Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The network’s role in improving application security, reliability and efficiency

David Klebanov | March 21, 2011
Access to data center resources needs to be fast, secure and reliable, a significant challenge for the data center network infrastructure which is tasked to adhere to the following principles

In case of Layer 3 "adjacency," when servers are separated from the service appliances by Layer 3 hop(s), Aggregation/Distribution Layer devices hold the traditional role of the default gateway and route, rather than bridge, the traffic toward the service appliances.

 

Service appliances most often maintain session state and require symmetric traffic flow between clients and servers; failure to do so breaks TCP session establishment. In the case of a single data center special care needs to be taken to force the returning traffic (from servers to clients) back to the service appliances rather than having Aggregation/Distribution Layer devices route the traffic directly towards the clients bypassing them.

In case of multiple data centers or cloud deployment, several service appliances pairs can exist and it is important to make sure the returning traffic reaches the service appliances pair which processed the "going forward" traffic, because this pair will have the state for these connections. There is no particularly elegant way of making it happen and tools such as Source NATing or policy-based routing have to be employed, unless you're willing to consider and experiment with LISP.

Another consideration in regard to Layer 3 "adjacent" service appliances is to prevent servers behind these service appliances from talking to each other, bypassing security policy enforcement, such as the case with firewalls and IPSs. In this case, direct server communication can be avoided by utilizing VLAN-to-VRF mapping defined on aggregation/distribution devices. VLAN-to-VRF mapping is also an essential tool for creating security zoning, were VLANs belonging to a common VRF (common security zone) can communicate without firewall policy enforcement or IPS inspection, while only traffic traversing the security zone boundaries is forwarded to the firewall or IPS for analysis.

 

Bridge operation mode

Bridge mode service appliances behave as switches or bridges forwarding traffic based on MAC address reachability, with client and server facing sides sharing the same IP subnet. Introduction of bridge mode service appliances does not require IP address changes, which makes them attractive. However, being Layer 2 entities, they must play "nicely" with the Layer 2 bridging domain to prevent formation of loops. This can be achieved by either not forwarding traffic on standby appliances (assuming two appliances exist for high-availability) or passing Spanning Tree BPDUs on both active and standby appliances while allowing the surrounding Layer 2 network to converge around them (Spanning Tree-wise).

 

Previous Page  1  2  3  4  5  Next Page 

Sign up for Computerworld eNewsletters.