you freeze the complexity and start enjoying simpler, flatter, bigger networks. You could return to plain /24 addressing in the data center, or collapse your subnets onto four, three, or even a single VLAN. It doesn't matter which: with Guardicore, all of your data center traffic can be arranged by software-defined labels. These labels describe every organization, business group, function, application, and protocol in your business, and they define permitted traffic flows in terms of business functions and departmental relationships rather than addresses. A small agent on every server acts as the local enforcement point for the centralized "label firewall". In effect, every connection between every pair of servers is a unique firewall session defined by multi-level labels. That is a textbook definition of micro-segmentation, and it is a newer and simpler paradigm. Every cybersecurity practitioner knows about perimeter security at the edge and endpoint security on clients; what has been missing is security for the micro-segmented middle. With label-based firewalling, business rules become firewall rules.
Guardicore's offering provides granular firewall segmentation based on meaningful business distinctions, complete visibility of every protocol path in your data center, dynamic deception technology to keep probing attackers occupied, and real-time threat detection and response, none of which requires changes to the existing data center network. The centralized software-defined firewall runs either in the cloud or on-prem, where all observed traffic is subjected to Guardicore's Threat Assessment Service and detected events get a rapid response. With this capability, Guardicore can be deployed by an MSSP to provide Managed Detection and Response (MDR) to multi-tenant customers.
Since Guardicore is 100% network agnostic, it doesn't matter what network you are on. As long as the agent has connectivity back to the central policy engine, your security rules stay intact, even if you move a server to another network or migrate its services to the cloud. Wherever the server goes, these policies stick to it because they are bound to its labels, not to its address. Guardicore forgoes the older location-dependent paradigm, in which networking and security are applied on behalf of whatever happens to be connected in a particular network segment. Label-Based Firewalling will easily survive a cloud transformation project: if a label-based policy meets compliance when implemented on-prem, you can count on the same compliance after the server is migrated to the cloud. With Guardicore, you know for sure where your data sets are and where they have moved to. A policy violation generates an alert; the failed attempt is correlated with known threats to determine an appropriate response, and vetted for accuracy to limit false positives. We have a new tool that offers a new way to think about organizing our networks, and an easier way to implement and protect our most important IT assets: our data center servers and services.
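To make the label-based model concrete, here is a toy policy engine that evaluates flows purely on workload labels and contrasts it with a subnet ACL. This is an added example written for this page; it is not Guardicore's code, policy language, or API. The label keys (env, app, tier), the rule format, the workload names and every IP address are invented for illustration. It demonstrates the two points made above: a flow is allowed only if a rule matches both endpoints' labels (everything else is denied and alerted), and a server keeps the same policy decision after it moves to a new address, whereas an ACL that encoded the old subnet silently stops matching.

```python
"""Toy label-based micro-segmentation policy engine.

Added example, not Guardicore code. Label keys, rules, workload names
and IP addresses are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Workload:
    name: str
    ip: str                  # where the host happens to sit today
    labels: Dict[str, str]   # e.g. {"env": "prod", "app": "billing", "tier": "db"}


@dataclass
class Rule:
    src: Dict[str, str]      # label selector: every key must match; {} matches anything
    dst: Dict[str, str]
    port: Optional[int] = None   # None = any port
    action: str = "allow"        # "allow" or "block"; first matching rule wins


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


class LabelPolicy:
    """Decides flows by labels only; the endpoints' addresses are never consulted."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alerts: List[str] = []   # blocked attempts, as a detection pipeline would see them

    def decide(self, src: Workload, dst: Workload, port: int) -> str:
        action = "block"   # default deny when no rule covers the flow
        for rule in self.rules:
            if (rule.port in (None, port)
                    and selector_matches(rule.src, src.labels)
                    and selector_matches(rule.dst, dst.labels)):
                action = rule.action
                break
        if action == "block":
            self.alerts.append(f"{src.name}({src.ip}) -> {dst.name}({dst.ip}):{port} blocked")
        return action


def ip_acl_allows(acl: List[Tuple[str, str, int]], src_ip: str, dst_ip: str, port: int) -> bool:
    """Classic subnet ACL for contrast: entries of (src_cidr, dst_cidr, port), default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in ip_network(sc) and d in ip_network(dc) and p == port for sc, dc, p in acl)


# Constructed policy: dev may never reach prod; the prod billing app is a strict three-tier chain.
PROD_BILLING_RULES = [
    Rule(src={"env": "dev"}, dst={"env": "prod"}, action="block"),
    Rule(src={"env": "prod", "app": "billing", "tier": "web"},
         dst={"env": "prod", "app": "billing", "tier": "app"}, port=8443),
    Rule(src={"env": "prod", "app": "billing", "tier": "app"},
         dst={"env": "prod", "app": "billing", "tier": "db"}, port=5432),
]

# Constructed workloads on a conventional on-prem, per-tier /24 layout.
web = Workload("web-01", "10.0.1.10", {"env": "prod", "app": "billing", "tier": "web"})
app = Workload("app-01", "10.0.2.10", {"env": "prod", "app": "billing", "tier": "app"})
db = Workload("db-01", "10.0.3.10", {"env": "prod", "app": "billing", "tier": "db"})
dev_web = Workload("dev-web-01", "10.0.9.10", {"env": "dev", "app": "billing", "tier": "web"})


def run_scenario() -> Dict[str, object]:
    policy = LabelPolicy(PROD_BILLING_RULES)
    results: Dict[str, object] = {
        "web_to_app": policy.decide(web, app, 8443),
        "app_to_db": policy.decide(app, db, 5432),
        "web_to_db": policy.decide(web, db, 5432),        # tier skip: no rule, so denied + alert
        "dev_to_prod_db": policy.decide(dev_web, db, 5432),  # explicit block rule
    }
    # Migrate the database to a cloud address: labels travel with it, the IP does not.
    db_in_cloud = Workload(db.name, "172.31.40.5", dict(db.labels))
    results["app_to_migrated_db"] = policy.decide(app, db_in_cloud, 5432)
    # The same migration as seen by a subnet ACL that encoded the old location.
    acl = [("10.0.2.0/24", "10.0.3.0/24", 5432)]
    results["acl_before"] = ip_acl_allows(acl, app.ip, db.ip, 5432)
    results["acl_after"] = ip_acl_allows(acl, app.ip, db_in_cloud.ip, 5432)
    results["alerts"] = list(policy.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The label policy answers "allow" for app-to-db both before and after the database moves to 172.31.40.5, because nothing in the decision depends on the address; the subnet ACL allows the flow before the move and denies it afterwards, which is exactly the re-firewalling work the article describes. The two blocked flows (web skipping straight to the database, and dev reaching into prod) each land in the alert list, which is where a detection pipeline would pick them up.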