Solved

Vlan design for guest vms in virtual desktop environment

Posted on 2013-11-30
1
444 Views
Last Modified: 2013-12-09
Hi

I am planning to migrate my physical desktops to virtual desktops. Currently we have different VLANs on different floors of our office as well as in branch offices. Some users have client-server applications, and hence a lot of them in different departments have point-to-point firewall rules open and in place. We are planning to group images based on departments and the applications used by them. How should I be designing virtual desktop VLANs? I think it's a dirty practice to maintain one-to-one firewall rules, as now, to cater for specific requirements. What are the best practices in the virtual desktop world?
0
Question by:Sukku13
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39687825
Typically the network is split into VM, PVS and Management traffic.
See this which covers quite good information on segregation design and requirement too: http://support.citrix.com/servlet/KbServlet/download/27046-102-666250/XS-design-network_advanced.pdf

And also if you are using provisioning services in your environment you may want to also consider reading this: http://blogs.citrix.com/2012/05/01/pvs-stream-traffic-isolation

Overall, the segregation principle should not be based solely on "department", though it is a good separation input to consider. There is another aspect: security response, e.g. for containment during an ongoing breach or when mass infection is detected, or to isolate an investigation, etc.

I believe these AUS DSD guidelines will give you a good start to kick off with your infra and network architects and team, but do balance the business and avoid going too granular in segregation, as operationally it can become unmanageable and susceptible to more human error (or abuse too) and misconfiguration.

http://www.asd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Other summarised pointers to top off a/m

a) Have proper risk management in a virtualized environment too, with the network security controls maintaining and enforcing policy as VMs move. E.g.:
- apply policy to traffic that moves between VMs on the same physical host
- enforce separation between the individuals who implement/operate the VM environment and the individuals responsible for enforcing/monitoring security policy
- give priority to monitoring/auditing administrative (privileged) conduct regardless of the separation established

b) The positioning of security controls influences policy enforcement:
- at the zone perimeter, check on egress/ingress traffic of each zone
- inside a zone, check egress/ingress traffic of each VM and different or child "zoned" VMs
- inside a VM, check egress/ingress traffic of each application within VM

But do note that having numerous VLANs (for example, 100s) configured on a host creates an additional load on the Control Domain, which frequently results in reduced network performance. Having numerous VLANs can also impact your host, pool and VM performance.
0
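A small worked model of points (a) and (b) above, added here as an example; it is not part of btan's answer nor taken from the Citrix or ASD documents linked. It assumes invented zone names, VM names, hypervisor names and a port, and shows two things a practitioner would want to check before retiring the point-to-point rules the question describes: that the verdict for a flow depends on zone membership and not on which physical host the VMs happen to share, and that collapsing per-desktop rules into zone rules widens the allowed set, which is the delta a reviewer has to sign off.

```python
"""Zone-based desktop policy model (constructed example, not from the thread).

Every zone, VM, host and port value below is invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    zone: str   # VLAN / security zone of the desktop image (assumed names)
    host: str   # hypervisor the VM currently runs on; changes on migration


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str  # "allow" or "deny"


class ZonePolicy:
    """First matching zone rule wins; unmatched flows get the default verdict."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default

    def evaluate(self, src: VM, dst: VM, port: int) -> str:
        # src.host / dst.host are deliberately not consulted: point (a) says the
        # verdict must not change when two VMs land on the same physical host.
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone, rule.port) == (src.zone, dst.zone, port):
                return rule.action
        return self.default


def collapse_point_to_point(p2p_allows: List[Tuple[str, str, int]],
                            vms: Dict[str, VM]) -> List[Rule]:
    """Turn per-VM allow tuples (src_vm, dst_vm, port) into zone-level allow rules."""
    seen: Set[Tuple[str, str, int]] = set()
    zone_rules: List[Rule] = []
    for src_name, dst_name, port in p2p_allows:
        key = (vms[src_name].zone, vms[dst_name].zone, port)
        if key not in seen:
            seen.add(key)
            zone_rules.append(Rule(*key, "allow"))
    return zone_rules


def widened_pairs(p2p_allows: List[Tuple[str, str, int]],
                  vms: Dict[str, VM]) -> Set[Tuple[str, str, int]]:
    """VM pairs the zone rules allow that the original per-VM rules did not.

    Every original pair is preserved by construction (same zones, same port);
    the returned set is the extra reach a reviewer must accept or split off.
    """
    policy = ZonePolicy(collapse_point_to_point(p2p_allows, vms))
    original = set(p2p_allows)
    ports = {port for _, _, port in p2p_allows}
    extra: Set[Tuple[str, str, int]] = set()
    for src in vms.values():
        for dst in vms.values():
            if src is dst:
                continue
            for port in ports:
                flow = (src.name, dst.name, port)
                if policy.evaluate(src, dst, port) == "allow" and flow not in original:
                    extra.add(flow)
    return extra


# Constructed inventory: three finance desktops, one HR desktop, one ERP app server.
VMS: Dict[str, VM] = {
    "fin-vdi-01": VM("fin-vdi-01", "finance-vdi", "hv-a"),
    "fin-vdi-02": VM("fin-vdi-02", "finance-vdi", "hv-b"),
    "fin-vdi-03": VM("fin-vdi-03", "finance-vdi", "hv-a"),  # never had a P2P rule
    "hr-vdi-01": VM("hr-vdi-01", "hr-vdi", "hv-a"),
    "erp-app-01": VM("erp-app-01", "erp-app", "hv-b"),
}

# Constructed legacy point-to-point allows of the kind the question describes.
LEGACY_P2P: List[Tuple[str, str, int]] = [
    ("fin-vdi-01", "erp-app-01", 8443),
    ("fin-vdi-02", "erp-app-01", 8443),
]


def same_host_verdict_matches() -> bool:
    """Point (a): the HR desktop sharing hv-a with fin-vdi-01 still gets 'deny'."""
    policy = ZonePolicy(collapse_point_to_point(LEGACY_P2P, VMS))
    same_host = policy.evaluate(VMS["hr-vdi-01"], VMS["fin-vdi-01"], 8443)   # both on hv-a
    cross_host = policy.evaluate(VMS["hr-vdi-01"], VMS["fin-vdi-02"], 8443)  # hv-a -> hv-b
    return same_host == cross_host == "deny"


if __name__ == "__main__":
    print("zone rules:", collapse_point_to_point(LEGACY_P2P, VMS))
    print("extra pairs to review:", sorted(widened_pairs(LEGACY_P2P, VMS)))
    print("same-host verdict consistent:", same_host_verdict_matches())
```

Running it reports one zone rule (finance-vdi to erp-app on 8443) and one newly reachable pair, fin-vdi-03 to erp-app-01, which is the kind of widening that should be reviewed rather than silently accepted when per-desktop rules are folded into department zones.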
