Security Basics mailing list archives
Using Private vlans
From: avi shvartz <yram () netvision net il>
Date: Fri, 22 May 2009 20:43:13 +0300
Hello list,

We are in a design process of network infrastructure that will allow our workers to connect to the Internet from their personal workstations in the campus. There is a decision to use Virtual Desktop Infrastructure (VDI) technology for the connection: the user will have an "Internet connection" icon on his local desktop; clicking on it will activate a dedicated virtual machine (VM) that is security hardened and contains only a browser and several other Internet-oriented applications.

That VM will be located in a different communication segment (separate VLAN) in that new infrastructure, and will be isolated from the campus network and from the Internet via firewalls. All the communication to/from the campus and to/from the Internet will be scanned and filtered. IPS/IDS are all in place as well.

The security folks want to add another level of separation: define each VM (there can be up to 8,000 such machines) in that segment in an Isolated Private VLAN (I-PVLAN). The main claims:

- The VM will still be separated from the network even in case of a hostile takeover from the Internet.
- In such usage, those VMs are going to communicate with the Internet only and not with each other or with other resources in the campus, so it's not a big problem from a maintenance point of view.

The sysadmins (communication and system) are against it:

- Communication: yet another complexity.
- System: there will be connections to resources in the campus such as printing, file transfer, software distribution etc., so it's more ongoing maintenance.

I would like to ask the following:

- Any experience implementing Internet access using VDI? Conclusions? Best practices?
- Any experience implementing I-PVLAN in such cases? In other segments of the enterprise network? Conclusions?
- As a continuation of the Simplicity vs. Security discussion, any thoughts? A "bottom line"?
Thank you all for your time and kind help,
Avi
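An added example, not from Avi's post, of how the isolated PVLAN arrangement described above is expressed on a Cisco IOS switch. It assumes constructed values: primary VLAN 100, isolated secondary VLAN 101, the firewall uplink on Gi1/0/1 and the VDI host ports on Gi1/0/2 - 48. Host ports can reach only the promiscuous port, so VM-to-VM traffic is blocked at layer 2 and every campus resource (printing, file transfer, software distribution) is reachable only through the firewall.

```cisco
! Added example, not from the original post. Constructed values:
! primary VLAN 100, isolated secondary VLAN 101, firewall uplink on
! Gi1/0/1, VDI hypervisor/host ports on Gi1/0/2 - 48.
!
! Private VLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! Primary VLAN: carries traffic from the promiscuous (firewall) port.
vlan 100
 name VDI-INTERNET-PRIMARY
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: members can talk only to promiscuous ports,
! never to each other. One isolated VLAN covers all VMs; you do not
! need one VLAN per machine even with 8,000 of them.
vlan 101
 name VDI-INTERNET-ISOLATED
 private-vlan isolated
!
! Promiscuous port toward the firewall that fronts the Internet and
! the campus. Every VM-to-campus flow (printing, file transfer,
! software distribution) crosses this port and is inspected there.
interface GigabitEthernet1/0/1
 description Uplink to Internet/campus firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Host ports for the hardened browser VMs.
interface range GigabitEthernet1/0/2 - 48
 description VDI browser VM host ports
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Verification: "show vlan private-vlan" lists the primary/isolated
! pair and the ports in each; "show interfaces Gi1/0/2 switchport"
! confirms the port is operating in private-vlan host mode.
```

The physical switch only isolates ports from each other; VMs on the same hypervisor host share one port, so the virtual switch must enforce the same isolation (for example, the PVLAN support on a vSphere distributed switch) or VMs on one host can still reach each other.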