How To Secure Your Flat Network

You don't have to trade control for a faster network architecture.

Flat networks are a hot topic: They can be faster and perform better than conventional tiered networks because they enable more direct communication among devices. They're also well-suited for highly virtualized environments and can facilitate virtualization-specific features, such as VM mobility.

However, a shift to flatter networks brings a familiar security conundrum: how to balance performance against risk. In particular, a flat network removes the Layer 3 boundaries that we have long relied on to segment traffic and provide defense in depth.

Most networks today have been carved into myriad virtual LANs, with each VLAN representing a subnet. VLANs are created to break up broadcast domains, logically group devices, and provide a point for implementing access controls between subnets, all valuable tools for security teams. In our practice, we see various methodologies for determining exactly which devices belong in a given VLAN: maybe IT wants to separate devices by type, putting all servers into one or more VLANs, or maybe the goal is to separate devices by physical location, such as floors or buildings.

Once devices have been assigned to a VLAN, they can then be tied back together with Layer 3 routing devices, firewalls, or other mechanisms to allow them to communicate with approved systems on other subnets.

Another benefit of separating devices into subnets/VLANs is that it gives network administrators context clues about the nature of the systems on a given network. For instance, the operations team might know that every device on a particular VLAN is a corporate wireless user. That information helps with troubleshooting, network optimization, and other routine work. Moreover, basic firewalls and access control lists (ACLs), two of the most common network filtering controls, usually operate on Layer 3 parameters such as IP addresses (typically combined with Layer 4 ports). Data flows originate from and are delivered to particular IP addresses or groups of addresses, and security policies and system requirements dictate the filtering rules that decide which IP-to-IP flows are permitted or denied. Those rules only take effect where traffic crosses a routed boundary; two hosts on the same subnet talk to each other at Layer 2 and never pass through the router or firewall at all.

By flattening the network so that more devices share a single subnet, we remove this intersubnet choke point, and with it an entire tier of defense in depth.

However, as we'll discuss, IT can maintain robust network traffic segmentation using Layer 2 controls, both for physical networks and in virtualized environments that rely on virtual network interfaces. These controls include VLAN access control lists, private VLANs, and Layer 2 firewalling. We'll also discuss the use of port profiles and security zones that can be applied to virtual machines.
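As an added example (not configuration from this article or from the accompanying report), the following shows the difference between the two designs on a Cisco IOS Catalyst switch: the tiered layout, where a Layer 3 ACL on the SVI sees every user-to-server flow, and the flattened layout, where the same hosts share one /22 and the segmentation has to be rebuilt with a VLAN access map (VACL), private VLANs, and a hairpin through the gateway so that Layer 3 filtering applies again. All addresses, VLAN numbers, interface names and ACL names are constructed for illustration. Command syntax and VACL default behavior vary by platform and software release, so verify against your own before copying.

```text
! --- Tiered design: users and servers on separate subnets -----------------
! Every user-to-server packet is routed, so the SVI ACL is the choke point.
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip any any log
!
interface Vlan10
 description Users 10.1.10.0/24
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 description Servers 10.1.20.0/24
 ip address 10.1.20.1 255.255.255.0
!
! --- Flattened design: same hosts on VLAN 100 / 10.1.0.0/22 ---------------
! Users occupy 10.1.0.0/23, servers 10.1.2.0/24, the gateway is 10.1.0.1.
! Intra-VLAN traffic is switched, not routed, so the SVI ACL above never
! sees a user talking to a server. Three Layer 2 controls restore a policy.
!
! Control 1: a VACL filters bridged traffic inside the VLAN. VACLs are
! stateless, so the reply half of each permitted flow is listed explicitly.
ip access-list extended FLAT-PERMITTED
 remark users -> servers, HTTPS only, and the server replies
 permit tcp 10.1.0.0 0.0.1.255 10.1.2.0 0.0.0.255 eq 443
 permit tcp 10.1.2.0 0.0.0.255 eq 443 10.1.0.0 0.0.1.255
 remark everyone may reach the gateway (routed traffic, DHCP/DNS relay)
 permit ip 10.1.0.0 0.0.3.255 host 10.1.0.1
 permit ip host 10.1.0.1 10.1.0.0 0.0.3.255
!
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map FLAT-SEG 10
 match ip address FLAT-PERMITTED
 action forward
vlan access-map FLAT-SEG 20
 match ip address ANY-IP
 action drop
! Only IP match clauses are present, so non-IP frames such as ARP are
! forwarded by default; add 'match mac address' clauses to filter them.
vlan filter FLAT-SEG vlan-list 100
!
! Control 2: private VLANs stop same-subnet hosts from exchanging frames
! directly, independent of any IP rule. Users sit in an isolated secondary
! VLAN (no user-to-user traffic), servers in a community VLAN (servers may
! still talk to each other), and only the promiscuous port sees everyone.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
interface GigabitEthernet1/0/1
 description user access port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/10
 description server port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/24
 description shared-services port (e.g. DHCP server) reachable by all hosts
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Control 3 (Layer 2 firewalling by hairpin): with private VLANs in place,
! a user that must reach a server in the same /22 can be forced through the
! gateway. Local proxy ARP makes the SVI answer ARP for every host in the
! subnet, so the traffic enters the SVI and the Layer 3 ACL applies again.
interface Vlan100
 description flat users+servers 10.1.0.0/22
 ip address 10.1.0.1 255.255.252.0
 private-vlan mapping 101,102
 ip local-proxy-arp
 ip access-group FLAT-PERMITTED in
```

The three controls are layered, not alternatives: the VACL catches anything that is still bridged, the private VLANs ensure very little is bridged in the first place, and the hairpin puts what remains back in front of the same kind of stateful or Layer 3 policy the tiered design had. A check worth running after deploying this is a simple connectivity test from an isolated user port to another user port and to a server on a port other than 443; both should fail, and the server reply on 443 should still arrive. On many platforms the gateway can equally be an external firewall attached to the promiscuous port instead of the SVI, which also buys stateful inspection that a VACL cannot provide.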

Our full report on securing flat networks is free with registration.

