Application publishing and network isolation using Virtualization

Source: Internet
Author: User

At present, many organizations plan for security from the very beginning of network construction. One such security measure is to isolate the network. So-called network isolation is the concept of "getting out": either getting out of the enterprise intranet, or getting out of the enterprise Internet. Physical isolation is obviously one solution for security. However, once two networks are built, the maintenance cost of enterprise IT increases rapidly. For the intranet, secure access and identity authentication, virus protection, data leakage, and removable media management must be considered. For the Internet, behavior auditing, traffic management, and access control must be considered. In short, the cost after isolation is more than many enterprises imagine, so many did not achieve the expected design effect. So is physical isolation necessary?

Let's look at where the policies and requirements for physical isolation come from.

1. Document 17 of the General Office of the CPC Central Committee stipulates that the E-government network consists of the government intranet and the government Internet. The two networks are physically isolated and the government Internet and the Internet are logically isolated.

2. Article 6 of Chapter 2 of the State secrecy administration on International Network of Computer Information Systems (ICPs) stipulates: "All computer information systems involving state secrets shall not directly or indirectly connect to the Internet or other public information networks."

3. Classified Protection GB/T 22239-2008, border integrity check (S3):

A) It should be possible to inspect the behavior of unauthorized devices connecting to the internal network without authorization, accurately determine the location, and effectively block it.

B) It should be possible to inspect the behavior of internal network users privately accessing the external network, accurately determine the location, and effectively block it.

What security risks do enterprises face if they are not isolated?

1. Important information systems may face multiple threats, such as illegal attacks, malicious scans, data leaks, and database tampering, so the operation of information systems carries security risks.

2. Without intranet/Internet isolation, the overall controllability of network security is reduced and resistance to attack is low.

3. Because intranet terminals are not isolated between the internal and external networks, they are easily used as springboards for attacks. Internet security risks such as viruses, worms, and backdoor trojans spread to the entire network or to an important application server zone.

4. Branches use both the intranet and the Internet, so security risks easily spread to the group headquarters.

5. Remote users lack the necessary third-party identity authentication and access, so unauthorized access and unauthorized operations exist.

6. Sorting out the business traffic of the entire network is complicated, and the access control policies must be strict and complex.

7. Leakage of enterprise data is highly likely.

8. Mixed use of the intranet and the Internet makes various faults highly likely.

Besides physical isolation, is there any other good solution for network separation? Many people adopt logical isolation, that is, a firewall for access control plus division into zones and isolation between them. More security devices, such as an IPS, may also be added. Of course, some people have also added network switches for physical isolation. What else?

Virtualization may be a solution. A virtual area is added to the network, which defines the office business area, and each area has its own virtual desktop for access. This may achieve the following:

Are two computers isolated and disabled? Can business applications be ported to the intranet without affecting user experience (on any device, anywhere)? Can the intranet and Internet security planning be completed quickly at reasonable cost?

Virtualization does not require a high-performance access terminal (because the operation is not on the terminal). Virtualization does not require a large bandwidth (because only image changes and mouse and keyboard commands are transmitted, using the ICA protocol). Virtualization does not need to worry about data leaks: all data is stored in the data center and can be audited. Virtualization does not require administrators to worry about patches and anti-virus (because the technology solves these management problems). Virtualization does not have to worry about poor user experience (because all operations are the same as on a local computer; applications are published through IE as standard business releases, with the various plug-ins already installed).
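One way to check a firewall ruleset against the isolation model described above, as an added example that is not part of the original article: terminals may reach the virtual desktops only over ICA, and only the desktops reach the business zone or the Internet. The zone names, address ranges, permitted zone pairs and sample rules are constructed assumptions; 1494 and 2598 are the default Citrix ICA ports.

```python
from ipaddress import ip_network

# Constructed addressing plan; zone names and ranges are assumptions.
ZONES = {
    "terminals": ip_network("10.10.0.0/16"),
    "intranet_desktop": ip_network("10.20.1.0/24"),
    "internet_desktop": ip_network("10.20.2.0/24"),
    "business": ip_network("10.30.0.0/16"),
}
ICA_PORTS = {1494, 2598}  # ICA, and ICA carried over session reliability (CGP)

# Permitted zone pairs; None means any port. "internet" = outside all zones.
ALLOWED = {
    ("terminals", "intranet_desktop"): ICA_PORTS,
    ("terminals", "internet_desktop"): ICA_PORTS,
    ("intranet_desktop", "business"): None,
    ("internet_desktop", "internet"): None,
}

# Constructed sample ruleset (allow rules only; first-match order is ignored).
RULES = [
    {"id": "R1", "src": "10.10.0.0/16", "dst": "10.20.1.0/24", "port": 1494},
    {"id": "R2", "src": "10.10.0.0/16", "dst": "10.20.2.0/24", "port": 2598},
    {"id": "R3", "src": "10.20.1.0/24", "dst": "10.30.0.0/16", "port": 443},
    {"id": "R4", "src": "10.20.2.0/24", "dst": "203.0.113.0/24", "port": 443},
    {"id": "R5", "src": "10.10.5.0/24", "dst": "10.30.0.10/32", "port": 1433},
    {"id": "R6", "src": "10.20.1.0/24", "dst": "0.0.0.0/0", "port": 443},
    {"id": "R7", "src": "10.10.0.0/16", "dst": "10.20.1.0/24", "port": 3389},
]

def zones_touched(cidr):
    """Every zone a CIDR overlaps, plus 'internet' if it extends beyond them."""
    net = ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")
    return hit

def audit(rules):
    """Return (rule id, src zone, dst zone, port) for each path outside ALLOWED."""
    findings = []
    for rule in rules:
        for src in zones_touched(rule["src"]):
            for dst in zones_touched(rule["dst"]) - {src}:
                ports = ALLOWED.get((src, dst), set())
                if ports is not None and rule["port"] not in ports:
                    findings.append((rule["id"], src, dst, rule["port"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(RULES):
        print("violates isolation model:", finding)
```

R5 is a terminal talking directly to a business server, R6 is an intranet desktop with a catch-all destination that also reaches the Internet, and R7 opens a non-ICA port to the desktops.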

 


On-demand application delivery

Citrix® XenApp™ is an on-demand application delivery solution that allows you to virtualize, centrally store, and manage any Windows application in the data center, and then deliver it to users on demand on any device, anytime, anywhere. More than 0.1 billion users around the world use XenApp. It has a bright future with its widely recognized application compatibility. Compared with traditional application deployment technologies, XenApp-based virtual application delivery can help enterprises improve application management in the following ways:

1. Centrally manage applications in the data center: reduce costs

2. Control and encrypt access to data and applications: improve security

3. Quickly deliver applications to users anywhere

Why do we need to deliver applications on demand?

Virtual application delivery allows the IT department to manage a single portal system, OA system, and financial system in an application center within the data center. Applications are then delivered to terminals through application streaming technology, or run on powerful servers in the data center for users to use online from any device or operating system.

Virtualization is not a solution.

 

 

This article is from the "diving Dragon" blog; please be sure to keep this source: http://chengfei.blog.51cto.com/503939/1166966
