5 gaps in legacy firewalls for internal data center security


Day after day, businesses of all sizes fall victim to cybercrime and malicious insider threats. In fact, in 2020, Verizon reports that there were more than 3,950 data breaches confirmed, almost double compared to the previous year. These data breaches impact millions of people, cost businesses significant time, money and resources, and have long-term implications.

In today’s fast-paced world, CISOs need a way to defend a growing number of dynamic workloads and increasing internal network traffic from cyber attacks. Traditional security approaches are not enough. Highlighting the need for a new approach, especially inside the perimeter, is a new Threat Landscape report from VMware’s Threat Analysis Unit. In North by southwest: see what escaped the perimeter defenses, the conclusions are clear: despite the deployment of a framework of perimeter defenses, malicious actors are actively operating in the network.

For this eWEEK Data Points, we connected with Dhruv Jain, Senior Director, Marketing of VMware Network Security Products, to discuss five gaps in traditional firewalls for internal data center security.

Gap #1: Perimeter firewalls mainly focus on old traffic patterns, not new ones

Most internal firewalls are derived from corporate edge firewalls designed to secure limited amounts of traffic in and out of organizations (north-south traffic). In modern data centers, however, the bulk of the traffic is east-west, meaning traffic that moves laterally through the data center. As more and more monolithic applications are replaced or restructured into distributed applications, the amount of east-west traffic now far exceeds that of north-south traffic.

Too many organizations make the mistake of repurposing traditional perimeter firewalls, designed to monitor north-south traffic, to protect their internal networks. While it may be tempting to do so, using perimeter firewalls to monitor east-west traffic is not only expensive, but also very inefficient at providing the level of control and performance required to protect a large number of dynamic workloads.

Gap #2: Perimeter firewalls don’t adapt

Monitoring north-south traffic with a perimeter firewall typically does not create performance bottlenecks, because the volume is not as large as for east-west traffic. If a business uses a perimeter firewall for east-west traffic and wants to inspect all (or most) of that traffic, the cost and complexity increase exponentially, to the point that organizations simply don’t solve the problem.

Gap #3: Hairpins are good for hair, not data center traffic

If a perimeter firewall is used to monitor east-west traffic, the traffic is forced to and from a centralized appliance. This creates a hairpin pattern, which consumes an excessive amount of network resources in the process. In addition to increasing latency, hairpinning internal network traffic adds complexity, both from a network design perspective and from a network operations perspective. Networks must be designed to accommodate the additional (hairpin) traffic that is routed through a perimeter firewall. On the operational side, the security operations team must adhere to that network design and be aware of its constraints when sending additional traffic to the firewall for inspection.

Gap #4: Perimeter firewalls do not provide clear visibility

Monitoring east-west traffic and enforcing granular policies requires visibility down to the workload level. Standard perimeter firewalls do not provide clear visibility into the communication patterns between workloads and microservices that make up modern distributed applications. This lack of visibility into application flows makes it extremely difficult to create (and enforce) rules at the workload or individual traffic flow level.

Gap #5: I have this security policy, but where is my application?

Traditional firewall management planes are designed to manage dozens of discrete firewalls, but are not designed to support workload mobility with automatic reconfiguration of security policies. Therefore, when a perimeter firewall is used as an internal firewall, network and security operators must manually create new security policies each time a new workload is created, and modify those policies whenever a workload is moved or taken out of service.

Rethinking Internal Data Center Security with a Zero Trust Approach

With these shortcomings in mind, it’s time to rethink internal data center security and start implementing Zero Trust security. If traditional perimeter firewalls are not suitable or effective as internal firewalls, what type of solution is best suited to monitor east-west traffic? Based on the gaps described above, organizations should begin to assess their firewall approach to support:

  • Distributed and granular enforcement of security policies
  • Scalability and throughput to handle high volumes of traffic without compromising performance
  • Low impact on network and server infrastructure
  • Intra-application visibility
  • Workload mobility and automatic policy management

A perimeter firewall cannot meet these requirements without incurring unusually high cost and complexity while requiring too many security tradeoffs. Instead, a distributed, software-defined approach is the most efficient way to implement internal firewalls to monitor east-west traffic. The right software-defined internal firewall approach delivers the scalability, cost-effectiveness, and efficiency needed to secure tens of thousands of individual workloads across thousands of applications, and helps organizations move towards implementing a Zero Trust model inside the data center.
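As an added illustration of Gap #5 and the “workload mobility and automatic policy management” requirement above (example code, not VMware’s or the report’s), the following Python snippet contrasts a rule bound to fixed IP addresses with one bound to workload attributes when a workload is migrated and re-addressed. All workload names, addresses and tags are constructed.

```python
# Added illustration (not VMware's code): how a policy bound to fixed IP
# addresses behaves under workload mobility, compared with one bound to
# attributes that travel with the workload. Names, addresses, tags: constructed.
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    tags: frozenset


def ip_rule_allows(rules, src, dst, port):
    """Perimeter-style rule: matches only the addresses seen when it was written."""
    return any(r == (src.ip, dst.ip, port) for r in rules)


def tag_rule_allows(rules, src, dst, port):
    """Distributed-style rule: matches on workload attributes, not addresses."""
    return any(s in src.tags and d in dst.tags and p == port for s, d, p in rules)


def run_scenario():
    """Return (ip-bound, tag-bound) allow decisions before and after a migration."""
    web = Workload("web1", "10.0.1.10", frozenset({"web"}))
    app = Workload("app1", "10.0.2.20", frozenset({"app"}))
    # Intent: the web tier may reach the app tier on TCP/8080, nothing else.
    ip_rules = [(web.ip, app.ip, 8080)]   # hand-written once, by an operator
    tag_rules = [("web", "app", 8080)]    # no addresses anywhere in the rule

    before = (ip_rule_allows(ip_rules, web, app, 8080),
              tag_rule_allows(tag_rules, web, app, 8080))

    # app1 is migrated to another host and re-addressed; nobody edits ip_rules.
    app.ip = "10.0.3.20"
    # Its old address is later reused by an unrelated database workload.
    db = Workload("db1", "10.0.2.20", frozenset({"db"}))

    return {
        "before": before,  # both models allow the intended flow
        # ip-bound rule no longer matches the legitimate flow: an outage
        "legit_after_move": (ip_rule_allows(ip_rules, web, app, 8080),
                             tag_rule_allows(tag_rules, web, app, 8080)),
        # stale ip-bound rule now permits web -> db: silent over-permission
        "stale_rule_to_db": (ip_rule_allows(ip_rules, web, db, 8080),
                             tag_rule_allows(tag_rules, web, db, 8080)),
    }


if __name__ == "__main__":
    for name, (by_ip, by_tag) in run_scenario().items():
        print(f"{name:17} ip-bound={by_ip!s:5} tag-bound={by_tag!s:5}")
```

The address-bound model fails in both directions after the move (a broken legitimate flow and a stale rule that later opens an unintended path), which is the manual re-policying burden Gap #5 describes.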


Dhruv Jain is Senior Director, Network Security Product Marketing, VMware
