Classification of enterprise network security patterns in a virtual environment

Source: Internet
Author: User
Tags: virtual environment, firewall

Enterprise IT organizations are usually organized around the compute, network, storage, and security areas of maintenance and support. These teams specialize further according to their influence and skill areas, and their responsibilities and resources are divided into business, architecture, and engineering roles.

These organizational structures are layered, standardized, and process-driven, and they cannot be aligned with the agile methods needed once the environment becomes highly virtualized. When a single system administrator is responsible for all virtualization functions, the technical domains are integrated and abstracted away from the traditional team boundaries.

While this consolidation of architecture and IT roles forces new operating models to emerge, our approach to protecting the virtual environment has not evolved alongside them.

Modes of protecting workloads

When a team considers the security of the enterprise network in a virtual environment, or uses virtualization to deliver security services, it can choose physical device mode, virtual device mode, or a combination of the two:

Physical device enforced security. Network teams use virtual LANs and IP subnets to manage the physical network and segment it logically. This lets routers or firewalls combine physical air gaps with interface- or zone-based isolation. In this case a dedicated team maintains the standalone virtual switches and the network topology that connects the virtual hosts. Within a single zone (physical or virtual), generally no technology is applied specifically to workload security. If a workload attempts to cross a zone boundary, its traffic must pass through a physical firewall or router outside the virtual compute infrastructure. This is the classic "horseshoe" (hairpin) perimeter security design pattern.

Virtual device enforced security. In this pattern, the system administrator places logical virtual "edge" security and routing devices in front of the collection of workloads in each logical zone. These virtual devices (themselves virtual machine workloads) replace the physical devices but sit closer to the workloads they protect. When traffic needs to cross a zone boundary, the virtual device nearest the relevant workload decides how to forward it and how to secure it. Logical segmentation is easy to apply in the physical network, but because so much traffic now moves within the virtual network, the physical firewall never sees it at all. In this architecture the security policies are therefore only loosely coupled to the physical separation or segmentation of the underlying network.

Physical and virtual devices. Combining the two models provides logical segmentation plus physical isolation of the zone, with a cluster of virtual hosts dedicated to each workload cluster. This approach delivers optimized local segmentation and forwarding of virtual workloads (with context), but it usually means lower virtualization consolidation ratios, because the virtualized clusters are constrained by the zones and services they serve. On the other hand, this model is the one most readily accepted by compliance, audit, and risk teams.

A combination of hypervisor and virtual devices, with security enforced in the hypervisor based on workload isolation. Policy is written and attached to the workload, travels with the workload across the virtualization fabric itself, and is enforced in the hypervisor alone or in the hypervisor together with integrated virtual devices. Because it is integrated with the virtual environment and the virtualization platform, this approach provides very high performance and genuinely protects the workload itself, whether it sits on a physical or logical network and even when the workload is mobile and migrates between hosts.

Blended mode. This pattern combines any or all of the options above. It has the potential to provide a truly homogeneous approach with the most flexible enforcement capabilities, but the trade-off is that it is very complex. Blended mode requires an integrated approach across functional teams and relies on a high degree of workflow automation.
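The practical difference between these patterns is which flows an enforcement point ever gets to inspect. The following is an added illustration, not code from the original page or from any vendor product: a small Python model with a constructed inventory of four workloads across two zones and two hypervisor hosts, a handful of constructed flows, and a role-based policy. `enforcement_point` says where (if anywhere) a flow is inspected under the physical, virtual-edge, combined, and hypervisor patterns; `decide` returns "allow", "deny", or "unseen"; and `migrate` moves a workload to another host to show that a workload-attached policy follows it. All names, hosts, zones, and ports are assumptions made for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str   # logical zone: the VLAN / IP subnet the network team carved out
    host: str   # hypervisor the VM currently runs on
    role: str   # tag that a workload-attached policy keys on


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Constructed inventory: the database was placed in the same zone as the app tier,
# which is exactly the situation where zone-boundary controls see nothing.
INVENTORY = {
    "web1": Workload("web1", "dmz", "hostA", "web"),
    "app1": Workload("app1", "app", "hostA", "app"),
    "app2": Workload("app2", "app", "hostB", "app"),
    "db1": Workload("db1", "app", "hostB", "db"),
}

# Constructed sample traffic.
FLOWS = [
    Flow("web1", "app1", 8080),  # crosses dmz -> app: a zone-boundary device sees it
    Flow("app1", "db1", 3306),   # stays inside the app zone: east-west traffic
    Flow("app2", "db1", 3306),
    Flow("web1", "db1", 3306),   # web talking straight to the database
    Flow("app1", "app2", 22),    # lateral SSH between two app servers
]

# Policy intent, expressed once as (source role, destination role, port).
# Every pattern enforces the same intent; only the enforcement point differs.
POLICY = {
    ("web", "app", 8080),
    ("app", "db", 3306),
}


def enforcement_point(pattern, flow, inventory):
    """Name the device that inspects this flow under the pattern, or None if nothing does."""
    s, d = inventory[flow.src], inventory[flow.dst]
    crosses_zone = s.zone != d.zone
    if pattern == "physical":
        # Pattern 1: only a physical firewall/router between zones (the hairpin).
        return "physical-firewall" if crosses_zone else None
    if pattern == "virtual_edge":
        # Pattern 2: a virtual edge appliance fronts each zone; still zone-crossing only.
        return f"vedge-{s.zone}" if crosses_zone else None
    if pattern == "combined":
        # Pattern 3: physical isolation plus the virtual edge; same flow coverage as 2.
        return f"physical-firewall+vedge-{s.zone}" if crosses_zone else None
    if pattern == "hypervisor":
        # Pattern 4: policy rides with the workload and is enforced at its hypervisor,
        # so every flow is inspected, including intra-zone and intra-host traffic.
        return f"vswitch@{d.host}"
    raise ValueError(f"unknown pattern {pattern!r}")


def decide(pattern, flow, inventory, policy=POLICY):
    """Return 'allow', 'deny', or 'unseen' (no control in this pattern inspects the flow)."""
    if enforcement_point(pattern, flow, inventory) is None:
        return "unseen"
    s, d = inventory[flow.src], inventory[flow.dst]
    return "allow" if (s.role, d.role, flow.port) in policy else "deny"


def coverage(pattern, flows=FLOWS, inventory=INVENTORY):
    """Map each flow to its decision under the given pattern."""
    return {f"{f.src}->{f.dst}:{f.port}": decide(pattern, f, inventory) for f in flows}


def migrate(name, new_host, inventory=INVENTORY):
    """Return a new inventory with the workload moved to another hypervisor host."""
    moved = dict(inventory)
    moved[name] = replace(inventory[name], host=new_host)
    return moved


if __name__ == "__main__":
    for pattern in ("physical", "virtual_edge", "combined", "hypervisor"):
        print(pattern, coverage(pattern))
    # After a live migration the workload-attached policy is still enforced, now on hostA.
    after = migrate("db1", "hostA")
    print("after migration:", enforcement_point("hypervisor", Flow("app1", "db1", 3306), after))
```

Running it shows the gap the text describes: under the first three patterns the three intra-zone flows (both database connections and the lateral SSH) come back "unseen", while the hypervisor pattern allows the legitimate app-to-db traffic and denies the SSH and the direct web-to-db connection, and keeps doing so after `db1` migrates onto the same host as `app1`.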
