Reclaiming The Network Perimeter

The traditional network perimeter has vanished, but new architectures allow you to control security at the virtual machine or via cloud infrastructures.

Network Computing logo

Cloud computing and virtualization have drastically changed enterprise IT over the past several years, yet security components and architectures have largely remained the same. The concept of traditional perimeter security -- a valid architecture in the past -- is now ineffective in many areas.

Today's network infrastructures and sensitive corporate data have multiple points of entry. Some of these are owned and controlled by the enterprise. Service providers manage others. The ability to control end-to-end security is next to impossible using today's security tools.

Two schools of thought are emerging to address this issue. One recommends moving perimeter security all the way back to the virtual machine level, where policies and data flows are monitored and enforced, all under the control of a centralized management system. Alternatively, some vendors are developing ways to provide complete transparency and pass control of network security back to cloud customers. So which solution is right for you?

Before virtualization and cloud computing became mainstream, IT security was a much easier task. The firewall acted as the sole traffic cop by allowing Internet users access only to a defined set of services that lived on a segmented demilitarized zone, or the externally facing network. This protected internal resources by blocking virtually anything from an untrusted Internet from getting into the corporate network. The company privately leased or owned its WAN links and managed all remote data and servers in house. And, most importantly, it stored its data either locally on servers or on dedicated backend storage networks.

But once virtualization and cloud computing took off, suddenly you had network components that were managed by a third party. Additionally, data could be stored in-house, in the cloud, or virtually anywhere else you wanted it. These advancements were great for utility and redundancy, but they caused all kinds of data security problems.

One solution to the IT security perimeter problem is simply to move the perimeter back to the virtual machine level. A company called vArmour -- a startup that recently came out of stealth mode -- is looking to do just that by hardening what is visible in the cloud. For IaaS offerings, the virtual machine becomes the new perimeter; it's the first visible line of defense that the customer can manage. Placing probes on each VM allows data flows to be monitored and flagged or denied if suspicious behavior is detected. This methodology lets your service provider continue to manage and secure the infrastructure as it sees fit, while ensuring your data and applications are protected.

A different approach is to hand control of infrastructure security back to the customer. This is essentially the concept that Cisco's InterCloud and VMware's NSX architectures are seeking to accomplish. Imagine a day when security postures from your private data center can be copied and pushed out to any number of hybrid cloud providers. There will be no more duplicating rules and recreating the wheel from a security perspective. Best of all, you'll actually get to see and control your cloud infrastructure just as if it were your privately owned equipment.

The bottom line is that both solutions attack the problem of an eroding security perimeter that virtualization and cloud computing have chipped away at over the past decade. IT security can't be decoupled from the underlying network infrastructure, but it could be pushed back or reclaimed using one of these competing architectures.

About the Author(s)

Andrew Froehlich, President, West Gate Networks

President, West Gate Networks

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights