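How to migrate existing applications to VMware NSX

Security policies need to be adjusted, and identifying and designing the micro-segmentation zones and tiers is difficult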


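This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.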

VMware’s NSX virtual network technology can help organizations achieve a greater level of network security, but how you approach deployment will vary depending on whether you are working with new applications (greenfield) or are moving applications from existing infrastructure to NSX (brownfield).

NSX’s micro-segmentation capabilities essentially allow placement of virtual firewalls around every server to control East-West traffic, thereby limiting lateral exploration of networks by hackers, and making it significantly easier to protect applications and data. It can enable a level of security that previously would have been prohibitively expensive and complicated using traditional hardware.

From a security perspective, a greenfield scenario is ideal because it allows security to be baked in from the start and setting up micro-segmentation is relatively easy. From the outset, security teams can plan the different datacenter zones and tiers they need and assign IP addresses accordingly. They can then create bespoke security policies to support the segmentation architecture to precisely suit their needs. It’s all clean and logical.

However, most organizations will likely face a brownfield scenario, where they are migrating existing applications from a physical to a virtualized environment. In these cases, existing security policies will need to be migrated and adjusted, but chances are the original design didn’t have micro-segmentation in mind, making the process of identifying and designing the zones and tiers within the micro-segmented environments much more difficult.

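It can be challenging to work out which servers should live in which zones, and to determine the necessary firewall rules, because security teams often lack sufficient visibility into the flows between business application components. So how should you go about planning and managing a brownfield application migration to an NSX virtualized environment?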

* Application connectivity: a process of discovery. The critical first step is discovering and mapping the connectivity flows of the applications you wish to migrate. You need to know the existing flows in order to make the necessary changes when you migrate to NSX.

It’s a challenging task that shouldn’t be underestimated. Disciplined organizations that maintain accurate, up-to-date, machine-readable records of the traffic flows supporting each application can quickly start the migration process. In most cases, however, this discovery step will combine all available data sources: importing data from CMDB or home-grown repositories, machine-assisted discovery, and intelligent traffic-based application connectivity discovery.

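* Moving your applications to their new home. Once you have successfully discovered all the traffic flows, you are ready to migrate your applications to NSX. The first step is to identify the servers you need to move; for each of them, you need to define a matching server in the new environment.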

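To do this, you should build a mapping table that identifies the new IP address of each new server. At this stage you should also identify and define the workload for each server, covering the required storage, CPU, operating system and database. The next step is to install the existing applications onto the servers.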

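This involves reconfiguring the connectivity for each server that has been moved, as well as any application flows that may connect to the servers you have migrated. It will require some adjustments to your policies, and possibly writing some new ones, so that your NSX and on-premise environments can work in harmony, without disrupting the traffic patterns you previously discovered as they are carried over to the new servers' IP addresses.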

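In addition, you must ensure that the security controls and policies provided by VMware are aligned with, and support, the existing application flows. If you don't, and you simply rely on the old filtering policies, traffic to the new servers may be blocked. You need to allow traffic to and from the new addresses, and to do that it is critical to make sure your policies, in both your NSX and on-premise environments, support this.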

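So you need to go through every filtering rule on your network security devices and find every place where the servers' old addresses appear. Then you need to duplicate those rules and modify the copies to include the new server addresses.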

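Once the new filtering policies are written, you need to deploy them to the relevant devices. This requires configuring firewalls, routers and load balancers to allow traffic to and from the new servers.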
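The mapping-table and rule-duplication steps above, as an added example that is not from the original article or from any vendor tool. The addresses, rule IDs and the vendor-neutral rule format are constructed for illustration; the function names are hypothetical.

```python
import ipaddress

# Constructed mapping table: old on-premise address -> new address in NSX.
MAPPING = {"10.1.20.15": "172.16.10.15", "10.1.30.8": "172.16.20.8"}

# Constructed rules in a vendor-neutral form (not NSX or any firewall's syntax).
RULES = [
    {"id": "r1", "src": "10.1.20.15", "dst": "10.1.30.8", "port": 1433, "action": "allow"},
    {"id": "r2", "src": "10.1.0.0/16", "dst": "10.9.9.9", "port": 443, "action": "allow"},
    {"id": "r3", "src": "192.168.5.0/24", "dst": "10.1.20.15", "port": 22, "action": "deny"},
    {"id": "r4", "src": "192.168.5.0/24", "dst": "10.7.7.7", "port": 80, "action": "allow"},
]

def new_addresses(field, mapping):
    """New addresses for every migrated host that this rule field covers.

    A field can be a single host or a subnet, so containment is tested
    instead of string equality; a text search for the old IP would miss r2."""
    net = ipaddress.ip_network(field, strict=False)
    return [new for old, new in mapping.items() if ipaddress.ip_address(old) in net]

def migrate_policy(rules, mapping):
    """Return the rule list with clones for the new addresses inserted
    directly after each original, so first-match ordering is preserved."""
    out = []
    for rule in rules:
        out.append(rule)  # the original stays until decommissioning
        srcs = new_addresses(rule["src"], mapping)
        dsts = new_addresses(rule["dst"], mapping)
        if not srcs and not dsts:
            continue  # rule does not touch a migrated server
        n = 0
        for s in srcs or [rule["src"]]:
            for d in dsts or [rule["dst"]]:
                n += 1
                out.append({**rule, "id": f"{rule['id']}-new{n}", "src": s, "dst": d,
                            "cloned_from": rule["id"]})
    return out

if __name__ == "__main__":
    for r in migrate_policy(RULES, MAPPING):
        print(r)
```

Deny rules are cloned with their action intact, and a clone of a subnet rule is narrowed to the migrated hosts rather than to a new subnet.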

* Testing to production. By this stage you will have a functional system which you can test thoroughly, to ensure all the required functionality is in place and everything operates as it should. You can only move on from this stage once you are confident the application in its test environment is equivalent to the final production environment.

Moving from test to production is essentially about renaming things: there may be a public name for the server, or a website that users need to access your application. You now need to reconfigure the official published access points to direct to your NSX deployment instead of the old server. It’s also important at this stage to check whether you need to make changes to your filtering policy too.

* Decommissioning the old version. The final stage is decommissioning the legacy versions of application connectivity - but don’t do it before you’re absolutely ready. Make sure your new system has had time to mature, is stable and is fully tested for an adequate time period. To avoid creating security gaps and entry points for hackers, best practice requires decommissioning all the filtering rules from your old firewalls, routers and load balancers. However, don’t forget to check that these rules aren’t still being used by other functioning applications in your NSX deployment, before decommissioning them!
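One way to run the "still being used" check before removing old rules, as an added example that is not from the original article. It assumes flow records observed after cut-over are available; the rule format, addresses, flows and the four status names are constructed for illustration.

```python
import ipaddress

# Constructed inputs: addresses of the retired servers, the old rule set, and
# flows (src, dst, port) seen in logs after cut-over.
RETIRED = {"10.1.20.15", "10.1.30.8"}
OLD_RULES = [
    {"id": "r1", "src": "10.1.20.15", "dst": "10.1.30.8", "port": 1433},
    {"id": "r2", "src": "10.1.20.0/24", "dst": "10.9.9.9", "port": 443},
    {"id": "r3", "src": "10.9.9.9", "dst": "10.1.20.40", "port": 22},
    {"id": "r4", "src": "192.168.5.0/24", "dst": "10.1.30.8", "port": 8443},
]
FLOWS = [
    ("10.1.20.40", "10.9.9.9", 443),     # live server inside the r2 subnet
    ("192.168.5.7", "10.1.30.8", 8443),  # a client still calling the old address
]

def covers(field, ip):
    """True if a rule field (host or subnet) contains the address."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)

def matches(rule, flow):
    """True if the observed flow would be matched by the rule."""
    src, dst, port = flow
    return covers(rule["src"], src) and covers(rule["dst"], dst) and rule["port"] == port

def classify(rule, retired, flows):
    """keep:   rule never referenced a retired server.
    wait:   traffic still reaches a retired address through this rule.
    narrow: rule also carries flows between servers that were not retired.
    remove: rule references retired servers and nothing uses it."""
    if not any(covers(rule[k], ip) for k in ("src", "dst") for ip in retired):
        return "keep"
    hits = [f for f in flows if matches(rule, f)]
    if any(f[0] in retired or f[1] in retired for f in hits):
        return "wait"
    return "narrow" if hits else "remove"

def decommission_plan(rules, retired, flows):
    """Map each rule id to the action to take on the legacy devices."""
    return {r["id"]: classify(r, retired, flows) for r in rules}

if __name__ == "__main__":
    print(decommission_plan(OLD_RULES, RETIRED, FLOWS))
```

A "narrow" result means the rule should be trimmed to exclude the retired addresses rather than deleted, because another application still depends on it.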

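Managing the network

Once you have completed the migration process, you will need to manage and maintain security policies across the entire enterprise network. The most effective way to do so is with an automated solution that holistically supports NSX firewalls and cloud security controls, alongside the existing traditional on-premise firewall estate.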

It’s important to note that your NSX deployment will be subjected to the same compliance and auditing requirements as your existing network, so you’ll need a security management solution capable of providing visibility across both your physical and virtual network functions so that its compliance status can be centrally monitored and logged for audit purposes.

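Migrating applications to NSX is also a good opportunity to eliminate unnecessary security policy clutter that may have accumulated over the years, such as duplicate, redundant and unnecessary rules. A good security policy management solution will automatically flag any redundancies and other risks, making it easy to streamline and clean up policies.

In summary, migrating applications to NSX requires robust, repeatable processes to ensure success. There is no silver bullet that can convert everything at the click of a mouse. Automation is key to the project's success, eliminating many time-consuming, error-prone manual security processes such as connectivity discovery and mapping, migration and ongoing maintenance. And, as a result, your team will be freed up to focus strategically on maximizing the benefits of greater agility and enhanced network security that you signed up for with your NSX deployment.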

For more information, visit AlgoSec.


Copyright © 2017
