Enterprises and their users are facing a host of security challenges, from phishing attacks to risks from
unsecured Wi-Fi. And now we're even seeing Internet edge implementations add security risks.
Below I'll describe the two approaches for building a secured Internet edge infrastructure and weigh which is the better option for you and your users.
Internet Edge Infrastructure Design: Converged or Separate
Internet connectivity for most organizations follows a pretty standardized approach. Figure 1 (below) shows the most common topology.
A router connects the Internet service providers (ISPs) to a perimeter firewall that protects a services network, often called a demilitarized zone (DMZ), where Internet-facing services such as web servers live. These services rely on internal applications and data systems. An internal firewall separates the DMZ from the internal systems so that a compromised DMZ host cannot simply reach inward. Connections between the DMZ services and the internal systems are generally initiated from the internal network toward the DMZ, which adds another layer of protection: the internal firewall's policy does not permit the DMZ services to open new sessions to the internal servers, only return traffic for sessions the internal systems established. Redundant components (two ISPs, dual routers, firewall pairs, load balancers, and multiple web servers) provide resilience. Everything connects through switches for flexibility in interconnection.
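The directional rule just described is easy to state and easy to get wrong in a rule set, so here is a small session-tracking model of it. This is an added example, not code from the original article or any vendor: the zone names, ports and addresses are assumptions, and the perimeter and internal firewalls are modelled as one zone policy for brevity. The point it makes is that "no rule from dmz to inside" still lets replies flow back to the inside, because the firewall tracks the sessions the inside opened.

```python
"""Stateful zone policy at the Internet edge (constructed example).

Three zones as in Figure 1: "internet", "dmz" and "inside". The policy lets
the Internet reach the DMZ web tier, lets the inside initiate toward the DMZ,
and contains no rule from "dmz" to "inside", so a compromised DMZ host cannot
open a session inward. Replies to an established session pass in either
direction because the firewall tracks sessions. Zone names, ports and
addresses are assumptions for illustration, not a vendor's configuration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool            # True only for the first packet of a new TCP session


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    dst_port: Optional[int]   # None matches any destination port


# Anything not matched by a rule is dropped (default deny).
POLICY = [
    Rule("internet", "dmz", 443),      # perimeter: clients reach the web tier
    Rule("inside", "dmz", 8443),       # internal systems poll the DMZ service (assumed port)
    Rule("inside", "internet", None),  # outbound from the inside (assumed)
]


class ZoneFirewall:
    """Minimal session-tracking firewall: rules decide new sessions only."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()        # (src_ip, src_port, dst_ip, dst_port)

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"           # part of an established session, either direction
        if not pkt.syn:
            return "drop"            # mid-stream packet with no session: never permitted
        for rule in self.rules:
            if (rule.from_zone == pkt.src_zone and rule.to_zone == pkt.dst_zone
                    and rule.dst_port in (None, pkt.dst_port)):
                self.sessions.add(fwd)
                return "allow"
        return "drop"                # default deny, which covers dmz -> inside


def run_scenario():
    """Replay constructed traffic and return the per-packet decisions."""
    fw = ZoneFirewall(POLICY)
    web, client, app = "192.0.2.10", "203.0.113.9", "10.0.0.5"   # documentation ranges
    return [
        fw.process(Packet("internet", "dmz", client, 40000, web, 443, syn=True)),    # allow
        fw.process(Packet("dmz", "internet", web, 443, client, 40000, syn=False)),   # allow: reply
        fw.process(Packet("inside", "dmz", app, 50000, web, 8443, syn=True)),        # allow
        fw.process(Packet("dmz", "inside", web, 8443, app, 50000, syn=False)),       # allow: reply
        fw.process(Packet("dmz", "inside", web, 51000, app, 22, syn=True)),          # drop: DMZ may not initiate inward
        fw.process(Packet("dmz", "inside", web, 51000, app, 22, syn=False)),         # drop: no session to ride on
    ]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last two packets are the case the internal firewall exists for: a DMZ host that has been taken over gets no session inward, whether it sends a fresh SYN or tries to slip a mid-stream packet past a firewall that does not track state.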
There are two choices in how to construct the Internet edge infrastructure: the separate device model and the converged network model.
Separate Device Internet Edge
The traditional approach uses physically separate devices at each security boundary (as shown above). The routers, switches, and perimeter firewalls are all physically separate devices. The DMZ networks and the servers within the DMZ are also separate from the internal network infrastructure.
The Converged Internet Edge
The trend is to converge multiple logical networks onto one set of physical hardware. Fewer switches and routers can provide the same connectivity by carrying several logical networks as VLANs and virtual routing and forwarding (VRF) instances, and multiple firewall instances can run on one hardware platform as virtual machines. The logical topology is the same as in Figure 1, but the physical topology is very different, as shown in Figure 2 (below).
The firewalls can often run as virtual machines on the same x86 platforms that host the DMZ services, which is why the converged solution can be less expensive than the physically separate one. Note that in that arrangement the hypervisor and its management plane sit on the security boundary: whoever controls the host controls both the firewall and the servers it protects.
What’s Best?
Networking is always about making good choices when presented with tradeoffs. Let’s look at the tradeoffs with the separate or converged Internet edge.
Capital Costs
Most organizations focus on reducing capital costs without considering operational costs. Will the physically separate network cost more? Perhaps not: the smaller, simpler devices used at the Internet edge are often less expensive and better suited to a single task.
Another criterion is resilience. The converged solution amounts to putting all your eggs in one basket and watching it carefully, while the physically separate solution gets its resilience from redundancy.
Operational Costs
The configuration of a converged infrastructure is more complex than that of the physically separate architecture. You'll need staff with a higher level of expertise, and they must be more careful when planning and executing infrastructure changes, so change control planning will have to expand. Since any change could affect network security, every change on the converged infrastructure should go through a security review.
Maintenance outages are harder to schedule on converged infrastructure because the services are concentrated on fewer devices. Patching to address security vulnerabilities forces organizations to perform regular software maintenance, and that need runs directly counter to the difficulty of scheduling maintenance windows when one device's outage affects many services.
Conversely, physically separate infrastructure reduces the chance that a cabling or configuration error opens a security hole: with separate devices, cabling changes are unambiguous. It is also easier to maintain connectivity and Internet routing to the ISPs on devices dedicated to external connectivity.
Regardless of whether you use converged or physically separate infrastructure, network automation requires that the basic design and implementation be standardized as much as possible. The goal is to maximize the opportunity to automate configuration maintenance and validation testing, which lowers operational costs.
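The security review and the automated validation testing mentioned above can be the same gate. The following is an added example, not code from the original article or any vendor product: it reads a candidate rule set in an assumed, simplified text syntax, lists the permits a change adds, and fails the change if it breaks an invariant of the Figure 1 design (for instance, a new permit that lets the DMZ initiate sessions into the inside zone). It also flags rules that a final catch-all deny makes unreachable, a common side effect of a hurried edit.

```python
"""Pre-change validation for an Internet edge rule set (constructed example).

Rule syntax is an assumed, simplified one (not any vendor's), one rule per
line: "<permit|deny> <from_zone> <to_zone> <dst_port|any>". Rules are matched
top-down; the first match wins. The checks encode two invariants of the
Figure 1 design so that a change which breaks them fails review automatically:
  I1: only the inside zone may initiate sessions into the inside zone
      (nothing from dmz, internet or any).
  I2: no permit from the internet zone may use port "any".
"""

# Constructed current policy, matching the topology in the text.
CURRENT_RULES = """\
permit internet dmz 443
permit inside dmz 8443
permit inside internet any
deny any any any
"""

# A constructed proposed change that "just" lets the DMZ web tier reach an internal DB.
PROPOSED_RULES = """\
permit internet dmz 443
permit inside dmz 8443
permit dmz inside 3306
permit inside internet any
deny any any any
"""


def parse_rules(text):
    """Parse the rule text into (action, src_zone, dst_zone, port) tuples."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {n}: cannot parse rule {raw!r}")
        rules.append(tuple(parts))
    return rules


def violations(rules):
    """Return (rule, reason) for each rule that breaks I1 or I2 or is unreachable."""
    found = []
    blocked = False                       # True once a catch-all deny has been seen
    for rule in rules:
        action, src, dst, port = rule
        if blocked:
            found.append((rule, "unreachable: follows a deny any any any"))
            continue
        if action == "deny" and (src, dst, port) == ("any", "any", "any"):
            blocked = True
            continue
        if action != "permit":
            continue
        if dst in ("inside", "any") and src != "inside":
            found.append((rule, "I1: permits sessions initiated into the inside zone"))
        if src == "internet" and port == "any":
            found.append((rule, "I2: unrestricted permit from the internet zone"))
    return found


def added_permits(current, proposed):
    """Permit rules present in the proposed set but not in the current one."""
    return [r for r in proposed if r[0] == "permit" and r not in current]


def review_change(current_text, proposed_text):
    """Return the review result a change-control gate would act on."""
    current = parse_rules(current_text)
    proposed = parse_rules(proposed_text)
    result = {
        "added_permits": added_permits(current, proposed),
        "violations": violations(proposed),
    }
    result["approve"] = not result["violations"]
    return result


if __name__ == "__main__":
    report = review_change(CURRENT_RULES, PROPOSED_RULES)
    for rule in report["added_permits"]:
        print("added:", " ".join(rule))
    for rule, reason in report["violations"]:
        print("violation:", " ".join(rule), "->", reason)
    print("approve:", report["approve"])
```

Run it against a rendered or exported rule set before every change window; the invariants are the same whether the firewall is a dedicated appliance or a virtual instance on converged hardware, which is exactly why a standardized design makes this kind of check cheap to keep.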
Reduce the Blast Radius
Another factor in Internet edge design is the so-called blast radius, or failure domain, of a problem: how much of the business is affected when something bad happens. You want to keep it small. A problem in the DMZ shouldn't disrupt internal network operations.
Convergence, however, concentrates more services on fewer devices, which widens the blast radius. Ideally, internal business operations keep functioning even while the Internet edge is under cyber-attack or an Internet edge device is malfunctioning.
Once you understand the blast radius, use designs that keep the failure domains small. Network segmentation, usually implemented for security, serves network resilience as well, because each segment bounds a failure domain.
Network Security
Closely related to the blast radius is the impact of cyber-attacks. A distributed denial-of-service (DDoS) attack against your Internet edge infrastructure shouldn't affect the performance of the internal systems. It may be tempting to fold the Internet edge into the data center-to-data center connectivity, but then an attack on the Internet edge equipment can disrupt communications between data centers. Widespread problems like this are difficult to diagnose and impossible to remediate without changing the network. This scenario is real; we've had customers experience these problems.
The highest security risk comes from network changes, which the network industry has consistently identified as the most common cause of network failures. The risk is that an incorrect change within the Internet edge infrastructure jeopardizes the internal network.
Physical or Converged Internet Edge?
Is separate physical infrastructure or a converged infrastructure best? A converged Internet edge may have an advantage in initial purchase price (capital cost), but that advantage is outweighed by the increase in operational costs. There are even times when we've seen that smaller individual devices are less expensive than the larger devices needed to build a converged network. Some of the operational risk from the factors above can be reduced with mechanisms such as DDoS mitigation. We recommend that you consult with your equipment vendors to determine the best and safest way to implement your Internet edge design.