When NGFWs Aren’t Enough

By Elevate posted 11-11-2013 08:45


binary.jpgAs an industry, we have evolved from talking about security requirements for enterprise as a whole to a more segmented view that recognizes that security at the campus edge is not the same as security at the data center edge—and neither is like the security in the data center core. 


Why this distinction now? We are at a stage where the nature of increasingly malicious and targeted cyber threats are forcing us to recognize that what constitutes a strong defense in one part of the enterprise does not provide an equally strong defense in another part.  With cyber attacks becoming more sophisticated and more difficult to detect, the financial stakes are high for corporations.  In particular, the data center is becoming the target for cyber criminals, and security defenses that worked in the past are no longer effective. 


Why do NGFWs fall down when it comes to securing the data center?


It is well recognized that NGFWs deliver an effective security defense at the campus edge.  They play an important role by enforcing the perimeter for outbound and inbound traffic and protecting users (i.e., what we generally call an egress problem).  In the data center, the problem is reversed.  It is one of ingress. 


To be effective, the defense must shift from protecting users to protecting an organization’s crown jewels i.e. high value assets that contain sensitive information.  NGFWs do not prevent inbound attacks over authorized traffic channels, in particular attacks on Web and application servers.  In the data center, security defenses that protect against multiple attack vectors occurring over authorized and unauthorized traffic channels are the right solution.  


There is another aspect to this.  In the data center, the problem is also that of unknown attacks.  Here, signatures are not an adequate defense.  Signature-based solutions prevent based upon known attacks, but detecting unknown attacks requires a different approach.


How should we detect unknown and zero-day attacks against the data center?


Read the new IDC report for a more detailed perspective on the different use cases for target attacks in the enterprise, and Juniper’s approach to securing the data center.  And if you want to hear more—or have questions—join IDC’s Chris Christiansen and Juniper Networks’ David Koretz  on November 20, 9 AM PST // 12 PM EST // 6 PM CET, for their webcast: “Next-Generation Application Security for Today’s Modern Data Center.” Register now.