Day after day, companies of all sizes are victimized by cybercrimes and malicious insider threats. In fact in 2020, Verizon reports that there were over 3,950 confirmed data breaches, almost double compared to the year prior. These data breaches impact millions of people, cost companies large amounts of time, money and resources, and have long-lasting implications.
In today’s rapidly changing world, CISOs need a way to defend the growing number of dynamic workloads and increasing internal network traffic against cyberattacks. Traditional security approaches are not enough. Highlighting the need for a new approach, particularly inside the perimeter, is a newly released threat landscape report from the VMware Threat Analysis Unit. In North-by-South-West: See What Evaded Perimeter Defenses (link to report), the findings are clear: despite a cadre of perimeter defenses being deployed, malicious actors are actively operating in the network.
For this eWEEK Data Points we connected with Dhruv Jain, senior director, network security product marketing of VMware, to five shortcomings of traditional firewalls for internal data center security.
Shortcoming No. 1: Perimeter firewalls mostly focus on the old, not the new traffic patterns
Most internal firewalls descend from enterprise edge firewalls designed to secure limited amounts of traffic moving in and out of organizations (north-south traffic). However, in modern data centers, there is a higher volume of east-west traffic, meaning traffic that moves laterally across the data center. As more monolithic applications are replaced or re-architected into distributed applications, the amount of east-west traffic now far surpasses that of north-south traffic.
Too many organizations make the mistake of retrofitting traditional perimeter firewalls designed to monitor north-south traffic to protect their internal networks. While it may be tempting to do so, using perimeter firewalls for east-west traffic monitoring is not only expensive, but also highly ineffective in delivering the level of control and performance required to protect large numbers of dynamic workloads.
Shortcoming No. 2: Perimeter firewalls don’t scale
Monitoring north-south traffic using a perimeter firewall typically doesn’t create performance bottlenecks because the volume isn’t nearly as large as it is for east-west traffic. If an enterprise uses a perimeter firewall for east-west traffic and wants to inspect all (or most) of the traffic, the cost and complexity goes up exponentially, to the point where organizations simply don’t address the issue.
Shortcoming No. 3: Hairpins are good for hair, not data center traffic
If a perimeter firewall is used to monitor east-west traffic, the traffic is forced to and from a centralized appliance. This creates a hair-pin pattern, which uses an inordinate amount of network resources in the process. In addition to increasing latency, hair-pinning internal network traffic adds complexity, both from a network design as well as a network operations perspective. Networks must be designed to account for the additional (hair-pinning) traffic routed through a perimeter firewall. From the operational side, the security operations team must adhere to the network design and be aware of constraints when sending additional traffic for inspection to the firewall.
Shortcoming No. 4: Perimeter firewalls don’t provide clear visibility
Monitoring east-west traffic and enforcing granular policies requires visibility down to the workload level. Standard perimeter firewalls do not have clear visibility into the communication patterns between the workloads and microservices making up modern, distributed applications. This lack of visibility into application flows makes it extremely challenging to create (and enforce) rules at the workload or individual traffic flow level.
Shortcoming No. 5: I have this security policy, but where’s my app?
Traditional firewall management planes are designed to handle dozens of discrete firewalls but are not designed to support workload mobility with automatic reconfiguration of security policies. Therefore, when a perimeter firewall is used as an internal firewall, network and security operators must manually create new security policies whenever a new workload is created and modify these policies when a workload is moved or decommissioned.
Rethinking Internal Data Center Security with a Zero Trust Approach
Given these shortcomings, it’s time to rethink internal data center security, and begin to implement Zero Trust security . If traditional perimeter firewalls are not appropriate or effective as internal firewalls, what type of solution is best suited for monitoring east-west traffic? Based on the shortcomings outlined above, organizations should begin to evaluate their firewall approach to support:
- Distributed and granular enforcement of security policies
- Scalability and throughput to handle large volumes of traffic without impeding performance
- A low impact on network and server infrastructure
- Intra-application visibility
- Workload mobility and automatic policy management
A perimeter firewall cannot deliver on these requirements without incurring exceptionally high costs and complexity while requiring too many security compromises. Instead, a distributed, software-defined approach is the most effective way to implement internal firewalls to monitor east-west traffic. The right software-defined, internal firewall approach delivers the scalability, cost-effectiveness and efficiency to secure tens of thousands of individual workloads across thousands of applications, and helps organizations move towards regarding the ZT point, it would best towards implementing a Zero Trust model inside the data center.
ABOUT THE AUTHOR:
Dhruv Jain is senior director, network security product marketing, VMware