
"You can’t use firewalls to secure East/West data flows in the network."

What does that mean?

Those labels of network flows have been gaining currency in the industry.

Here's an example diagram:


Also see "north-south" and "east-west" in sub-heading "Changing traffic patterns":


Amazon's AWS presentations also sometimes mention network traffic inside the datacenter in terms of “east-west traffic” & “north-south”.


Think of a blade chassis in a datacenter.

If blade1 needs to talk to blade2, running it through a firewall means that the communication needs to flow out of the blade back to the datacenter network (i.e. flowing north to the top-of-rack switch). That adds latency and requires more network and firewall capacity, as all traffic needs to leave the chassis.

If there is no firewall requirement, traffic flows east/west within the chassis on the blade backplane. Security can be layered with a host firewall or similar technology (i.e. IPsec, proprietary solutions like Unisys Stealth).

"If blade1 needs to talk to blade2, running it through a firewall means that the communication needs to flow out of the blade back to the datacenter network (i.e. flowing north to the top-of-rack switch). That adds latency and requires more network and firewall capacity, as all traffic needs to leave the chassis."

For years (15 ?) I have been putting very simple, very small ipfw rulesets in place on non-firewall systems that allow only the traffic I believe that system should be sending/receiving.

It's a firewall. It's on the host itself. It is a firewall that is securing "east/west traffic". It's a simple model that any host can implement and has very low (typically zero) cost.


This is the first, and last, time I will ever use the term "east/west traffic". Christ.
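As an added illustration of the "very small ruleset that allows only the traffic this host should send/receive" model described in the comment above (this is example code written for this page, not the commenter's own rules), here is a host-level ipfw policy for an assumed application server. The subnets, hosts, ports and rule numbers are assumed values chosen for the example; `build_ruleset` only prints the rules, and `apply_ruleset` loads them through `/sbin/ipfw` when run as root on the host.

```shell
#!/bin/sh
# Added example: host-based ipfw ruleset in the "default deny, allow only
# expected flows" style. All addresses and ports below are assumed values.
IPFW="${IPFW:-/sbin/ipfw}"

LB_NET="10.0.1.0/24"     # assumed: load-balancer tier that may reach us on 443
MGMT_NET="10.0.9.0/24"   # assumed: jump hosts allowed to SSH in
DB_HOST="10.0.3.10"      # assumed: the single database this host may talk to
DNS_HOST="10.0.0.53"     # assumed: resolver

# Emit the ruleset, one ipfw subcommand per line. Order matters: the
# catch-all deny must be last, and check-state must precede the allows
# so replies to already-permitted connections are matched first.
build_ruleset() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from $LB_NET to me 443 in setup keep-state
add 310 allow tcp from $MGMT_NET to me 22 in setup keep-state
add 400 allow tcp from me to $DB_HOST 5432 out setup keep-state
add 410 allow udp from me to $DNS_HOST 53 out keep-state
add 65000 deny log ip from any to any
EOF
}

# Load the ruleset into the kernel (root on the FreeBSD host).
apply_ruleset() {
    build_ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        "$IPFW" -q $rule
    done
}

# Sanity checks a practitioner would want before applying: the allow list
# stays small, and the final rule is the logging deny.
count_allow_rules() {
    build_ruleset | grep -c ' allow '
}

last_rule_is_deny() {
    build_ruleset | tail -n 1 | grep -q ' deny '
}

# Dry run: print the policy for review.
build_ruleset
```

The `deny log` on the last rule is what makes this a detection point as well as a control: every east/west attempt this host does not expect ends up in the host's ipfw log rather than silently dropped.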

Indeed. But the view of the NetSec team is that your server is not trusted to secure itself.

If every service in your ecosystem implemented ipfw rules (or equivalent) then that's great. But if your box got popped, then can I be sure that it won't be used as an attack vector for other machines? I will turn off the ipfw ruleset locally, and start connecting out to other systems. If there was a firewall sitting there between me and other systems, this would hit rules that should never be hit, resulting in the NetSec team getting some alerts.

Now I believe, like most sane people, that if you've popped an appserver, it's already likely to be game over, and this is a moot point.

For most applications, the app server doesn't live in its own little DMZ, and usually does have privileged access to the DB, often shares the same authentication domain as other services which is not properly secured (e.g. your [backup|log|monitoring|deployment] server connects to every machine with a service account, not SSH protected, and now I have the service account for all machines).

You wouldn't be foolish enough to have mixed admin functions (content management?), and user functions on the same app server... right? Right? Oh... wait... almost everyone does that.
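The comment above describes the value of a network firewall between systems: a compromised host that disables its local ruleset and reaches out to its neighbours hits rules that should never be hit, and the NetSec team gets alerts. As an added example (not the commenter's code) of what that alerting looks like, the script below scans firewall deny logs for server-to-server attempts within one tier and counts them per source host. The log lines are constructed for the example in the shape of an ipfw syslog entry; the `10.0.2.0/24` app tier, the hostname `fw1` and all addresses are assumed.

```shell
#!/bin/sh
# Added example: flag east/west connection attempts within the app tier that
# were denied by a network firewall, i.e. hits on rules that should never
# be hit. Log format mimics ipfw's syslog line; all values are constructed.
APP_TIER_PREFIX="10.0.2."   # assumed: /24 holding the app servers

# Constructed sample log. In practice the input would be the firewall's
# security log (e.g. grep ipfw /var/log/security on the firewall host).
SAMPLE_LOG='Jan 10 03:12:01 fw1 ipfw: 65000 Deny TCP 10.0.2.11:51234 10.0.2.12:22 in via em1
Jan 10 03:12:02 fw1 ipfw: 65000 Deny TCP 10.0.2.11:51235 10.0.2.13:22 in via em1
Jan 10 03:12:05 fw1 ipfw: 65000 Deny TCP 203.0.113.7:40000 10.0.2.12:8080 in via em0
Jan 10 03:12:06 fw1 ipfw: 300 Allow TCP 10.0.1.5:44321 10.0.2.12:443 in via em1
Jan 10 03:12:09 fw1 ipfw: 65000 Deny UDP 10.0.2.14:5353 224.0.0.251:5353 in via em1'

# Read log lines on stdin; print "<source host> <count>" for every source
# whose denied flows had both endpoints inside the app tier. Internet-facing
# denies and multicast noise are left out so the alert stays high-signal.
lateral_denies() {
    awk -v p="$APP_TIER_PREFIX" '
        $5 == "ipfw:" && $7 == "Deny" {
            split($9, s, ":"); split($10, d, ":")
            if (index(s[1], p) == 1 && index(d[1], p) == 1) n[s[1]]++
        }
        END { for (h in n) print h, n[h] }'
}

# Run the detection over the constructed sample.
lateral_report() {
    printf '%s\n' "$SAMPLE_LOG" | lateral_denies
}

lateral_report
```

Only the source `10.0.2.11` is reported (two denied SSH attempts toward its neighbours); the external probe on line three is ordinary noise at the edge, and the allowed load-balancer connection never reaches the catch-all rule.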


Because left/right and up/down a rack are so complicated terms we need to use a compass... ;-)

It's a little new-speakish, but it basically means traffic flowing between servers in the same hosting tier.

Lateral flows of data within a network, as opposed to traffic that goes through a gateway.

Interesting. Never heard the term before.

I think it's from American football - east/west is lateral movement, north/south towards/away from the goal lines.

Apparently this has nothing to do with getting sun in your eyes.


I'd guess it more has to do with physical colo/datacenter layouts. Traffic moving between racks is considered east/west*. Traffic moving in and out of your routers (and through to the meet-me-room) would take place over fiber pairs up into the ceiling or down through the floor.

Just a guess.

It means he doesn't know about those PCI card firewalls specifically designed to enforce security policies on traffic flows within the network (or enclave). They're an uncommon thing in industry because most of industry thinks outward-facing firewall = secure. Others that know better didn't want to spend money on a security device attached to every server they own. So, the companies in the 90's offering highly secure versions got acquired after little sales, the current ones are obscure, and all he got to see were the more limited crap the industry adopted en masse.

A sad, recurring theme in INFOSEC industry. They're figuring out a lot of the old stuff, though, slowly but surely. Especially in cutting edge datacenters doing things like OpenFlow.

You're diagramming your network. Typically network engineers like using a tree layout - core devices at the top, flowing down to aggregation devices, down to access devices, down to the end devices. Hence traffic to the North was to the core, and out; traffic South was to the end devices.

Typically in a campus you would see traffic going from the end devices up to the core, and then out of the core, either to datacenters/machine rooms, or out to the internet.

In a datacenter, historically, you had a few servers that talked to each other, connected to the same "Access" switch (commonly referred to as the top-of-rack or end-of-row), and then almost all the traffic for those servers also went "north" to the core, with a much smaller amount going south. Almost all the traffic was from clients out in the corporate network, down to their specific set of services.

However over time, end users represent a smaller and smaller portion of what an application does. More systems integrate with more systems - pulling in data from many other systems, doing analysis, backup, etc. etc. This is the east - west traffic, that flows between things in the same tree diagram. East-west traffic is by far the largest throughput in a modern DC.

When the traffic was mostly north-south, network engineers secured the traffic at the edge of the DC - where the DC joined the core/internet. Now the traffic is between servers that are sitting in the same rack/row/room/DC, securing it in the same way just doesn't work.

Thanks for that excellent explanation of the terms in question about North-South, etc. It gives me a good visual perspective of it, too. Awesome. :)

Cool-kid words for cloud infrastructure in-groups. Somewhere along the line someone with clout and a laser pointer directed the attention of a roomful of people to an analogy in a Powerpoint presentation, and to curry favor and demonstrate loyalty, dear leader's clones started parroting each neologism.

Yep, all IT disciplines have their language. I get the same problem when listening to developers & DevOps spout their lingo.

Here is my explanation of the East/West & North/South in terms of Data Centre network architecture

