Virtualization: How to Isolate Application Traffic

Many people are concerned with virtualization security (already coined VirtSec), and they're applying that concern from the virtual images all the way down the stack, to the network infrastructure through which virtualized application traffic is delivered. The desire for network infrastructure to be itself virtualized is growing out of a perceived need to isolate application traffic at every point in the infrastructure. But the technology to isolate application traffic at layer 2 and 3 of the infrastructure already exists, and has been essentially virtualized for years.

The sudden desire for everything in the infrastructure to be virtualized completely is borne primarily out of security concerns. When you're running two or three or more virtual images on the same server it's natural to want them to be isolated from one another, so that a potential problem with one does not affect another. Too, it's an issue with keeping application data segmented, separated in order to clearly delineate the delivery path and to keep each stream of traffic pure.

Of course that's amusing as multiple applications deployed on the same application server container, such as IBM WebSphere or Oracle/BEA WebLogic, cross the streams necessarily, so the sudden "OMG we have to isolate traffic completely" is a bit incongruous with most architectures, but c'est la vie, right?

This leads to the belief that routers, switches, and application delivery solutions must be virtualized and compartmentalized such that application data is isolated even as its traversing the network.

But the actual mechanism for how this is accomplished does not need to mirror virtualization as it is understood at the operating system or application level because for many years we're have something called VLANs (Virtual LAN) that performs this task for us already.

VLANs are a standard layer 2 mechanism for segmenting and effectively isolating application traffic. Data on one VLAN cannot be seen or accessed by data traversing another VLAN, they are effectively separate streams. It is interesting to note that VLANs are one of the core technologies used to implement solutions such as NAC (Network Access Control) because it does the job and isolates "good" traffic from "might be bad" traffic in order to preserve the cleanliness of the network and protect access to resources. How the VLANs are used is part of the secret sauce of NAC and related technologies, with user traffic being moved from one VLAN to another as it moves through the authentication and authorization process. There's more to NAC than this, of course, but VLANs are almost always part of the equation - because they do the network side job so well without incurring the additional overhead of new infrastructure solutions.

That's because traffic assigned to different VLANs is isolated. Traffic on one VLAN cannot be seen or accessed by traffic on another VLAN. Servers on one VLAN cannot talk to servers on another VLAN unless a switch or router or other routing-capable device allows the traffic to pass across the VLANs.

VLANs are supported by all layer 2/3 capable devices today, which means just about everything - from routers to switches to load balancers to servers. The problem is that we've grown to use VLANs as an architectural tool rather than a security tool, and often don't consider how valuable such a simple, existing technology can easily be applied to more emerging, cutting edge concepts. In fact, VMWare has an excellent white paper on how to configure ESX 3 with VLANs using vSwitches that not only explains how to configure ESX to take advantage of VLANs, but also discusses VLANs in general including various approaches and their relative merits.

There's a lot of new technology you need to acquire and implement for a successful virtualization initiative, but products that specifically isolate application traffic using nifty new virtualized systems is not necessarily one of them. I'm sure there are architectures and business reasons why you might need more, but if you're just attempting to isolate application traffic as due diligence, you may be overanalyzing the situation. Your existing infrastructure is almost certainly VLAN capable right now, and can likely be used right now to accomplish your goals of isolating application traffic.

Sometimes the answer to a problem really is an existing technology or solution, you've just got to cut through the hype out there to find it.

AddThis Feed Button Bookmark and Share

Published Nov 07, 2008
Version 1.0
No CommentsBe the first to comment