Back to Basics – Network Design

Networking is fun. It should also be pragmatic. There are many networks in production that have been architected like a service provider network, or the way networking vendors want them designed. This is not to say that these networks aren't providing service, as they all are, just not at the scale of an ISP. These designs are likely implemented by people who love networking and want to see as much of it as possible, at the expense of being impractical and expensive.

While robust and highly scalable, in most environments (all of them, outside of ISPs) this is like putting out a match with a firehose.

An illustration.

Many environments attempt to employ a very robust architecture like the one diagrammed above, which contains:

  • Border Routers that connect to the Internet and are the first hop for the IPs provided by the ISP.
  • Core Routers or Switches that handle routing between internal networks.
  • Distribution Routers or Switches that aggregate Access Switches. They will either pass traffic between locally connected access switches or forward traffic up to the core.
  • Access Switches that provide physical Ethernet connectivity for endpoints (clients and servers).
  • Security Gateways that may include multiple layers of firewalls, Network IPS, Web Gateway, and Email Gateway.
In most environments there are typically a few other extraneous network elements: routers that connect to partner networks, legacy environments that people are intimidated to change, proxy servers, and VPN concentrators.

The challenge with this architecture is that it introduces many points of management, many points of failure, many points of capital cost, and a lack of visibility into what is transiting the network. The last point is critical. Because much of the internal traffic goes from an endpoint to a switch and then to another switch without ever hitting the security gateways, it cannot be scrutinized.

For better management and security, all of this functionality can and should be collapsed into 2-3 layers:

  1. Firewalls (we will use the term security platform, or security gateway, in place of firewall, as it is a better description)
  2. Access/Distribution Switches

In the architecture above we would terminate the Internet connection on the security gateway(s). Getting high availability from an Internet connection has the same challenges regardless of the type of device: HA Internet requires two cables from the same ISP or a cable from each of two separate ISPs. If necessary we implement dynamic routing protocols, BGP for high availability or OSPF for MPLS, across the WAN interfaces of the security gateways. Threat modules should be enabled on the security gateways to perform network intrusion prevention and malware detection. All of the site-to-site and client-based VPNs should terminate here too.

By policy, switches should connect to the security gateways' inside interfaces as directly as possible, with as few intermediate switch hops as possible. This allows us to route traffic from the access switches up to the security gateways so that security policy is applied to as much internal traffic as possible. Many environments end up with one large pair of core switches, which we put into layer 2 mode (imagine the diagram above without the switches between the access switches and the security gateway). When so many access switches are required that the security gateway doesn't have enough ports to support them all, distribution switches must be introduced as depicted in the diagram above.

Further reduction in equipment can be had by using VLANs on the distribution switches for both LAN and DMZ (and any number of other VLANs currently required) rather than having a dedicated switch for each network. As you will notice, though, traffic between the LAN access switches is invisible to the security gateway, as in the drawing below. This is why the more switches we can connect directly to security gateway ports, the better.

There are a number of benefits to this design:
  1. Capital cost savings. We have eliminated at least three layers of physical appliances. While the cost of individual security gateways may increase due to their larger capacity, there is still a 50% saving on overall equipment costs due to the reduction in metal boxes.
  2. Operational cost savings. All of the complex routing and filtering is done on a single security gateway (or HA pair). Most of the daily modifications and troubleshooting will be on a single pair of devices. The switches can all be in simple layer 2 mode. There are fewer places to look for trouble, which saves time. Because the operational team will spend most of their time in the security appliances, they will develop strong skills fast, which will also reduce the time to repair. And let's not forget rack space, power, and cooling.
  3. Better security. The more traffic we route on an internal core network, the less traffic will be visible to the security gateways. By putting the default gateway for all networks on the security gateway, traffic between those networks will be scrutinized.
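To make the visibility argument concrete, here is an added example (not code from the original post) that models where each VLAN's default gateway lives and lists which flows never transit the security gateway; the host names, VLAN names and device names ("core", "secgw") are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model, not from the original post. Each host sits on one VLAN and
# each VLAN's default gateway lives on one device: the "core" switch or the
# security gateway "secgw". Same-VLAN traffic is switched at layer 2 and never
# reaches a router. Inter-VLAN traffic is routed by the gateway device of each
# end's VLAN, so it crosses the security gateway only if at least one of those
# gateways is the security gateway. Internet-bound traffic always exits via it.

@dataclass(frozen=True)
class Host:
    name: str
    vlan: str

INTERNET = Host("internet", "internet")

def flow_is_inspected(src: Host, dst: Host, gateway_of: Dict[str, str]) -> bool:
    """True if the flow src -> dst transits the security gateway."""
    if dst.vlan == "internet":
        return True                      # the border is always the security gateway
    if src.vlan == dst.vlan:
        return False                     # layer-2 switched, blind to every router
    return "secgw" in (gateway_of[src.vlan], gateway_of[dst.vlan])

def blind_flows(flows: List[Tuple[Host, Host]], gateway_of: Dict[str, str]) -> List[str]:
    """Names of the flows the security gateway never sees under this design."""
    return [f"{s.name}->{d.name}" for s, d in flows if not flow_is_inspected(s, d, gateway_of)]

# Constructed hosts and a handful of typical flows.
u1, u2 = Host("user1", "users"), Host("user2", "users")
app, db, web = Host("app1", "app"), Host("db1", "db"), Host("web1", "dmz")
FLOWS = [(u1, app), (u1, web), (u1, INTERNET), (app, db), (u1, u2), (web, app)]

# Traditional design: the core switch routes the internal VLANs, only the DMZ hangs off the firewall.
TRADITIONAL = {"users": "core", "app": "core", "db": "core", "dmz": "secgw"}
# Collapsed design: the security gateway is the default gateway for every VLAN.
COLLAPSED = {"users": "secgw", "app": "secgw", "db": "secgw", "dmz": "secgw"}

if __name__ == "__main__":
    for label, design in (("traditional", TRADITIONAL), ("collapsed", COLLAPSED)):
        print(f"{label}: blind flows = {blind_flows(FLOWS, design)}")
```

Only the same-VLAN user-to-user flow stays blind in the collapsed design, which is exactly the traffic the post says still bypasses the gateway between LAN access switches.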
With the direction of modern datacenters, it is equally important to ensure that the security platform you select can be deployed in virtual and public cloud environments to provide continuity.

Complexity and obscurity are the real enemies of security and availability. Simplicity and efficiency are their friends.

*** This is a Security Bloggers Network syndicated blog from Insecurity authored by asdfasdfasdfasdf. Read the original post at: http://stephenperciballi.blogspot.com/2014/04/back-to-basics-network-design.html