Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Vlan design for guest vms in virtual desktop environment

Posted on 2013-11-30
1
Medium Priority
?
449 Views
Last Modified: 2013-12-09
Hi

I am planning to migrate my physical desktops to virtual desktops.Currently we have different vlans in different floors of our office as well as branch offices .Some users have client server applications and hence lot of them in different departments have point to point firewall rules open and in place..we are planning to group images based on departments and applications used by them..how should I be designing virtual desktop vlans..I think it's a dirty practice to maintain one to one firewall rules as now to cater specificequirements..what are best practices in virtual desktop world
0
Comment
Question by:Sukku13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 39687825
Typically network is preferred to split into VM, PVS and Management Traffic.
See this which covers quite good information on segregation design and requirement too: http://support.citrix.com/servlet/KbServlet/download/27046-102-666250/XS-design-network_advanced.pdf

And also if you are using provisioning services in your environment you may want to also consider reading this: http://blogs.citrix.com/2012/05/01/pvs-stream-traffic-isolation

Overall, the segregation principle should not solely only based on "department" though it is good separation inputs consideration. There is another aspects on security response E.g. for containment during ongoing breach or mass infection detected or to isolate investigation etc

I believe this AUS DSD guidelines will give you good start to kick off with your infra and network architect and team, but do balance the business and not going too granular in segregation as operationally there can be unmanageable and susceptible to more human error (or abuses too) and misconfiguration.  

http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Other summarised pointers to top off a/m

a) Have proper risk management in a virtualized environment too with the network security controls maintaining and enforcing policy as VMs move. e.g.
- apply policy to traffic that moves between VMs on the same physical host
- separation enforced between individuals who implement/operate the VM environment and those individuals responsible for enforce/monitor security policy.
- have priority to monitor/audit administrative (privileged) conducts regardless separation established  

b) A positioning of security control influence the policy enforcement:
- at the zone perimeter, check on egress/ingress traffic of each zone
- inside a zone, check egress/ingress traffic of each VM and different or child "zoned" VMs
- inside a VM, check egress/ingress traffic of each application within VM

But do note that having numerous connections to VLANs (for example, 100s) configured on a host creates an additional load on the Control Domain, which frequently results in reduced network performance. Having numerous VLANS can also impact your host, pool, and VMs performance
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your vDisk VHD file gets deleted from the image store accidentally or on purpose, you won't be able to remove the vDisk from the PVS console. There is a known workaround that is solid.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question