Best IT Documents.com Blog


Characteristics of the Cloud Network of the Future

Posted in Security (1500),Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the August 18th, 2017

While perimeter defenses may remain in place, they will play a lesser part of the overall protective function and become more distributed. Above depicts scenarios in which the combination of network firewalls and security overlays allows implementation of a typical zone model across the multiple organizations, sites, users and mobile devices that perform the work of the enterprise.

 

While cautioning that much of the vision of de-perimeterized is not yet practical, there is a clear value in adopting a layered model approach as a targeted security model for the future. The reality of de-perimeterization shifts the emphasis on risk mitigation and investment in policy enforcement mechanisms to resources-hosting systems and applications.

 

Fundamentals

  1. The scope and level of protection should be specific and appropriate to the asset at risk.
  • Business demands that security enables business agility and is cost-effective.
  • Whereas boundary firewalls may continue to provide basic network protection individual systems and data will need to be capable of protecting themselves.
  • In general, it’s easier to protect an asset the closer protection is provided.
  1. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
  • Unnecessary complexity is a threat to good security.
  • Coherent security principles are required which span all tiers of the architecture.
  • Security mechanisms must scale; from small objects to large objects.
  • To be simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms.
  1. Assume context at your peril.
  • Security solutions designed for one environment may not be transferable to work in another. Thus, it is important to understand the limitations of any security solution.
  1. Problems, limitations, and issues can come from a variety of sources, including geographic, legal, technical, acceptability of risk, etc. Devices and applications must communicate using open, secure protocols.
  • Security through obscurity is a flawed assumption – secure protocols demand open peer review to provide robust assessment and thus wide acceptance and use.
  • The security requirements of confidentiality, integrity, and availability (reliability) should be assessed and built in to protocols.
  • Encrypted encapsulation should only be used when appropriate and does not solve everything.
  1. All devices must be capable of maintaining their security policy on an un-trusted network.
  • A “security policy” defines the rules with regard to the protection of the asset.
  • Rules must be complete with respect to an arbitrary context.

Any implementation must be capable of surviving on the raw Internet; e.g., will not break on any input.

Comments Off on Characteristics of the Cloud Network of the Future

Sample – Cloud Zoning Architecture

Posted in Visio Samples - Stencils (457) by Guest on the August 10th, 2017

Zones are defined by the sequences of protective measures employed at their perimeters. Zones that do not allow direct connections from outside the organization are considered further inside the organization than zones that allow connections from the outside. Zones that do not allow any traffic (inbound or outbound) to systems outside the organization are considered the furthest inside. In effect, the perimeter protections of a zone build on those of zones farther outside create a defense in depth.   Thus, as we move into the organization, the susceptibility of each zone to successful attack and exploitation from outside the organization is likely to be lower than that of each zone to successful attack and exploitation from outside the organization is likely to be lower than that of the next zone out on the ring of trust. Conversely, outer zones are subject to more attach and must provide appropriate security for resisting those attacks.

 

However, all else being equal the larger the zone, the more risk of unauthorized penetration. For many organizations, replacing the “flat-network” architecture (i.e., where a small number of centralized firewalls control access to thousands of end user devices, offices, etc.,) with a logically and physically sub-zoned network is the answer. The replacement strategy is to retract the network firewalls that really matter to the data center edge, equip endpoints to self protect, but don’t trust them too much.

Risks

  1. Political considerations require strong sponsorship and clear (initial funding).
  2. Multiple stakeholders and IT groups will need to be involved.
  3. Technology risk associated with being an early adopter:
  4. Standards are immature, and few organizations have deployed cloud network architecture.
  5. Vendor product roadmaps are aggressive, and product cycles are accelerated.
  6. Interdependencies lead to complexity; will require careful planning
    1. Multiple interdependent IT initiatives’ create potential for project slippage delays.
    2. Prioritize foundational projects to lay groundwork.
    3. Troubleshooting is more complex when so many changes are being made over a relatively short period.
  7. Multiple solutions can lead to inconsistent controls:
    1. A combination of technical approaches may be needed to support all of the identified use cases.
    2. Each approach involves an administrative process for defining and managing controls, which could get out of synch.
  8. Trade-off between secure communication and policy enforcement:
    1. Encrypted traffic may prevent inspection and enforcement of controls needed for compliance.
  9. Risk of malware from unmanaged and lightly managed endpoints continues to increase:
    1. NAC-style scanning and enforcement may be needed.
  10. Maturity and migration risks:
    1. Some of the technical mechanisms have seen limited use and may experience typical early product life cycle problems.
  11. Support for the added complexity involved with mixed IPv4 and IPv6 will be required for a long time.
Comments Off on Sample – Cloud Zoning Architecture

Enterprise Cloud Network Architecture Risks

Posted in Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the August 8th, 2017

Introduction

Today effective security network control is declining due to de-perimeterization, an emerging term used to describe the erosion of the enterprise firewall as a single point of control due to many trends including workforce mobility, smarter mobile devices, business partnerships, wireless access, Service Oriented Architecture (SOA) and Software as a Service (SaaS).

New technologies, products and services, customers, and user behaviors will continue to drive significant changes to our enterprise network infrastructures and its management.

Some of the more significant Enterprise trends that will continue to pose challenge to the Corporate Enterprise Network include:

  1. Externalization: Use of IT products and services outside of the enterprise
  2. Consumerization: Desire of individuals to choose personal devices / services / apps
  3. Democratization: Rise of social networks within / external to the enterprise
  4. Business Process Transformation: Aligning Corporate people, process and technology initiatives more closely with the Corporate business strategy and vision.
Comments Off on Enterprise Cloud Network Architecture Risks

We are still here… just really busy

Posted in Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the August 2nd, 2017
Comments Off on We are still here… just really busy

Configuring the Syslog Service on VMware

Posted in Virtual - VMWare (30),Visio Samples - Stencils (457) by Guest on the July 30th, 2017
All ESX and ESXi hosts run a syslog service (syslogd), which logs messages from the VMkernel and other system components to a file.
To configure syslog for an ESX host:
Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX host. To configure syslog for an ESX host, you must edit the /etc/syslog.conf file. 
To configure syslog for an ESXi host:
On ESXi hosts, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to configure the following options:
  • Log file path: Specifies a datastore path to the file syslogd logs all messages.
  • Remote host: Specifies a remote host to which syslog messages are forwarded. In order to receive the forwarded syslog messages, your remote host must have a syslog service installed.
  • Remote port: Specifies the port used by the remote host to receive syslog messages.
To configure syslog using vSphere CLI command:
For more information on vicfg-syslog, refer the vSphere Command-Line Interface Installation and Reference Guide.
To configure syslog using vSphere Client:
  1. In the vSphere Client inventory, click on the host.
  2. Click the Configuration tab.
  3. Click Advanced Settings under Software.
  4. Select Syslog in the tree control.
  5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog will log messages. If no path is specified, the default path is /var/log/messages.
The datastore path format is [<datastorename>] </path/to/file> where the path is relative to the root of the volume backing the datastore.
Example: The datastore path [storage1] var/log/messages maps to the path / vmfs/volumes/storage1/var/log/messages.
  1. In the Syslog.Remote.Hostname text box, enter the name of the remote host where syslog data will be forwarded. If no value is specified, no data is forwarded.
  2. In the Syslog.Remote.Port text box, enter the port on the remote host where syslog data will be forwarded. By default Syslog.Remote.Port is set to 514, the default UDP port used by syslog. Changes to Syslog.Remote.Port only take effect if Syslog.Remote.Hostname is configured.
  3. Click OK.
Comments Off on Configuring the Syslog Service on VMware

Six common Cloud Services Requirements

Posted in Virtual - VMWare (30),Visio Samples - Stencils (457) by Administrator on the July 17th, 2017
  1. Wide-area networking
  2. Intra-cloud network
  3. Compute cluster (Virtual instance) – (Elastic)
  4.  Storage service (Blob, Table and Queue)
  5.  Disaster Recovery / Business Continuity
  6.  Security (design, build, deployment, management / maintenance)
Comments Off on Six common Cloud Services Requirements
« Previous PageNext Page »