|
|
|
This section presents deployment scenarios for different types of large organizations and illustrates how VSX provides security both internally and at the perimeter. The discussion covers the following types of organizations:
Large enterprise network environments typically have a variety of diverse networks, distributed over multiple locations around the world. These networks often have different security and access requirements for various departments and branches. The ability to centrally manage cyber security, and to maintain throughput, is a critical requirement.
Many Enterprise environments are based on core networks. Situated adjacent to core network backbone switches, VSX protects the internal network by providing security at layer-2, layer-3 or both. VSX communicates with the core network using the existing infrastructure. With Virtual Systems in the Bridge Mode, VSX can protect departmental networks, while simultaneously preventing network segmentation. In this case, switches are located at the entrance to each department's network.
Item |
Description |
|
Item |
Description |
|---|---|---|---|---|
1 |
Internet |
|
8 |
LAN Switches |
2 |
Core Network Backbone switch |
|
9 |
Sales |
3 |
VSX Cluster |
|
10 |
Finance |
4 |
Router |
|
|
Sync Network |
5 |
VLAN |
|
|
Physical Interface |
6 |
Member 1 |
|
|
VLAN Trunk |
7 |
Member 2 |
|
|
|
VSX ensures connectivity between the core network and the Internet or external networks, while providing perimeter security. Security can be configured on a per VLAN basis.
In an enterprise network with dynamic routing protocols (OSPF/BGP), VSX secures the DMZ services, VPN peers, Domains and partner networks.
In this example, BGP neighbor updates in the routed core network are selectively redistributed to application networks. OSPF provides connectivity between Virtual Routers, Virtual Systems, the core network and application networks.
Item |
Description |
|
Item |
Description |
|---|---|---|---|---|
1 |
Internet |
|
6 |
Partner Network |
2 |
Virtual Routers |
|
7 |
BGP |
3 |
OSPF |
|
8 |
OSPF 802.1q |
4 |
Virtual Systems |
|
9 |
BGP in Routed Core |
5 |
Extranet |
|
10 |
DMZ |
For example, security is enforced on each VLAN. The OSPF and BGP Dynamic routing protocols provide connectivity to multiple security zones along the perimeter.
Item |
Description |
|
Item |
Description |
|---|---|---|---|---|
1 |
Partner Access |
|
6 |
BGP |
2 |
Customers |
|
7 |
VSX Cluster |
3 |
IPsec tunnel |
|
8 |
802.1q VLAN Trunk |
4 |
Internet |
|
9 |
Internal Network |
5 |
Partner |
|
10 |
DMZ |
Notes to this scenario:
Managed service providers give connectivity and security services for Domain networks. Some of these Domains require remote access capabilities. In this service oriented environment, VSX and Multi-Domain Server provide central management and make connectivity and security easier, without affecting the existing IP topology.
In this scenario, a VSX Cluster is in a Point of Presence (POP) deployment for a service provider. VSX consolidates hardware for the service provider and ensures privacy and secure connectivity solutions (VPN) for users. This scenario is appropriate for High Availability and Virtual System Load Sharing cluster modes.
VSX and Multi-Domain Server provide a centralized, granular provisioning system for a number of Domains. Applications and services are separated by discrete Virtual Systems. Access to these services and applications is based on need.
Scenario:
Item |
Description |
|---|---|
1 |
Internet. Routers are between the VSX Cluster Members and the Internet. |
2 |
VSX Cluster. One VSX Cluster Member handles the Local Exchange, and another VSX Cluster Member handles server traffic of different Domains. |
3 |
Core IP VPN Network. |
4 |
Multi-Domain Server at the Network Operation Center monitors POP and connects to VSX Gateway. The Multi-Domain Log Server in the NOC collects data for each Domain and stores the logs in separate private databases. |
5 |
Multi-Domain Server at the NOC and the VSX Gateway make the Local Exchange. |
6 |
Domain A web servers. |
7 |
Domain B DMZ. |
8 |
Domain C mail servers. |
9 |
PE Router. |
10, 11, 12 |
Domain A, B, and C. Each Domain manages its own security and cannot define Virtual Systems or other network components. Domains have secure VPN connectivity. |
13 |
Remote access |
Data center providers supply external hosting services for Domain servers and databases. The service typically includes infrastructure, connectivity, and security for multiple Domains.
For example, you can have a scenario such as:
For cyber security and management, the data center provider deploys a VSX Gateway with one Virtual System for each Domain.
Item |
Description |
|
Item |
Description |
|---|---|---|---|---|
1 |
Remote Users |
|
10 |
Virtual System for Customer A |
2 |
Internet |
|
11 |
Virtual System for Customer C |
3 |
Remote network behind VPN-1 Edge |
|
12 |
Customer C |
4 |
Customer B |
|
13 |
Data Center |
5 |
Customer A |
|
14 |
Customer A web servers each with separate VLAN ID |
6 |
MPLS Backbone |
|
15 |
Customer B mail servers |
7 |
802.1q |
|
16 |
Customer A Extranet |
8 |
VSX Gateway |
|
17 |
Customer C databases |
9 |
Virtual System for Customer A |
|
|
|
This scenario offers a cost effective scalability solution for network expansion by means of remote connectivity. In this example, a VPN connection between a Domain Virtual System and a Check Point appliance that protects a remote network, integrates that network in the MPLS core. A Virtual System can give access to remote users who connect intermittently.
This example scenario illustrates how VSX provides security management for enterprise data centers. By assigning layer-2 connections to Virtual Systems, VSX reduces the number of physically managed devices within a data center while providing the same high level of security.
For example, a VSX Gateway allows authorized users to access data center resources. The objective here is to protect shared resources with differing access permissions and security requirements, while implementing network granularity.
Item |
Description |
|
Item |
Description |
|---|---|---|---|---|
1 |
Internet |
|
7 |
VLAN Trunk |
2 |
VSX Gateway |
|
8 |
Web Servers VLAN 02 |
3 |
VLAN 02 |
|
9 |
Data Bases VLAN 03 |
4 |
VLAN 03 |
|
10 |
Application A VLAN 04 |
5 |
VLAN 04 |
|
11 |
Application B VLAN 05 |
6 |
VLAN 05 |
|
|
|
For example, one Virtual System protects databases against SQL vulnerabilities. Another Virtual System protects Web Servers using IPS. When new applications and services are added to the enterprise data center, new Virtual Systems are easily created to secure them according to their specific requirements.
