Network Computing is part of the Informa Tech Division of Informa PLC


How To Secure Your Flat Network: Page 3 of 4

Traffic Cops


On a flat network, private VLANs (PVLANs), again implemented at the physical switch or router, assign each system to one of three port types, each with its own traffic control properties: promiscuous port, community port, and isolated port.

A promiscuous-port PVLAN designation, typically used for the gateway of a given subnet, has unfettered access to other interfaces on the PVLAN. A community-port PVLAN designation allows communication with other members of the community and promiscuous ports on the PVLAN, making this a good choice for a group of servers that need to talk on a given segment, such as a group of Web servers and a database server. The isolated-port PVLAN applies the tightest controls, limiting the device to talking only with promiscuous ports on the PVLAN.

In general, PVLANs provide broad segmentation of L2 traffic rather than granular control. Still, they support defense in depth and break up subnet broadcast domains, and they work in tandem with VACLs when more specific access profiles are needed.
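The three port types above amount to a small forwarding policy, and it is worth checking that policy against the intended design before cutting over. The following is an added example (not from the article or any vendor's switch software) that models the rules the article describes and produces the per-port reachability view an auditor would want; the port names and the "app" community are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port designations used by the article.
PROMISCUOUS = "promiscuous"
COMMUNITY = "community"
ISOLATED = "isolated"

@dataclass(frozen=True)
class Port:
    name: str
    kind: str
    community: Optional[str] = None  # set only for community ports

def pvlan_allowed(src: Port, dst: Port) -> bool:
    """True if the PVLAN forwards a frame from src to dst.

    Promiscuous ports reach every port; community ports reach promiscuous
    ports and members of their own community; isolated ports reach only
    promiscuous ports.  Every other pairing is dropped by the switch.
    """
    if src.kind == PROMISCUOUS or dst.kind == PROMISCUOUS:
        return True
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.community == dst.community
    return False  # isolated to anything non-promiscuous, or cross-community

def reachable_peers(port: Port, ports: List[Port]) -> List[str]:
    """Names of the other ports this port can reach (handy for an audit)."""
    return sorted(p.name for p in ports if p is not port and pvlan_allowed(port, p))

def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Full pairwise table to compare against the intended design before go-live."""
    return {(a.name, b.name): pvlan_allowed(a, b)
            for a in ports for b in ports if a is not b}

# Constructed sample segment: a gateway, a web/database community, and two
# isolated hosts that should only ever reach the gateway.
SEGMENT = [
    Port("gateway", PROMISCUOUS),
    Port("web1", COMMUNITY, "app"),
    Port("web2", COMMUNITY, "app"),
    Port("db1", COMMUNITY, "app"),
    Port("kiosk1", ISOLATED),
    Port("kiosk2", ISOLATED),
]
```

Calling reachable_peers(port, SEGMENT) for each port gives the audit view; any pair that reachability_matrix marks True but the design did not intend is a filtering gap to fix before the segment goes live.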

Layer 2 firewalling provides functionality similar to VACLs, but wrapped in a friendlier user interface. Advanced firewalls, like those from Palo Alto Networks, can actually switch between two or more interfaces on the same VLAN and inspect the traffic traversing that path. The upside of this approach is that it leverages the abilities of an enterprise-class firewall and provides a clean way of integrating controls into a consistent firewall policy. The downside? It's expensive to implement because of the port-density requirements and the cost of each physical interface.

True Layer 2 firewalling (not transparent mode firewalling), while fairly uncommon, can make sense implemented as a filter between communicating devices on the same subnet that reside on different physical switches.

Keep in mind that adding any Layer 2 control introduces another level of filtering and, potentially, breakage. If a host becomes inaccessible, you'll have to look at all the usual suspects (firewall, host adapter, application processes, network) and also determine whether Layer 2 filtering might be causing the problem.


Private VLAN Choices
Administrators can use three types of private VLANs to segment Layer 2 traffic

Port type          What the device can reach on the PVLAN
Promiscuous port   Any other interface type on the PVLAN
Community port     Promiscuous ports and other members of its community
Isolated port      Promiscuous ports only

Hey, we said it could make the network faster. We didn't say it would make your life easier.

Consider the operational impact, particularly when you apply controls such as VACLs and PVLANs. Insist on excellent management and audit capabilities to streamline configuration tasks and ease troubleshooting. Typically, this means using a management tool or element manager that can monitor filtering rules, provide centralized and actionable audit logs, and help enforce consistency throughout your implementation. These concepts of manageability and consistency are essential as we move away from physical appliances and transition into our next topic: virtual L2 controls.