SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review

Disclaimer
This session may contain product features that are currently under development. This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Agenda
• Desktop Security Challenges
• General Data Center Security Challenges
• vShield Products Overview
• National Jewish Health Reference Architecture
• How vShield 5.0 Will Improve the Reference Architecture
• Q&A

Desktop Security Challenges
• Desktops traditionally existed on the edge
• Required agent-based firewalls, filters and protection
• Day-zero attacks not always addressed; reaction only as fast as update distribution
• Not cost effective to make the entire network a firewall
• Traditional desktop admins are not firewall savvy

Security Enhancements from VMware
VMware View moves the desktop into the data center.
VMware View Composer
• Single image management
• Centralized updates
ThinApp
• Centralized app management
• No more local admin
vShield Endpoint
• Host-based virus protection
• Always-on protection
vShield App
• Client-to-client firewall rules
• Client-to-server firewall rules

View Virtual Desktop Access
[Diagram: centralized virtual desktops in the data center. The View Client connects over an HTTPS secure tunnel to the View Security Server in the DMZ, then to the View Connection Server, with vCenter and Microsoft Active Directory behind it; the remote desktop protocol connection from client to virtual desktop is secure.]
• Desktop moved to the data center
• Desktops continue to cross-communicate

View Virtual Desktop Access (diagram slide)

Physical Security Challenges

Challenges with Firewalling Typical Desktops
The distributed and mobile model makes protection of physical desktops very problematic.
• Very rare to see real segmentation of desktops
• Complicated physical or VLAN-based rule sets are necessary for network-based firewalling
• Laptops or other mobile devices may connect into different network segments
• Port-based rules and policies are very difficult to manage
• Endpoint-based firewalls are very difficult to manage and don't scale
• Requires individual rule sets for every desktop
• As new desktops come online, they must be configured with specific rule sets
• What happens when a user connects remotely?
• Access rights must be set for each user or type of user logging in, in addition to the endpoint-based rules
What can we learn from what we do with the data center, and from how we firewall and protect it?

Data Center Needs to Be Secured at Different Levels
Perimeter Security: keep the bad guys out at the vDC edge
• Perimeter security device(s) at the edge: firewall, VPN, intrusion prevention, load balancers
• Pain points: sprawl (hardware, FW rules, VLANs), rigid FW rules, performance bottlenecks, cost and complexity
Internal Security: segmentation of applications and servers
• VLAN or subnet-based policies
• Interior or web application firewalls
• DLP, application identity-aware policies
End Point Security: end point protection
• Desktop AV agents
• Host-based intrusion prevention (HIPS)
• DLP agents for privacy

Enterprise Security Today – Not Virtualized, Not Cloud Ready
[Diagram: Enterprise VDC with Users, Sites, DMZ, Web Servers and Apps / DB Tier]
• Perimeter/DMZ, threat mitigation: perimeter security products with FW/VPN/IPS; hardware sprawl, expensive
• Interior security, segmentation of applications and servers: VLAN or subnet-based policies; VLAN sprawl, complex
• Endpoint security, protecting the endpoint: AV, HIPS agent-based security; agent sprawl, cumbersome

Next Gen: Virtualized and Virtualization-Aware Security Controls
[Diagram: the same Enterprise VDC (Users, Sites, DMZ, Web Servers, Apps / DB Tier) with virtualization-aware security controls in place of the physical ones]

vShield Product Overview
vShield Product Family
Securing the private cloud end to end: from the edge to the endpoint
• vShield Edge: secures the edge of the virtual data center (DMZ)
• vShield App: security zones; creates segmentation between workloads (e.g. Application 1); sensitive data discovery
• vShield Endpoint: endpoint = VM; anti-virus processing for virtual desktops
• vShield Manager: centralized management
© 2009 VMware Inc. All rights reserved

vShield App
Better, faster protection
• vNIC-level protection: eliminates VLAN blind spots, firewall chokepoints and L2 attacks
• High-performance distributed enforcement: lowers firewall and VLAN capital investment costs
Simpler, easier to operate
• Dramatically reduced number of VLANs: removes VLAN complexity
• Container and Security Group based policies are "change aware" and easy to understand
• Dramatically smaller number of rules reduces the chance of policy configuration errors
• vCenter (VC) integrated and manageable by REST APIs for scripting and third-party automation
Improved visibility, control and compliance
• Application-aware NetFlow visibility
• Automated log collection with syslog and vCenter integration

vShield Data Security – September 2011
Overview (new)
• More than 80 pre-defined templates for country/industry-specific regulations
• Accurately discover and report sensitive data in unstructured files with the analysis engine
• Segment off VMs with sensitive data in separate trust zones
Benefits
[Diagram: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)]
• Quickly identify sensitive data exposures
• Reduce the risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance

EPSEC 2.0 Enables Anti-virus and Data Security Solutions
vSEP virtual appliance for data security
What's the same
• vShield Endpoint Virtual Appliance (vSEP-VA)
• Thin Agent
• vShield Endpoint ESX hypervisor module
New features to support data security
• Support for two or more vSEP-VAs (allows antivirus and data security to run on the same host)
• A vSEP-VA for data security, provided by vShield
End-user packaging
• vShield App with Data Security (confirmed)
• vShield Data Security (planning stages)
• Both require vShield Endpoint

Security Zones
What do we use security zones for?
• The usual implementation is for servers, multi-tier applications, and regulated systems

Desktop Security Zones
With this model we can secure our View desktops in a way that we can't with physical desktops.
New concept: Desktop Security Zones
• Liam will discuss how he accomplished this with vShield App 1.0
• I'll discuss how vShield App 5.0 can improve the model, as well as additional capabilities with other vShield products
[Diagram: User A Desktops, User B Desktops and Browsing Desktops as separate zones]

National Jewish Health View Implementation

Clinical Desktop

Use Case 1: Light Clinical Users
Non-persistent desktop pool
• Dedicated assignment
• Refreshes the OS disk on logout
USB redirect
• For spirometry equipment used for pulmonary function tests (PFTs)
Multimedia redirect
• For accessing medical data provided by the patient
Access to specific web sites, not the entire internet
Deployed mostly in clinical areas

Use Case 2: Heavy Clinical Users
Persistent desktop
• Dedicated assignment
• All customizations are saved
• Periodic snapshots for quick recovery
No USB redirect
No multimedia redirect
Access to any web site
Deployed mostly in physician and clinical manager offices, but also accessible in clinical areas

vCenter Layout

Desktop Pools and Entitlement

App Firewall Rules (Network)

App Firewall Rules (View)

App Firewall Rules (Applications)

App Firewall Rules (Web/Email)

App Firewall Rules (Default Deny)

How Can vShield App 5 Improve Upon This?

Application Groups and System Groups
vShield 5 can now create custom application groups and system groupings
• We can make a group here for all of the DCs
• We can make 2 application groups: 1 for TCP applications and 1 for UDP applications
• The 27 rules shown can be cut down to 3 rules:
  • 1 each for Any to DCs: TCP apps and UDP apps
  • 1 for ANY – ANY – UDP apps (DHCP and NBDG broadcast)

vShield App 5 Improvements
Nested vCenter objects
• vShield 5 can now use nested vCenter objects
• We can create a parent resource pool called "View Desktops"
• This can bring this rule set down to 3 rules
• We can then create an application grouping for the View-related protocols (PCoIP, JMS, RDP, etc.)
• This can bring this rule set down to 3 rules:
  • 1 for View TCP rules
  • 1 for View UDP rules
  • 1 for USB redirection
• These deny rules can be cut down from 4 to 2 rules
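As an added illustration (not part of the deck, and neither VMware's code nor National Jewish Health's actual rule set), the following Python model shows why the container-based and application-group-based rules described in the Application Groups and Nested vCenter Objects slides need far fewer entries than per-port rules. It models a nested "View Desktops" container that resolves to the light and heavy clinical pools, application groups for domain controller, View and USB redirection traffic, first-match evaluation with a trailing default deny, and a count of how many per-service rules the same policy would need. Container names, VM names and port lists are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example (not VMware's code or the NJH rule set): a model of
# container- and application-group-based firewall rules. Container names,
# VM names and port lists below are assumptions made for this illustration.

@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int

def _svcs(proto: str, *ports: int) -> frozenset[Service]:
    return frozenset(Service(proto, p) for p in ports)

# Application groups: one name stands for a whole set of protocol/port pairs.
# Port lists are representative only, not a complete list for any product.
APP_GROUPS: dict[str, frozenset[Service]] = {
    "DC-TCP": _svcs("tcp", 53, 88, 135, 389, 445, 464, 636, 3268, 3269),
    "DC-UDP": _svcs("udp", 53, 88, 123, 389, 464),
    "BROADCAST-UDP": _svcs("udp", 67, 68, 138),      # DHCP and NetBIOS datagram
    "VIEW-TCP": _svcs("tcp", 443, 3389, 4001, 4172),  # HTTPS, RDP, JMS, PCoIP
    "VIEW-UDP": _svcs("udp", 4172),                   # PCoIP
    "USB-REDIRECT": _svcs("tcp", 32111),
}

# System groups / nested containers: a member may be a VM or another container.
# "View Desktops" plays the role of the parent resource pool from the deck.
CONTAINERS: dict[str, frozenset[str]] = {
    "View Desktops": frozenset({"Light Clinical", "Heavy Clinical"}),
    "Light Clinical": frozenset({"lc-desk-01", "lc-desk-02"}),
    "Heavy Clinical": frozenset({"hc-desk-01"}),
    "DCs": frozenset({"dc-01", "dc-02"}),
    "View Servers": frozenset({"view-cs-01"}),
}

def resolve(name: str, _seen: frozenset[str] = frozenset()) -> frozenset[str]:
    """Flatten a container (recursively) to the VM names it contains.
    A name that is not a container is treated as a single VM."""
    if name in _seen:             # guard against a mis-configured cycle
        return frozenset()
    if name not in CONTAINERS:
        return frozenset({name})
    out: set[str] = set()
    for member in CONTAINERS[name]:
        out |= resolve(member, _seen | {name})
    return frozenset(out)

@dataclass(frozen=True)
class Rule:
    src: str     # container name, VM name or "ANY"
    dst: str
    app: str     # application group name or "ANY"
    action: str  # "allow" or "deny"

    def matches(self, src_vm: str, dst_vm: str, svc: Service) -> bool:
        return ((self.src == "ANY" or src_vm in resolve(self.src))
                and (self.dst == "ANY" or dst_vm in resolve(self.dst))
                and (self.app == "ANY" or svc in APP_GROUPS[self.app]))

def decide(policy: list[Rule], src_vm: str, dst_vm: str, svc: Service) -> str:
    """First matching rule wins; no match falls through to default deny,
    like the trailing default-deny rule in the deck's rule set."""
    for rule in policy:
        if rule.matches(src_vm, dst_vm, svc):
            return rule.action
    return "deny"

def per_service_rule_count(policy: list[Rule]) -> int:
    """How many rules the same policy needs if every protocol/port pair
    gets its own rule instead of being covered by an application group."""
    return sum(1 if r.app == "ANY" else len(APP_GROUPS[r.app]) for r in policy)

# The grouped policy: any desktop may reach the domain controllers, broadcast
# traffic is allowed everywhere, View servers may reach the desktop pools on
# View protocols, and only the light clinical pool gets USB redirection.
GROUPED_POLICY: list[Rule] = [
    Rule("ANY", "DCs", "DC-TCP", "allow"),
    Rule("ANY", "DCs", "DC-UDP", "allow"),
    Rule("ANY", "ANY", "BROADCAST-UDP", "allow"),
    Rule("View Servers", "View Desktops", "VIEW-TCP", "allow"),
    Rule("View Servers", "View Desktops", "VIEW-UDP", "allow"),
    Rule("View Servers", "Light Clinical", "USB-REDIRECT", "allow"),
]

if __name__ == "__main__":
    print("grouped rules:", len(GROUPED_POLICY),
          "per-service rules:", per_service_rule_count(GROUPED_POLICY))
    print("desktop -> DC LDAP:", decide(GROUPED_POLICY, "lc-desk-01", "dc-01", Service("tcp", 389)))
    print("desktop -> desktop SMB:", decide(GROUPED_POLICY, "lc-desk-01", "hc-desk-01", Service("tcp", 445)))
    print("USB redirect to heavy clinical:",
          decide(GROUPED_POLICY, "view-cs-01", "hc-desk-01", Service("tcp", 32111)))
```

With these constructed groups the six grouped rules stand in for 23 per-service rules, and adding a VM to a pool or a port to an application group changes no rule at all, which is the "change aware" property the vShield App slide claims. Desktop-to-desktop SMB is denied by the default deny while broadcast UDP is still allowed, and the heavy clinical pool never matches the USB redirection rule, mirroring the two use cases above.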
vShield App 5 Improvements
Layer 2 firewalling
• The issue with large flat networks is that broadcast storms can be a problem
• vShield can now do layer 2 firewalling to contain broadcast storms
• Not necessary here at this point, but if the desktop pool gets large enough it may make sense

What Else Can We Do Here?
vShield Edge and/or App
• View Manager protection
• Management network protection
• Server zone protection
vShield Endpoint
• Leverage a partner solution for offloaded AV
vShield Data Security
• In this medical use case, this is a natural solution for scanning for HIPAA data in an unstructured format on users' desktops
• If such data is discovered, vShield App can be used to quarantine those specific desktops, or just to add additional protections to them

Questions?