Software-defined Protection - page 13

ENFORCEMENT LAYER | 01 ENTERPRISE SECURITY BLUEPRINT
Security Virtualization
While gateway consolidation can achieve significant cost benefits, enforcement point consolidation can present some disadvantages. In particular, a more complex security policy can translate into an increased risk for configuration errors. For example, a misconfigured rule allowing access between two internal segments might inadvertently allow inbound Internet access.

As an alternative to the monolithic configuration depicted in Figure 1-C, a virtual security gateway can be considered (Figure 1-D). Under this scenario, a single appliance hosts multiple virtual systems. Each system is logically equivalent to a security gateway and can be managed independently.

Security virtualization simplifies management. Each virtual system corresponds to a security segment enforcement point, and its security controls can be deployed and managed independently. At the same time, the use of a unified hardware platform helps deliver a lower cost of ownership.
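As an added illustration (not part of the blueprint), the following Python models the consolidation risk described above: the same accept rule with an over-broad "Any" source is checked on a consolidated gateway that faces the Internet and on a virtual system attached only to internal segments. The segment addresses, the rule and the function names are constructed for the example.

```python
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network
# Constructed segment addresses (hypothetical; not taken from the blueprint).
SEGMENTS: Dict[str, Net] = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.20.0.0/16"),
    "INTERNAL_SERVERS": ipaddress.ip_network("10.30.0.0/24"),
    "SENSITIVE_SERVERS": ipaddress.ip_network("10.40.0.0/24"),
}
INTERNET = ipaddress.ip_network("0.0.0.0/0")  # an Internet-facing interface can receive from anywhere

def uncovered(net: Net, covers: List[Net]) -> List[Net]:
    """Address space of `net` that lies outside every network in `covers`."""
    remaining = [net]
    for cov in covers:
        nxt: List[Net] = []
        for n in remaining:
            if n.subnet_of(cov):
                continue                              # fully covered: nothing leaks
            elif cov.subnet_of(n):
                nxt.extend(n.address_exclude(cov))    # carve the cover out of n
            else:
                nxt.append(n)                         # disjoint: unchanged
        remaining = nxt
    return remaining

def exposure(rule: Dict[str, str], attached: List[Net]) -> List[Net]:
    """Source address space an accept rule admits into an internal segment that
    belongs to no internal segment. `attached` is the address space the
    enforcement point faces on its own interfaces: [INTERNET] for a gateway
    with an Internet leg, or only its segments for a virtual system without one."""
    src, dst = ipaddress.ip_network(rule["src"]), ipaddress.ip_network(rule["dst"])
    if rule["action"] != "accept" or not any(dst.subnet_of(s) for s in SEGMENTS.values()):
        return []
    # Traffic matching `src` can only arrive from address space the device faces.
    effective = [src if src.subnet_of(a) else a for a in attached
                 if src.subnet_of(a) or a.subnet_of(src)]
    leaked: List[Net] = []
    for e in effective:
        leaked.extend(uncovered(e, list(SEGMENTS.values())))
    return leaked

def admits(leaked: List[Net], address: str) -> bool:
    """True if the leaked space contains `address` (e.g. an Internet host)."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in leaked)

# Constructed rule: "Any" was used where the author meant the LAN segment.
RULE_ANY_TO_INTERNAL = {"name": "lan-to-internal", "src": "0.0.0.0/0",
                        "dst": "10.30.0.0/24", "action": "accept"}
```

On the consolidated gateway the rule admits Internet sources into the internal server segment; inside a virtual system that only has LAN and internal-server legs, the same rule cannot be reached from the Internet at all.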
Server Virtualization (Cloud)
In a server virtualization environment (see Appendix - Design Pattern: Cloud), virtual security gateways can be implemented using virtual machines (VMs), as depicted in Figure A-D. The cloud infrastructure provides the underlying virtualization technology and ensures that inter-segment traffic flows through the VM-level enforcement points by creating VLANs and connecting them through the enforcement point. Traffic
[Figure 1-D: Security virtualization (security control virtualization). A virtualized security gateway hosting several virtual systems connects the INTERNET and MPLS links to the DMZ, LAN, SENSITIVE SERVERS, INTERNAL SERVERS and DEPARTMENTAL SERVERS segments.]

Pull quote: Security virtualization simplifies management and delivers a lower cost of ownership.