Secure Data Center Architecture

OVERVIEW:
This paper discusses secure data center design implementations, specifically, those used to address network access to data center resources. Corporate access to systems is a fundamental component of data center architecture. This paper will focus on the various methods of network access.
We will discuss use cases to illustrate and explain each design implementation. Since this paper discusses network access into the data center, the use cases will focus on the various individuals and roles commonly expected to require network access.
Data centers are extensions of an organization’s network. From a high level, network access to systems within a data center should be secured similarly to how the organization’s internal network is secured. As an example of what is meant by this, consider a couple of regulatory and business requirements.
Payment Card Industry (PCI) standards require systems containing cardholder data be separated and isolated from general users. It is also common practice for businesses to require that the network infrastructure supporting their Finance departments be protected.
When these same systems move to a data center, the same rules for design apply. In addition, the design of the data center network must address the data center implementation (company owned, shared, etc.). Therefore, another focus in the paper will be on the network access requirements for the data center regardless of implementation circumstances.

KEY SECURITY PRINCIPLES:
Secure architecture design requires consideration of key security principles. While network architects are aware of network centric security principles in their designs, there are often regulatory and business security requirements that must also be considered in such designs. Often, there is a misunderstanding of the regulatory or business requirements with respect to how they translate into the network design. Therefore, we will discuss key security principles common to network design, specifically, those related to network access requirements.

LEAST PRIVILEGE
The principle of least privilege commonly refers to the scope of access a user has to a system or data set. However, this concept also applies to the level of access users may have within a given network. For example, in a flat network, all users have access to all systems from a network access perspective. Whether they have user accounts on those systems is not a determining factor in how the network should be defined.
The network design consideration here is to restrict access to network segments based on specific criteria. Examples of criteria can include geodata (e.g., where the user is connecting from) and unique keys (e.g., the identity of the user). A network architect should think in terms of how the network be designed to restrict access to network segments to all but those authorized to access those segments. The network architect must consider the least privilege requirement as applicable to the network.

SEGREGATION OF DUTIES:
Separation of duties is a key concept that implements checks and balances on the activities of individuals. From a business perspective, this control is intended to limit or prevent fraud or errors in processes. However, when applied to network design, this concept defines control over who can access and administer systems. The network can be designed such that system administrators have management access to the resources for which they are responsible for maintaining and do not have access to or the capability to access network devices and vice versa.
The network architect needs to consider this requirement from the perspective of how to restrict network access based on an individual’s duty. Again, this should not be left to the whether or not a user has a user account on the systems within the network to which they access.

DEFENSE-IN-DEPTH:
This security principle is the concept of implementing a combination of controls around (and for) the protection of an asset. An example of the significance of this control is how networks used to be designed. Decades ago (although we still encounter some instances of this thinking) it was assumed that a lone perimeter firewall was sufficient for the protection of the internal network. However, as we’ve long since learned, while firewalls are great at preventing unwanted incoming traffic on all but specific ports, services can still be attacked and systems compromised through a valid open port.
Therefore, defense-in-depth provides additional controls that can detect, limit, and/or prevent malicious activity. The network architect should always consider defense in depth for all designs.

DESIGN CONCEPTS:
The following discusses some of the common design concepts that we will implement in our use cases. While some of these do not appear related to network access specifically, they are vital components when defense in depth is considered. In addition, these design elements focus on isolation or access restriction to the target networks / systems.

IN-BAND MANAGEMENT:
This is the most common design concept in which management of the network devices or services is addressed over the user or corporate network. In terms of the access to those systems in the data center, management is addressed over the WAN as if the data center were an extension of the internal network.

OUT-OF-BAND MANAGEMENT:
There are various implementations of this design concept. The key element of this concept is that the management interfaces of the network devices or systems to be managed are not connected to the internal network. Access is granted via dial-up or perhaps via a cellular network. There are pros and cons with design, but that is beyond the scope of this paper.

BASTION HOST / JUMP HOST:
A bastion host is only part of a larger design concept. This design is a combination of the in-band and out-of-band design concepts. The management network is isolated as in the out-of-band design, but is connected to the internal network via a single (or limited set) bastion host, sometimes referred to as a jump host or jump server.
The management interfaces for the network devices and servers are isolated on a single network. A bastion host in placed inside the isolated management network and has network access to all systems managed on that network. Administrators access the jump server through a single port on a single IP address.
This can be more granular by isolating the network devices on one network and the servers on another. An alternative is to provide two jump servers in a single management network, one for network administration and the other for server administration.

VPN:
This is the most common remote network access solution. While dial-up is certainly a consideration, dial-up tends to be limited and doesn’t allow for multiple, simultaneous users. What should be considered with VPN is the ability to control which network to allow a user access to depending on their role.

USE CASES:
The following are example cases based on the role and responsibility of the user requiring network access. As should be the case with all network designs, individual business requirements drive the design. These use cases represent high-level design concepts and are not intended as the final design. They are presented as considerations to address given requirements. Other requirements will most likely apply and the design changed accordingly.

NETWORK ADMINISTRATION:
The role of network administrator offers at least two network access use cases. Network availability is one of the most significant requirements for any network. As such, network administrators must be able to access their network devices and management tools easily and from most anywhere. However, the requirement for ease of access should not compromise or supersede the requirement for the network to be secure.
In general, the compromise of the network is more dangerous to the organization and therefore more valuable to the hacker than a server. While some servers are critically valuable and the ability of a hacker to use any server as a pivot point to attack other servers is a significant risk, it is the network that provides that defense-in-depth the servers need for protection. Compromise of the network is a ‘game-over’ scenario. That is not necessarily true, but think of it as ‘control the network, control the world’.

USE CASE #1 – CORPORATE NETWORK ACCESS TO THE DATA CENTER:
Network administrators must have access to all network devices in the data center; however, that does not necessarily mean network access to those devices must be allowed from anywhere within the corporate network. To be clear, this means that under no circumstances should network access to the network devices in the data center be accessible by the general user population.

It has long been a best practice to never use clear text protocols for logging into any system. Based on experience, most organizations have moved to secure protocols, but instances of non-secure protocols can still be found. The use of clear text protocols for logging into network devices may expose network administration credentials when used over the corporate network. The combination of clear text protocols and unrestricted network access to network devices exposes those devices to compromise. A first layer in a defense-in-depth strategy is the use of encrypted protocols for logging into network devices.

A second layer of a defense would be restricting network access to network devices in the data center from the corporate network. There are numerous design solutions to address this control such as ACLs, firewall rules, and NAC (Network Access Control), which are discussed below. For the purpose of this paper, keep in mind that the design is less important than the intent. Network architects must consider the least privilege security principle when designing network access to network devices in the data center from the internal corporate network.

The in-band management design concept has both pros and cons when used to control or restrict network access to network devices in the data center from the corporate network. A benefit of using in-band management is the relative ease of implementation. In-band management requires ACLs or firewall rules to isolate specific network segments in the corporate network and in the data center. The corporate network segments are allowed access to the data center network segments to which the administrative interfaces of all network devices are connected.

A potentially significant concern with in-band management is the administrative overhead of effectively managing the ACLs and firewall rules. Another concern is that network administrators can only access those devices from within their own assigned network segments. In more complex networks, the administrative overhead becomes a liability and is not recommended.

Out-of-band management has a higher cost to implement, but lowers the administrative overhead of the in-band management design. This design is generally considered for external access to the target network, but network administrators can use it from within the corporate network. Benefits of this design include network access from anywhere in the corporate network and access is limited to those with access credentials into the out-of-band network. The downsides to this design are that it tends be slower to access network resources and requires additional software or technology on the network administrator’s workstation.

The bastion host or jump server design concept is a good compromise between the in-band and out-of-band network
management solutions. The jump server design concept can be used in conjunction with either in-band or out-of-band designs, but is most commonly used as part of the in-band design. To be clear, the jump server solution does not require either; however, implementing a jump server as part of an in-band solution provides another layer of defense while decreasing the administrative overhead.

By itself, a jump server provides least privilege network access through access control to the jump server (only network administrators have access to the jump server). A benefit of this solution is that a network segment does not need to be isolated within the corporate network for network administrators. Network administrators can access the jump server from any location within the corporate network.

A jump server isolates access to the network devices in the data center to a single IP from the corporate network, which in turn, effectively restricts access. The protocol used to log into the jump server should be encrypted to prevent compromise of network administration credentials. This provides layers of defense in the design. We could add another layer by implementing ACLs or firewall rules to restrict access to the jump server IP to an isolated segment of the network. This does add some administrative overhead, but not as much as with the in-band solution.

USE CASE #2 – EXTERNAL ACCESS TO THE DATA CENTER:
Being awakened in the middle of the night to deal with some urgent network issue is a rite of passage for most network administrators. In today’s world, the network must always be available. Access to the network in the data center away from the office is a crucial design requirement.

VPN is a great solution because it is available from anywhere in the world over the Internet, is encrypted, AND can provides two-factor authentication. Many VPN solutions provide both authentication and authorization and some include AD integration. Remote access to the data center cannot be based on authentication alone otherwise all users would have access to all network resources. Authorization within the VPN solution provides role-based access to network resources. This allows network administrators access to the network management segment and restricts all other users.

VPN is the first solution that comes to mind; however, it is possible that 1) access to the VPN server is not available, or 2) access to the network from the VPN server is not available. While VPN is certainly a design consideration, alternative solutions must be considered to gain more direct access to the network devices in case of severe outages.
An out-of-band network is an effective solution for when other access solutions fail. Old school, yet still effective, are modems. Modems can be accessed from anywhere and provide encrypted authentication to prevent war-dialing attacks. Today, the preferred solution is cellular remote access. These solutions provide greater user access and more bandwidth. Properly configured, the system can support role-based access for access to other isolated networks.

For defense-in-depth, remote access can be combined with other design concepts such as in-band-network and jump host. An isolated, network-management network should already be in place as part of an in-band-network for the corporate network and may include a jump server. Remote access via VPN would then be configured to connect to the isolated in-band-network or to the jump server within that network. This also applies to the cellular remote access solution.