Security Basics mailing list archives

Using Private vlans


From: avi shvartz <yram () netvision net il>
Date: Fri, 22 May 2009 20:43:13 +0300

Hello list,

We are in the design process of a network infrastructure that will allow our
workers to connect to the Internet from their personal workstations on the
campus.

There is a decision to use Virtual Desktop Infrastructure (VDI) technology
for the connection:
  The user will have an "Internet connection" icon on his local desktop;
  clicking on it will activate a dedicated virtual machine (VM) that is
  security hardened and contains only a browser and several other
  Internet-oriented applications.
  That VM will be located in a different communication segment (separate
  VLAN) in the new infrastructure, and will be isolated from the campus
  network and from the Internet via firewalls.
  All communication to/from the campus and to/from the Internet will be
  scanned and filtered.
  IPS/IDS are all in place as well.

The security folks want to add another level of separation: define each VM
(there can be up to 8,000 such machines) in that segment in an Isolated
Private VLAN (I-PVLAN).
The main claims:
  - The VM will still be separated from the network even in case of hostile
    takeover from the Internet.
  - In such usage, those VMs are going to communicate with the Internet only
    and not with each other or with other resources on the campus, so it's
    not a big problem from a maintenance point of view.

The sysadmins (communication and system) are against:
  - Communication: yet another complexity.
  - System: there will be connections to resources on the campus such as
    printing, file transfer, software distribution etc.

So, it's more ongoing maintenance.

I would like to ask the following:
  - Any experience implementing Internet access using VDI? Conclusions?
    Best practices?
  - Any experience implementing I-PVLAN in such cases? In other segments of
    the enterprise network? Conclusions?
  - As a continuation of the Simplicity vs. Security discussion, any
    thoughts? A "bottom line"?

Thank you all for your time and kind help

Avi
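As an added illustration (editor's example, not part of Avi's post or of any vendor documentation): a minimal Cisco IOS / Catalyst configuration for the isolated-PVLAN design the post describes. VLAN IDs, interface names, the subnet and the assumption that the firewall hangs off a single promiscuous port are hypothetical. Note that one isolated secondary VLAN covers all the VMs: hosts on isolated ports can reach only promiscuous ports, never each other, so per-VM isolation does not require a VLAN per VM. Campus resources (printing, file transfer, software distribution) are reached the same way as the Internet, through the promiscuous port and the firewall policy behind it.

```cisco
! Added example, not from the original post. VLAN IDs, interface names,
! the 10.200.0.0/19 subnet and the firewall port are assumptions.
! Older Catalyst code requires VTP transparent mode for private VLANs.
vtp mode transparent
!
! Primary VLAN carries the subnet; the isolated secondary VLAN holds the VDI VMs.
vlan 200
 name VDI-PRIMARY
 private-vlan primary
 private-vlan association 201
!
vlan 201
 name VDI-ISOLATED
 private-vlan isolated
!
! Ports toward the VDI hosts: isolated host ports.
! Hosts on these ports can talk only to promiscuous ports, not to each other.
interface range GigabitEthernet1/0/1 - 40
 description VDI hypervisor uplinks (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The only way out: the firewall on a promiscuous port. Every VM-to-campus
! and VM-to-Internet flow crosses this port and is filtered there.
interface GigabitEthernet1/0/48
 description Firewall inside interface (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Only if the switch itself is the gateway instead of the firewall: the SVI
! must map the secondary VLAN, and proxy ARP stays off so the router does not
! answer for same-subnet neighbours and route VM-to-VM traffic around the
! L2 isolation (local proxy ARP is what re-enables exactly that).
interface Vlan200
 ip address 10.200.0.1 255.255.224.0
 private-vlan mapping 201
 no ip proxy-arp
 no ip local-proxy-arp
```

Two checks a practitioner would run before signing off on the "still separated after a hostile takeover" claim. First, `show vlan private-vlan` and `show interfaces switchport` confirm the primary/secondary association and that no VM-facing port drifted back to a plain access port. Second, and more important for a VDI farm, VMs on the same hypervisor never reach the physical switch when they talk to each other: the virtual switch forwards that traffic locally. The isolation therefore has to be enforced in the hypervisor's virtual switch as well (vSphere distributed switches support the same primary/isolated PVLAN model; other hypervisors need an equivalent or a per-VM firewall), otherwise the physical PVLAN only separates VMs that happen to sit on different hosts. If the firewall is the gateway, its policy must also deny traffic whose source and destination are both in the VDI subnet, since a routed hairpin through the promiscuous port would otherwise bypass the L2 isolation.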

