
Virtual Desktop Security Policy: network isolation Scheme

2025-01-16 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 06/01 report

In traditional desktop deployments, network isolation is mostly achieved either physically (isolation cards, dual-PC setups) or logically (ACL/VLAN-based network policy).

Another way to achieve logical isolation of the network is network access control (NAC). NAC supports several modes:

802.1X-based NAC: the NAC server works with the network switch, and when a user terminal is found not to comply with the security policy, the switch moves the terminal's port into a specific (quarantine) VLAN.

Gateway-mode NAC: the NAC device sits in front of the servers the user needs to reach (for example, between intranet users and the back-end services of the company portal), so the user's traffic must pass through it and can be forced to undergo a security check.

DHCP-based NAC is relatively easy to bypass: it only takes effect on machines that obtain their address via DHCP, so a machine configured with a static IP address skips it entirely.

At present there are two main technical routes for desktop virtualization: centralized VDI, and distributed desktops such as Horizon Flex, which can be understood as a VDI@PC mode. Both can achieve network isolation for the desktop.


In centralized VDI, the user device reaches a virtual desktop in the data center through a remote display protocol such as VMware Blast, PCoIP, RDP or ICA; the endpoint receives only the display protocol stream, so it is already isolated from the desktop's network at the protocol level. In many single-user, multi-desktop environments one user needs desktops on several networks (office, development, internet and so on), so the network isolation that matters for security is implemented at the data center back end. That back-end isolation currently takes two forms: physical isolation, mainly in industries with mandatory regulatory requirements such as government and finance, meaning multiple separately deployed networks and sets of network equipment; and logical isolation of a single physical network through switch-based VLAN/ACL or network virtualization technologies such as VMware NSX.
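The logical-isolation variant above is, in the end, a set of zone-to-zone rules. The following added example (not from the original article, and not NSX or switch configuration) models such an ACL for one user's office, development and internet desktop pools, evaluates flows first-match with the implicit deny every ACL ends in, and probes every zone pair to confirm no cross-zone path is permitted. The subnets, the portal and DNS addresses and the rule set are assumptions for illustration.

```python
"""Zone-to-zone ACL evaluation for a multi-desktop VDI back end (added example).

Models switch/NSX-style logical isolation between the office, development and
internet desktop networks of one user. Rules are evaluated first-match with an
implicit deny at the end, as a VLAN ACL is. Subnets, service addresses and
rules are assumptions, not values from the original article.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None = any destination port


def rule(action: str, src: str, dst: str, proto: str = "any", dport: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# Assumed desktop pools (one VLAN each) and shared services.
OFFICE = "10.10.0.0/24"
DEV = "10.20.0.0/24"
INTERNET_DESKTOPS = "10.30.0.0/24"
INTRANET_PORTAL = "10.0.1.10/32"
DNS = "10.0.0.53/32"
ANY = "0.0.0.0/0"

ZONES: Dict[str, str] = {"office": OFFICE, "dev": DEV, "internet": INTERNET_DESKTOPS}

# Order matters: the RFC1918 deny for internet desktops must precede their egress permit.
ACL: List[Rule] = [
    rule("permit", ANY, DNS, "udp", 53),                 # everyone may resolve names
    rule("permit", OFFICE, INTRANET_PORTAL, "tcp", 443),  # office desktops reach the portal
    rule("permit", OFFICE, OFFICE),                        # traffic within the office pool
    rule("permit", DEV, DEV),                              # traffic within the dev pool
    rule("deny", INTERNET_DESKTOPS, "10.0.0.0/8"),         # internet pool never reaches the inside
    rule("permit", INTERNET_DESKTOPS, ANY),                # ...but may go out to the internet
]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation; anything not matched falls to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"


def isolation_violations(acl: List[Rule], zones: Dict[str, str],
                         ports: Tuple[int, ...] = (22, 80, 443, 445, 3389)) -> List[Tuple[str, str, int]]:
    """Probe a host in every zone against a host in every other zone; return permitted flows."""
    leaks = []
    for a_name, a_net in zones.items():
        for b_name, b_net in zones.items():
            if a_name == b_name:
                continue
            src = str(ipaddress.ip_network(a_net)[10])   # an arbitrary host in each pool
            dst = str(ipaddress.ip_network(b_net)[10])
            for p in ports:
                if evaluate(acl, src, dst, "tcp", p) == "permit":
                    leaks.append((a_name, b_name, p))
    return leaks


if __name__ == "__main__":
    # Constructed sample flows.
    for flow in (("10.10.0.5", "10.0.1.10", "tcp", 443),
                 ("10.10.0.5", "10.20.0.5", "tcp", 22),
                 ("10.30.0.5", "93.184.216.34", "tcp", 443),
                 ("10.30.0.5", "10.10.0.5", "tcp", 445)):
        print(flow, "->", evaluate(ACL, *flow))
    print("cross-zone leaks:", isolation_violations(ACL, ZONES))
```

Reordering the last two rules (egress permit before the RFC1918 deny) is the classic mistake; the probe function catches it, because the internet pool would then be permitted to reach the office and development pools.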

The computing model of the local virtual desktop in the distributed VDI@PC mode is very different from centralized VDI: all computing is done on the user's PC, much like VMware Workstation. Thanks to the improvement in notebook performance in recent years, and especially the spread of SSDs, running virtual machines on a client laptop is no longer a problem. For example, the author's notebook is an Apple MacBook Air with an Intel i5 1.4 GHz CPU, 8 GB of memory and a 128 GB SSD; on such a notebook several virtual machines can run at the same time without affecting my experience.

In the distributed VDI@PC mode all computing and storage happen on the local device, and the same is true of network connectivity. Horizon Flex can manage the data security policy of the virtual machine, such as disabling USB devices and disabling the clipboard (copy and paste). In fact, in addition to the familiar bridged, NAT and host-only network modes, the × × function can also be used to achieve network isolation.

By combining data security policy, virtual machine encryption and network isolation policy, the VDI@PC mode can meet most customers' security needs. Of course, I also find that some customers who have used VDI stably for many years still have prejudices and doubts about the VDI@PC mode, but I believe time will solve this.

For more on virtual desktop network isolation technology, click the original text to download my 35-page PPT. Repost it to your Moments and send a screenshot to the subscription account to receive the unrestricted PPT version. I am also working hard to gain followers.

This article comes from the WeChat subscription account "end-user Cloud Computing" (WeChat ID: CHINAEUC). Checking all kinds of material and finding the inspiration to write an article is not easy; if you find the article useful, I hope you will forward it to your Moments. Click the small text "end user Computing" below the article title to follow. Reply "Dir" to view past articles.
