Print Download PDF Send Feedback

Previous

Next

Organizational Deployment Strategies

This section presents deployment scenarios for different types of large organizations and illustrates how VSX provides security both internally and at the perimeter. The discussion covers the following types of organizations:

Enterprise Deployments

Large enterprise network environments typically have a variety of diverse networks, distributed over multiple locations around the world. These networks often have different security and access requirements for various departments and branches. The ability to centrally manage cyber security, and to maintain throughput, is a critical requirement.

Core Network Security

Many Enterprise environments are based on core networks. Situated adjacent to core network backbone switches, VSX protects the internal network by providing security at layer-2, layer-3 or both. VSX communicates with the core network using the existing infrastructure. With Virtual Systems in the Bridge Mode, VSX can protect departmental networks, while simultaneously preventing network segmentation. In this case, switches are located at the entrance to each department's network.

Item

Description

 

Item

Description

1

Internet

 

8

LAN Switches

2

Core Network Backbone switch

 

9

Sales

3

VSX Cluster

 

10

Finance

4

Router

 

Sync Network

5

VLAN

 

Physical Interface

6

Member 1

 

VLAN Trunk

7

Member 2

 

 

 

VSX ensures connectivity between the core network and the Internet or external networks, while providing perimeter security. Security can be configured on a per VLAN basis.

Dynamic Routing

In an enterprise network with dynamic routing protocols (OSPF/BGP), VSX secures the DMZ services, VPN peers, Domains and partner networks.

In this example, BGP neighbor updates in the routed core network are selectively redistributed to application networks. OSPF provides connectivity between Virtual Routers, Virtual Systems, the core network and application networks.

Item

Description

 

Item

Description

1

Internet

 

6

Partner Network

2

Virtual Routers

 

7

BGP

3

OSPF

 

8

OSPF 802.1q

4

Virtual Systems

 

9

BGP in Routed Core

5

Extranet

 

10

DMZ

Perimeter Security

For example, security is enforced on each VLAN. The OSPF and BGP Dynamic routing protocols provide connectivity to multiple security zones along the perimeter.

Item

Description

 

Item

Description

1

Partner Access

 

6

BGP

2

Customers

 

7

VSX Cluster

3

IPsec tunnel

 

8

802.1q VLAN Trunk

4

Internet

 

9

Internal Network

5

Partner

 

10

DMZ

Notes to this scenario:

Managed Service Providers Using Multi-Domain Server

Managed service providers give connectivity and security services for Domain networks. Some of these Domains require remote access capabilities. In this service oriented environment, VSX and Multi-Domain Server provide central management and make connectivity and security easier, without affecting the existing IP topology.

In this scenario, a VSX Cluster is in a Point of Presence (POP) deployment for a service provider. VSX consolidates hardware for the service provider and ensures privacy and secure connectivity solutions (VPN) for users. This scenario is appropriate for High Availability and Virtual System Load Sharing cluster modes.

VSX and Multi-Domain Server provide a centralized, granular provisioning system for a number of Domains. Applications and services are separated by discrete Virtual Systems. Access to these services and applications is based on need.

Scenario:

Item

Description

1

Internet. Routers are between the VSX Cluster Members and the Internet.

2

VSX Cluster. One VSX Cluster Member handles the Local Exchange, and another VSX Cluster Member handles server traffic of different Domains.

3

Core IP VPN Network.

4

Multi-Domain Server at the Network Operation Center monitors POP and connects to VSX Gateway. The Multi-Domain Log Server in the NOC collects data for each Domain and stores the logs in separate private databases.

5

Multi-Domain Server at the NOC and the VSX Gateway make the Local Exchange.

6

Domain A web servers.

7

Domain B DMZ.

8

Domain C mail servers.

9

PE Router.

10, 11, 12

Domain A, B, and C. Each Domain manages its own security and cannot define Virtual Systems or other network components. Domains have secure VPN connectivity.

13

Remote access

Data Centers

Data center providers supply external hosting services for Domain servers and databases. The service typically includes infrastructure, connectivity, and security for multiple Domains.

For example, you can have a scenario such as:

For cyber security and management, the data center provider deploys a VSX Gateway with one Virtual System for each Domain.

Item

Description

 

Item

Description

1

Remote Users

 

10

Virtual System for Customer A

2

Internet

 

11

Virtual System for Customer C

3

Remote network behind VPN-1 Edge

 

12

Customer C

4

Customer B

 

13

Data Center

5

Customer A

 

14

Customer A web servers each with separate VLAN ID

6

MPLS Backbone

 

15

Customer B mail servers

7

802.1q

 

16

Customer A Extranet

8

VSX Gateway

 

17

Customer C databases

9

Virtual System for Customer A

 

 

 

This scenario offers a cost effective scalability solution for network expansion by means of remote connectivity. In this example, a VPN connection between a Domain Virtual System and a Check Point appliance that protects a remote network, integrates that network in the MPLS core. A Virtual System can give access to remote users who connect intermittently.

Data Centers in an Enterprise

This example scenario illustrates how VSX provides security management for enterprise data centers. By assigning layer-2 connections to Virtual Systems, VSX reduces the number of physically managed devices within a data center while providing the same high level of security.

For example, a VSX Gateway allows authorized users to access data center resources. The objective here is to protect shared resources with differing access permissions and security requirements, while implementing network granularity.

Item

Description

 

Item

Description

1

Internet

 

7

VLAN Trunk

2

VSX Gateway

 

8

Web Servers VLAN 02

3

VLAN 02

 

9

Data Bases VLAN 03

4

VLAN 03

 

10

Application A VLAN 04

5

VLAN 04

 

11

Application B VLAN 05

6

VLAN 05

 

 

 

For example, one Virtual System protects databases against SQL vulnerabilities. Another Virtual System protects Web Servers using IPS. When new applications and services are added to the enterprise data center, new Virtual Systems are easily created to secure them according to their specific requirements.