Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management

    5 Shortcomings of Legacy Firewalls for Internal Data Center Security

    An overview of the shortcomings of traditional firewalls for internal data center security – including ideas about how to boost security.

    By
    eWEEK EDITORS
    -
    June 24, 2021
    Share
    Facebook
    Twitter
    Linkedin

      Day after day, companies of all sizes are victimized by cybercrimes and malicious insider threats. In fact in 2020, Verizon reports that there were over 3,950 confirmed data breaches, almost double compared to the year prior. These data breaches impact millions of people, cost companies large amounts of time, money and resources, and have long-lasting implications.

      In today’s rapidly changing world, CISOs need a way to defend the growing number of dynamic workloads and increasing internal network traffic against cyberattacks. Traditional security approaches are not enough. Highlighting the need for a new approach, particularly inside the perimeter, is a newly released threat landscape report from the VMware Threat Analysis Unit. In North-by-South-West: See What Evaded Perimeter Defenses (link to report), the findings are clear: despite a cadre of perimeter defenses being deployed, malicious actors are actively operating in the network.

      For this eWEEK Data Points we connected with Dhruv Jain, senior director, network security product marketing of VMware, to five shortcomings of traditional firewalls for internal data center security.

      Shortcoming No. 1: Perimeter firewalls mostly focus on the old, not the new traffic patterns

      Most internal firewalls descend from enterprise edge firewalls designed to secure limited amounts of traffic moving in and out of organizations (north-south traffic). However, in modern data centers, there is a higher volume of east-west traffic, meaning traffic that moves laterally across the data center. As more monolithic applications are replaced or re-architected into distributed applications, the amount of east-west traffic now far surpasses that of north-south traffic.

      Too many organizations make the mistake of retrofitting traditional perimeter firewalls designed to monitor north-south traffic to protect their internal networks. While it may be tempting to do so, using perimeter firewalls for east-west traffic monitoring is not only expensive, but also highly ineffective in delivering the level of control and performance required to protect large numbers of dynamic workloads.

      Shortcoming No. 2: Perimeter firewalls don’t scale

      Monitoring north-south traffic using a perimeter firewall typically doesn’t create performance bottlenecks because the volume isn’t nearly as large as it is for east-west traffic. If an enterprise uses a perimeter firewall for east-west traffic and wants to inspect all (or most) of the traffic, the cost and complexity goes up exponentially, to the point where organizations simply don’t address the issue.

      Shortcoming No. 3: Hairpins are good for hair, not data center traffic

      If a perimeter firewall is used to monitor east-west traffic, the traffic is forced to and from a centralized appliance. This creates a hair-pin pattern, which uses an inordinate amount of network resources in the process. In addition to increasing latency, hair-pinning internal network traffic adds complexity, both from a network design as well as a network operations perspective. Networks must be designed to account for the additional (hair-pinning) traffic routed through a perimeter firewall. From the operational side, the security operations team must adhere to the network design and be aware of constraints when sending additional traffic for inspection to the firewall.

      Shortcoming No. 4: Perimeter firewalls don’t provide clear visibility

      Monitoring east-west traffic and enforcing granular policies requires visibility down to the workload level. Standard perimeter firewalls do not have clear visibility into the communication patterns between the workloads and microservices making up modern, distributed applications. This lack of visibility into application flows makes it extremely challenging to create (and enforce) rules at the workload or individual traffic flow level.

      Shortcoming No. 5: I have this security policy, but where’s my app?

      Traditional firewall management planes are designed to handle dozens of discrete firewalls but are not designed to support workload mobility with automatic reconfiguration of security policies. Therefore, when a perimeter firewall is used as an internal firewall, network and security operators must manually create new security policies whenever a new workload is created and modify these policies when a workload is moved or decommissioned.

      Rethinking Internal Data Center Security with a Zero Trust Approach

      Given these shortcomings, it’s time to rethink internal data center security, and begin to implement Zero Trust security . If traditional perimeter firewalls are not appropriate or effective as internal firewalls, what type of solution is best suited for monitoring east-west traffic? Based on the shortcomings outlined above, organizations should begin to evaluate their firewall approach to support:

      • Distributed and granular enforcement of security policies
      • Scalability and throughput to handle large volumes of traffic without impeding performance
      • A low impact on network and server infrastructure
      • Intra-application visibility
      • Workload mobility and automatic policy management

      A perimeter firewall cannot deliver on these requirements without incurring exceptionally high costs and complexity while requiring too many security compromises. Instead, a distributed, software-defined approach is the most effective way to implement internal firewalls to monitor east-west traffic. The right software-defined, internal firewall approach delivers the scalability, cost-effectiveness and efficiency to secure tens of thousands of individual workloads across thousands of applications, and helps organizations move towards regarding the ZT point, it would best towards implementing a Zero Trust model inside the data center.

      ABOUT THE AUTHOR:

      Dhruv Jain is senior director, network security product marketing, VMware

      eWEEK EDITORS
      eWeek editors publish top thought leaders and leading experts in emerging technology across a wide variety of Enterprise B2B sectors. Our focus is providing actionable information for today’s technology decision makers.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×