Solved

Vlan design for guest vms in virtual desktop environment

Posted on 2013-11-30
1
439 Views
Last Modified: 2013-12-09
Hi

I am planning to migrate my physical desktops to virtual desktops.Currently we have different vlans in different floors of our office as well as branch offices .Some users have client server applications and hence lot of them in different departments have point to point firewall rules open and in place..we are planning to group images based on departments and applications used by them..how should I be designing virtual desktop vlans..I think it's a dirty practice to maintain one to one firewall rules as now to cater specificequirements..what are best practices in virtual desktop world
0
Comment
Question by:Sukku13
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39687825
Typically network is preferred to split into VM, PVS and Management Traffic.
See this which covers quite good information on segregation design and requirement too: http://support.citrix.com/servlet/KbServlet/download/27046-102-666250/XS-design-network_advanced.pdf

And also if you are using provisioning services in your environment you may want to also consider reading this: http://blogs.citrix.com/2012/05/01/pvs-stream-traffic-isolation

Overall, the segregation principle should not solely only based on "department" though it is good separation inputs consideration. There is another aspects on security response E.g. for containment during ongoing breach or mass infection detected or to isolate investigation etc

I believe this AUS DSD guidelines will give you good start to kick off with your infra and network architect and team, but do balance the business and not going too granular in segregation as operationally there can be unmanageable and susceptible to more human error (or abuses too) and misconfiguration.  

http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Other summarised pointers to top off a/m

a) Have proper risk management in a virtualized environment too with the network security controls maintaining and enforcing policy as VMs move. e.g.
- apply policy to traffic that moves between VMs on the same physical host
- separation enforced between individuals who implement/operate the VM environment and those individuals responsible for enforce/monitor security policy.
- have priority to monitor/audit administrative (privileged) conducts regardless separation established  

b) A positioning of security control influence the policy enforcement:
- at the zone perimeter, check on egress/ingress traffic of each zone
- inside a zone, check egress/ingress traffic of each VM and different or child "zoned" VMs
- inside a VM, check egress/ingress traffic of each application within VM

But do note that having numerous connections to VLANs (for example, 100s) configured on a host creates an additional load on the Control Domain, which frequently results in reduced network performance. Having numerous VLANS can also impact your host, pool, and VMs performance
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
different settings in vcenter 4 56
Hyper-V won't open/import windows 7 vhd or vhdx create using disk2vhd in Windows 10 Pro 3 57
Port group in esxi 6 78
ISP Change 14 50
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question