Avaya explains its 'hyper-segmentation' approach to security
It's time to make Layer 2 scalable again
Interview: It's way too easy to get past a firewall, map out an enterprise's network, and start tapping IP addresses looking for vulnerable machines – so why are we using Layer 3 addressing as the basis of the enterprise network?
Avaya's new software-defined-networking-based architecture proposes to stop TCP/IP-based attack traffic at the edge, by using Layer 2 for as much of the enterprise network as possible.
If it sounds a bit “back to the future” to you, you're not alone: Vulture South found itself travelling backwards in time to an era where products like Novell NetWare, Banyan Vines, LANTastic or Microsoft LAN Manager handled local network addressing, and the only device with a TCP/IP address was the router.
Network administrators abandoned that approach a long time ago: operating systems that supported TCP/IP and DHCP no longer needed a LAN operating system.
Why would you go back in time? Avaya Australia senior network architect Lui Simonetti told Vulture South the mere addressability of devices adds to the threat vectors – and at the same time, the emergence of software-defined networking allows us to change how we create enterprise networks.
Simonetti said one of the big attractions of Layer 3 networking at the end of the 1990s was that networks were outstripping Ethernet's scalability at Layer 2.
“We (the users) made the networks complex,” he said; now, the aim is to “simplify the Layer 2, and make it scalable, so other benefits come to fruition.”
What Avaya is putting to users is based on the 802.1aq shortest path bridging (SPB) protocol it helped author, and on its own implementation of that standard.
The approach is embedded in the company's Fabric Connect and Fabric Extend software; its Identity Engine network access software; its Open Networking Adapter server appliance; SDN controller; and WLAN 9100 wireless controller.
Using SDN at Layer 2 to build connectivity in the enterprise limits how far attackers can travel on the IP paths: they can still port-scan an edge router, for example, but IP isn't used to address traffic to clients on the “inside” (yes, in the world of the extended perimeter, “inside” is a rubbery term).
On the Ethernet side, there's no great difference for the client to notice, Simonetti said: “we're using flooding and learning”, familiar behaviours to build a table of every device you can attach to.
“In the backbone, there is no flooding, and it doesn't look at the frame to learn the structure of the network,” he said. Instead, the SPB protocol uses the IS-IS (intermediate system to intermediate system) routing protocol to learn the structure of the network and create adjacencies between backbone nodes.
“If a node doesn't know a destination, it doesn't flood the network – it just drops the frame. If a router doesn't know a destination, it drops the packet.
“The Layer 2 component in the backbone is different from how Layer 2 normally works – it's behaving like a Layer 3 network.”
The other aspect of SPB is the use of MAC-in-MAC encapsulation (carrying a client Ethernet frame inside another Ethernet frame, entirely at Layer 2) to get traffic between backbone nodes.
“Client frames get encapsulated in another Ethernet frame, but that frame is only addressed to the backbone nodes.”
In a normal Ethernet LAN, every node has to know about every other device it can reach, he said. In SPB, “the backbone only knows the devices inside the backbone, not all the clients.”
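The behaviours Simonetti describes above (flood-and-learn at the edge, a backbone that forwards only on tables built by IS-IS and drops unknown destinations instead of flooding, and client frames wrapped in a second Ethernet header addressed only to backbone nodes) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Avaya code and not a reference implementation of 802.1aq: the MAC addresses, ports, backbone VLAN id and service id (I-SID) are constructed sample values, and IS-IS itself is not modelled; the backbone forwarding table is handed in as a pre-computed dictionary standing in for what IS-IS would have learned.

```python
import struct

# Sample values, constructed for this example only.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_BTAG = 0x88A8   # backbone VLAN tag (B-TAG)
ETHERTYPE_ITAG = 0x88E7   # service instance tag (I-TAG) carrying the 24-bit I-SID

CLIENT_A = "00:11:22:33:44:01"
CLIENT_B = "00:11:22:33:44:02"
BEB1, BEB2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # backbone edge bridges
UNKNOWN_BMAC = "02:00:00:00:00:99"                        # not advertised by IS-IS


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_client_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Ordinary Ethernet II frame as a client would emit it."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def encapsulate(client_frame, b_da, b_sa, b_vid, isid):
    """MAC-in-MAC: outer header names only backbone nodes; the client frame rides inside."""
    btag = struct.pack("!HH", ETHERTYPE_BTAG, b_vid & 0x0FFF)
    itag = struct.pack("!HI", ETHERTYPE_ITAG, isid & 0xFFFFFF)
    return mac(b_da) + mac(b_sa) + btag + itag + client_frame


def decapsulate(frame):
    """Parse the 22-byte backbone header and return its fields plus the inner frame."""
    btag_et, b_tci = struct.unpack("!HH", frame[12:16])
    itag_et, itag = struct.unpack("!HI", frame[16:22])
    if btag_et != ETHERTYPE_BTAG or itag_et != ETHERTYPE_ITAG:
        raise ValueError("not a MAC-in-MAC frame")
    return {"b_da": frame[0:6], "b_sa": frame[6:12],
            "b_vid": b_tci & 0x0FFF, "isid": itag & 0xFFFFFF, "client": frame[22:]}


class EdgeSwitch:
    """Classic access-layer bridge: learns source MACs, floods unknown destinations."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                       # client MAC -> port

    def forward(self, in_port, frame):
        dst, src = frame[0:6], frame[6:12]
        self.table[src] = in_port             # learn from every frame seen
        if dst in self.table:
            return [self.table[dst]]          # known: unicast out one port
        return [p for p in self.ports if p != in_port]   # unknown: flood


class BackboneNode:
    """SPB backbone bridge: table comes from IS-IS, never from frame learning."""

    def __init__(self, isis_table):
        self.table = dict(isis_table)         # B-MAC -> next hop, as computed by IS-IS

    def forward(self, frame):
        info = decapsulate(frame)
        return self.table.get(info["b_da"])   # None = drop; no flooding, no learning


def demo():
    """Run the edge/backbone scenario and return the observable results."""
    results = {}
    edge = EdgeSwitch(ports=[1, 2, 3])
    a_to_b = build_client_frame(CLIENT_B, CLIENT_A, b"hello")
    results["first_flood"] = edge.forward(1, a_to_b)         # B unknown -> flood
    b_to_a = build_client_frame(CLIENT_A, CLIENT_B, b"reply")
    results["reply_unicast"] = edge.forward(2, b_to_a)       # A learned -> port 1 only

    core = BackboneNode({mac(BEB1): "to-beb1", mac(BEB2): "to-beb2"})
    wrapped = encapsulate(a_to_b, b_da=BEB2, b_sa=BEB1, b_vid=4051, isid=10001)
    results["backbone_next_hop"] = core.forward(wrapped)
    stray = encapsulate(a_to_b, b_da=UNKNOWN_BMAC, b_sa=BEB1, b_vid=4051, isid=10001)
    results["unknown_dest"] = core.forward(stray)            # dropped, not flooded
    # The backbone never indexes a client MAC, even after carrying its frames.
    results["client_mac_in_backbone_table"] = mac(CLIENT_A) in core.table
    results["roundtrip_ok"] = decapsulate(wrapped)["client"] == a_to_b
    results["isid"] = decapsulate(wrapped)["isid"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the run is the asymmetry: the edge switch's table fills up with client MACs as frames pass through it, while the backbone node's table contains only the B-MACs that IS-IS advertised, and a frame for a B-MAC it has not been told about is silently dropped rather than flooded to every port.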
Networks within networks
From a security point of view, that means the network is (in Avaya's terms) “hyper-segmented” – and it lets admins “create stealth networks in which nodes have no IP addresses.”
It should also make networks easier to take care of at Layer 2, Simonetti said, because it represents a simplified way to think of the VLAN.
“VLANs are network-significant – the minute you switch it on, it has to be consistent throughout the network.”
Instead, the approach Avaya is pushing makes the VLAN significant to a switch, or to a port, or to the services someone is using – they're segmented “to the port and beyond”.
At Layer 3, the company reckons, it becomes easier to create security zones in a network: “I can create a specific Layer 3 environment for a set of users, or for particular applications. I can create a Layer 3 environment that I only use for device management. Unless you're inside that environment, you can't address it.”
At this point, it's of course necessary to insert the “not a panacea” disclaimer – because end user clients will still get content from the outside world.
The phishing e-mail will, for example, still get from the Internet to the client's computer. But its immediate impact will be limited to those devices that it can address. ®