Today's data center layers a great deal of abstraction, virtualization, and management on top of its inventory of networks and servers. A recent discussion with independent security expert Edward Haletky convinced me that it is time to revisit how security zones are provisioned in new and existing network infrastructure.
Edward pointed out that many administrators, myself included, are crossing security zones without knowing it because of the layers of management and abstraction in use today. By security zones I mean the classes of service assigned to the various levels of a network infrastructure.
Take, for example, a typical server in today's data center and assume it is a virtual machine host. That one server may have the following network presence points: a hardware management interface such as an HP Integrated Lights-Out management processor, the operating system management interface, the virtualization layer's migration interface, a storage interface for a system such as iSCSI, and a number of virtual machines, each on its own VLAN. In this example a single piece of equipment touches no fewer than five security zones before the guest systems themselves come into play, and each guest VLAN may be a zone of its own.
This discussion led me to conclude that, with VLANs and the options virtualization makes available, it is prime time to rethink where everything resides. Security issues aside, it simply makes sense to separate these network presence points once they are classified as security zones. Performance benefits as well, as I noted in a prior post about iSCSI network separation.
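The zone crossings Edward describes are easy to introduce and hard to see by eye, so the first practical step is an inventory check. The following is an added example, not code from the original post: it takes a constructed inventory of host interfaces (host, interface name, zone, 802.1Q VLAN ID; the host and interface names are hypothetical) and flags two things, a VLAN that carries interfaces from more than one zone, and an interface sitting on a VLAN its zone is not supposed to use. The zone names and the VLAN-to-zone policy are assumptions for the example; a real run would populate the inventory from the switch configuration or the hypervisor's API.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    host: str   # hypothetical host name
    name: str   # hypothetical interface name
    zone: str   # security zone classification
    vlan: int   # 802.1Q VLAN ID; 0 would mean untagged/native


# Constructed sample inventory (not real hosts). It mirrors the five presence
# points discussed above: lights-out management, OS management, live migration,
# iSCSI storage, and guest VLANs.
INVENTORY = [
    Interface("esx01", "ilo", "oob-mgmt", 10),
    Interface("esx01", "vmk0", "os-mgmt", 20),
    Interface("esx01", "vmk1", "migration", 30),
    Interface("esx01", "vmk2", "storage", 40),
    Interface("esx01", "vmnic-guest", "guest", 100),
    Interface("esx01", "vmnic-guest", "guest", 101),
    # esx02: the lights-out port was put on the OS management VLAN ...
    Interface("esx02", "ilo", "oob-mgmt", 20),
    Interface("esx02", "vmk0", "os-mgmt", 20),
    Interface("esx02", "vmk1", "migration", 30),
    # ... and the storage VMkernel port reuses the migration VLAN.
    Interface("esx02", "vmk2", "storage", 30),
    Interface("esx02", "vmnic-guest", "guest", 100),
]

# Assumed policy: which VLAN IDs each zone is allowed to occupy.
POLICY = {
    "oob-mgmt": {10},
    "os-mgmt": {20},
    "migration": {30},
    "storage": {40},
    "guest": {100, 101},
}


def find_zone_crossings(inventory):
    """Return sorted (vlan, zones, hosts) tuples for every VLAN that carries
    interfaces belonging to more than one security zone."""
    by_vlan = defaultdict(list)
    for iface in inventory:
        by_vlan[iface.vlan].append(iface)
    crossings = []
    for vlan, ifaces in sorted(by_vlan.items()):
        zones = sorted({i.zone for i in ifaces})
        if len(zones) > 1:
            hosts = sorted({i.host for i in ifaces})
            crossings.append((vlan, tuple(zones), tuple(hosts)))
    return crossings


def find_policy_violations(inventory, policy):
    """Return interfaces whose VLAN is not one their zone is allowed to use.
    A zone missing from the policy is treated as having no allowed VLANs."""
    return [
        iface for iface in inventory
        if iface.vlan not in policy.get(iface.zone, set())
    ]


if __name__ == "__main__":
    for vlan, zones, hosts in find_zone_crossings(INVENTORY):
        print(f"VLAN {vlan} carries zones {', '.join(zones)} "
              f"on hosts {', '.join(hosts)}")
    for iface in find_policy_violations(INVENTORY, POLICY):
        print(f"{iface.host}/{iface.name}: zone {iface.zone} "
              f"is not allowed on VLAN {iface.vlan}")
```

Both checks are needed: the crossing check catches a shared VLAN regardless of policy, while the policy check catches a zone that has quietly drifted onto a VLAN nobody classified, even if nothing else is on it yet.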
How do you approach different security zones on your networks? Are VLANs enough, or do your requirements call for fully separate switching environments? VLANs separate traffic logically on shared switching hardware, so a trunk or native-VLAN misconfiguration can rejoin zones that were meant to stay apart; physically separate switches remove that failure mode at a higher cost. This area is very compliance- and requirement-driven, so there is no single right answer. Share your comments below on an area where we can all likely improve.