Overlay Networks
So far, we have discussed the exchange of packets as the folks who wrote TCP/IP originally intended. The original design philosophy was that a packet travelled from end-to-end, with a unique address. NAT does interfere with this, but in a manner which is easy to explain and understand. But sometimes we need more complex solutions, in business, on the Internet and in Data Centres. Networks function in the way they do not because it is the best way, but due to a sequence of paths of least resistance over the history of network development.
At layer 2, we have a broadcast domain with many nodes. In modern switched Ethernet, each switch port is its own collision domain, so much of the original functionality for carrier sense multiple access with collision detection (CSMA/CD) no longer has a real purpose; the broadcast domain, however, is still the whole switched network (or the whole VLAN). An Ethernet network is a single broadcast domain; a frame sent to the broadcast address will be received by every node on that network, and any node can send a unicast frame directly to any other. This presents a horizontal attack surface: if a single node on an Ethernet is compromised, it can attack every node on that Ethernet. This original design was based on peer-to-peer networking, which has little place in modern networks. The underlying design could be claimed to be wrong, but almost all conventional networks are built this way. Technologies which allowed circuit switched or point-to-point connectivity on the LAN, such as Asynchronous Transfer Mode (ATM), did not gain wide commercial acceptance and have been deprecated. To reduce the size of Ethernets, nodes can be placed on separate networks. Originally these were separate physical networks, but on a modern LAN, virtual LANs (VLANs) separate the logical design of a network from its physical design. Unfortunately, there are attacks which defeat this strategy and allow an attacker to "jump" networks, collectively known as VLAN hopping: switch spoofing, where an attacker's port negotiates itself into a trunk (for example through DTP), and double tagging, where a frame carrying two 802.1Q tags is forwarded from the native VLAN of a trunk into another VLAN. The usual mitigations are to disable trunk negotiation on access ports and to keep the native VLAN of trunks unused by any host.
At layer 3, our networks are packet switched. An IP subnet normally maps one-to-one onto a layer 2 broadcast domain, so the subnet is again a common broadcast domain (ARP and IP broadcasts reach every host in it), with all the performance and security issues that that entails. We have already seen how to segment networks using VLANs. It is hard to find precise guidelines on how to approach segmentation. In my notes, I take this back to the early days of Ethernets which were built using coax. A LAN was a group of nodes which shared the same geographic location, the same requirements for access to applications, and the same security level. We use the same definition for VLANs. On a network diagram, the flows of data from a client node to a server tend to run up and down the page; we refer to this as north-south traffic. In classic designs, a firewall sits between the client VLANs and the servers and inspects this north-south traffic. In the notes on VLANs, we also introduced the concept of a private VLAN and port isolation. In this case, a node can only communicate with the uplink (promiscuous) ports, not with other ports that are nominally in the same VLAN. This sort of functionality is very useful in apartment blocks, where we can service each end user and provide Internet access, whilst isolating the end users from each other at layer 2. I could make a strong argument that this is the correct design for any modern enterprise LAN, since a compromised workstation then has no layer 2 path to its neighbours at all.
In modern data centre design, we introduce the concept of micro-segmentation. Traffic from a load balancer to a Web server passes across the data centre and, in classic designs, does not pass through a firewall. This is referred to as east-west traffic. One way to secure this traffic would be to ensure that the Web server shared a broadcast domain with only the load balancer. We could do this using VLANs, but it would not scale well: the 802.1Q tag carries a 12-bit VLAN ID, so at most 4094 VLANs are available, and every such pairing would need its own VLAN and its own routed interface. This is one of the motivations for the overlay networks discussed in these notes.
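To make the effect of these designs concrete, the following is an added example (not part of the original notes) that models, in Python, which hosts a compromised node can reach. It covers the private VLAN / port isolation design from the previous paragraph and the east-west micro-segmentation from this one, and compares each with the flat design it replaces. The host names, VLAN numbers, the `assign_vlans` helper that applies the (location, application requirements, security level) rule, and the allowed-flow table are all constructed for illustration.

```python
"""Reachability model for flat Ethernet, private VLANs and micro-segmentation.

Added example, not from the original notes. Host names, VLAN numbers and
the permitted flows below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """A switch port. role is 'host' (ordinary access port), 'isolated'
    (private VLAN member that may only talk to the uplink) or 'uplink'
    (the promiscuous port towards the router / Internet)."""
    name: str
    vlan: int
    role: str = "host"


def l2_reachable(src: Port, dst: Port) -> bool:
    """True if a frame from src can reach dst without crossing a router."""
    if src == dst or src.vlan != dst.vlan:
        return False                      # different broadcast domains
    if "isolated" in (src.role, dst.role):
        # Port isolation: an isolated port exchanges frames only with the
        # uplink, never with its neighbours in the same VLAN.
        return "uplink" in (src.role, dst.role)
    return True


def l2_blast_radius(ports: list[Port], compromised: Port) -> set[str]:
    """Horizontal attack surface: every port the compromised node can frame."""
    return {p.name for p in ports if l2_reachable(compromised, p)}


def assign_vlans(hosts: dict[str, tuple[str, str, str]]) -> dict[str, int]:
    """Segmentation rule from the notes: one VLAN per (location, application
    requirements, security level). VLAN IDs are allocated from 100 upwards."""
    ids: dict[tuple[str, str, str], int] = {}
    return {name: ids.setdefault(key, 100 + len(ids))
            for name, key in sorted(hosts.items())}


@dataclass(frozen=True)
class Flow:
    """A permitted east-west connection, e.g. load balancer -> web on 443."""
    src: str
    dst: str
    dport: int


def lateral_movement(hosts: set[str], policy: set[Flow], start: str,
                     east_west_filtered: bool = True) -> set[str]:
    """Hosts an attacker who owns `start` can pivot to by following permitted
    flows (breadth-first). east_west_filtered=False models the classic design:
    the firewall only sees north-south traffic, so inside the data centre
    every host can reach every other host."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for h in hosts - seen:
            if not east_west_filtered or any(f.src == cur and f.dst == h
                                             for f in policy):
                seen.add(h)
                queue.append(h)
    seen.discard(start)
    return seen


# Constructed sample topologies (hypothetical names, not from the notes).
FLAT_LAN = [Port(f"flat{i}", vlan=10) for i in range(1, 5)]
PRIVATE_VLAN = [Port("isp-uplink", 20, "uplink")] + \
               [Port(f"flat{i}", 20, "isolated") for i in range(1, 5)]
DC_HOSTS = {"lb", "web", "db", "backup"}
MICROSEG_POLICY = {Flow("lb", "web", 443), Flow("web", "db", 5432),
                   Flow("backup", "db", 22)}

if __name__ == "__main__":
    print("flat LAN, flat1 compromised:",
          sorted(l2_blast_radius(FLAT_LAN, FLAT_LAN[0])))
    print("private VLAN, flat1 compromised:",
          sorted(l2_blast_radius(PRIVATE_VLAN, PRIVATE_VLAN[1])))
    print("classic DC, web compromised:",
          sorted(lateral_movement(DC_HOSTS, MICROSEG_POLICY, "web", False)))
    print("micro-segmented DC, web compromised:",
          sorted(lateral_movement(DC_HOSTS, MICROSEG_POLICY, "web")))
```

Run as a script, the model shows the point of the two designs: in the flat apartment-block LAN a compromised flat reaches every other flat, while with port isolation it reaches only the ISP uplink; in the classic data centre a compromised web server can pivot anywhere, while under the allow-list policy it can only follow the one flow it is permitted (to the database) and the database itself can pivot nowhere. The model is deliberately at the level of "which hosts can exchange packets"; it says nothing about whether the permitted flow is itself exploitable.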