VMware VSHIELD MANAGER 4.1.0 UPDATE 1 - API Instrukcja Użytkownika Pobierz pdf (Strona 10)

vShield Quick Start Guide

10 VMware, Inc.

Deployment Scenarios

UsingvShield,youcanbuildsecurezonesforavarietyofvirtualmachinedeployments.Youcanisolatevirtual

machinesbasedonspecificapplications,networksegmentation,orcustomcompliancefactors.Onceyou

determineyourzoningpolicies,youcandeployvShieldtoenforceaccessrulestoeachofthesezones.

Protecting the DMZ

TheDMZisamixedtrustzone.ClientsenterfromtheInternetforWebandemailservices,whileservices

withintheDMZmightrequireaccesstoservicesinsidetheinternalnetwork.YoucanplaceDMZvirtual

machinesinaportgroupandsecurethatportgroupwithavShieldEdge.vShield

Edgeprovidesaccess

servicessuchasfirewall,NAT,andVPN,aswellasloadbalancingtosecureDMZservices.

AcommonexampleofaDMZservicerequiringaninternalserviceisMicrosoftExchange.MicrosoftOutlook

WebAccess(OWA)commonlyresidesintheDMZcluster,whiletheMicrosoftExchangebackendis

inthe

internalcluster.Ontheinternalcluster,youcancreatefirewallrulestoallowonlyExchanged ‐relatedrequests

fromtheDMZ,identifyingspecificsource‐to‐destinationparameters.FromtheDMZcluster,youcancreate

rulestoallowoutsideaccesstotheDMZonlytospecificdestinationsusingHTTP,FTP,

orSMTP.

Isolating and Protecting Internal Networks

YoucanuseavShieldEdgewiththePortGroupIsolationfeaturetoisolateaninternalnetworkfromthe

externalnetwork.AvShieldEdgeprovidesperimeterfirewallprotectionandedgeservicestosecurevirtual

machinesinaportgroup,enablingcommunicationtotheexternalnetworkthroughDHCP,NAT,andVPN.

Within

thesecuredportgroup,youcaninstallavShieldAppinstanceoneachESXhostthatthevDSspansto

securecommunicationbetweenvirtualmachinesintheinternalnetwork.

IfyouutilizeVLANtagstosegmenttraffic,youcanuseAppFirewalltocreatesmarteraccesspolicies.Using

AppFirewallinstead

ofaphysicalfirewallallowsyoutocollapseormixtrustzonesinsharedESXclusters.By

doingso,yougainoptimalutilizationandconsolidationfromfeaturessuchasDRSandHA,insteadofhaving

separate,fragmentedclusters.ManagementoftheoverallESXdeploymentasasinglepoolislesscomplex



thanhavingseparatelymanagedpools.

Forexample,youuseVLANstosegmentvirtualmachinezonesbasedonlogical,organizational,ornetwork

boundaries.LeveragingtheVirtualInfrastructureSDK,thevShieldManagerinventorypaneldisplaysaview

ofyourVLANnetworksundertheNetworksview.YoucanbuildaccessrulesforeachVLAN

networkto

isolatevirtualmachinesanddropuntaggedtraffictothesemachines.

1 2 ... 5 6 7 8 9 10 11 12 13 14 15 ... 29 30

Brak uwag

VMware VSHIELD MANAGER 4.1.0 UPDATE 1 - API Instrukcja Użytkownika Strona 10