Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
DATA CENTERS 4
Data Center Evolution 4
Market Trends Affecting Data Centers 4
Infrastructure Integration 5
Edge and Core Data Center Firewalls 5
Summary 15
Data Centers
Data centers are abundant in the technology-based business environment of the 21st Century. Due to this
growth, data centers are providing a new field for trends in computing and networking. Data centers are
also driving revisions to IT infrastructure strategies and, along with new strategies, new methods to
bolster network security. This module presents the characteristics and functions of data center firewalls
that apply to networks and applications.
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network, or even an operating system where the framework divides the resource into one or more
execution environments.
Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be
classified as public, private, or hybrid.
Bring Your Own Device (BYOD). Refers to employees taking their own personal device (laptop,
smartphone or tablet) to work to interface with the corporate network.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult
to process using traditional databases and software techniques. In many enterprise scenarios, the
data is too big, moves too fast, or exceeds current processing capacity.
The Internet of Things (IoT). The concept that everyday objects have the ability to connect to the
Internet and identify themselves to other devices.
Infrastructure Integration
Effective technology integration is required to manage data center growth while maintaining throughput
capability. Good technology integration can also reduce the potential for the signal loss and speed
reduction that is often caused by the bridging and security barriers that exist in ad hoc arrangements of
independent appliances. The following two types of hybrid design are favored in modern firewalls:
CPU + Custom ASIC. In this more complex design, a general-purpose CPU is linked to a number of
custom-built, application-specific integrated circuits (ASICs). By matching ASICs that are designed to
handle the specific tasks for which the processor and device are intended, the ability to process data is
enhanced and system performance is optimized.
ensuring compliance with regulations that protect sensitive user data. These functions are referred to as
Multi-Layered Security, and may include:
IP Security (IPSec)
Firewall
Antivirus/Antispyware
Web Filtering
Antispam
These functions work together to provide security for the data center. They also provide a consolidated,
simplified control for administrators and complex barriers to potential threats. Figure 2 shows an example
data center firewall deployment that provides gatekeeper functionality and integrated security solutions,
with simplified control and complex protection.
High-speed 40/100 GbE ports are already going into existing systems
External users are moving from Internet Protocol version 4 (IPv4) to IPv6
Figure 3 illustrates how the data center firewall is adaptable to evolving technology and user trends.
Size
A determining factor in selecting the network firewall type is the size of the user base (which includes
both internal and external users) that is accessing the network or its components. Using data center
firewalls in small and medium businesses (SMBs) makes sense, because modern data center firewall
systems provide higher throughput speeds, higher connectivity (port capacity), and a higher capacity for
concurrent sessions.
As a business or organization grows, and network access grows to include multiple locations and
thousands of users, it may become necessary to use an enterprise campus firewall. Although enterprise
firewalls can handle a larger user base and multiple locations, the trade-off is the need for redundancy (to
ensure reliability) and, potentially, extensive training. Redundancy can result in high costs for more
complex equipment. If an organization intends to self-manage the enterprise firewall, support staff could
require extensive training. Because of these complexities, enterprise data centers may reside on-premises
at a company site, in a dedicated co-location space in a provider's data center facility, or as an
outsourced service in a multi-tenant provider cloud environment. Figure 3 shows an example of a data
center in a distributed network configuration.
Does the MSSP align with our basic business and security philosophy?
Will the MSSP sign a non-disclosure agreement, so that details about the company's security will
be kept secure?
Will the MSSP be available to provide 24/7 support and reach a global audience?
Data Center Firewall Characteristics The Foundations of Data Center Firewall Security
Cloud Services
As cloud services and software-defined networks (SDNs) became prevalent, network functions
virtualization (NFV) platforms such as VMware NSX and Cisco ACI also began to take the place of physical
devices, encapsulating appliances such as firewalls, load balancers, and switches as scalable virtual
appliances within the same physical devices. OpenFlow, which was once limited to research labs, has
now emerged as the standard protocol for communications between controllers and network switches in
the SDN (or virtual) environment. The OpenFlow protocol separates the network control plane from the
data (forwarding) plane so that network traffic flows can be programmed to be more dynamic and automated.
As virtualization and SDN deployment expanded, the practice became available for implementation by
private individuals and organizations outside traditional boundaries of those with large amounts of
available capital and resources. With broad availability of open-source software enabling low-cost
network development, cloud computing has reached into the realm of private and personal clouds. One
popular open-source platform for cloud computing is OpenStack, which provides capability to develop and
manage private and public clouds, even providing compatibility with popular enterprise and open-source
technologies for controlling large pools of data center computing, storage, and networking resources.
that deliver over 100 Gbps performance with less than 5 µs latency. Figure 5 illustrates the key
requirements of a data center firewall.
Virtual Firewalls
Traditional firewalls protect physical computer networks: those running on physical hardware and
cabling. As such, the most effective means of security was and still is a physical, locked fire door. The
traffic that runs on physical networks is referred to as North-South traffic.
Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a
host but acting as though each were an independent system or network. Even though they operate in a
"virtual reality," virtual networks are still subject to threats and intrusion from external sources. Virtual
traffic (traffic moving laterally between servers without leaving the data center) is referred to as
East-West traffic. Today, 60-70% of traffic is East-West. Figure 6 illustrates the flow of North-South (physical)
traffic compared with East-West (virtual) traffic.
following:
Pay-as-you-use infrastructure
The emergence of SDDCs provides new paths for economical flexibility in data center definition and
operation.
In summary, the flexible deployment capability for data center firewalls means that you can target the
threats that are identified as most important to the network or system. Deploying the firewall at the
network edge is effective to block external intrusions from accessing the network. Deploying the firewall at
the network core provides segmentation in the event that an external threat gains access to the network.
At the virtual layer, the firewall is able to monitor traffic between virtual machines (VMs).
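The edge/core/virtual placement described above can be made concrete with a small policy model. The following Python is an added example and is not code from the Fortinet module: it labels flows from a constructed flow log as North-South (one endpoint outside the data center) or East-West (both endpoints inside), then applies an edge policy that admits only published services from outside and a core policy that only permits listed tier-to-tier flows. The address plan (10.10.0.0/16), the web/app/db tier subnets, the ports and the log records are all assumptions constructed for the example.

```python
"""
Added example (not from the Fortinet module): classify flows as
North-South or East-West and evaluate a two-tier firewall policy,
an edge policy for external ingress and a core policy for
segmentation between data-center tiers.
"""
import ipaddress
from dataclasses import dataclass

# Assumed data-center address plan (constructed for this example).
DATA_CENTER_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Assumed tier assignment inside the data center (constructed).
TIERS = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
}

# Edge policy: (destination tier, port) pairs published to external users.
EDGE_ALLOWED = {("web", 443)}

# Core policy: permitted (source tier, destination tier, port) triples.
CORE_ALLOWED = {("web", "app", 8080), ("app", "db", 5432)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def in_data_center(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATA_CENTER_PREFIXES)


def tier_of(addr):
    """Return the tier name for an address, or None if it is in no tier."""
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return None


def classify(flow):
    """North-South when exactly one endpoint is inside; East-West when both are."""
    inside = (in_data_center(flow.src), in_data_center(flow.dst))
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "transit"


def edge_decision(flow):
    """Edge firewall: external ingress is allowed only to published services."""
    if in_data_center(flow.src):
        return "allow"  # outbound traffic; assumed permitted at the edge in this example
    return "allow" if (tier_of(flow.dst), flow.dport) in EDGE_ALLOWED else "deny"


def core_decision(flow):
    """Core firewall: an East-West flow must match a permitted tier pair and port."""
    key = (tier_of(flow.src), tier_of(flow.dst), flow.dport)
    return "allow" if key in CORE_ALLOWED else "deny"


def evaluate(flow):
    """Route the flow to the firewall tier responsible for it and return (direction, decision)."""
    direction = classify(flow)
    if direction == "north-south":
        return direction, edge_decision(flow)
    if direction == "east-west":
        return direction, core_decision(flow)
    return direction, "deny"  # traffic that belongs to neither side is not forwarded


def evaluate_log(lines):
    """Parse 'src dst dport' records and return (record, direction, decision) tuples."""
    results = []
    for line in lines:
        src, dst, dport = line.split()
        results.append((line, *evaluate(Flow(src, dst, int(dport)))))
    return results


# Constructed flow records in the form "src dst dport".
SAMPLE_LOG = [
    "203.0.113.7 10.10.1.20 443",   # external user to the published web service
    "203.0.113.7 10.10.3.5 5432",   # external user straight to the database
    "10.10.1.20 10.10.2.15 8080",   # web tier to app tier
    "10.10.1.20 10.10.3.5 5432",    # web tier skipping the app tier
    "10.10.2.15 10.10.3.5 5432",    # app tier to database
]

if __name__ == "__main__":
    for record, direction, decision in evaluate_log(SAMPLE_LOG):
        print(f"{record:32} {direction:12} {decision}")
```

The second and fourth records show the point of the two placements: the edge policy stops an outside host from reaching the database directly, and the core policy stops a compromised web server from reaching the database without passing through the application tier.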
Application Systems
Application systems typically consist of user interfaces, programming (logic), and databases.
User Interface. A user interface is the control or method by which the user interacts with the computer,
system, or network, often consisting of screens, web pages, or input devices. Some application systems
have non-visual interfaces that exchange data electronically with other systems in a network.
Programming. Programming consists of the scripts or computer instructions used to validate data,
perform calculations, or navigate users through application systems. Many large computers use more
than one computer language to drive the system and connect with networks. This allows linking of
systems performing specialized functions into a centrally-manageable network.
Databases. Databases are simply electronic repositories of data used to store information for the
organization in a structured, searchable, and retrievable format. Most databases are configured to
facilitate access for downloading, updating, and sharing with other authorized network users.
Computer Systems
Computer systems are simply sets of components that are assembled into an integrated package.
CPU. The central processing unit (CPU) is the heart of a computer system around which various other
components such as data storage, drives, displays, memory, input devices, and other peripherals are
built. Computer system components may vary in size and complexity and can be designed for single
or multiple purposes.
Figure 7 shows an example network with application and computer systems.
Application Services
In today's market, cloud services continue to grow quickly. Integral to this broad range of services are
three primary service models: infrastructure as a service (IaaS), platform as a service (PaaS), and
software as a service (SaaS). The primary difference between the service models is in management
responsibilities between developer (user) and vendor (provider). This is illustrated in Figure 8 [2].
Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models
Summary
From an introduction to the current status of computer network options and configurations, to the
challenges posed by evolving technologies and advanced threats, this module has prepared a foundation
for more focused discussion on emerging threats and the development of network security technologies
and processes designed to provide organizations with the tools necessary to best defend against those
threats and continue uninterrupted, secure operations. An additional module in this program will focus on
the Next Generation Firewall (NGFW), an evolving technology in network security.
Key Acronyms
AAA: Authentication, Authorization, and Accounting
AD: Active Directory
ADC: Application Delivery Controller
ADN: Application Delivery Network
AM: Antimalware
API: Application Programming Interface
APT: Advanced Persistent Threat
ASIC: Application-Specific Integrated Circuit
ASP
ATP: Advanced Threat Protection
AV: Antivirus
AV/AM: Antivirus/Antimalware
CPU: Central Processing Unit
DLP: Data Loss Prevention
DNS: Domain Name System
DoS: Denial of Service
DPI: Deep Packet Inspection
DSL: Digital Subscriber Line
FTP: File Transfer Protocol
FW: Firewall
Gb: Gigabyte
GbE: Gigabit Ethernet
Gbps: Gigabits per second
GUI: Graphical User Interface
IaaS: Infrastructure as a Service
ICMP: Internet Control Message Protocol
ICSA: International Computer Security Association
ID: Identification
IDC: International Data Corporation
IDS: Intrusion Detection System
IM: Instant Messaging
IMAP: Internet Message Access Protocol
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention System
IPSec: Internet Protocol Security
IPTV: Internet Protocol Television
IT: Information Technology
J2EE: Java 2 Platform, Enterprise Edition
LAN: Local Area Network
LLB
LOIC: Low Orbit Ion Cannon
MSP: Managed Service Provider
NSS: NSS Labs
OSI: Open Systems Interconnection
OTS
PaaS: Platform as a Service
PC: Personal Computer
PHP: PHP: Hypertext Preprocessor
POE: Power over Ethernet
QoS: Quality of Service
RDP: Remote Desktop Protocol
SaaS: Software as a Service
SDN: Software-Defined Network
SEG
SFP: Small Form-factor Pluggable
SFTP: SSH File Transfer Protocol
SIEM: Security Information and Event Management
SLA: Service Level Agreement
SM: Security Management
SMB: Small and Medium Business
SMS: Short Message Service
SQL: Structured Query Language
SSL: Secure Sockets Layer
SWG: Secure Web Gateway
SYN: Synchronize (TCP flag)
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URL: Uniform Resource Locator
USB: Universal Serial Bus
UTM: Unified Threat Management
VM: Virtual Machine
VoIP: Voice over IP
VPN: Virtual Private Network
WAF: Web Application Firewall
XSS: Cross-site Scripting
Glossary
ASIC. Application-Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to
process using traditional databases and software techniques. In many enterprise scenarios, the data is
too big, moves too fast, or exceeds current processing capacity.
Bridge Mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at
an inter-network switch or bridge to intercept network traffic needing to travel over the bridge.
BYOD. Bring Your Own Device (BYOD) refers to employees taking their own personal device to work,
whether laptop, smartphone or tablet, in order to interface to the corporate network. According to a Unisys
study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by
the employee.
Cloud Computing. Computing in which large groups of remote servers are networked to allow the
centralized data storage, and online access to computer services or resources. Clouds can be classified
as public, private or hybrid.
Computer systems. Computer systems are simply sets of components that are assembled into an
integrated package.
CPU. The heart of a computer system is the central processing unit (CPU), around which various other
components are built. A CPU is the electronic circuitry within a computer that carries out the instructions
of a computer program by performing the basic arithmetic, logical, control, and input/output (I/O)
operations specified by the instructions.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
IP Security (IPSec)
Web Filtering
Firewall
Antispam
Antivirus/Antispyware
Databases. Databases are simply electronic repositories of data used to store information for the
organization in a structured, searchable, and retrievable format.
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall:
the gatekeeper.
Hypervisor Mode. In hypervisor mode the virtual firewall is not actually part of the virtual network at
all; rather, it resides in the host virtual machine (the hypervisor) in order to capture and analyze
packets destined for the virtual network.
Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The
service provider creates the infrastructure, which becomes a self-service platform for the user for
accessing, monitoring, and managing remote data center services.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect
to the Internet and identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
OpenFlow. OpenFlow enables network controllers to determine the path of network packets across a
network of switches. The controllers are distinct from the switches. This separation of the control from the
forwarding allows for more sophisticated traffic management than is feasible using access control
lists (ACLs) and routing protocols. OpenFlow allows switches from different vendors (often each with
their own proprietary interfaces and scripting languages) to be managed remotely using a single, open
protocol.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance
instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a
traditional firewall with advanced features including:
Access Enforcement
Distributed Enterprise Capability
VPN
Application Awareness
Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user
beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user.
Programming. Programming consists of the scripts or computer instructions used to validate data,
perform calculations, or navigate users through application systems.
SDDC. The software-defined data center (SDDC) presents a paradigm that infrastructure such as
servers, network, and storage can be logically and dynamically orchestrated without the need for adding
or configuring new physical appliances or expanding into new facilities.
Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security and
operations that is split between the cloud provider and the cloud tenant.
Software as a Service (SaaS). The SaaS model takes the final step of bringing the actual software
application into the set of functions managed by the provider, with the user having a client interface.
Software-Defined Networks (SDN). An approach to networking in which control is decoupled from
hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective,
and adaptable, which makes it well suited to the high-bandwidth, dynamic nature of today's applications.
Virtual Firewall. A virtual firewall is simply a firewall service running entirely within the virtual
environment, providing the typical packet filtering and monitoring that would be expected when using a
physical device in a physical network.
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network or even an operating system where the framework divides the resource into one or more
execution environments.
VLAN. Virtual LANs (VLANs) may be used to segment multiple subnets logically on the same
physical switch.
References
1.
2. Frampton, K., The Differences Between IaaS, SaaS, and PaaS. 2013, SmartFile.
3.