Solved

Vlan design for guest vms in virtual desktop environment

Posted on 2013-11-30
448 Views
Last Modified: 2013-12-09
Hi

I am planning to migrate my physical desktops to virtual desktops. Currently we have different VLANs on different floors of our office as well as in branch offices. Some users have client-server applications, and hence a lot of them in different departments have point-to-point firewall rules open and in place. We are planning to group images based on departments and the applications used by them. How should I be designing virtual desktop VLANs? I think it's a dirty practice to maintain one-to-one firewall rules as now to cater to specific requirements. What are the best practices in the virtual desktop world?
1 Comment
 
LVL 64

Accepted Solution

by: btan (earned 500 total points)
ID: 39687825
Typically the network is preferably split into VM, PVS and Management traffic.
See this document, which covers quite good information on segregation design and requirements too: http://support.citrix.com/servlet/KbServlet/download/27046-102-666250/XS-design-network_advanced.pdf

And also, if you are using Provisioning Services in your environment, you may want to consider reading this: http://blogs.citrix.com/2012/05/01/pvs-stream-traffic-isolation

Overall, the segregation principle should not be based solely on "department", though it is a good input for separation considerations. There is another aspect on the security response side, e.g. for containment during an ongoing breach or when a mass infection is detected, or to isolate an investigation, etc.

I believe these AUS DSD guidelines will give you a good start to kick off with your infra and network architects and team, but do balance the business needs and avoid going too granular in segregation, as operationally it can become unmanageable and susceptible to more human error (or abuse too) and misconfiguration.

http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Other summarised pointers to top off the above-mentioned:

a) Have proper risk management in a virtualized environment too, with the network security controls maintaining and enforcing policy as VMs move, e.g.:
- apply policy to traffic that moves between VMs on the same physical host
- enforce separation between the individuals who implement/operate the VM environment and those individuals responsible for enforcing/monitoring security policy
- give priority to monitoring/auditing administrative (privileged) conduct regardless of the separation established

b) The positioning of a security control influences the policy enforcement:
- at the zone perimeter, check the egress/ingress traffic of each zone
- inside a zone, check the egress/ingress traffic of each VM and of different or child "zoned" VMs
- inside a VM, check the egress/ingress traffic of each application within the VM

But do note that having numerous connections to VLANs (for example, hundreds) configured on a host creates an additional load on the Control Domain, which frequently results in reduced network performance. Having numerous VLANs can also impact your host, pool, and VM performance.
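As an added illustration of points a) and b) above (example code, not part of the original answer), the following Python model keys segmentation policy on VM identity and zone rather than on the physical host, so a verdict is unchanged when a VM migrates and VM-to-VM traffic on the same host is still checked. Zone names, VM names and ports are constructed for the example.

```python
# Added example: VM-identity-based segmentation policy for a VDI network.
# Rules are keyed on zone/VM, never on the physical host, so the same verdict
# applies wherever a VM runs (point a), and flows are checked both at the zone
# perimeter and inside a zone (point b). All names and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # e.g. "vdi-finance", "pvs", "mgmt" (constructed zone names)
    host: str   # physical host; deliberately NOT consulted by the policy


@dataclass(frozen=True)
class Flow:
    src: VM
    dst: VM
    port: int


# Zone perimeter: explicitly permitted inter-zone flows (src_zone, dst_zone, port).
PERIMETER_RULES = {
    ("vdi-finance", "finance-app", 1433),  # desktops to the finance DB tier
    ("vdi-hr", "hr-app", 443),             # desktops to the HR web tier
    ("mgmt", "pvs", 22),                   # admins to provisioning servers
}
# Inside a zone: lateral traffic is denied by default; only listed ports pass.
INTRA_ZONE_ALLOWED_PORTS = {"pvs": {6910}, "mgmt": {443}}


def enforcement_point(flow):
    """Point b): same zone -> intra-zone control, otherwise the zone perimeter."""
    return "intra-zone" if flow.src.zone == flow.dst.zone else "perimeter"


def evaluate(flow):
    """Return (verdict, enforcement point). The host attribute is never read."""
    point = enforcement_point(flow)
    if point == "perimeter":
        allowed = (flow.src.zone, flow.dst.zone, flow.port) in PERIMETER_RULES
    else:
        allowed = flow.port in INTRA_ZONE_ALLOWED_PORTS.get(flow.src.zone, set())
    return ("allow" if allowed else "deny"), point


def policy_follows_vm(flow, new_host):
    """Point a): re-evaluate after the source VM migrates; verdict must not change."""
    moved_src = VM(flow.src.name, flow.src.zone, new_host)
    return evaluate(flow) == evaluate(Flow(moved_src, flow.dst, flow.port))
```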
