Network Computing is part of the Informa Tech Division of Informa PLC


How To Secure Your Flat Network: Page 4 of 4

Virtual Security

As mentioned earlier, flat network architectures are well-suited to private clouds or highly virtualized data centers, where VMs often migrate among servers. But you still need Layer 2 networking controls in these architectures, and that means working with virtual interfaces and switches.

Fortunately, once you understand VACLs (VLAN access control lists), PVLANs (private VLANs), and the Layer 2 firewall control options in the physical realm, you can transfer that know-how, because the VM-centric versions of these controls are not radically different.

Let's look at some tenets of granular L2 segmentation for virtual systems. The watchwords are strong auditing, scalability, and visibility into how traffic is being controlled.

Strong, low-level segmentation is still required in a virtualized network, and in fact becomes more important as the quantity of virtualized devices occupying a given subnet expands and the complexity of the design increases.

A key concept in securing flat, heavily virtualized networks is port and security profiles: collections of settings that dictate how the VMs assigned to a given group behave on the network. Once you create and assign profiles, the configuration sticks with a VM even as it migrates to different physical hardware or changes state.

These profiles can be applied dynamically, as VMs are spun up. For example, a profile might be created to lock down administrative GUI access to a particular management subnet. Or a profile might explicitly deny network access from a less trusted group of systems to a more sensitive set of VMs. Profiles simplify administrative tasks and help enforce a consistent policy baseline for similar systems.

Beyond profiles, administrators can create security zones for network segmentation. A security zone is simply a grouping of devices that share some common characteristic, such as operational role, relative security value, or access requirements. These groupings provide simplicity and time savings later on. Application servers can be put in an app-zone, Web servers in a web-zone, and so on.
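To make the profile and zone ideas concrete, here is a small policy model written for this page (it is not the article's code and does not reflect any particular vendor's product). Profiles are ordered ingress rules bound to a VM and evaluated at the VM's virtual NIC; zones are labels on VMs that rules can match on. The names, subnets and hosts (web-zone, app-zone, mgmt-zone, dmz-zone, 10.0.99.0/24, esx-a, and so on) are constructed for the example. The two profiles mirror the two cases the text gives: admin GUI access locked to a management subnet, and a less trusted zone denied access to a sensitive set of VMs. The migrate() call shows that moving a VM to another host changes nothing about the decision, because the policy is keyed on the VM, not on a physical switch port.

```python
"""Toy model of VM-bound security profiles and zones (illustrative, not vendor code)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ingress rule in a profile. A field left as None matches anything."""
    action: str                              # "permit" or "deny"
    src_zone: Optional[str] = None           # zone label of the sending VM
    src_net: Optional[IPv4Network] = None    # subnet the sending VM must be in
    dst_port: Optional[int] = None           # TCP/UDP port on the receiving VM

    def matches(self, src: "VM", dst_port: int) -> bool:
        if self.src_zone is not None and src.zone != self.src_zone:
            return False
        if self.src_net is not None and ip_address(src.ip) not in self.src_net:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Profile:
    """Ordered ingress rules bound to a VM: first match wins, then implicit deny."""
    name: str
    rules: Tuple[Rule, ...]

    def permits(self, src: "VM", dst_port: int) -> bool:
        for rule in self.rules:
            if rule.matches(src, dst_port):
                return rule.action == "permit"
        return False  # nothing matched: default deny


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str
    profile: Profile
    host: str  # physical server currently running the VM (constructed names)


def vnic_filter(src: VM, dst: VM, dst_port: int) -> bool:
    """Decision taken at the receiving VM's virtual NIC, using its own profile."""
    return dst.profile.permits(src, dst_port)


def migrate(vm: VM, new_host: str) -> VM:
    """Live-migration style move: only the host changes; zone and profile travel with the VM."""
    return replace(vm, host=new_host)


# Constructed sample inventory (not from the article).
MGMT_NET = ip_network("10.0.99.0/24")

WEB_PROFILE = Profile("web-profile", (
    Rule("permit", dst_port=443),                      # public HTTPS from anywhere
    Rule("permit", src_net=MGMT_NET, dst_port=8443),   # admin GUI only from the mgmt subnet
))
APP_PROFILE = Profile("app-profile", (
    Rule("deny", src_zone="dmz-zone"),                 # less trusted zone blocked outright
    Rule("permit", src_zone="web-zone", dst_port=8080),
    Rule("permit", src_net=MGMT_NET, dst_port=22),
))

WEB1 = VM("web1", "10.0.10.11", "web-zone", WEB_PROFILE, "esx-a")
APP1 = VM("app1", "10.0.20.21", "app-zone", APP_PROFILE, "esx-b")
ADMIN = VM("jumpbox", "10.0.99.5", "mgmt-zone", Profile("mgmt-profile", ()), "esx-c")
KIOSK = VM("kiosk", "10.0.50.7", "dmz-zone", Profile("dmz-profile", ()), "esx-a")


def demo() -> Dict[str, bool]:
    """Evaluate a handful of flows before and after web1 migrates to another host."""
    web1_moved = migrate(WEB1, "esx-b")
    return {
        "kiosk->web1:443": vnic_filter(KIOSK, WEB1, 443),
        "kiosk->web1:8443": vnic_filter(KIOSK, WEB1, 8443),
        "admin->web1:8443": vnic_filter(ADMIN, WEB1, 8443),
        "admin->web1:8443 after migration": vnic_filter(ADMIN, web1_moved, 8443),
        "kiosk->web1:8443 after migration": vnic_filter(KIOSK, web1_moved, 8443),
        "web1->app1:8080": vnic_filter(WEB1, APP1, 8080),
        "kiosk->app1:8080": vnic_filter(KIOSK, APP1, 8080),
        "admin->app1:22": vnic_filter(ADMIN, APP1, 22),
        "web1->app1:22": vnic_filter(WEB1, APP1, 22),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:40s} {'permit' if decision else 'deny'}")
```

The deny-by-default at the end of Profile.permits is the piece worth auditing in any real profile system: a profile with no rules yields no access, and every permit is something an administrator explicitly wrote down, which keeps the "visibility into how traffic is being controlled" that the text asks for.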

Flatter networks, particularly in virtualized environments, can reduce network complexity (fewer VLANs and simpler subnets) and improve performance. While breaking down network boundaries isn't the right answer in all cases, it's an intriguing option for virtualized architectures or where you have a need for speed. With the right tools, filtering controls can be placed very close to the source of the network traffic, on the virtual NIC, which reduces resource waste and improves performance because bad traffic is dropped near where it originates. By using the tools at our disposal for both physical and virtual deployments, IT can implement strong controls at Layer 2 and enjoy the benefits of going flat.

[Chart: To what extent are you using these virtualization technologies?]

Richard Dreger is president of WaveGard, a consulting firm. Write to us at [email protected].