Cisco Subnet An independent Cisco community View more

Centralizing network security in the data center fabric

A basic overview of the data center fabric and centralized network security.

Welcome. You have taken the red pill, gone down the rabbit hole, and found my first post on secure data center.

Data center security is the topic of choice for many of the conversations I have today with customers, partners, and colleagues. There is growing concern, and for good reason, to protect the crown jewels from today’s advanced and growing threats. My goal in authoring this blog is to discuss the technology crossroads of data center and security technologies and how each can be leveraged together to provide an architectural advantage.

Discussing some of the fundamentals of data center network design and why they are important for network security seems like a great topic for this first post.

There are also many instantiations of data center - Internet Data Center, Extranet data center, Intranet Data Center, the wiring closet that now has servers, or the network and three servers under Bob’s desk. Scale and purpose can differ, but for the purpose of this discussion I will focus on a typical Enterprise Data Center design.

Of course, there are any number of designs possible and arguments for and against each. Should I use Layer 2 or 3 to the access? How do I integrate with Layer 3 encapsulation technologies such as FabricPath? For this initial post I will stick with a traditional Layer 2 design to the access layer.

The multi-layer network model is nothing new and it applies to the data center as much as anywhere else in the network. But I want to highlight a few terms and descriptions for those that don’t touch the data center on a regular basis.

Figure 1.

image alt text

Figure 1

Data Center Core:

  • High-performance Layer 3.
  • Linkage for multiple network modules: Campus Core, Data Center Aggregation.
  • Uncomplicated design, high availability and redundancy.

Data Center Aggregation 

  • Scalable building block and in many cases synonymous with the term end of row.
  • Aggregation block serves as a termination and delineation point between Layer 3 and Layer 2 in the data center.
  • Creates centralized points for ingress and egress data center flows.
  • Excellent location for data center services.
  • Centralized services can be scaled, carved up, and mapped to specific data center pods or containers.

Data Center Services

  • Designed as a Layer 2 offload point for data center services.
  • Adds some flexibility while lowering port utilization and potential complication at the Aggregation layer.
  • Centralized services can be scaled, carved up, and mapped to specific data center pods or containers.

Data Center Access

  • Provides scalable port density for physical server connections.
  • Often referred to as top of rack.
  • Can be Layer 2 or Layer 3 design.
  • Termination point at Aggregation Layer. This can vary depending on design, but that is another discussion.

Data Center Virtual Access

  • Virtual switching and network layer created through server virtualization and Hypervisor technologies.
  • Can span one or more physical servers.
  • Merging point between physical and virtual networks.

This network model is not new but it does offer a an architecture that provides a scalable building block approach to the Layer 2 and Layer 3 data center fabric.

There is by no means one "right" design. Virtualization, data center fabric technologies, high-speed computing, redundancy and scale, and the overall business mission can affect how the data center is architected and just as importantly how it is secured. Security can be a religious battle, but at a minimum it should provide security and augment an environment to preserve and protect the business.

I’ve seen all kinds of security designs for the data center. No firewalls. Firewalls used in the core, firewalls used as routers or switches, the list goes on and on. I always try and consider one important element when discussing network security for the data center; it must integrate with the data center fabric. Meaning it should not require major changes in the overall data center network design to implement.

By creating a centralized service model, network security can be sliced up and scaled per zone or container. Of course, this is not always possible, but there are benefits if it can be done.

Figure 2.

image alt text

Figure 2

In this example, network firewalls and other services are deployed at the Aggregation or Services Layer. This provides a way to forward specific ingress and egress flows through a security stack while bypassing the stack for other flows, such as server backups. As the needs of the data center grow, additional security services can be added to create some elasticity for the server zones. As long as there is enough throughput, port density, or slot capacity on the data center network devices, additional security modules or appliances can be added and remain centralized for all zones.

Figure 3.

image alt text

Figure 3

In many cases, the network firewall can be carved up into multiple virtual contexts that allow specific policy mappings to each zone or tenant. This can be done using VLANs, IP ranges, VRFs, specific for each of these zones and then mapping them back through each physical firewall or virtual context. In this example, the physical firewall is connected at the Aggregation Layer and we take advantage of virtual contexts with VRFs to logically insert the firewall and other services into each zone.

Figure 4.

image alt text

Figure 4

This type of segmentation can be accomplished with the sole use of physical firewalls, but by taking advantage of the virtualization features you are able to take a physical firewall at the Aggregation Layer and slice it up and provide security services for each server zone. This slicing is aligned with the use of VLANs, VRFs, and IP Subnets for each zone, as mentioned above. Alternatively, the firewall could have been located at the Services Layer with the same results. This centralized model can be leveraged by organizations using zones for simple segmentation or in a multi-tenant environment where each zone represents a customer.

This type of design can also be used to segment a multi-tier application environment by inserting context between server tiers using VLANs and VRFs.

Figure 5.

image alt text

Figure 5

In the above example, a firewall virtual context was created for Zone1 and is inserted between the VRF gateway and the Database. VLANs 141 and 142 are bridge by the firewall, which is configured in Layer 2 mode.

There is always the discussion of Layer 2 vs. Layer 3 firewalls in the data center and what is better and why. This is one of the topics I will discuss in future posts along with: virtualization security, the intersection of physical and virtual networks, threat defense and visibility, and other topics as they come up.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.