Time to reconsider security zones in system and network design
- Date: June 28th, 2009
- Author: Rick Vanover
- Category: Ethernet, Infrastructure, Servers, System Administration, Virtualization, network tools, security, storage technology
- Tags: Network, Network Design, Security Zone, Security, Networking, Rick Vanover
As IT professionals balance many responsibilities, we may omit certain fundamentals that are made easier in the current technology landscape through multiple layers of abstraction, virtualization, and management. IT Jedi Rick Vanover suggests that it’s a good time to rethink security zones.
—————————————————————————————————————
The current inventory of networks and servers has many layers of abstraction, virtualization, and management in today’s data center. Recently in a discussion with independent security expert Edward Haletky, I discovered it is definitely time to revisit how security zones are provisioned in new and existing network infrastructure.
Edward pointed out that many administrators, myself included, are crossing security zones without even knowing it with the various layers of management and abstraction that are in use today. The security zones that I am referring to are the classes of service for various levels of a network infrastructure.
Take for example a typical server in today’s data center and also assume it is a virtual machine host. This particular server may have the following network attributes: a hardware management interface such as an HP Integrated Lights-Out management processor, the operating system management interface, the virtualization layer migration interface, a storage interface for a system such as iSCSI, and a number of virtual machines all on separate VLANs. In this example, the single piece of equipment interacts with no fewer than five security zones before the actual systems come into play.
This discussion brought me to consider that with technologies such as VLANs and options made available through virtualization, it is prime time to rethink where everything resides. Security issues aside — it simply makes sense to separate these network presence points where they are classified as security zones. Performance reasons will also benefit, as I mentioned in a prior post about iSCSI network separation.
How do you approach different security zones on networks? Are VLANs enough — or are fully separate switching environments adequate for your requirements? This area is very compliance- and requirement-driven, so there is no clear answer. Share your comments below on this area where we all can likely improve.
Rick Vanover is an IT Infrastructure Manager for Alliance Data in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware. You can catch Rick on Twitter and read his full profile.
