AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Is My Datacenter Agile? Tips to Help Simplify the Datacenter Security Policy Migration Process


Many of the largest organizations in the world that I work with are now asking me: just how agile is my data center? How easy would it be to migrate it to a cloud-based platform?

Migrating a data center is actually easier now than it was just a few years ago. But when working on data center migration projects, I have found that the logical or policy layer is often the most challenging to replicate between data centers and even cloud environments. In my experience, the best way to migrate the policy layer is to use a parallel deployment methodology. Here are some specific tips to help simplify the process:

Working with your virtual infrastructure. The good news is that a heavily virtualized infrastructure is relatively easy to migrate from one virtual platform to another (even if you have a mixed virtual environment). But what if you have firewalls, load-balancers, and other controllers running on virtual appliances? Here are my recommendations:

  • Create snapshots and data backups of ALL virtual instances and machines.
  • For traditional VMs (running a Windows OS): Either rebuild the VM and reattach the storage repository, or copy the VM as is to the new location.
  • For virtual appliances (usually running some kind of Linux kernel): Create a config file and make sure to offload ALL policies, settings and other critical data points. In many cases, you may have to rebuild the appliance in the other data center. If you do this in parallel, while BOTH appliances are running in different locations, you will be able to analyze the settings side by side and make sure nothing was missed.

Identifying policies (network and firewall). These policies are the central nervous system of your entire data center. Just to make things more interesting, say you have two data centers (a primary and a secondary one), each running a completely different infrastructure. Let's assume your primary data center has Cisco Nexus routers with PIX and ASA security appliances, and your secondary data center is all about Juniper SRX devices, some Cisco Layer-3 switching, and maybe a Palo Alto PAN-OS virtual appliance environment. In such a heterogeneous environment, migrating policies can be challenging. Here's how you can make this part a little easier:

  • For security appliances: Whether they're virtual or physical, policy analysis and configuration control are essential. If you have a one-to-one device migration on the same family of appliances, a config dump and upload can be an easy way to migrate. However, if you're working with truly heterogeneous platforms, visibility into everything is critical, so you need to work with tools that can give you the full picture. This is especially critical if you're working with regulations or compliance factors. By having granular visibility into all security policies you'll ensure the safe migration of Identity Control, Application Security, and corporate VPN rule sets.
  • For network appliances: Creating and understanding network routes is critical for a data center migration process. But how can you manage network policies in general? What if you're using firewalls from multiple vendors? First, creating a config file for each core networking component is very important. Second, creating a network map and diagram is essential. Generate an interactive topology map of all network firewalls and routers, subnets and zones, so that you can see all the security policies as well as network traffic. This will help you figure out if there are any unknown network closets, hidden policies or devices. Security policies and networking gear work very closely together to ensure the safe and optimal delivery of data. Make sure you have visibility into all critical aspects of your network and security architecture when planning a migration.
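One way to carry out the parallel comparison described above, once the rule sets from both sites have been exported and normalized to a vendor-neutral form. This is an added example, not code from the original post: the `Rule` schema, the helper names and the sample rules are constructed assumptions, and rule order (first-match shadowing) is not modelled.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    """Vendor-neutral rule (hypothetical schema for this example)."""
    action: str  # "permit" or "deny"
    proto: str   # "tcp" or "udp"
    src: str     # source CIDR (IPv4 in this example)
    dst: str     # destination CIDR
    port: int    # destination port

def covers(a: Rule, b: Rule) -> bool:
    """True if a has the same action as b and matches every packet b matches."""
    net = ipaddress.ip_network
    return (a[:2] == b[:2] and a.port == b.port
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst)))

def compare(source, target):
    """Diff the old site's rules against the rebuilt site's rules.

    Order-insensitive: first-match shadowing is not modelled.
    """
    missing = [s for s in source if not any(covers(t, s) for t in target)]
    extra = [t for t in target if not any(covers(s, t) for s in source)]
    # An extra permit that swallows an existing source rule is a widened rule.
    broadened = [t for t in extra
                 if t.action == "permit" and any(covers(t, s) for s in source)]
    unexpected = [t for t in extra if t not in broadened]
    return {"missing": missing, "broadened": broadened, "unexpected": unexpected}

# Constructed sample data: rules exported from the primary site ...
SOURCE = [Rule("permit", "tcp", "10.1.0.0/16", "10.20.5.10/32", 443),
          Rule("permit", "tcp", "10.1.0.0/16", "10.20.5.20/32", 1433),
          Rule("deny", "tcp", "0.0.0.0/0", "10.20.5.0/24", 23),
          Rule("permit", "udp", "10.1.0.0/16", "10.20.0.53/32", 53)]
# ... and from the appliance rebuilt in parallel at the new site.
TARGET = [Rule("permit", "tcp", "10.1.0.0/16", "10.20.5.10/32", 443),
          Rule("permit", "tcp", "10.0.0.0/8", "10.20.5.20/32", 1433),
          Rule("permit", "udp", "10.1.0.0/16", "10.20.0.53/32", 53),
          Rule("permit", "tcp", "10.1.0.0/16", "10.20.5.30/32", 22)]

if __name__ == "__main__":
    for finding, rules in compare(SOURCE, TARGET).items():
        for r in rules:
            print(f"{finding:10} {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}")
```

Any entry under `missing`, `broadened` or `unexpected` is a difference to resolve or document before cutting traffic over to the new site.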

Migrating a data center, or even components within your infrastructure, doesn't have to be an intimidating or even impossible process. In fact, data center migrations are an important part of keeping your business agile and competitive. When creating a new data center migration plan, always take into account best practices, the goals of your organization and, very importantly, the ultimate impact on users and their data.
