Data center security policy definition, deployment and management have traditionally been manual processes, which are error-prone and tend to limit the effectiveness of the defined security posture. That posture is weakened further by reliance on rudimentary, network-domain-specific layer-2/layer-3 primitives such as IP addresses, VLANs, ports and protocols, which neither detect nor prevent sophisticated attacks that find a way around layer-2/layer-3 based policies.
The challenge of defining a uniform, automatable security policy is further exacerbated when the sources of security policy are spread across multiple point products such as legacy firewalls, IPS, IDS and web security services. Each of these policy sources may have competing objectives and is subject to policy changes of varying frequency. Each also tends to have inconsistent automation capabilities and little to no policy interaction with other data center services.
In other words, this is a lot to manage. Manual security policy management is not sustainable in today's dynamic IT environments, especially in software-defined data centers (SDDC). There is also a need for an expressive, security-domain-specific policy language that provides rich primitives for building a uniform security policy across your SDDC, and that is extensible to public cloud environments.
An automated security policy for SDDC
The joint integration between VMware NSX and Palo Alto Networks VM-Series virtualized next-generation firewalls solves the problem of automating security policies across the SDDC. Infrastructure configuration changes and application mobility information are translated into security policy compliance without error. The process is automated using API interfaces between the VMware NSX manager and Panorama, our network security management platform.
Palo Alto Networks security policy language provides expressive primitives such as dynamic address groups, which can translate policy primitives from other data center services, such as security tags from the VMware NSX manager, into firewall policy. The 'security profiles' construct provides extensive layer-7 primitives for in-depth matching of content. Together, these security-domain-specific constructs extend the expressiveness of the policy beyond the limitations of port/protocol primitives.
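The following is an added illustration, not code from Palo Alto Networks, VMware or Panorama, and it does not reproduce the real PAN-OS match syntax or the NSX API. It models the idea behind a dynamic address group: a rule references a group by name, the group is a boolean expression over tags, and membership is resolved from the current tag inventory at enforcement time. The hostnames, IPs, tag names and the `quarantine` workflow are constructed for the example; re-tagging a workload changes what the rule enforces without anyone editing the rule itself.

```python
"""Simulated tag-driven dynamic address groups (added example; hypothetical model,
not PAN-OS, Panorama or NSX code)."""
import re
from dataclasses import dataclass

# Tokens: a single-quoted tag, one of the operators and/or/not, or a parenthesis.
TOKEN_RE = re.compile(r"\s*(?:'([^']*)'|(and|or|not)\b|([()]))")


def tokenize(expr):
    """Split a match expression such as "'web' and not 'quarantine'" into tokens."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1)))
        elif m.group(2):
            tokens.append(("OP", m.group(2)))
        else:
            tokens.append(("PAREN", m.group(3)))
    return tokens


class _Parser:
    """Recursive-descent evaluator: or < and < not < atom (tag or parenthesised)."""

    def __init__(self, tokens, tags):
        self.toks, self.i, self.tags = tokens, 0, tags

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == ("OP", "or"):
            self.take()
            rhs = self.parse_and()
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == ("OP", "and"):
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if self.peek() == ("OP", "not"):
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        kind, val = self.take()
        if kind == "TAG":
            return val in self.tags          # a tag token is true if the workload carries it
        if (kind, val) == ("PAREN", "("):
            value = self.parse_or()
            if self.take() != ("PAREN", ")"):
                raise ValueError("expected ')'")
            return value
        raise ValueError(f"unexpected token {val!r}")


def evaluate(expr, tags):
    """Return True if the tag set satisfies the match expression."""
    parser = _Parser(tokenize(expr.strip()), set(tags))
    result = parser.parse_or()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in expression")
    return result


@dataclass
class Workload:
    name: str
    ip: str
    tags: set


@dataclass
class DynamicAddressGroup:
    name: str
    match: str  # boolean expression over tags

    def members(self, inventory):
        """Resolve current members from the live tag inventory (sorted IPs)."""
        return sorted(w.ip for w in inventory if evaluate(self.match, w.tags))


@dataclass
class Rule:
    name: str
    source_group: str
    dest_group: str
    action: str


def render_rule(rule, groups, inventory):
    """Expand group references into concrete addresses at enforcement time."""
    return {
        "rule": rule.name,
        "src": groups[rule.source_group].members(inventory),
        "dst": groups[rule.dest_group].members(inventory),
        "action": rule.action,
    }


def demo():
    # Constructed inventory, as a tag source (e.g. an orchestrator) might report it.
    inventory = [
        Workload("web-01", "10.0.1.11", {"web", "prod"}),
        Workload("web-02", "10.0.1.12", {"web", "prod"}),
        Workload("db-01", "10.0.2.21", {"db", "prod"}),
        Workload("web-dev", "10.0.9.5", {"web", "dev"}),
    ]
    groups = {
        "prod-web": DynamicAddressGroup("prod-web", "'web' and 'prod' and not 'quarantine'"),
        "prod-db": DynamicAddressGroup("prod-db", "'db' and 'prod'"),
    }
    rule = Rule("web-to-db", "prod-web", "prod-db", "allow")
    before = render_rule(rule, groups, inventory)
    # The tag source flags web-02; the rule text is untouched, but the rendered
    # rule no longer grants that host access to the database tier.
    inventory[1].tags.add("quarantine")
    after = render_rule(rule, groups, inventory)
    return before, after


if __name__ == "__main__":
    for rendered in demo():
        print(rendered)
```

The design point is that the policy never names an address: the dev web server is excluded by the `'prod'` term, and removing a compromised host from the allow rule is a tag change, not a rule edit, which is what makes the policy automatable from an external source of truth.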
Data center policy governance depends on multiple sources of policy across different network infrastructure elements. Panorama provides cohesive security policy management for your physical and virtual next-generation firewalls, and it becomes that much more powerful when integrated with partners such as Tufin. Tufin's security orchestration suite, integrated with Panorama, ensures that the interactions between data center network policies and security policies happen in a streamlined manner.
Learn more about how SDDC policy orchestration by Tufin can help with security policy management within the SDDC. The Palo Alto Networks, VMware and Tufin integration provides streamlined security policy management and meets the organizational compliance mandates of your SDDC.
Visit us at VMworld US 2016 (booth #1423) to learn more about how we protect applications, prevent threats, and automate security within SDDC environments. And while you’re here at VMworld, make sure you see and hear our other sessions, too.