The concept of network segmentation and isolation is far from new -- in fact, security professionals have long espoused the concepts of defense in depth and layered network security, both of which include network segmentation as a vital component. But how does this work within virtualized infrastructures? Can the same types of network isolation be achieved within these environments? Fortunately, the answer is yes, although the techniques and technologies may differ somewhat from traditional physical networks. Let’s take a look at some
Network segmentation best practices: Segmentation categories
There are several categories of segmentation that need to occur within virtual and private cloud environments. The first is between different types of network segments particular to the virtual environment itself. These include network segments that carry production traffic to and from virtual machines, segments that carry management traffic, and specialized traffic such as that used for storage networks and memory/data migration between hypervisor platforms.
For most enterprise virtualization platforms, there is a dedicated virtual network connection for management traffic. On VMware platforms this is the “service console” network on classic ESX (on ESXi, a VMkernel port enabled for management), and it carries connections from the hypervisors to management systems such as vCenter, as well as direct SSH and vSphere Client sessions. Because this traffic can carry credentials and other sensitive data, it should be segregated on a completely distinct virtual switch where possible, backed by its own physical network interface card (NIC).
The second major traffic type in most virtual environments is virtualization operations traffic, usually associated with live migration of running virtual machines (VMware vMotion or Microsoft Hyper-V Live Migration, for example) and storage operations (commonly iSCSI or NFS). Migration traffic carries the contents of a virtual machine’s memory (RAM) and storage traffic carries its disk blocks, and historically neither has been encrypted on the wire, so this traffic should also be isolated on a separate virtual switch and NIC. The third traffic type is virtual machine production traffic, and it should be kept separate from the other two. If separate virtual switches are not possible, port groups (subdivisions of a virtual switch) can be used to isolate the ports needed for each traffic type; bear in mind that port groups on one virtual switch still share its uplink NICs, so each should at least carry its own VLAN tag.
Network segmentation best practices: Switch-based segmentation
The second major type of segmentation available to virtual environments is traditional switch-based segmentation. Beyond separate virtual switches and port groups, all mainstream virtualization platforms support IEEE 802.1Q VLAN tags at Layer 2, which separate broadcast domains. These can be applied in several places. In the simplest implementation, one VLAN is assigned to an entire virtual switch, and every virtual machine connected to that switch communicates on that VLAN alone; this quickly leads to a large number of virtual switches, which becomes unwieldy on hosts with a limited number of physical NICs. Most large deployments instead assign a distinct VLAN ID to each port group on a virtual switch (virtual switch tagging, in VMware terms) and carry all of those VLANs to a physical switch trunk port over one or more NICs. The trunk on the physical side should then allow only the VLANs the host actually needs, and none of the traffic classes above should be left untagged on the native VLAN.
For organizations that require even more granularity, some virtual switch types support private VLANs (PVLANs). A PVLAN subdivides a single primary VLAN into secondary VLANs (isolated, community and promiscuous), so that hosts in the same subnet can be prevented from talking to one another directly while still reaching a shared gateway or service. VMware’s vSphere Distributed Switch supports PVLANs, as does Cisco’s Nexus 1000V switch, among others. Because the distributed switch tags uplink frames with the secondary VLAN ID, the physical switches must be configured with the same PVLAN mapping for the isolation to hold between hosts.
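The two preceding sections describe the same design rule from two angles: management, virtualization operations and VM production traffic should not share a virtual switch (and thus its uplink NICs), and should not share a VLAN either. The following script, added here as an example and not code from the original article or from VMware, audits a host's standard vSwitch layout for exactly those mistakes, plus two related ones (a port group left untagged on the native VLAN, and a VLAN 4095 guest-tagging port group). The two listings are constructed to resemble the table printed by `esxcli network vswitch standard portgroup list`, and the port group names and keyword-based classification are assumptions about a site's naming convention.

```python
"""Audit a vSphere host's standard vSwitch and port group layout for the
segmentation mistakes described above: management, virtualization
operations (vMotion, iSCSI) and VM production traffic sharing a virtual
switch or a VLAN, plus untagged and guest-tagged port groups.

Added example, not code from the original article or from VMware. The
listings are constructed to resemble the table printed by
`esxcli network vswitch standard portgroup list`; the port group names and
the keyword-based classification are assumptions about a site's naming.
"""
import re
from collections import defaultdict

# Constructed sample: three traffic classes on vSwitch0 in the untagged
# VLAN, and a guest-tagging (VLAN 4095) port group on vSwitch1.
BAD_LISTING = """\
Name                  Virtual Switch  Active Clients  VLAN ID
--------------------  --------------  --------------  -------
Management Network    vSwitch0                     1        0
vMotion               vSwitch0                     1        0
iSCSI                 vSwitch1                     1      300
VM Network            vSwitch0                     4      100
Guest Tagged          vSwitch1                     1     4095
"""

# Constructed sample of the layout the article recommends: one vSwitch and
# one tagged VLAN per traffic class; VM port groups differ only by VLAN.
GOOD_LISTING = """\
Name                  Virtual Switch  Active Clients  VLAN ID
--------------------  --------------  --------------  -------
Management Network    vSwitch0                     1       10
vMotion               vSwitch1                     1       20
iSCSI                 vSwitch1                     1       30
VM Network            vSwitch2                     4      100
DMZ Web               vSwitch2                     2      110
"""

# Assumed naming convention; anything unmatched counts as VM production.
CLASS_PATTERNS = {
    "management": re.compile(r"management|service console", re.I),
    "operations": re.compile(r"vmotion|iscsi|nfs|migration|storage", re.I),
}

# One data row: name (may contain single spaces), vSwitch, client count, VLAN.
ROW = re.compile(r"^(?P<name>.+?)\s{2,}(?P<vswitch>\S+)\s+\d+\s+(?P<vlan>\d+)\s*$")


def parse_portgroups(listing):
    """Return [(name, vswitch, vlan_id)]; header and ruler lines do not match."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["name"].strip(), m["vswitch"], int(m["vlan"])))
    return rows


def classify(name):
    """Map a port group name to a traffic class using CLASS_PATTERNS."""
    for cls, pattern in CLASS_PATTERNS.items():
        if pattern.search(name):
            return cls
    return "vm"


def audit(listing):
    """Return a list of (check, detail) findings; an empty list means clean."""
    findings = []
    by_vswitch = defaultdict(dict)  # vswitch -> {class: [port group names]}
    by_vlan = defaultdict(dict)     # vlan id -> {class: [port group names]}
    for name, vswitch, vlan in parse_portgroups(listing):
        cls = classify(name)
        by_vswitch[vswitch].setdefault(cls, []).append(name)
        by_vlan[vlan].setdefault(cls, []).append(name)
        if vlan == 4095:
            # VLAN 4095 is virtual guest tagging: the guest OS picks the tag,
            # so the port group reaches every VLAN allowed on the uplink trunk.
            findings.append(("guest_tagging", name))
        elif vlan == 0 and cls != "vm":
            # VLAN 0 is untagged: frames ride the uplink's native VLAN, which
            # is shared with anything else left untagged on that trunk.
            findings.append(("untagged_" + cls, name))
    # Port groups of different classes on one vSwitch share its uplink NICs.
    for vswitch, classes in sorted(by_vswitch.items()):
        if len(classes) > 1:
            findings.append(("shared_vswitch", f"{vswitch}: {', '.join(sorted(classes))}"))
    # A VLAN is one broadcast domain no matter which vSwitch it is tagged on.
    for vlan, classes in sorted(by_vlan.items()):
        if len(classes) > 1:
            findings.append(("shared_vlan", f"VLAN {vlan}: {', '.join(sorted(classes))}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(BAD_LISTING):
        print(f"{check:20} {detail}")
    print("good layout findings:", audit(GOOD_LISTING))
```

Two port groups of the same class on one vSwitch with different VLAN IDs (VM Network and DMZ Web above) are deliberately not flagged; that is the port-group-per-VLAN pattern the article recommends. On a real host, feed the script the saved output of the esxcli command, and adjust CLASS_PATTERNS to match your own port group names before trusting a clean result.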
Network segmentation best practices: Higher-layer segmentation
The final isolation technique for virtual and private cloud infrastructure is higher-layer segmentation, namely filtering on IP addresses and ports (Layers 3 and 4). This is usually accomplished with router access control lists (ACLs), firewall rule sets and load balancers, although other access control devices such as proxies can also be used. Many network access control products can now be deployed as virtual appliances, allowing higher-layer segmentation to occur entirely within the hypervisor platform. Existing physical firewalls and routers can also be used to segment traffic into and out of virtual environments, although some re-architecture or segment design work may be needed: the rules are written per segment (subnet or VLAN) rather than per physical host, and every virtual machine placed in a segment inherits that segment's rules.
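To make the Layer 3/4 rules concrete, the following is an added example, not the article's own code and not any vendor's ACL syntax, of a first-match rule set that admits management traffic only from an administrators' jump subnet and from within the management segment itself, confines vMotion and iSCSI to their own segment, and lets production VMs talk out. The subnets, ports and rule order are constructed assumptions. The block also keeps a misordered copy of the same rules alongside, because with first-match evaluation the order is the policy.

```python
"""Evaluate a first-match Layer 3/4 rule set that keeps the management and
virtualization operations subnets reachable only from where they should be,
while VM production traffic is allowed out.

Added example, not the article's own code and not any vendor's ACL syntax.
The subnets, ports and rule order are constructed assumptions standing in
for a router ACL or firewall policy in front of the virtual environment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None means any port


# Assumed segments (constructed addresses).
ADMIN_JUMP = "10.10.0.0/24"   # administrators' jump hosts
MANAGEMENT = "10.1.0.0/24"    # vCenter and hypervisor management ports
OPERATIONS = "10.2.0.0/23"    # vMotion and iSCSI VMkernel ports
VM_PROD = "10.20.0.0/16"      # production VM port groups
ANY = "0.0.0.0/0"

# Rules are evaluated top to bottom; the first match wins.
RULES = [
    Rule("permit", ADMIN_JUMP, MANAGEMENT, "tcp", 443),  # vSphere Client, vCenter UI
    Rule("permit", ADMIN_JUMP, MANAGEMENT, "tcp", 22),   # SSH to hypervisors
    Rule("permit", MANAGEMENT, MANAGEMENT, "any", None), # vCenter <-> hosts
    Rule("permit", OPERATIONS, OPERATIONS, "any", None), # vMotion and iSCSI peers
    Rule("deny", ANY, MANAGEMENT, "any", None),          # nothing else reaches management
    Rule("deny", ANY, OPERATIONS, "any", None),          # nothing else reaches operations
    Rule("permit", VM_PROD, ANY, "any", None),           # production VMs may talk out
    Rule("deny", ANY, ANY, "any", None),                 # explicit default deny
]

# The same rules with the VM_PROD permit hoisted above the management and
# operations denies: an ordering mistake that silently exposes both segments.
MISORDERED_RULES = [RULES[6]] + RULES[:6] + [RULES[7]]


def matches(rule, src, dst, proto, dport):
    """True if a flow (src ip, dst ip, proto, dst port) hits this rule."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport):
    """Return (action, index of the matching rule); unmatched flows are denied."""
    for index, rule in enumerate(rules):
        if matches(rule, src, dst, proto, dport):
            return rule.action, index
    return "deny", None


def exposure(rules, protected, probes):
    """Return the probe sources that can reach a host in `protected` on 443/tcp.

    A quick check that a protected subnet is reachable only from the segments
    intended; `probes` is a list of sample source addresses.
    """
    target = str(next(ipaddress.ip_network(protected).hosts()))
    return [src for src in probes
            if evaluate(rules, src, target, "tcp", 443)[0] == "permit"]


if __name__ == "__main__":
    probes = ["10.10.0.7", "10.20.0.5", "10.1.0.10", "192.0.2.9"]
    print("can reach management:", exposure(RULES, MANAGEMENT, probes))
    print("with misordered rules:", exposure(MISORDERED_RULES, MANAGEMENT, probes))
```

The evaluator models a stateless ACL, so reply traffic is not implied: on a router ACL the return path from the management segment back to the jump hosts needs its own permit (or an established/reflexive construct), whereas a stateful firewall tracks the session and admits the replies on its own. The exposure check is worth running against every protected segment whenever a rule is added, since a single broad permit placed too early undoes the denies below it.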
Security practitioners have known for some time that network segmentation is a useful step in protecting their networks, and fortunately, this can be done very effectively within virtual and private cloud infrastructures. Although some planning and architecture design may be needed, network segmentation best practices are still a key control to help combat threats, prevent data breaches and meet compliance requirements.
About the author:
Dave Shackleford is the senior vice president of research and the chief technology officer at IANS. Dave is a SANS analyst, instructor and course author, as well as a GIAC technical director. Dave previously was the founder and principal consultant with Voodoo Security, and has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. Dave is a former QSA with several years' experience performing PCI assessments. He is a VMware vExpert, and has extensive experience designing and configuring secure virtualized infrastructures. Dave previously was CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.
This was first published in October 2011