Natalie Timms


Building an Information Security Policy Part 4: Addresses and Identifiers

The first three posts in this series have focused on many physical aspects of building a secure network: choosing hardware and software, and understanding your physical topology in order to apply your security policy. In this post, I will cover the key element of effective network security: understanding addresses and identifiers that will serve as policy selectors for network traffic.

Addresses and identifiers are the basis on which actual security policy rules and requirements are implemented. Each type of traffic identified is associated with various security techniques, each of which has benefits but may also introduce complexity; security policy must be applied uniformly across the network, and one technique should not adversely affect another.

Traffic identifiers such as IP addresses, VLANs, and VRFs have two major functions. First, they allow traffic to be routed, forwarded and segmented across the network. A poorly designed IP addressing scheme will degrade forwarding by introducing delays, overloading routing tables (because the scheme cannot be summarized), and possibly black-holing traffic, which affects resource availability.

[Read how Tom Hollingsworth sees VMware NSX as a way to bring networking and security together in "Networking, Security, And Grand Unified Theory."]

The second function of logical identifiers is to classify traffic of interest that requires further evaluation. Once you identify these flows, you can apply security policy to them. The types of security techniques and the granularity applied to the interesting traffic flows are determined by the type of identifier used to classify the flow.

After the internal identification scheme is defined, it is also important to ensure that no part of it can be spoofed or modified to facilitate an attack.

Here is a summary of common traffic identifiers or policy selectors and some security measures associated with them:

Layer 2

• MAC addresses: port security, dynamic ARP inspection

• VLAN IDs: private VLANs (PVLAN), VLAN access lists

Layer 3

• IPv4/IPv6: IP-based access-list filtering, including best practices support for anti-spoofing, IPsec protection

• IPv6: ICMPv6 filtering, Secure Neighbor Discovery (SEND)

Layer 4

• Ports and protocols: stateful filtering, TCP normalization, TCP SYN attack protection

Layer 7

• IP/TCP Header fields: RFC compliance checks, threat vector identification for IPS services

Implementing security methods at Layer 4 and above typically identifies interesting traffic in two steps. First, a subset of overall network traffic is identified (using IP addresses, for example); that subset is then filtered through the upper-layer service.

Not all network traffic needs to be subjected to the same level of security or type of inspection, so identification must be done appropriately: protect effectively without degrading performance by subjecting every flow to in-depth analysis. Re-classification of traffic is often the result of policy non-compliance and is another consideration when designing an identification scheme.
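To make the two-step selection concrete, here is an added example (not code from the original post) that classifies constructed flow records: it first applies the anti-spoofing check by tying each source address to the prefix assigned to the ingress VLAN, then selects the interesting subset by destination prefix, and only then applies a Layer 4 port policy to that subset. The VLAN-to-prefix map, the "interesting" prefix and the allowed ports are assumed values chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal identification scheme: each VLAN owns exactly one IPv4 prefix
# (constructed values, not from the original post).
VLAN_PREFIXES = {
    10: ipaddress.ip_network("10.1.10.0/24"),   # user segment
    20: ipaddress.ip_network("10.1.20.0/24"),   # server segment
}
# Step 1 selector: only flows destined for the server prefix are "interesting".
INTERESTING_DST = ipaddress.ip_network("10.1.20.0/24")
# Step 2 (Layer 4) policy, applied only to the interesting subset.
ALLOWED_TCP_PORTS = {443, 22}

@dataclass(frozen=True)
class Flow:
    ingress_vlan: int
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

def classify(flow: Flow) -> str:
    """Return the policy verdict for one flow as 'action:reason'."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    # Anti-spoofing (ingress filtering): the source must belong to the prefix
    # assigned to the VLAN the packet arrived on; otherwise the identifier is
    # untrustworthy and no further policy should be evaluated on it.
    prefix = VLAN_PREFIXES.get(flow.ingress_vlan)
    if prefix is None or src not in prefix:
        return "drop:spoofed-source"
    # Step 1: select the subset of traffic that warrants upper-layer checks.
    if dst not in INTERESTING_DST:
        return "permit:forward-only"
    # Step 2: Layer 4 policy only for the interesting subset.
    if flow.proto == "tcp" and flow.dst_port in ALLOWED_TCP_PORTS:
        return "permit:inspect"
    return "drop:l4-policy"

SAMPLE_FLOWS = [  # constructed flow records; 192.0.2.0/24 is a documentation range
    Flow(10, "10.1.10.5", "10.1.20.8", "tcp", 443),
    Flow(10, "10.1.10.5", "10.1.20.8", "tcp", 3389),
    Flow(10, "10.1.20.9", "10.1.20.8", "tcp", 443),   # server address seen on user VLAN
    Flow(10, "10.1.10.5", "192.0.2.10", "udp", 53),
]

def classify_all(flows):
    return [classify(f) for f in flows]

if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f, "->", verdict)
```

The third sample flow shows why the spoofing check runs before any selection: a server-prefix source arriving on the user VLAN would otherwise be classified as trusted server-to-server traffic.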

This post has looked at the more well-known traffic identifiers, such as IP addresses and VLANs. These classifiers are bound to the underlying topology, and while they serve as the classification method for many security techniques, they lack context: it is not easy to tell which users and resources the flows pertain to. This is especially true in networks that use address modification techniques, such as network address translation (NAT), and dynamic allocation of IP addresses. Audit and maintenance become difficult as administrators are forced to remember which addresses pertain to each resource or user group, particularly in a network that must handle many changes.

In my next post, I will examine address modification methods and also discuss how the use of identity-based traffic classification can be used to introduce role-based policy methods to enhance a security policy.
