Flat Network Strength Also A Security Weakness

Security is one of the biggest concerns and challenges for today’s interconnected systems, regardless of the network type deployed. However, the intricacies of flat networks bring new nuances to best security practices, which can be addressed by combining common sense with some industry-leading strategies.

March 22, 2012


The arrival of flat networks on the IT scene has created new opportunities, as well as additional concerns for those responsible for protecting systems from intrusion and preventing data leaks. Nevertheless, they are growing in popularity and are becoming the alternative to traditional tiered networks, which have started to run into connectivity limits inherent in their design.

Flat networks and tiered networks differ in some fundamental ways, which greatly affect how those network ideologies are deployed, supported and secured. Flat network design came into being because an alternative was needed to interconnect systems relying on massive amounts of connections, caused by heavy virtualization and the convergence of networking technologies.

Flat networks tackle those connectivity problems by eliminating the Achilles' heel of tiered networks, the Spanning Tree Protocol (STP), which effectively restricts the number of paths packets can take through the network. Flat networks (sometimes referred to as network fabrics) employ other approaches to open more paths and increase potential bandwidth.

Flat network options include both standards-based approaches, such as Transparent Interconnection of Lots of Links (TRILL) and Shortest Path Bridging (SPB), as well as proprietary vendor approaches. Those approaches address shortcomings of STP and can make a data center network more flexible and responsive to the changing demands of highly virtualized environments.

However, deploying those flat network technologies often requires rearchitecting the network and, in most cases, upgrading hardware to deal with what may be new frame types. Those are only some of the downsides of migrating to a fabric, or flat, network.

Another major concern is security, as flat networks need a different approach than that used in a tiered network. One of the primary strengths of a flat network also tends to be the primary security weakness. Flat networks eschew the need for Layer 3 routing, which effectively removes traditional security technologies, such as firewalls, filters and other security appliances from the subnet. However, greater network throughput is realized when L3 routing is minimized. The net result is that, with a flat network, security, in the form of access control and connections, needs to be moved down to Layer 2 of the OSI network model.

Richard Dreger, president of WaveGard, recently authored a comprehensive report for Network Computing’s sister publication, InformationWeek. The report provides significant depth and associated research on securing flat networks at L2, and offers some significant revelations on how best to do so. Dreger wrote, "Moving to a flat network, common L3 filtering controls such as firewalls and access control lists won’t necessarily be available because more devices will sit on the same subnet. But this doesn’t mean giving up on security controls. A variety of Layer 2 technologies are available for physical networks and virtualized environments that let IT restrict communications among devices."

Dreger identifies the key security elements for L2 as strong segmentation and filtering options between L2 entities; intuitive labeling and management of devices, because VLANs won’t necessarily provide context clues; consistent application of L2 access controls via usable tools; security controls designed for the unique requirements of virtual environments (for example, quick system builds and virtual machine migration); and an ability to clearly show how traffic is being controlled to meet audit requirements.

It is the above elements, combined with best practices, that will bring a stable security footing to flat networks. Naturally, it will also take an active management role to further improve security. That active management can take the form of defining rules on security appliances that support L2 firewalling. In most cases, those rules will take the form of VLAN access control lists (VACLs), private VLANs (PVLANs) and filtering controls.

Dreger reports that VACL technologies can be used in much the same way as traditional L3/L4 ACLs, with the added benefit that they are also applied at L2 on a physical switching/routing device. That means a VACL can filter traffic bridged between devices on the same VLAN and does not just need to apply to routed traffic going into or out of a VLAN. VACLs can be defined to block specific traffic types (such as UDP and TCP) and be applied directionally to and from various hosts. More specifically, VACLs can be tied to specific interfaces or be more generally applied to a whole VLAN.
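The difference between a routed ACL and a VACL can be seen in a small model. The following Python sketch is an added example, not code from the article or from Dreger's report; it is a simplified first-match model rather than any vendor's implementation, and the VLAN numbers, subnets and host addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumption): VLAN id -> subnet.
VLANS = {10: ip_network("10.0.10.0/24"), 20: ip_network("10.0.20.0/24")}

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "drop"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (None, pkt["dport"]))

def vlan_of(ip):
    return next(v for v, net in VLANS.items() if ip_address(ip) in net)

def first_match(rules, pkt):
    # First matching rule wins; no match means drop (implicit deny in this model).
    return next((r.action for r in rules if r.matches(pkt)), "drop")

def decide(pkt, routed_acl, vacls):
    """Return (verdict, path) for one packet."""
    src_vlan, dst_vlan = vlan_of(pkt["src"]), vlan_of(pkt["dst"])
    path = "bridged" if src_vlan == dst_vlan else "routed"
    # A VACL sees every packet in its VLAN, bridged or routed.
    for vlan in dict.fromkeys((src_vlan, dst_vlan)):
        if vlan in vacls and first_match(vacls[vlan], pkt) == "drop":
            return "drop", path
    # The routed ACL is consulted only when the packet crosses the L3 boundary.
    if path == "routed" and first_match(routed_acl, pkt) == "drop":
        return "drop", path
    return "forward", path

def pkt(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

ANY = "0.0.0.0/0"
DB = "10.0.10.20/32"  # constructed database host in VLAN 10
ROUTED_ACL = [Rule("drop", "tcp", "10.0.10.0/24", DB, 3306), Rule("forward", "any", ANY, ANY)]
VACL_10 = [Rule("forward", "tcp", "10.0.10.11/32", DB, 3306),  # web tier -> DB only
           Rule("drop", "any", ANY, DB),
           Rule("forward", "any", ANY, ANY)]
```

Calling `decide(pkt("10.0.10.55", "10.0.10.20", "tcp", 3306), ROUTED_ACL, {})` shows the same-subnet connection forwarded even though the routed ACL has a matching drop rule; passing `{10: VACL_10}` instead drops it.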

Of course, VACLs are only the beginning when it comes to securing flat networks at the L2 level. Administrators will need to still take a layered approach to security, further fortifying virtual devices, virtual machines, applications and other members of a flat network architecture. Here, security begins to take a more familiar form, using the same security tools that tiered networks have come to rely on.

Dreger writes, "Fortunately, when you understand VACLs, PVLANs and L2 firewall control options in the physical realm, VM-centric controls will not appear radically different." In other words, if administrators can conquer the physical portion of L2 network security, the virtual elements should pose little or no problem.
