
Data Centers Data Center Evolution

NSE 1: Data Center Firewalls


Study Guide

NSE 1: Data Center Firewalls Study Guide


Last Updated: 8 April 2016

Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents
DATA CENTERS
  Data Center Evolution
    Market Trends Affecting Data Centers
    Infrastructure Integration
    Edge and Core Data Center Firewalls
DATA CENTER FIREWALL CHARACTERISTICS
  Size
    Managed Security Service Provider (MSSP)
    Cloud Services
  The Foundations of Data Center Firewall Security
    Virtual Firewalls
  Data Center Network Services
    Application Systems
    Computer Systems
    Application Services
    Shared Security Responsibility (SSR) Model
  Summary
KEY ACRONYMS
GLOSSARY
REFERENCES


Data Centers
Data centers are abundant in the technology-based business environment of the 21st Century. Due to this
growth, data centers are providing a new field for trends in computing and networking. Data centers are
also driving revisions to IT infrastructure strategies and, along with new strategies, new methods to
bolster network security. This module presents the characteristics and functions of data center firewalls
that apply to networks and applications.

Data Center Evolution


Technology is an integral part of modern-day businesses: large
businesses as well as small and medium businesses (SMB). Modern
data centers typically contain servers with a variety of purposes,
including web servers, application servers, and database servers.
Along with growing use of technology came a need to develop more
specialized applications and innovative ways to store ever-increasing
volumes of digital data. This growing storage requirement resulted in
the development of a new sector in technology operations: the data center. As new technologies for end
users of computing platforms evolve, so must the security measures applied to the data centers that end
users access for operations such as email, social media, banking, shopping, education, and many others.
Developing strategies to keep pace with the accelerating integrated and distributed nature of technology
has become a critical industry in protecting personal, business, and organizational data and
communications from legacy, advanced, and emerging threats.

Market Trends Affecting Data Centers


Both consumer and business trends influence data center development. As technology evolved, so did
business practices. Some of the evolving business practices that influenced data center development
include:

Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network, or even an operating system where the framework divides the resource into one or more
execution environments.

Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be
classified as public, private, or hybrid.

Software-Defined Networks (SDN). An approach to networking in which control is decoupled from
hardware and given to a software application called a controller. Dynamic, manageable, cost-effective,
and adaptable, it is ideal for the high-bandwidth, dynamic nature of today's applications.

Bring Your Own Device (BYOD). Refers to employees taking their own personal device (laptop,
smartphone or tablet) to work to interface with the corporate network.

Big Data. A massive volume of both structured and unstructured data that is so large it is difficult
to process using traditional databases and software techniques. In many enterprise scenarios, the
data is too big, moves too fast, or exceeds current processing capacity.


The Internet of Things (IoT). The concept that everyday objects have the ability to connect to the
Internet and identify themselves to other devices.

Infrastructure Integration
Effective technology integration is required to manage data center
growth while maintaining throughput capability. Good technology
integration can also reduce the potential for the signal loss and
speed reduction that is often caused by the bridging and security
barriers that exist in ad hoc arrangements of independent
appliances. The following two types of hybrid design are favored in
modern firewalls:

CPU + OTS ASIC. In this design, a general purpose central processing unit (CPU) is augmented by an
off-the-shelf (OTS) application-specific integrated circuit (ASIC). This is the simplest design, but it can
suffer from performance degradation.

CPU + Custom ASIC. In this more complex design, a general CPU is linked to a number of custom-built,
application-specific integrated circuits (ASICs). By matching ASICs that are designed to handle the
specific tasks for which the processor and device are intended, the ability to process data is enhanced
and system performance is optimized.

Edge and Core Data Center Firewalls


Edge Firewall. Edge firewalls are implemented at the edge of a network to protect the network against
potential attacks from external traffic. This is the best understood and most traditional role of a firewall:
the gatekeeper. Other capabilities, in addition to gatekeeper duties, may be added to the edge firewall as
other security appliances are linked to it. However, this method of expansion leads to a complex
architecture that results in complex network and security controls. Figure 1 shows a typical edge
firewall configuration.

Figure 1. Typical edge firewall configuration


Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions. Depending on network size and configuration, the data center firewall may also provide
security functions, such as protecting internal resources from access by malicious insiders, and
ensuring compliance with regulations that protect sensitive user data. These functions are referred to as
Multi-Layered Security, and may include:

IP Security (IPSec)

Firewall

Intrusion Detection System/Intrusion Prevention System (IDS/IPS)

Antivirus/Antispyware

Web Filtering

Antispam

Traffic Shaping [1]

These functions work together to provide security for the data center. They also provide a consolidated,
simplified control for administrators and complex barriers to potential threats. Figure 2 shows an example
data center firewall deployment that provides gatekeeper functionality and integrated security solutions,
with simplified control and complex protection.

Figure 2. Example data center firewall deployment


Data Center Firewall Characteristics


As end-user devices and activities evolve, data centers must also evolve to ensure adequate service and
security. Some market trends affecting data centers include increasing use of mobile devices, employee
device portability (BYOD), data center consolidation through server virtualization, cloud computing, and
software-defined networking. Some of the ways in which we see technology evolving include:

Throughput speeds have the potential to double every 18 months

High-speed 40/100 GbE ports are already going into existing systems

External users are moving from Internet Protocol version 4 (IPv4) to IPv6

Figure 3 illustrates how the data center firewall is adaptable to evolving technology and user trends.

Figure 3. Data center firewall adaptability to evolving capabilities

Size
A determining factor in selecting the network firewall type is the size of the user base (which includes
both internal and external users) that is accessing the network or its components. Using data center
firewalls in SMBs makes sense, because modern data center firewall systems provide higher
throughput speeds, higher connectivity (port capacity), and a higher capacity for concurrent sessions.
As a business or organization grows, and network access grows to include multiple locations and
thousands of users, it may become necessary to use an enterprise campus firewall. Although enterprise
firewalls can handle a larger user base and multiple locations, the trade-off is the need for redundancy (to
ensure reliability) and, potentially, extensive training. Redundancy can result in high costs for more
complex equipment. If an organization intends to self-manage the enterprise firewall, support staff could
require extensive training. Because of these complexities, enterprise data centers may reside on-premises
at a company site, in a dedicated co-location space in a provider's data center facility, or as an
outsourced service in a multi-tenant provider cloud environment. Figure 4 shows an example of a data
center in a distributed network configuration.

Figure 4. Data center in a distributed enterprise network configuration

Managed Security Service Provider (MSSP)

Some companies may decide to outsource data center security operations to a third party, or Managed
Security Service Provider (MSSP). MSSPs provide a wide range of network security services, from one-time
services, such as configuring routers, to ongoing services, such as network monitoring, upgrades, and
configuration. MSSPs can provide SMBs with enhanced capabilities without the need to increase technical
staff. For large and high-visibility businesses, MSSPs can provide supplemental protection beyond that of
their own technical staff.
When deciding whether to engage an MSSP for network security operations, several factors must
be taken into account. A business might ask a number of questions when deciding whether or not to use
an MSSP for its security operation. These might include, but are not limited to, the following:

Does the MSSP align with our basic business and security philosophy?

Will the MSSP sign a non-disclosure agreement, so that details about the company's security will
remain confidential?

Will the MSSP be available to provide 24/7 support and reach a global audience?


Cloud Services
As cloud services and software-defined networks (SDNs) became prevalent, network virtualization
platforms such as VMware NSX and Cisco ACI, together with network functions virtualization (NFV), also
began to take the place of physical devices, encapsulating appliances such as firewalls, load balancers,
and switches as scalable virtual appliances within the same physical hosts. OpenFlow, which was once
limited to research labs, has now emerged as a standard protocol for communications between controllers
and network switches in the SDN (or virtual) environment. The OpenFlow protocol separates the network
control plane from the data (forwarding) plane so that traffic flows can be programmed dynamically and
automatically.
As virtualization and SDN deployment expanded, the practice became available for implementation by
private individuals and organizations outside the traditional boundaries of those with large amounts of
available capital and resources. With broad availability of open-source software enabling low-cost
network development, cloud computing has reached into the realm of private and personal clouds. One
popular open-source platform for cloud computing is OpenStack, which provides the capability to develop
and manage private and public clouds, and is compatible with popular enterprise and open-source
technologies for controlling large pools of data center computing, storage, and networking resources.

The Foundations of Data Center Firewall Security


By designing and implementing network infrastructures combining high throughput with a dynamic
software-defined network (SDN), the data center firewall provides the capability to evolve with consumer
and industry trends. To accomplish this, data center firewalls must focus on three primary areas as
foundations for security: performance, segmentation, and simplification.
Performance. As the need for network speeds to accelerate continues, the data center will be at the
forefront of network design, enabling higher performance through high-speed, high-capacity, and
low-latency firewalls. Currently, the minimum required throughput of a data center firewall is 10 Gbps, with
an expectation by large company data center users that throughput may be increased up to an aggregate
100+ Gbps. Similarly, enabling high throughput requires a minimum port connectivity of 10 Gigabit
Ethernet on the data center firewall, with some capabilities already expanding into the 40-100
Gigabit range.
Segmentation. With the evolution of IT devices and evolving network threats, organizations using data
centers have adopted network segmentation as a best practice to isolate critical data from potential
threats. Common data isolation criteria include applications, user groups, regulatory requirements,
business functions, trust levels, and locations. To support the use of network segmentation in a network
security scheme, data center firewalls must provide high port density and logical abstraction supporting
both physical and virtual segmentation. Benefits include keeping sensitive data partitioned from
unauthorized access for security and compliance purposes, limiting lateral movement of advanced threats
that gain an initial foothold in the network, and ensuring that employees and users have access only to
the services and applications for which they are authorized.
Simplification. Because data centers extend to external users of varying trust levels, a Zero-Trust model
for data access must extend beyond the traditional data center edge into the segmented core of the
network. This requires a consolidated (simplified) security platform that can manage multiple functions
while supporting high-speed network operations. To further simplify data center firewall operations,
integrating network routing and switching functions into the firewall's controls provides centralized
visibility and control over network functions and security monitoring. Consolidation may also be
accomplished by putting multiple physical server workloads onto a shared physical host by using virtual
machines on a hypervisor.
A good example of a data center core firewall that incorporates all the requirements of low latency,
high throughput, and high performance is the FortiGate platform line. These firewalls include models
that deliver over 100 Gbps performance with less than 5 µs latency. Figure 5 illustrates the key
requirements of a data center firewall.

Figure 5. Data center firewall requirements

Virtual Firewalls
Traditional firewalls protect physical computer networks, that is, those running on physical hardware and
cabling. As such, the most effective means of security was and still is a physical, locked, fire door. Traffic
that enters or leaves the data center through that physical perimeter is referred to as North-South traffic.
Unlike physical machines and networks, virtual machines operate in a virtual environment, isolated on a
host but acting as though they were independent systems or networks. Even though they operate in a
"virtual reality", virtual networks are still subject to threats and intrusion from external sources. Virtual
traffic, the traffic moving laterally between servers without leaving the data center, is referred to as
East-West traffic. Today, 60-70% of traffic is East-West. Figure 6 illustrates the flow of North-South
(Physical) compared with East-West (Virtual) traffic.


Figure 6. North-South (Physical) vs. East-West (Virtual) traffic


Virtual LANs (VLANs) may be used to segment multiple subnets logically on the same physical switch.
To secure data being transmitted between virtual machines in a virtual network, the virtual firewall was
developed. A virtual firewall is simply a firewall service running entirely within the virtual environment. A
virtual firewall provides the same packet filtering and monitoring that would be expected when using a
physical device in a physical network. The virtual firewall may take a number of forms: it may be loaded
as a traditional software firewall on a virtual machine, it can be built into the virtual environment, it
can be a virtual switch with additional capabilities, or it can be a managed kernel process within the host
hypervisor that sees all virtual machine activity.
Virtual firewalls may operate in one of two modes, depending on how they are deployed: bridge mode
or hypervisor mode.
Bridge mode. A virtual firewall operating in bridge mode acts like a physical firewall and is normally
situated at an inter-network switch or bridge where it intercepts network traffic. The virtual firewall can
allow, drop, reject, forward, or mirror the traffic (packets) it intercepts. This was the standard for early
virtual networks, and some current networks still retain this model.
Hypervisor mode. In hypervisor mode, the virtual firewall is not part of the virtual network. It resides in
the host (the hypervisor) in order to capture and analyze packets destined for the virtual network.
Because virtual firewalls operating in hypervisor mode are not themselves guests on the virtual network,
they can run within the hypervisor kernel at close to native hardware speed. Examples of popular
hypervisors on the market include VMware vSphere, Citrix Xen, and Microsoft Hyper-V.
As virtual capabilities evolved, the definition of the data center evolved as well. Instead of requiring a
traditional physical infrastructure, a data center can now reside in a software-defined space. In a
software-defined data center (SDDC), infrastructure such as servers, network, and storage is logically
and dynamically orchestrated, without the need to add or configure new physical appliances or to
expand into new facilities. Due to the virtual nature of SDDCs, on-demand data centers emerged.
On-demand data centers provide several benefits to small consumers and SMBs, including the
following:

Pay-as-you-use infrastructure

Delivery on demand without extended provisioning times

No requirement for long-term obligations or contracts

The emergence of SDDCs provides new paths for economic flexibility in data center definition and
operation.
In summary, the flexible deployment capability of data center firewalls means that you can target the
threats that are identified as most important to the network or system. Deploying the firewall at the
network edge is effective for blocking external intrusions from accessing the network. Deploying the
firewall at the network core provides segmentation in the event that an external threat gains access to the
network. At the virtual layer, the firewall is able to monitor traffic between virtual machines (VMs).
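The segmentation requirement described under The Foundations of Data Center Firewall Security and the North-South/East-West distinction from the Virtual Firewalls section can be made concrete with a small policy model. The following is an added example; it is not code from this study guide or from Fortinet. The zone names, the 10.10.0.0/16 addressing, the sample flows, and the allow-list are all constructed for illustration. The model classifies each flow as north-south (crossing the data center edge) or east-west (staying inside), then evaluates it against a default-deny allow-list between segments, so you can see what a compromised web server can and cannot reach when it tries to move laterally toward the database tier.

```python
"""Zone-based segmentation policy for a data center core firewall.

Added example, not from the NSE 1 study guide. Zone names, address ranges,
sample flows and the allow-list are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the whole data center is 10.10.0.0/16, carved into
# segments by function and trust level. Anything outside it is "internet".
DATA_CENTER = ipaddress.ip_network("10.10.0.0/16")
ZONES = {
    "dmz-web": ipaddress.ip_network("10.10.1.0/24"),  # internet-facing web tier
    "app":     ipaddress.ip_network("10.10.2.0/24"),  # application tier
    "db":      ipaddress.ip_network("10.10.3.0/24"),  # database tier
    "mgmt":    ipaddress.ip_network("10.10.9.0/24"),  # administrative jump hosts
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit allow-list between segments. Any inter-zone flow that matches no
# rule is denied; that default deny is what limits lateral movement.
POLICY = (
    Rule("internet", "dmz-web", "tcp", 443),   # north-south: users reach the web tier only
    Rule("dmz-web",  "app",     "tcp", 8443),  # east-west: web tier calls the app tier
    Rule("app",      "db",      "tcp", 5432),  # east-west: only the app tier talks to the DB
    Rule("mgmt",     "dmz-web", "tcp", 22),
    Rule("mgmt",     "app",     "tcp", 22),
    Rule("mgmt",     "db",      "tcp", 22),
)


def zone_of(ip: str) -> str:
    """Map an address (IPv4 or IPv6) to its segment; anything unknown is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:  # version mismatch simply yields False
            return name
    return "internet"


def direction(src: str, dst: str) -> str:
    """Classify a flow: north-south crosses the data center edge, east-west stays inside."""
    s_in = ipaddress.ip_address(src) in DATA_CENTER
    d_in = ipaddress.ip_address(dst) in DATA_CENTER
    if s_in and d_in:
        return "east-west"
    if s_in or d_in:
        return "north-south"
    return "transit"  # neither endpoint is ours; not this firewall's decision


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow under the default-deny inter-zone policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        # Assumption: intra-segment traffic never crosses the firewall in this design.
        return "allow"
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (sz, dz, proto.lower(), dport):
            return "allow"
    return "deny"


def lateral_reach(src: str) -> list:
    """Every (zone, port) a host in src's segment may reach: its pivot surface if compromised."""
    sz = zone_of(src)
    return sorted((r.dst_zone, r.dport) for r in POLICY if r.src_zone == sz)


# Constructed sample flows (src, dst, proto, dport), including an attacker who has
# taken over a web server and tries to reach the database directly.
SAMPLE_FLOWS = (
    ("203.0.113.7", "10.10.1.10", "tcp", 443),   # customer -> web tier
    ("203.0.113.7", "10.10.3.20", "tcp", 5432),  # internet -> DB directly
    ("10.10.1.10",  "10.10.2.5",  "tcp", 8443),  # web -> app
    ("10.10.1.10",  "10.10.3.20", "tcp", 5432),  # compromised web host -> DB
    ("10.10.2.5",   "10.10.3.20", "tcp", 5432),  # app -> DB
    ("10.10.1.10",  "10.10.1.11", "tcp", 22),    # web -> web, same segment
)


def audit(flows=SAMPLE_FLOWS) -> list:
    """Evaluate each flow; returns one (direction, verdict) pair per flow, in order."""
    return [(direction(s, d), evaluate(s, d, p, port)) for s, d, p, port in flows]


if __name__ == "__main__":
    for flow, (dirn, verdict) in zip(SAMPLE_FLOWS, audit()):
        print(f"{flow[0]:>13} -> {flow[1]:<11} {flow[2]}/{flow[3]:<5} {dirn:<11} {verdict}")
    print("pivot surface from a compromised web server:", lateral_reach("10.10.1.10"))
```

The useful output is the fourth flow: the web host is allowed to the app tier on 8443 but denied straight to the database, which is the lateral-movement limit the guide describes. In practice the same model is expressed as zone or interface policies on the core firewall; the `lateral_reach` view is what to check before approving a new inter-zone rule, since every rule added from a low-trust zone widens the pivot surface of anything compromised there.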

Data Center Network Services


As technology evolved, more and more services moved from running on physically resident hardware to
virtual or cloud-based applications to reduce bottlenecks, increase throughput, and optimize data sharing,
among other benefits. Data center traffic has increased due to the increased number of users depending on
mobile applications to access data, businesses aggregating and storing increasing amounts of data to
enable analytics, and increased use of SaaS cloud storage over local physical drive storage appliances.
Because of these shifts, networks from distributed enterprises down to SMBs and home businesses
began to depend on virtual and cloud applications for remote and mobile capability. This led to a focus on
the development of threats to the upper (application) layers of the Open Systems Interconnection (OSI)
model.

Application Systems
Application systems typically consist of user interfaces, programming (logic), and databases.
User Interface. A user interface is the control or method by which the user interacts with the computer,
system, or network, often consisting of screens, web pages, or input devices. Some application systems
have non-visual interfaces that exchange data electronically with other systems in a network.
Programming. Programming consists of the scripts or computer instructions used to validate data,
perform calculations, or navigate users through application systems. Many large computers use more
than one computer language to drive the system and connect with networks. This allows linking of
systems performing specialized functions into a centrally-manageable network.
Databases. Databases are simply electronic repositories of data used to store information for the
organization in a structured, searchable, and retrievable format. Most databases are configured to
facilitate access for downloading, updating, and sharing with other authorized network users.

Computer Systems
Computer systems are simply sets of components that are assembled into an integrated package.
CPU. The central processing unit (CPU) is the heart of a computer system around which various other
components such as data storage, drives, displays, memory, input devices, and other peripherals are
built. Computer system components may vary in size and complexity and can be designed for single
or multiple purposes.
Figure 7 shows an example network with application and computer systems.

Figure 7. Example network


Control of firewalls is provided through user interfaces. The level of application control found in Next
Generation Firewalls (NGFWs) is not generally necessary in a data center core firewall. This is primarily
because of the lack of end-users running in the data center itself. Typically, data center applications are
accessed and used as cloud services or database information, rather than platforms for writing and
execution of programming by external users.

Application Services
In today's market, cloud services continue to grow quickly. Integral to this broad range of services are
three primary service models: infrastructure as a service (IaaS), platform as a service (PaaS), and
software as a service (SaaS). The primary difference between the service models is in the division of
management responsibilities between the developer (user) and the vendor (provider). This is illustrated in
Figure 8 [2].


Figure 8. Differences between IaaS, PaaS, and SaaS


Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The service
provider creates the infrastructure, which becomes a self-service platform for the user for accessing,
monitoring, and managing remote data center services. The benefit of IaaS is that the user does not have
to invest large amounts in infrastructure and ongoing upgrades and service, while retaining operational
flexibility. The downside is that this model requires the user to have a higher degree of technical
knowledge, or at least to know or employ someone who does.
Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user
beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user. Users of PaaS cloud services have access to
middleware to assist with application development, as well as inherent characteristics including
scalability, high availability, multi-tenancy, SaaS enabling, and other features. This allows the user to
focus on what is most important to their business: their application(s). In particular, businesses large or
complex enough to employ an enterprise data center model benefit greatly from PaaS because it reduces
the amount of coding necessary and automates business policy.
Software as a Service (SaaS). The SaaS model represents the largest cloud market and continues to
grow. This model takes the final step of bringing the actual software application into the set of functions
managed by the provider, with the user having a client interface. Because the application resides in the
cloud itself, most SaaS applications may be operated through a web browser without the need to
download or install resident software on individual physical systems. This allows businesses to
define software and operational requirements but to have those requirements written and fulfilled by
a third-party vendor, although such designs typically involve customization of pre-existing software
applications, because SaaS does not provide the broad flexibility of software development options
available in the PaaS model.
Figure 9 [3] shows examples of businesses that use the SaaS, PaaS, and IaaS service models.


Figure 9. Examples of businesses using IaaS, PaaS, and SaaS cloud models

Shared Security Responsibility (SSR) Model


When you use application services for applications and access to databases, these services come with a
shared responsibility for security and operations. This responsibility is split between the cloud provider
and the cloud tenant. Depending on which cloud service model you use (IaaS, PaaS, or SaaS), your
level of security responsibility changes. As you relinquish more control of operations, decision-making,
and configuration to the vendor or provider, as with the SaaS model, your degree of direct security
responsibility also decreases, although responsibility for your users' identities, their access rights, and
the data itself always remains with the tenant. Conversely, if you decide to retain more management
responsibility, as in the IaaS model, your security responsibility increases.

Summary
From an introduction to the current status of computer network options and configurations, to the
challenges posed by evolving technologies and advanced threats, this module has prepared a foundation
for more focused discussion on emerging threats and the development of network security technologies
and processes designed to provide organizations with the tools necessary to defend best against those
threats and continue uninterrupted, secure operations. An additional module in this program will focus on
the Next Generation Firewall (NGFW), an evolving technology in network security.


Key Acronyms

Key Acronyms
AAA

Authentication, Authorization, and

ICMP

Internet Control Message Protocol

Accounting

ICSA

International Computer Security

AD

Active Directory

Association

ADC

Application Delivery Controller

ID

Identification

ADN

Application Delivery Network

IDC

International Data Corporation

ADOM Administrative Domain

IDS

Intrusion Detection System

AM

Antimalware

IM

Instant Messaging

API

Application Programming Interface

IMAP

Internet Message Access Protocol

APT

Advanced Persistent Threat

ASIC Application-Specific Integrated Circuit
ASP Analog Signal Processing
ATP Advanced Threat Protection
AV Antivirus
AV/AM Antivirus/Antimalware
BYOD Bring Your Own Device
CPU Central Processing Unit
DDoS Distributed Denial of Service
DLP Data Leak Prevention
DNS Domain Name System
DoS Denial of Service
DPI Deep Packet Inspection
DSL Digital Subscriber Line
FTP File Transfer Protocol
FW Firewall
Gb Gigabyte
GbE Gigabit Ethernet
Gbps Gigabits per second
GSLB Global Server Load Balancing
GUI Graphical User Interface
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IaaS Infrastructure as a Service
IMAPS Internet Message Access Protocol Secure
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IPTV Internet Protocol Television
IT Information Technology
J2EE Java Platform Enterprise Edition
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLB Link Load Balancing
LOIC Low Orbit Ion Cannon
MSP Managed Service Provider
MSSP Managed Security Service Provider
NGFW Next Generation Firewall
NSS NSS Labs
OSI Open Systems Infrastructure
OTS Off the Shelf
PaaS Platform as a Service
PC Personal Computer
PCI DSS Payment Card Industry Data Security Standard
PHP PHP Hypertext Protocol
POE Power over Ethernet
POP3 Post Office Protocol (v3)
POP3S Post Office Protocol (v3) Secure
QoS Quality of Service
Radius Protocol server for UNIX systems
RDP Remote Desktop Protocol
SaaS Software as a Service
SDN Software-Defined Network
SEG Secure Email Gateway
SFP Small Form-Factor Pluggable
SFTP Secure File Transfer Protocol
SIEM Security Information and Event Management
SLA Service Level Agreement
SM Security Management
SMB Small & Medium Business
SMS Simple Messaging System
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SPoF Single Point of Failure
SQL Structured Query Language
SSL Secure Socket Layer
SWG Secure Web Gateway
SYN Synchronization packet in TCP
Syslog Standard acronym for Computer Message Logging
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol (Basic Internet Protocol)
TLS Transport Layer Security
TLS/SSL Transport Layer Security/Secure Socket Layer Authentication
UDP User Datagram Protocol
URL Uniform Resource Locator
USB Universal Serial Bus
UTM Unified Threat Management
VDOM Virtual Domain
VM Virtual Machine
VoIP Voice over Internet Protocol
VPN Virtual Private Network
WAF Web Application Firewall
WAN Wide Area Network
WANOpt Wide Area Network Optimization
WLAN Wireless Local Area Network
XSS Cross-site Scripting

Glossary
ASIC. Application Specific Integrated Circuits (ASICs) are integrated circuits developed for a particular
use, as opposed to a general-purpose device.
Big Data. A massive volume of both structured and unstructured data that is so large it is difficult to
process using traditional databases and software techniques. In many enterprise scenarios, the data is
too big, moves too fast, or exceeds current processing capacity.
Bridge Mode. A virtual firewall operating in bridge mode acts like a physical firewall, normally situated at
an inter-network switch or bridge to intercept network traffic needing to travel over the bridge.
BYOD. Bring Your Own Device (BYOD) refers to employees bringing their own personal device to work,
whether a laptop, smartphone, or tablet, in order to connect to the corporate network. According to a Unisys
study conducted by IDC in 2011, nearly 41% of the devices used to obtain corporate data were owned by
the employee.
Cloud Computing. Computing in which large groups of remote servers are networked to allow
centralized data storage and online access to computer services or resources. Clouds can be classified
as public, private, or hybrid.
Computer systems. Computer systems are simply sets of components that are assembled into an
integrated package.
CPU. The heart of a computer system is the central processing unit (CPU), around which various other
components are built. A CPU is the electronic circuitry within a computer that carries out the instructions
of a computer program by performing the basic arithmetic, logical, control, and input/output (I/O)
operations specified by the instructions.
Data Center Firewall. In addition to being a gatekeeper, data center firewalls serve a number of
functions, including:
- IP Security (IPSec)
- Web Filtering
- Firewall
- Antispam
- Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
- Traffic Shaping [1]
- Antivirus/Antispyware

Databases. Databases are simply electronic repositories of data used to store information for the
organization in a structured, searchable, and retrievable format.
Edge Firewall. Implemented at the edge of a network in order to protect the network against potential
attacks from external traffic, the edge firewall is the best understood, or traditional, role of a firewall:
the gatekeeper.
Hypervisor Mode. In hypervisor mode the virtual firewall is not actually part of the virtual network at
all; rather, it resides in the host virtual machine, or hypervisor, in order to capture and analyze
packets destined for the virtual network.
Infrastructure as a Service (IaaS). This is the most basic of the three cloud service models. The
service provider creates the infrastructure, which becomes a self-service platform for the user for
accessing, monitoring, and managing remote data center services.
Internet of Things (IoT). The [once future] concept that everyday objects have the ability to connect
to the Internet & identify themselves to other devices. IoT is significant because an object that can
represent itself digitally becomes something greater than the object by itself.
OpenFlow. OpenFlow enables network controllers to determine the path of network packets across a
network of switches. The controllers are distinct from the switches. This separation of control from
forwarding allows for more sophisticated traffic management than is feasible using access control
lists (ACLs) and routing protocols. OpenFlow allows switches from different vendors, often each with
their own proprietary interfaces and scripting languages, to be managed remotely using a single, open
protocol.
NGFW. Next Generation Firewall (NGFW) provides multi-layered capabilities in a single firewall appliance
instead of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a
traditional firewall with advanced features including:
- Intrusion Prevention (IPS)
- Deep Packet Inspection (DPI)
- Network App ID & Control
- Access Enforcement
- Distributed Enterprise Capability
- Extra Firewall Intelligence
- Third Party Management Compatibility
- VPN
- Application Awareness

Platform as a Service (PaaS). The PaaS model provides an additional level of service to the user
beyond the IaaS model. In this model, the provider not only builds the infrastructure, but also provides
monitoring and maintenance services for the user.
Programming. Programming consists of the scripts or computer instructions used to validate data,
perform calculations, or navigate users through application systems.
SDDC. The software-defined data center (SDDC) presents a paradigm that infrastructure such as
servers, network, and storage can be logically and dynamically orchestrated without the need for adding
or configuring new physical appliances or expanding into new facilities.
Shared Security Responsibility (SSR) Model. When using application services (the cloud) for
applications and access to databases, these services come with a shared responsibility for security and
operations, split between the cloud provider and the cloud tenant.
Software as a Service (SaaS). The SaaS model takes the final step of bringing the actual software
application into the set of functions managed by the provider, with the user having a client interface.
Software-Defined Networks (SDN). An approach to networking in which control is decoupled from
hardware and given to a software application called a controller. SDN is dynamic, manageable, cost-effective,
and adaptable, which makes it ideal for the high-bandwidth, dynamic nature of today's applications.
Virtual Firewall. A virtual firewall is simply a firewall service running entirely within the virtual
environment, providing the typical packet filtering and monitoring that would be expected when using a
physical device in a physical network.
Virtualization. Creating a virtual version of a device or resource, such as a server, storage device,
network or even an operating system where the framework divides the resource into one or more
execution environments.
VLAN. Virtual networks (VLANs) may be used to segment multiple subnets logically on the same
physical switch.

References
1. UAB, M., Fortinet Secure Gateways, Firewalls. 2013.
2. Frampton, K., The Differences Between IaaS, SaaS, and PaaS. 2013, SmartFile.
3. Bray, G., SaaS vs PaaS vs IaaS. 2010, Stack Exchange.
