Blog

Data Center Security Gateway (DCSG) – Convergence of DCFW and DCIPS

December 20, 2017 and

The digital world has transformed modern business. The growing use of the Internet has placed more demands than ever on the corporate data center. Organizations today rely more on their IT infrastructure to enable growth, agility, and productivity. But where there is opportunity, there is also risk. The threat landscape is evolving, and new attacks from various vectors are constantly emerging to exploit enterprises. Enterprises must protect their end users and they must also protect the intellectual property and mission-critical applications that reside in their data centers.

While perimeter devices are expected to protect end users and a wide range of end user applications, data center security devices are deployed to protect servers and applications hosted in the data center.

Firewalls are among the most mature technologies used to secure the data center. They have evolved from packet filtering and circuit-level gateways to application layer (proxy-based) and dynamic packet filtering firewalls that use port and protocol combinations to create and enforce access control policy between trusted and untrusted networks:

  • Untrusted network –Typically external and is considered unknown and not secure
  • Trusted network –Typically internal and is considered protected and secure
  • Intrusion prevention systems (IPS) are also deployed within the data center and are subjected to significantly higher traffic levels than are IPS deployed at the corporate network perimeter. An IPS sits inline (“a bump in the wire”) behind the perimeter of the data center to provide deep packet inspection and internal network segmentation.

Data center security gateways (DCSGs) converge data center firewall (DCFW) and data center IPS (DCIPS) technologies, and as such, play a vital role in today’s security infrastructure. The DCSG must be capable of performing access control and deep packet inspection in order to protect server applications from remote attacks. Unlike its NGFW cousin, which protects users from the Internet, the DCSG protects data center servers and the applications that run on them (i.e., web servers, mail servers, DNS servers, application servers etc.) from the Internet.

Enterprises are considering the implications of replacing their DCFWs and DCIPS with multi-function devices at the edge of the data center. In some cases, a DCSG can replace both a DCFW and a DCIPS in the data center.

NSS Labs will soon be releasing the results of its 2017 Data Center Security Gateway Group Test, which reveal the security effectiveness, stability and reliability, and total cost of ownership (TCO) of tested devices as well as their performance for both IPv4 and IPv6. Organizations can use DCSG test results to make informed decisions on whether to augment or replace their existing data center security infrastructure.