The History of Network Architecture
The goal of any network and its underlying infrastructure is simple. It is to securely transport the end user’s traffic to support an application of some kind without any packet drops which may trigger application performance problems.
Here a key point to consider is that the metrics engaged to achieve this goal and the design of the underlying infrastructure, derives in many different forms. Therefore, it is crucial to tread carefully and fortify the many types of web applications comfortably under an umbrella of hardened security.
The network design has evolved over the last 10 years to support the new web application types and the ever-changing connectivity models such as remote workers and Bring Your Own Device (BYOD).
Transition from Layer 2 to Layer 3 Designs
Initially, we transitioned from flat Layer 2 data center design to more robust Layer 3 only designs.
In Layer 2 networks there is no media access control address (MAC) hierarchy addressing unlike Layer 3 that uses IP address allocation to support the hierarchy. The only way to scale is to have hierarchy in your network design. However, Layer 2 does not support this, which flares up the grey area.
Layer 2 networks are not accorded with controlled / efficient network discovery protocols. Address Resolution Protocol (ARP) is used to locate the end hosts and uses Broadcasts and Unicast replies. Layer 2 is a troublesome layer to have on any network unless it is watched over and solely used in small network islands interconnected by a Layer 3 boundary.
Port-level security such as Dynamic Host Configuration Protocol (DHCP) snooping, IP source guard, ARP security, private virtual LANs (VLANs) exist and are in use but the general assumption is that there are not many sufficient ways to shield this layer.
Comparatively, Layer 3-only-designs are more robust but the legacy applications may push the design back to Layer 2-only.
The 3-Tiered Network Design
The transition of network designs has reallocated from a simple three-tiered architecture to complex leaf and spine designs.
The traditional three-tiered model is characterized by aggregation pairs (AGGs), thereby aggregating different points in the network. Hosts connect to access or edge switches, these switches further connect to distribution and distribution connects to the core.
The new application requirements force the architects to revisit this AGG model. The prerequisites consisted of the introduction of equidistant endpoints (equal distance between nodes) with non-blocking network core, unlimited workload placement and mobility, lossless transport for storage and other elephant flows.
The Leaf and Spine Architecture
These obligations germinate a new style of leaf and spine network design to knock socks off the shortcomings of the traditional tree architectures. The spreading of the fabric resulted in the new leaf and spine switches. Every leaf edge switch connects to every spine core switch; this empowers every edge device with full bandwidth of the fabric. As a result, each node has equidistant endpoint reachability.
The History of Traffic Flows
A traffic flow is a sequence of packets from a source to a destination. The final destination for the sequence of the packet can either be local or remote. At a basic level, IP addresses and MAC address are used, along with any Domain Name System (DNS) for lookups and routing based protocols for endpoint reachability.
Traditionally we have north to south traffic flows. North to south (up / down) corresponds to traffic between the servers and the external world (outside the network). These types of flows are observed in the three-tiered architecture, previously discussed.
The advent of virtualization and Virtual Machine (VM) mobility introduced a new style of traffic known as east to west traffic. East to west corresponds to internal communication between applications. This type of traffic is always internal and does not leave the network. For example, the functions of a web server communicating internally. These types of flows are witnessed in the leaf and spine design.
Factually, the type of traffic flow not only affects the design you choose but also the selected security model. It introduces new security paradigms which require a different type of technical hat.
Security Issues with North to South Traffic Flows
Security for the north to south traffic flows was by design a simple approach. However, simple does not necessarily signify more secure.
A centrally located Firewall is placed in the middle of the network and all traffic leaving the data centre would flow through this centrally located security appliance. We have been engineering these designs and security appliances for decades. We have umpteen lessons learned and validated designs from all vendors on how to securely lock down your network with a centrally located design.
The physically central Firewall has taken many years to develop over time to combat cyber criminal’s latest activities and has every feature under the sun to do this. These Firewalls have a range of features that can apply a policy to IP, Port numbers, Ethernet MAC addresses, operate up to Layer 7 with advanced Deep Packet Inspection (DPI), filtering, redirection and rate limiting to name a few. They can also be connected to various threat-intelligence feeds to combat day-zero attacks.
This sounds pretty secure, right? We have been doing it for years so there should be no holes unknown. However, unfortunately that’s not the case.
Evolution of the Network Architecture & How It has Affected Security