Flat networks are a hot topic: they can be faster and perform better than conventional tiered networks because they enable more direct communication among devices. They're also well-suited for highly virtualized environments and can facilitate virtualization-specific features, such as VM mobility.
However, a shift to flatter networks brings a familiar security conundrum: how to balance performance against risk. In particular, a flat network removes the Layer 3 network segmentation boundaries that we've long used to segment traffic and provide defense in depth.
Most networks today have been carved into myriad virtual LANs, with each VLAN representing a subnet. VLANs are created to break up broadcast domains, logically group devices, and provide a point for implementing access controls between subnets, all of which are valuable tools for security teams. In our practice, we see various methodologies for determining exactly which devices belong in a given VLAN: maybe IT wants to separate devices by type, putting all servers into one or more VLANs. Or maybe the goal is to separate devices by physical location, such as floors or buildings.
Once devices have been assigned to a VLAN, they can then be tied back together with Layer 3 routing devices, firewalls, or other mechanisms to allow them to communicate with approved systems on other subnets.
Another benefit of separating devices into various subnets/VLANs is that it provides network administrators with context clues as to the nature of the systems residing on that network. For instance, the operations team might know that all the devices on a given VLAN are wireless corporate users. This information can help with troubleshooting, network optimization, and other common activities. Moreover, basic firewalls and access control lists (ACLs), two of the most common network filtering controls, usually operate on Layer 3 network parameters, such as IP addresses. Data flows originate from and are delivered to particular IP addresses or groups of addresses. Security policies and system requirements dictate filtering rules that manage which IP-to-IP flows should be permitted or denied.
By removing this intersubnet filtering point and putting more devices on the same subnet, we lose a security tier: traffic between hosts on the same subnet is switched directly at Layer 2 and never reaches the router or firewall where the IP-based rules live.
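The following is an added example, not code from the original article, that models the point made above. It treats a router ACL as a first-match rule list that only sees flows crossing a subnet boundary, then shows that the same user-to-database flow which the tiered design blocks is simply switched (never filtered) once the hosts share one flat subnet, and how a filter applied to every frame regardless of subnet (the role a VLAN ACL plays) restores the policy. All subnets, host addresses and rules are constructed for illustration.

```python
"""Toy model of Layer 3 ACL filtering versus a Layer 2 (VLAN ACL style) filter.
Added example; every address, host and rule below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix (CIDR)
    dst: str                     # destination prefix (CIDR)
    dport: Optional[int] = None  # destination port, None means any port


def match_acl(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit deny at the end, like a router ACL."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action
    return "deny"


def crosses_subnet_boundary(src_ip: str, dst_ip: str, subnets: List[str]) -> bool:
    """A router or L3 firewall only sees traffic that leaves its subnet."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return not any(s in ip_network(n) and d in ip_network(n) for n in subnets)


def l3_decision(rules: List[Rule], subnets: List[str],
                src_ip: str, dst_ip: str, dport: int) -> str:
    """Outcome when the only filter is an L3 ACL at the subnet edge."""
    if not crosses_subnet_boundary(src_ip, dst_ip, subnets):
        return "switched"  # delivered at Layer 2; the ACL is never consulted
    return match_acl(rules, src_ip, dst_ip, dport)


def l2_decision(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Outcome when a VLAN ACL / L2 filter inspects every frame, intra-subnet included."""
    return match_acl(rules, src_ip, dst_ip, dport)


# Tiered design (constructed): users in 10.10.0.0/24, servers in 10.20.0.0/24.
TIERED_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]
TIERED_RULES = [
    Rule("permit", "10.10.0.0/24", "10.20.0.10/32", 443),  # users -> web server, HTTPS only
    # implicit deny: users cannot reach the database server 10.20.0.20
]

# Flat design (constructed): every host lives in one /16.
FLAT_SUBNETS = ["10.0.0.0/16"]
FLAT_HOSTS = {"user-pc": "10.0.1.50", "web-srv": "10.0.2.10", "db-srv": "10.0.2.20"}

# Per-host rules applied inside the VLAN rebuild the tiered policy at Layer 2.
FLAT_VACL = [
    Rule("permit", FLAT_HOSTS["user-pc"] + "/32", FLAT_HOSTS["web-srv"] + "/32", 443),
    Rule("permit", FLAT_HOSTS["web-srv"] + "/32", FLAT_HOSTS["db-srv"] + "/32", 3306),
    Rule("deny", "10.0.0.0/16", "10.0.0.0/16"),  # explicit catch-all for intra-VLAN traffic
]


if __name__ == "__main__":
    print("tiered  user->web  :443 ",
          l3_decision(TIERED_RULES, TIERED_SUBNETS, "10.10.0.50", "10.20.0.10", 443))
    print("tiered  user->db   :3306",
          l3_decision(TIERED_RULES, TIERED_SUBNETS, "10.10.0.50", "10.20.0.20", 3306))
    print("flat/L3 user->db   :3306",
          l3_decision(TIERED_RULES, FLAT_SUBNETS, FLAT_HOSTS["user-pc"], FLAT_HOSTS["db-srv"], 3306))
    print("flat/L2 user->db   :3306",
          l2_decision(FLAT_VACL, FLAT_HOSTS["user-pc"], FLAT_HOSTS["db-srv"], 3306))
    print("flat/L2 web->db    :3306",
          l2_decision(FLAT_VACL, FLAT_HOSTS["web-srv"], FLAT_HOSTS["db-srv"], 3306))
```

The "switched" result is the lost tier: the flow is neither permitted nor denied by policy, it is simply never inspected. Note that the Layer 2 rule set has to be written at host granularity (/32 entries here) because the subnet no longer encodes which hosts are users and which are servers.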
However, as we'll discuss, IT can maintain robust network traffic segmentation using Layer 2 controls, both for physical networks and in virtualized environments that rely on virtual network interfaces. These controls include VLAN access control lists, private VLANs, and Layer 2 firewalling. We'll also discuss the use of port profiles and security zones that can be applied to virtual machines.