Why securing East-West network traffic is so important – and how it can be done


Systems Approach One of the fun things about being an Australian living in the Northern hemisphere (which was my situation for over 30 years) is having repeated conversations about which way water rotates when it goes down the drain.

OK, it becomes a bit less fun over time, but I was always surprised that few people actually tried the experiment of checking out a few different drains in their own hemisphere. It turns out that drain geometry and initial water motion in the sink, not the Coriolis effect, dominate the direction of rotation – so you will see both directions in either hemisphere.

There is actually a nice YouTube video that shows this, and then impressively proceeds to show the effect of Coriolis force on water draining out of a pair of identical kiddie pools in the two hemispheres (thus removing the confounding factors in most sinks, toilets, etc.).

A similar amount of time goes into explaining that North is not really "up" – it's just shown that way on maps drawn by Northern hemisphere-based explorers and almost every other cartographer since then.

My father, who traveled quite a bit to the Northern hemisphere in the 1970s, might have been one of the first to make custom maps that put South at the top, to point out to his overseas colleagues that their map-drawing conventions were just that: arbitrary conventions. Never mind the issues of projection, which left me thinking Greenland was bigger than Australia until I learned about alternatives to Mercator.

All of this has been on my mind this week as (a) I returned to the Northern hemisphere for the first time since 2020 (see previous notes about my talk in Edinburgh), and (b) I spent a lot of time with maps when I was out walking in the highlands of Scotland, and (c) I found myself needing to explain the difference between East-West and North-South traffic to some colleagues in the context of datacenter security.


I'm not exactly sure of the origins of this naming convention, but the idea is that the ingress/egress point of a datacenter carries the "North-South" traffic, while the traffic that flows between servers within the datacenter is the "East-West" traffic.

Why do we even make this distinction? One big reason is security. Historically, the simplest way to "secure" a datacenter was to put some set of appliances (firewalls, intrusion detection systems, etc) at the ingress/egress point.

This is the "perimeter" model of security, which became prominent for several reasons. First, the number of ingress points to a datacenter is small – perhaps as low as one, certainly no more than a handful. So it is natural to place centralized security appliances next to those choke points so that all the traffic can be passed through them.

Furthermore, the bandwidth involved at ingress is likely to be orders of magnitude less than the total East-West bandwidth. Traffic entering a datacenter is likely to be measured in gigabits per second, while East-West traffic can easily run into the terabits. Neither of these points means that perimeter security is a good model – just that it was for a long time the most practical approach.


It is worth taking a step back to ask why centralized appliances became the preferred way to apply security controls.

One version of this story is that the original internet architecture had no security, and that early efforts to add security followed the end-to-end argument, which makes a good case for putting security into end-systems.


For example, encryption and authentication are security mechanisms that can be implemented in end-systems (provided you can find a way to manage key distribution, which has proven challenging).

However, as David Clark (co-author of the end-to-end argument) pointed out in a 2001 paper with Marjory Blumenthal, a multitude of factors pushed the internet towards the adoption of centralized appliances inserted into the path of traffic by the late 1990s. Factors such as the rise of malware, the adoption of the internet by unsophisticated users, and the unreliability of software implementations on end-systems (eg, operating system bugs).

While many internet purists lamented the decline of the end-to-end principle, Clark and Blumenthal adopted the position that we have to deal with the world we live in rather than some idealized parallel universe. Centralized firewalls became part of the landscape because they allowed IT administrators to gain some control over the security of their networks in a world of increasing threats, without depending on the impractical notion that every end-system would do the right thing.

By the time I came to be involved in datacenter networking around 2012, the idea of securing the "perimeter" of the datacenter – which essentially involved putting a number of appliances into the ingress/egress path – was well established.

Unfortunately, it was also fast becoming clear that this approach was inadequate, as a lack of East-West security meant that a compromise of a single (perhaps non-critical) system within the perimeter could provide the launching pad for a much more serious attack via lateral movement among systems.

The poster child for this issue was the 2013 cyber attack on the US superstore chain Target. The initial security breach took place via a refrigeration contractor's computer, allowing intruders to gain a foothold inside the perimeter of Target's network, from where they were able, over a period of weeks, to move laterally among systems until they obtained the credit card details of about 100 million customers.

There was no reason for the contractor portal (the original entry point for the attack) to have any connectivity to the systems that held credit card data. Nevertheless, because both systems were "inside the perimeter" there were limited security controls between them. Lack of control over East-West traffic was the key to this and many other attacks.

Not easy

Securing East-West traffic in 2013 was a fundamentally hard problem, because there is a huge number of paths between systems carrying massive volumes of data, and the traditional way to secure this would be to divide the network into a small number of zones with firewalls between them. Within a zone, traffic still flowed freely. It was either impractical or prohibitively expensive to place firewalls in such a way that all East-West traffic could be intercepted.

I came to be interested in this issue because of the development of network virtualization that was taking place at about the same time as the Target security breach. Our early network virtualization product at Nicira virtualized layer 2 (switching) and layer 3 (routing), and we had long held the view that we would work our way up the layers to virtualize all of networking. A simple firewall operates at layer 4 (looking at transport protocol port numbers) and so this was the logical next step.

Network virtualization enables an SDN-style implementation of a firewall. By SDN-style, I mean that the data plane is distributed while the control plane is logically centralized.

In the diagram below, the distributed data plane runs in the virtual switch of each server, inspecting the traffic entering and leaving each virtual machine. (Similar approaches can be applied to containerized or bare-metal workloads.)

[Diagram illustrating traffic in a datacenter]

This means it is now possible to apply firewall policies to every single packet that traverses the datacenter – even packets that only pass from one VM to another in the same server. Since virtual switches can process packets as fast as the server can send them, it became feasible to have terabits of firewall capacity allocated to East-West traffic.

But because the architecture is based on SDN, there is a logically centralized control plane that simplifies management of the distributed data plane.

From a control plane and management perspective, the firewall still looks like a centralized device, where an IT administrator (or an automated system calling an API) can set the firewall policies for the entire datacenter. But the data plane scales out with server capacity, and there is no need for heroic efforts to force traffic to flow through some centralized appliance.
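As an added illustration (not code from the article, nor from any Nicira or VMware product), here is a toy model of the SDN-style distributed firewall described above: a logically centralized controller holds one datacenter-wide policy and compiles it into per-host rule sets, and a per-server virtual-switch data plane enforces those rules on every packet, including VM-to-VM traffic on the same host. The segment addresses, the policy, and the "contractor portal cannot reach the payment tier" scenario are constructed for illustration, and the default-deny fallback is my assumption rather than something the article states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str             # source segment (CIDR)
    dst: str             # destination segment (CIDR)
    dport: "int | None"  # transport port; None means any port
    action: str          # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

class Controller:
    """Logically centralized control plane: one policy for the whole datacenter."""
    def __init__(self, rules):
        self.rules = [Rule(*r) for r in rules]

    def compile_for(self, host_vms):
        # Each host receives only the rules that mention a VM it runs.
        hosted = [ip_address(v) for v in host_vms]
        return [r for r in self.rules
                if any(v in ip_network(r.src) or v in ip_network(r.dst) for v in hosted)]

class VSwitch:
    """Distributed data plane: enforcement in each server's virtual switch."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, src, dst, dport):
        # First matching rule wins; unmatched traffic is dropped (assumed default deny).
        for r in self.rules:
            if r.matches(src, dst, dport):
                return r.action
        return "deny"
# Constructed policy: only the web tier may reach the payment tier, and only on 443.
POLICY = Controller([
    ("10.3.0.0/24", "10.2.0.0/24", 443, "allow"),  # web -> payment, HTTPS
    ("0.0.0.0/0", "10.2.0.0/24", None, "deny"),    # anything else -> payment
])
def target_scenario():
    """Portal VM and payment VM share a host; both sit 'inside the perimeter'."""
    vswitch = VSwitch(POLICY.compile_for(["10.1.0.5", "10.2.0.9"]))
    return {
        "portal_to_payment": vswitch.decide("10.1.0.5", "10.2.0.9", 445),  # deny
        "web_to_payment": vswitch.decide("10.3.0.7", "10.2.0.9", 443),     # allow
        "web_to_payment_ssh": vswitch.decide("10.3.0.7", "10.2.0.9", 22),  # deny
    }
```

The same-host case is the point: the portal-to-payment packet never leaves the server, so a perimeter appliance would never see it, but the virtual switch still applies the centrally defined policy.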


There is more detail about this aspect of network virtualization in our SDN book. This is by no means the last word in East-West security – Aviatrix, for example, addresses East-West security for cloud workloads.

And it's important to do more than just inspect protocol ports, as Thomas Graf shows in a talk on Cilium. Overall, the design of tools to efficiently provide security services to East-West traffic was one of the key components to implementing zero-trust security – a topic we've covered previously.

It's also one of the main reasons that network virtualization achieved mainstream adoption in enterprise datacenters: it became evident that relying only on perimeter security and a handful of firewall zones was insufficient for today's security challenges.

There is plenty more to be done here, with service meshes being another area of active work addressing (among other things) East-West security.

But at least we no longer punt on the problem by relying solely on centralized appliances at the ingress to focus only on North-South traffic. ®