Software-defined Protection - page 14

ENTERPRISE SECURITY BLUEPRINT
01 ENFORCEMENT LAYER
mediation between different VMs on the same physical host can be efficiently handled by an
enforcement point running in a VM on the host.
Enforcement can also be integrated into the hypervisor itself, ensuring that all information
flows are mediated, without requiring re-engineering of the virtual network to position
virtual machines behind the enforcement point. The hypervisor-level enforcement point uses
API hooks provided by the virtualization platform in order to receive all network traffic to
and from the hosted VMs.
Server virtualization environments can also incorporate physical virtualized security gateways
(as depicted in Figure 1-D), offloading security processing from the virtualized server onto
high-performance custom security hardware.
Virtual LANs (VLAN)
VLANs are a key networking mechanism used to segment the enterprise network. A security
gateway connected to a switch through a trunk interface receives tagged frames from many
VLANs and can analyze and forward traffic between them. This configuration allows a single
security gateway to control network traffic between hundreds of VLANs. In Figure 1-E, the
switch would be configured to forward all frames flowing from VLAN02 to VLAN03 through
the security gateway, ensuring that inter-segment traffic is mediated by the virtualized
segment enforcement point implemented on the gateway.
The main drawback of VLAN-based segmentation is its reliance on the network switch to
enforce the segment separation policy, since switches are themselves subject to attack.
Misconfiguration may allow them to be bypassed by VLAN-hopping attacks (for example, an
access port left to auto-negotiate trunking, or an attacker port that sits in the trunk's
native VLAN, which lets double-tagged frames cross), allowing a host in one VLAN to reach
another. Therefore, combinations of virtual and network separation should be used to
provide graded levels of inter-segment separation.
Figure 1-E: Using VLANs for network segmentation (Internet; networks 02 to 05 mapped to VLAN02, VLAN03, VLAN04 and VLAN05; inter-VLAN traffic passes through the security gateway on a trunk)
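The following is an added example, not code from the Software-defined Protection paper or from any Check Point product. It models what the gateway on the trunk in Figure 1-E has to do with each frame: read the 802.1Q tag to learn the ingress segment, look up the egress segment from the IP destination, apply a default-deny inter-segment policy (only VLAN02 to VLAN03 is permitted, as in the figure text), reject frames whose source address does not belong to the tagged VLAN, and refuse any frame carrying a nested second tag, which is the shape a double-tagging VLAN-hopping attempt takes. The /24 per VLAN, the MAC addresses and the frames themselves are constructed for the example; the policy is stateless and one-directional to keep the logic visible.

```python
"""802.1Q trunk parsing and inter-VLAN policy check (added example, not from
the original paper). All addressing and frames below are constructed."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed addressing: each VLAN from Figure 1-E gets a /24 (hypothetical).
SEGMENTS = {
    2: ipaddress.ip_network("10.0.2.0/24"),
    3: ipaddress.ip_network("10.0.3.0/24"),
    4: ipaddress.ip_network("10.0.4.0/24"),
    5: ipaddress.ip_network("10.0.5.0/24"),
}
# Inter-segment policy (hypothetical): (ingress VLAN, egress VLAN) pairs the
# gateway forwards. Anything not listed is dropped (default deny).
ALLOWED = {(2, 3)}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, the stack of 802.1Q VLAN ids
    (outermost first) and the payload ethertype. A trunk carries one tag per
    frame; a second nested tag is what a double-tagging attack relies on."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    vids = []
    while ethertype == ETHERTYPE_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset + 2:offset + 6])
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN id
        offset += 4
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for the example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 0, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def build_frame(vids, payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Assemble a frame with zero or more 802.1Q tags (constructed test input)."""
    frame = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    for vid in vids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def egress_vlan(dst_ip):
    """Map a destination address to the VLAN that owns its subnet, or None."""
    for vid, net in SEGMENTS.items():
        if dst_ip in net:
            return vid
    return None


def decide(frame: bytes) -> str:
    """Apply the inter-segment policy to one frame arriving on the trunk.
    Returns 'forward' or 'drop: <reason>'."""
    info = parse_frame(frame)
    if not info["vids"]:
        return "drop: untagged frame on trunk"
    if len(info["vids"]) > 1:
        return "drop: nested 802.1Q tags (double-tagging attempt)"
    ingress = info["vids"][0]
    if ingress not in SEGMENTS:
        return f"drop: unknown VLAN {ingress}"
    if info["ethertype"] != ETHERTYPE_IPV4 or len(info["payload"]) < 20:
        return "drop: policy covers IPv4 only"
    src_ip = ipaddress.ip_address(info["payload"][12:16])
    dst_ip = ipaddress.ip_address(info["payload"][16:20])
    if src_ip not in SEGMENTS[ingress]:  # anti-spoofing: source must match its VLAN
        return f"drop: source {src_ip} does not belong to VLAN{ingress:02d}"
    egress = egress_vlan(dst_ip)
    if egress is None:
        return f"drop: no segment for destination {dst_ip}"
    if (ingress, egress) not in ALLOWED:
        return f"drop: policy denies VLAN{ingress:02d} -> VLAN{egress:02d}"
    return "forward"


if __name__ == "__main__":
    samples = {
        "VLAN02 -> VLAN03": build_frame([2], ipv4_header("10.0.2.10", "10.0.3.20")),
        "VLAN03 -> VLAN02": build_frame([3], ipv4_header("10.0.3.20", "10.0.2.10")),
        "double tagged":    build_frame([1, 3], ipv4_header("10.0.2.10", "10.0.3.20")),
        "spoofed source":   build_frame([2], ipv4_header("10.0.4.10", "10.0.3.20")),
    }
    for name, frame in samples.items():
        print(f"{name:18s} {decide(frame)}")
```

The double-tag check is the part that matters for the caveat in the text: a switch that strips the native-VLAN outer tag hands the inner-tagged frame to the next hop, so an enforcement point that only reads the first tag would classify the frame by the wrong segment. Parsing the full tag stack and dropping anything with more than one tag closes that gap on the gateway side, independent of whether the switch was hardened.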