Mercy Medical Centre’s security wish list is far from atypical. The Baltimore healthcare provider wants to make sure that users access only the services and servers they require and that its datacentre servers remain secure and problem free. Nevertheless, it hasn't yet found quite the right technology combination.
Network access control (NAC) gear from ConSentry Networks handles the user-access-control piece, but the technology doesn't give Mercy Medical a way to address the additional, server-level security it would like. "We want to segregate the servers in the datacentre from one another," says Mark Rein, the centre’s senior IT director. The organisation needs this separation because it opens its datacentre servers to third-party vendors handling certain management and maintenance duties. "We want them to access just that one server or application, and not be able to see or talk to any of the other servers. It's like we need NAC, but at the server level."
This is not an extravagance. "The server is the primary attack-point nowadays, which means that the server is also a great jumping-off point," says Joel Snyder, a senior partner with Opus One and a Network World product tester. "As organisations have heterogeneous datacentres - mixes of Unix flavours, Windows, old mainframes - there are going to be issues with older systems that might not be patched or closely protected becoming infected and turning into attack vectors for other servers."
That can be an especially brutal problem for enterprises whose security defences line up at the edge of the datacentre. If an attack gets through to a server and rides over unprotected high-speed, server-to-server connections, the enterprise quickly gets compromised. Never mind the problems encountered when these servers exist in a virtualised environment.
"Most of our servers are virtual servers sitting in blade chassis. When you start looking at how these virtual servers are potentially talking or co-mingling over the hypervisor to one another, that's a tough problem. At this point, available tool sets are not really great," Rein says.
NAC-like server firewalls
Unlike traditional firewalls, which rely on port numbers to differentiate traffic, Palo Alto's appliance is like NAC in that it can see up to Layer 7. It filters traffic based on application and user role via Microsoft's Active Directory, a tactic that becomes useful as more applications run over the single superhighway of Port 80.
The vendor, however, hasn't integrated some of the higher-end capabilities that users, such as Mercy Medical's Rein, hope it one day will for even better server-level protection. These include intrusion-prevention systems (IPS) and data-leakage-prevention services.
Nir Zuk, CTO of Palo Alto, agrees that functions such as these are important and says the company is working on developing them."You want the firewall to do the IPS function and make sure people don't hack the servers. You also want to make sure that it looks for data leaking out of the datacentre, things like Social Security numbers," he says, adding that speed is a prevailing issue. "Nobody has those pieces yet at the speeds required in a datacentre box."
Server-focused firewalls would need to run at a minimum of 10Gbits/s to support typical performance levels, experts say. Such firewalls also would need to support rich per-server policies that ensure safe traffic, such as backups, gets fast-tracked, and malicious traffic is checked and discarded. In addition, management - something Snyder says could be a "total nightmare" - must be easy.
"Lots of firewall companies have centralised management, but the ability to control dozens of firewalls with hundreds of rules all in a single data centre is a rare product," Snyder says. "In this case, I'd take a weaker firewall with a better management tool."
Firewall vendors Check Point Software, Cisco and Juniper Networks are working to address the IPS, management and other issues. While they may not have the high level of application- and user-awareness of a Palo Alto device, data-centre performance and scalability are big focuses. These vendors caution, however, that such capabilities come with performance hits that might not be acceptable to many enterprises.
Users who want to separate data-centre servers must pick a firewall that not only is very fast, but also has robust management, policy and virtualisation capabilities, says Tom Russell, Cisco senior product manager. The vendor recently rolled out an example of this with the ASA-5580, a firewall-VPN product that has 20Gbits/s throughput and supports as many as 10,000 remote users, 75,000 policies and 150,000 connections per second.
Intrusion prevention wasn't a focus for this level of firewall, Russell says. An integrated IPS-firewall works best at speeds no higher than 1Gbits/s, he contends, noting that enterprises needing better performance tend to use separate firewalls and IPSs.
Jon Yun, a Juniper product marketing manager, agrees. "In the server-server scenario, depending on the performance, the integrated IPS products would be ideal. But if there's a huge datacentre or service-provider type of network, then a dedicated box may be better suited," he says. "Right now, we're at 30Gbps throughput [with the NetScreen-5400]. And if you deploy a firewall like that and then you virtualise it so that it supports 10 different servers on the back end, it still gives you quite a bit of capacity and throughput."
Check Point is working to make sure its software can make the best use of Intel's multi-core chip technology. The goal is to keep performance high while adding such features as IPS. "We're looking to speed up this whole idea of application awareness and intelligence," says Bill Jensen, product marketing manager for Check Point's VPN-1 line. "If you buy a $5,000 server from IBM or Dell that has a couple of the Intel multi-core chips on it, and you turn on 70 percent of the application inspection in our firewall software, you're still going to run around 2Gbits/s, which is very high."
Server-to-server firewalls, on the other hand, don't require as much IPS horsepower, Jensen says, because they can be tuned specifically to individual server traffic (versus perimeter firewalls that need to check everything coming into the enterprise). "Once you get into individual racks in the datacentre and you can have a lower level of inspection turned on, the performance shoots up even higher," he says.
Beyond performance hits, budgets can get in the way, users say. Baptist Healthcare Systemin Louisville uses Cisco PIX firewalls at its perimeter and is rolling out stand-alone IBM-ISS IPS boxes at the edge of its data centre. While per-server, NAC-like protection is the ideal, "we have to do more edge-based protection, where there's more bang for our buck," says Tom Taylor, Baptist Healthcare's corporate manager for client/server infrastructure.
Jim Laval, network manager at the organisation, agrees. "It took us two years of budget process just to get the first phase of the IPS project approved, and that was about $110,000 (£55,000). I don't see us going to the server level anytime soon."