• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 454
  • Last Modified:

Vlan design for guest vms in virtual desktop environment


I am planning to migrate my physical desktops to virtual desktops.Currently we have different vlans in different floors of our office as well as branch offices .Some users have client server applications and hence lot of them in different departments have point to point firewall rules open and in place..we are planning to group images based on departments and applications used by them..how should I be designing virtual desktop vlans..I think it's a dirty practice to maintain one to one firewall rules as now to cater specificequirements..what are best practices in virtual desktop world
1 Solution
btanExec ConsultantCommented:
Typically network is preferred to split into VM, PVS and Management Traffic.
See this which covers quite good information on segregation design and requirement too: http://support.citrix.com/servlet/KbServlet/download/27046-102-666250/XS-design-network_advanced.pdf

And also if you are using provisioning services in your environment you may want to also consider reading this: http://blogs.citrix.com/2012/05/01/pvs-stream-traffic-isolation

Overall, the segregation principle should not solely only based on "department" though it is good separation inputs consideration. There is another aspects on security response E.g. for containment during ongoing breach or mass infection detected or to isolate investigation etc

I believe this AUS DSD guidelines will give you good start to kick off with your infra and network architect and team, but do balance the business and not going too granular in segregation as operationally there can be unmanageable and susceptible to more human error (or abuses too) and misconfiguration.  


Other summarised pointers to top off a/m

a) Have proper risk management in a virtualized environment too with the network security controls maintaining and enforcing policy as VMs move. e.g.
- apply policy to traffic that moves between VMs on the same physical host
- separation enforced between individuals who implement/operate the VM environment and those individuals responsible for enforce/monitor security policy.
- have priority to monitor/audit administrative (privileged) conducts regardless separation established  

b) A positioning of security control influence the policy enforcement:
- at the zone perimeter, check on egress/ingress traffic of each zone
- inside a zone, check egress/ingress traffic of each VM and different or child "zoned" VMs
- inside a VM, check egress/ingress traffic of each application within VM

But do note that having numerous connections to VLANs (for example, 100s) configured on a host creates an additional load on the Control Domain, which frequently results in reduced network performance. Having numerous VLANS can also impact your host, pool, and VMs performance
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now