Flat Network Strength Also A Security Weakness
Frank J. Ohlhorst
March 22, 2012
The arrival of flat networks on the IT scene has created new opportunities, as well as additional concerns for those responsible for protecting systems from intrusion and preventing data leaks. Nevertheless, they are growing in popularity and are becoming the alternative to traditional tiered networks, which have started to run into connectivity limits inherent in their design.
Flat networks and tiered networks differ in some fundamental ways, which greatly affect how those network ideologies are deployed, supported and secured. Flat network design came into being because an alternative was needed to interconnect systems that rely on massive numbers of connections, a product of heavy virtualization and the convergence of networking technologies.
Flat networks tackle those connectivity problems by eliminating the Achilles' heel of tiered networks, the Spanning Tree Protocol (STP), which effectively restricts the number of paths packets can take through the network. Flat networks (sometimes referred to as network fabrics) employ other approaches to open more paths and increase potential bandwidth.
Flat network options include both standards-based approaches, such as Transparent Interconnection of Lots of Links (TRILL) and Shortest Path Bridging (SPB), and proprietary vendor approaches. Those approaches address the shortcomings of STP and can make a data center network more flexible and responsive to the changing demands of highly virtualized environments.
However, deploying those flat network technologies often requires rearchitecting the network and, in most cases, upgrading hardware to handle what may be new frame types. Those are only some of the downsides of migrating to a fabric, or flat, network.
Another major concern is security, as flat networks need a different approach than that used in a tiered network. One of the primary strengths of a flat network also tends to be its primary security weakness. Flat networks eschew the need for Layer 3 routing, which effectively removes traditional security technologies, such as firewalls, filters and other security appliances, from the subnet; the trade-off is that greater network throughput is realized when L3 routing is minimized. The net result is that, with a flat network, security, in the form of access control over connections, needs to be moved down to Layer 2 of the OSI network model.
Richard Dreger, president of WaveGard, recently authored a comprehensive report for Network Computing's sister publication, InformationWeek. The report provides significant depth and associated research on securing flat networks at L2, and offers some significant revelations on how best to do so. Dreger wrote, "Moving to a flat network, common L3 filtering controls such as firewalls and access control lists won't necessarily be available because more devices will sit on the same subnet. But this doesn't mean giving up on security controls. A variety of Layer 2 technologies are available for physical networks and virtualized environments that let IT restrict communications among devices."
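To make the article's two points concrete (an L3 firewall has no vantage point on traffic between hosts that share a subnet, and the replacement is a Layer 2 control that restricts which devices may talk), here is an added Python example. It is not code from the article or from WaveGard's report. It parses Ethernet II frames with an optional 802.1Q tag and applies a default-deny allow-list keyed on MAC address and VLAN, the general shape of the port-level controls the quoted report refers to; every MAC address, VLAN id, IP range and frame in it is constructed for the example.

```python
"""Layer 2 access control for hosts sharing one subnet.

Added example; not code from the article or from WaveGard's report.
All MAC addresses, VLAN ids, IP ranges and frames are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vlan: Optional[int]
    ethertype: int
    payload: bytes

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header; reject truncated frames instead of guessing."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18   # VLAN id is the low 12 bits of the TCI
    return Frame(mac_str(dst), mac_str(src), vlan, ethertype, raw[offset:])

def build_frame(dst: str, src: str, ethertype: int,
                vlan: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Construct a test frame (only used to feed the parser in this example)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        hdr += struct.pack("!H", ethertype)
    else:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ethertype)
    return hdr + payload

def reaches_l3_filter(src_ip: str, dst_ip: str, prefix: str) -> bool:
    """The article's point about L3 controls: a router, and the firewall or ACL
    sitting on it, only sees traffic that leaves the subnet."""
    net = ipaddress.ip_network(prefix)
    return not (ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net)

class L2Policy:
    """Default-deny switch policy: each MAC is pinned to the VLAN of its port,
    traffic stays inside that VLAN, and unicast is allowed only between pairs
    on the allow-list (checked in both directions so replies get through)."""

    def __init__(self, port_vlan: dict[str, int], allowed: set[frozenset[str]]):
        self.port_vlan = port_vlan   # MAC -> VLAN assigned to the port it sits on
        self.allowed = allowed       # unordered MAC pairs permitted to exchange unicast

    def decide(self, frame: Frame) -> tuple[bool, str]:
        src_vlan = self.port_vlan.get(frame.src)
        if src_vlan is None:
            return False, "source MAC not registered on any port"
        if frame.vlan is not None and frame.vlan != src_vlan:
            return False, "tag names a VLAN the source port is not assigned to"
        if frame.dst == BROADCAST:
            # ARP must work for hosts to talk at all; other broadcast is dropped.
            return frame.ethertype == ETHERTYPE_ARP, "broadcast handled per VLAN"
        if self.port_vlan.get(frame.dst) != src_vlan:
            return False, "destination is outside the source VLAN"
        if frozenset((frame.src, frame.dst)) in self.allowed:
            return True, "pair on allow-list"
        return False, "pair not on allow-list"

def demo() -> dict[str, bool]:
    """Run constructed frames through the policy; returns name -> allowed."""
    web, db, guest = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    policy = L2Policy(port_vlan={web: 10, db: 10, guest: 20},
                      allowed={frozenset((web, db))})
    cases = {
        "web->db ipv4":        build_frame(db, web, ETHERTYPE_IPV4, vlan=10),
        "db->web reply":       build_frame(web, db, ETHERTYPE_IPV4, vlan=10),
        "guest->db":           build_frame(db, guest, ETHERTYPE_IPV4, vlan=20),
        "guest tagged vlan10": build_frame(db, guest, ETHERTYPE_IPV4, vlan=10),
        "web arp broadcast":   build_frame(BROADCAST, web, ETHERTYPE_ARP),
        "untagged web->db":    build_frame(db, web, ETHERTYPE_IPV4),
    }
    return {name: policy.decide(parse_frame(raw))[0] for name, raw in cases.items()}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'allow' if ok else 'drop'}")
    print("same-subnet traffic reaches the L3 filter:",
          reaches_l3_filter("10.0.0.5", "10.0.0.9", "10.0.0.0/24"))
```

The allow-list is symmetric on purpose: a one-directional rule at L2 would silently drop replies, which is the first thing an operator hits when moving filtering off the router. Real switches express the same idea as port-to-VLAN assignment plus VLAN or MAC access lists; this script only models the decision, not the hardware.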