
How To Secure Your Flat Network: Page 2 of 4

Layer Vs. Layer


Moving to a flatter network architecture may gain you speed, but be aware that it involves a very different design strategy. (For more on flat network design, see "Inside Flat Networks".) VLANs won't go away or be fully removed from the multitiered hierarchy, but their use will be limited as more diverse devices operate in the same subnet. In a Layer 3 model, for example, you might put Web servers and database systems in two different subnets and run the traffic between those subnets through a firewall. In a flat Layer 2 model, you might put those hosts into a single subnet and instead implement controls so that only approved traffic reaches each system.

The first control in our toolkit is the VLAN access control list. VACLs are written much like conventional Layer 3/Layer 4 ACLs, matching on addresses, protocols and ports, with the added benefit that the switch applies them to traffic inside the VLAN. This means a VACL can filter traffic bridged between devices on the same VLAN, not only routed traffic entering or leaving the VLAN. IT can define VACLs to block specific protocols (for instance, UDP or TCP) or ports, and each entry names the source and destination hosts it covers, so traffic between two hosts can be controlled in each direction. Depending on the platform, the same kind of filter can be tied to specific switch ports (port ACLs) or applied to a whole VLAN. Like conventional ACLs, VACLs are stateless: they do not track sessions the way a firewall does, so the reply direction of a permitted connection needs its own entry. With that in mind, we can enforce least-privilege concepts, for instance allowing one Web server to talk with its requisite database system on specific ports while blocking traffic going to a second, unrelated server on the same subnet.

However, correct implementation of VACLs requires a solid understanding of your hosts' data flows and network communication requirements. If your VACLs are not locked down properly, unwanted communication may occur among devices. Conversely, if your VACLs are too strict, devices may be prevented from communicating with approved systems. Capture the actual flows (from flow records or packet captures) before writing the rules, and review which entries are hit and which traffic is dropped after deployment, so that both kinds of mistake surface early.
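To make the two preceding paragraphs concrete, here is an added example (not code from the article) that models a VACL as an ordered, first-match, stateless filter; checks it against a set of flows observed on the flat subnet; and renders the same policy as Catalyst-style VLAN-map configuration. The host addresses, the VLAN number, the observed flows and the rendered IOS syntax are assumptions made for this example; the policy is the article's scenario of one Web server that may reach only its database, with an unrelated server on the same subnet.

```python
"""Added example: a VACL as an ordered first-match filter, audited against
observed flows and rendered as Catalyst-style VLAN-map text. Hosts, VLAN id,
flows and config syntax are constructed assumptions, not from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed hosts on one flat subnet (assumption).
WEB, DB, OTHER, BACKUP = "10.10.20.10", "10.10.20.20", "10.10.20.30", "10.10.20.40"
VLAN_ID = 20


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "forward" or "drop"
    src: str = "any"            # host address, CIDR prefix, or "any"
    dst: str = "any"
    proto: str = "ip"           # "ip" matches every IP protocol
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (addr_match(self.src, f.src) and addr_match(self.dst, f.dst)
                and self.proto in ("ip", f.proto)
                and (self.sport is None or self.sport == f.sport)
                and (self.dport is None or self.dport == f.dport))


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern, strict=False)
    return ip_address(addr) == ip_address(pattern)


# Least-privilege policy: the Web server reaches its database on TCP/3306 and
# nothing else. VACLs are stateless, so the reply direction is its own entry
# (seq 20). Seq 40 is an explicit catch-all drop so the outcome does not depend
# on the platform's implicit handling of unmatched packets.
POLICY = [
    Rule(10, "forward", WEB, DB, "tcp", dport=3306),
    Rule(20, "forward", DB, WEB, "tcp", sport=3306),
    Rule(30, "forward", proto="icmp"),     # monitoring pings within the VLAN
    Rule(40, "drop"),
]

# Constructed flow records, as a flow collector might report them.
OBSERVED = [
    Flow(WEB, DB, "tcp", sport=51234, dport=3306),    # approved: seq 10
    Flow(DB, WEB, "tcp", sport=3306, dport=51234),    # reply: seq 20
    Flow(WEB, OTHER, "tcp", sport=51300, dport=22),   # unrelated server: drop
    Flow(OTHER, DB, "tcp", sport=40000, dport=3306),  # wrong client: drop
    Flow(DB, BACKUP, "tcp", sport=52000, dport=873),  # backup job the policy forgot: drop
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching sequence decides; no match falls through to drop."""
    for rule in sorted(policy, key=lambda r: r.seq):
        if rule.matches(flow):
            return rule.action, rule.seq
    return "drop", None


def audit(policy: List[Rule], observed: List[Flow]) -> dict:
    """Dropped observed flows are either unwanted traffic or a policy that is
    too strict; forward entries nothing ever hits may be broader than needed."""
    dropped = [f for f in observed if evaluate(policy, f)[0] == "drop"]
    hit = {evaluate(policy, f)[1] for f in observed}
    unused = [r.seq for r in policy if r.action == "forward" and r.seq not in hit]
    return {"dropped": dropped, "unused_forward_rules": unused}


def render_vlan_map(policy: List[Rule], name: str, vlan_id: int) -> str:
    """Render as Catalyst IOS VLAN-map syntax: one extended ACL per sequence,
    the access-map entries, then the vlan filter binding (syntax assumed)."""
    def addr(p: str) -> str:
        if p == "any":
            return "any"
        if "/" in p:
            n = ip_network(p, strict=False)
            return f"{n.network_address} {n.hostmask}"   # IOS wildcard mask
        return f"host {p}"

    def port(p: Optional[int]) -> str:
        return f" eq {p}" if p is not None else ""

    rules = sorted(policy, key=lambda r: r.seq)
    lines = []
    for r in rules:
        lines += [f"ip access-list extended {name}-{r.seq}",
                  f" permit {r.proto} {addr(r.src)}{port(r.sport)} {addr(r.dst)}{port(r.dport)}"]
    for r in rules:
        lines += [f"vlan access-map {name} {r.seq}",
                  f" match ip address {name}-{r.seq}", f" action {r.action}"]
    lines.append(f"vlan filter {name} vlan-list {vlan_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in OBSERVED:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {evaluate(POLICY, f)}")
    print(audit(POLICY, OBSERVED))
    print(render_vlan_map(POLICY, "FLAT20", VLAN_ID))
```

Running it shows the two approved directions forwarded, the probes at the unrelated server and the database dropped, and the forgotten backup flow dropped as well: that last line is the "too strict" case from the text, and it only becomes visible because the real flows were captured and replayed against the policy before the VACL was applied. The unused ICMP entry is the opposite signal, a permission no host has needed.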


Diagram: Three segmentation scenarios