Here’s a quote from a network administrator: “I have a flat network. There are no VLANs, no nothing extra, just one big flat network. While it is very large it is quite simple. I enjoy the simplicity of this network. On the other hand, this is a very large network and if there is a problem it is a mess to figure out sometimes. A routed network has much smaller segments and if something goes wrong there is a lot less of it to go wrong.”
Here’s a quote from another network professional, also talking about a flat network: “When some malware gets past the filters it will have access to the entire network. The entire company could come to a screeching halt until everything is restored from backup. Most businesses that large wouldn’t want to be down for long enough to restore all the servers and workstations, even from recent snapshots of servers and re-imaging all the workstations.”
Those two quotes, in a nutshell, describe the risks and rewards of running a flat network: security versus simplicity.
What is a Flat Network?
A flat network is just about the simplest network that you can design. It works by connecting all devices back to a single switch, and that implies that all devices connected to the flat network are part of the same broadcast area, and are connected to each other without having to pass to a different network segment.
Flat Network Benefits
One benefit of a flat network is that it is cheap to set up. That’s because there’s no need for multiple routers and switches, as everything is connected back to a single switch, with low-cost hubs providing additional connectivity where necessary.
Because of this simplicity, a flat network is very easy to design. Not a lot of thought has to go into architecting it; it’s easy to build, easy to operate (when it’s working properly, that is), and easy and cheap to maintain.
With a single DHCP range in use, a flat network also makes adds, moves, and changes easy. If you want to move a device from one desk or one building to another, you just unplug it from the old location and plug it into an Ethernet jack at the new one.
What are the Risks of Flat Networks?
A flat network in a home or very small office makes a great deal of sense, where low costs and simplicity are very important. But when you start dealing with larger organizations, the downsides to a flat network very quickly become apparent.
Easy to hide
Let’s consider what happens when hackers succeed in penetrating the network perimeter and get on to a corporate network. What happens next is that the hackers attempt to remain undetected on the network, while at the same time performing scans and other network reconnaissance moves to navigate their way around the network to find the most valuable assets that they can plunder.
On a large flat network, it becomes much easier for a hacker to remain undetected. That’s because with so many devices and applications communicating with each other — from IP phones to desktops to print servers to security cameras — it is much harder for security systems to analyze data flows and spot the anomalous traffic that might be the tell-tale sign of hackers at work.
Everything is vulnerable
But perhaps more importantly, a flat network means that hackers have the run of everything: they can find any device, and intercept any data. By contrast, in a segmented network, the broadcast domain is far smaller and hackers can only easily reconnoitre the devices on the segment they find themselves in.
“Once an attacker gets into a [flat network] environment it’s like a shopping trolley dash but without the clock; you can just take whatever you like,” said Rick Holland, a former Forrester analyst and now CISO at security company Digital Shadows. “What you need is a bulkhead approach like in a ship: if the hull gets breached you can close the bulkhead and limit the damage.”
As well as making life harder for hackers, a segmented network also makes it very much harder for network worms and other malware to propagate beyond the segment that they find themselves in.
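The bulkhead idea above can be made concrete by modelling how far a worm on one host can spread at layer 2. The following is an added example, not code from the article: it places a constructed inventory of hosts first in a single flat /24 and then in four VLANs behind a router whose inter-VLAN allow-list is given as (source subnet, destination subnet) pairs, and computes the set of hosts reachable from a compromised device in each layout. Host names, addresses and the ACL are all assumptions made up for the illustration.

```python
import ipaddress
from collections import deque

def broadcast_domain(hosts, subnets):
    """Map each host name to the subnet (broadcast domain) that holds its IP."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    domain = {}
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        domain[name] = next(str(n) for n in nets if addr in n)  # StopIteration if unplaced
    return domain

def reachable_from(start, hosts, subnets, allowed_routes=()):
    """Hosts a worm that starts on `start` can reach.
    Every host in the same broadcast domain is reachable directly (ARP, broadcast).
    Crossing into another subnet needs an explicit (src_subnet, dst_subnet) pair in
    allowed_routes, which models the router ACL / firewall between VLANs."""
    domain = broadcast_domain(hosts, subnets)
    by_subnet = {}
    for host, subnet in domain.items():
        by_subnet.setdefault(subnet, set()).add(host)
    seen = {domain[start]}
    queue = deque([domain[start]])
    while queue:                       # BFS over subnets along permitted routes
        src = queue.popleft()
        for route_src, route_dst in allowed_routes:
            if route_src == src and route_dst not in seen:
                seen.add(route_dst)
                queue.append(route_dst)
    reachable = set()
    for subnet in seen:
        reachable |= by_subnet.get(subnet, set())
    return reachable - {start}

# Constructed sample inventory: a flat /24 versus four VLANs behind a router.
FLAT_HOSTS = {"cam-lobby": "10.0.0.10", "phone-12": "10.0.0.20",
              "print-2f": "10.0.0.30", "desk-alice": "10.0.0.40",
              "db-payroll": "10.0.0.50"}
FLAT_SUBNETS = ["10.0.0.0/24"]
SEG_HOSTS = {"cam-lobby": "10.10.0.10", "phone-12": "10.20.0.20",
             "print-2f": "10.30.0.30", "desk-alice": "10.30.0.40",
             "db-payroll": "10.40.0.50"}
SEG_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24", "10.40.0.0/24"]
SEG_ACL = [("10.30.0.0/24", "10.40.0.0/24")]  # only the user VLAN may reach the DB VLAN

if __name__ == "__main__":
    print("flat, from camera:     ", sorted(reachable_from("cam-lobby", FLAT_HOSTS, FLAT_SUBNETS)))
    print("segmented, from camera:", sorted(reachable_from("cam-lobby", SEG_HOSTS, SEG_SUBNETS, SEG_ACL)))
    print("segmented, from desk:  ", sorted(reachable_from("desk-alice", SEG_HOSTS, SEG_SUBNETS, SEG_ACL)))
```

A compromised camera on the flat network reaches every other host, including the payroll database; on the segmented layout it reaches nothing, and even a compromised user desktop only reaches its own VLAN plus the one subnet the ACL permits.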
Lack of redundancy
The simplicity of a flat network also comes at a cost: dependence on a single switch. The risk in a flat network is that if the key switch fails, the whole network could come to a grinding standstill as there is no alternative network path.
Ironically, the simplicity of design of a flat network also means that troubleshooting can be much harder. When a network problem occurs it could be almost anywhere on the network, so finding the root cause of the problem can be difficult and time consuming. By contrast, on a segmented network it can be easier to isolate the location of the problem, and even if major infrastructure needs to be replaced the problem can be isolated to the network segment hosting that infrastructure.
One final factor against flat networks is that their performance can suffer compared to a segmented network. The reason is that there is much more processing burden on the key switch, and there is greater potential for collisions due to the use of dumb hubs instead of smarter switches. The counterargument is that a segmented network uses more switches, with traffic being delayed each time it is processed through a switch.
It’s also the case that by limiting routed traffic to segments, the overall traffic usage on the network is reduced, so the potential for network congestion impacting performance is diminished.
Flat or Not
Ultimately the decision to run a flat network or a segmented one is a matter for each individual organization, and the decision will always be impacted by what currently exists. A flat network may well be simpler and cheaper to set up, but if an organization already has a more complex network then there is no obvious reason to change it.
The bottom line is that while flat networks may be less complex, segmented networks offer the possibility of better security. It’s up to each organization to decide which of those is most important.