SEC1747
Desktop Security Zones
with VMware View and vShield App:
A Reference Architecture Review
Disclaimer
 This session may contain product features that are
currently under development.
 This session/overview of the new technology represents
no commitment from VMware to deliver these features in
any generally available product.
 Features are subject to change, and must not be included in
contracts, purchase orders, or sales agreements of any kind.
 Technical feasibility and market demand will affect final delivery.
 Pricing and packaging for any new technologies or features
discussed or presented have not been determined.
2
Agenda
 Desktop Security Challenges
 General Data Center Security Challenges
 vShield Products Overview
 National Jewish Health Reference Architecture
 How vShield 5.0 Will Improve Reference Architecture
 Q&A
3
Desktop Security Challenges
 Desktops traditionally existed on the Edge
 Required agent based firewalls, filters and protection
 Day Zero attacks not always addressed
 Reaction only as fast as update distribution
 Not cost effective to make the entire network a firewall
 Traditional Desktop admins not firewall savvy
4
Security Enhancements from VMware
 VMware View moves Desktop to Data Center
 VMware View Composer
• Single Image Management
• Centralized updates
 ThinApp
• Centralized app management
• No more Local Admin
 vShield Endpoint
• Host based Virus Protection
• Always on protection
 vShield App
• Client to Client firewall rules
• Client to server firewall rules
5
View Virtual Desktop Access
[Diagram: View Client → HTTPS Secure Tunnel → View Security Server (DMZ) → View Connection Server, vCenter, Microsoft Active Directory → Centralized Virtual Desktops (Remote Desktop Protocol)]
 Client to Virtual Connection Secure
 Moved desktop to the Data Center
 Desktops continue to cross communicate
6
View Virtual Desktop Access
7
Physical Security Challenges
8
Challenges with Firewalling Typical Desktops
 Distributed and mobile model makes protection of physical desktops very problematic
• Very rare to see real segmentation of desktops
• Complicated physical or VLAN based rule sets are necessary for network based firewalling
• Laptops or other mobile devices may connect into different network segments
• Port based rules and policies very difficult to manage
• Endpoint based firewalls are very difficult to manage and don’t scale
• Requires individual rule sets for every desktop
• As new desktops come online, they must be configured with specific rule sets
• What happens when a user connects remotely?
• Access rights must be set for each user or type of user logging in
• This is in addition to endpoint based rules
 What can we learn from how we firewall and protect the datacenter?
9
Data Center Needs to Be Secured At Different Levels
[Diagram: three layers of data center security]
 Perimeter Security – keep the bad guys out at the vDC edge
• Security device(s) at the edge: firewall, VPN, intrusion prevention, load balancers
• Sprawl: hardware, FW rules, VLANs
• Rigid FW rules
• Performance bottlenecks
• Cost & complexity
 Internal Security – segmentation of applications and servers (VLANs)
• VLAN or subnet based policies
• Interior or Web application firewalls
• DLP, application identity aware policies
 End Point Security – end point protection
• Desktop AV agents
• Host based intrusion
• DLP agents for privacy
Enterprise Security Today – Not Virtualized, Not Cloud Ready
[Diagram: Enterprise VDC – Users and Sites connecting through a DMZ to Web Servers and an Apps / DB Tier]
 Perimeter/DMZ
• Threat mitigation
• Perimeter security products w/ FW / VPN / IPS
• Hardware sprawl, expensive
 Interior security
• Segmentation of applications and servers
• VLAN or subnet based policies
• VLAN sprawl, complex
 Endpoint security
• Protecting the endpoint
• AV, HIPS agent based security
• Agent sprawl, cumbersome
Next Gen: Virtualized and Virtualization Aware Security Controls
[Diagram: the same Enterprise VDC layout (Users, Sites, DMZ, Web Servers, Apps / DB Tier) with virtualized security controls]
vShield Product Overview
vShield Product Family
Securing the Private Cloud End to End: from the Edge to the Endpoint
 vShield Edge – secure the edge of the virtual datacenter (Edge, DMZ)
 vShield App – security zones
• Create segmentation between workloads
• Sensitive data discovery
 vShield Endpoint – Endpoint = VM
• Anti-virus processing for virtual desktops
 vShield Manager – centralized management
14
© 2009 VMware Inc. All rights reserved
vShield App
Better, faster protection
• vNIC level protection – eliminates VLAN blind spots, firewall chokepoints and L2 attacks
• High performance distributed enforcement – lowers firewall and VLAN capital investment costs
Simpler, easier to operate
• Dramatically reduced number of VLANs – removes VLAN complexity
• Container & Security Group based policies are “change aware” and easy to understand
• Dramatically smaller number of rules reduces chance for policy configuration errors
• VC integrated and manageable by REST APIs for script and 3rd party automation
Improved visibility, control and compliance
• Application aware NetFlow visibility
• Automated log collection with syslog and VC integration
16
vShield Data Security – September 2011
Overview (New)
 More than 80 pre-defined templates for country/industry specific regulations
 Accurately discover and report sensitive data in unstructured files with analysis engine
 Segment off VMs with sensitive data in separate trust zones
Benefits
 Quickly identify sensitive data exposures
 Reduce risk of non-compliance and reputation damage
 Improve performance by offloading data discovery functions to a virtual appliance
[Diagram: Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)]
17
EPSEC 2.0 Enables Anti-virus and Data Security Solutions
[Diagram: vSEP virtual appliance for data security]
 What’s the same
• vShield Endpoint Virtual Appliance (vSEP-VA)
• Thin Agent
• vShield Endpoint ESX hypervisor module
 New Features to support data security
• Support for two or more vSEP-VAs (allows antivirus and data security to run on the same host)
• A vSEP-VA for data security, provided by vShield
 End user packaging
• vShield App with Data Security (confirmed)
• vShield Data Security (planning stages)
• Both require vShield Endpoint
18
Security Zones
 What do we use security zones for?
• Usual implementation for Servers, multitier applications, and regulated systems
19
Desktop Security Zones
 With this model we can secure our View Desktops in a way that we can’t do with physical desktops
 New Concept: Desktop Security Zones
• Liam will discuss how he accomplished this with vShield App 1.0
• I’ll discuss how vShield App 5.0 can improve the model as well as additional capabilities with other vShield products
[Diagram: separate security zones for User A Desktops, User B Desktops and Browsing Desktops]
20
National Jewish Health View Implementation
Clinical Desktop
21
Use Case 1: Light Clinical Users
 Non-persistent desktop pool
• Dedicated assignment
• Refreshes OS disk on logout
 USB redirect
• For spirometry equipment used for pulmonary function tests (PFTs)
 Multimedia redirect
• For accessing medical data provided by the patient
 Access to specific web sites, not the entire internet
 Deployed mostly in clinical areas
23
Use Case 2: Heavy Clinical Users
 Persistent Desktop
• Dedicated assignment
• All customizations are saved
• Periodic snapshots for quick recovery
 No USB redirect
 No multimedia redirect
 Access to any web site
 Deployed mostly in physician and clinical manager offices, but also accessible in clinical areas.
24
vCenter Layout
25
Desktop Pools and Entitlement
26
App Firewall Rules (Network)
27
App Firewall Rules (View)
28
App Firewall Rules (Applications)
29
App Firewall Rules (Web/Email)
30
App Firewall Rules (Default Deny)
31
How Can vShield App 5 Improve Upon This?
32
Application Groups and System Groups
 vShield 5 can now create custom application groups and system groupings
• We can make a group here for all of the DCs
• We can make 2 application groups: 1 for TCP applications and 1 for UDP applications
 The 27 rules below can be cut down to 3 rules!
• 1 each for Any to DCs – TCP Apps and UDP Apps
• 1 for ANY – ANY – UDP Apps (DHCP and NBDG broadcast)
33
vShield App 5 Improvements
 Nested vCenter Objects
• vShield 5 can now use nested vCenter objects
• We can create a parent resource pool called “View Desktops”
• This can bring this rule set down to 3 rules.
• We can then create an application grouping for the View related protocols (PCoIP, JMS, RDP, etc.)
• This can bring this rule set down to 3 rules:
• 1 for View TCP rules
• 1 for View UDP rules
• 1 for USB redirection
• The deny rules can be cut down from 4 to 2 rules.
34
vShield App 5 Improvements
 Layer 2 Firewalling
• Large flat networks are prone to broadcast storms
• vShield can now do layer 2 firewalling to contain broadcast storms
• Not necessary here at this point, but if the desktop pool gets large enough it may make sense
35
What Else Can We do Here?
 vShield Edge and/or App
• View Manager Protection
• Management Network Protection
• Server Zone Protection
 vShield Endpoint
• Leverage partner solution for offloaded AV
 vShield Data Security
• In this medical use case, this is a natural solution for scanning for HIPAA data in an unstructured format on users’ desktops
• If discovered, vShield App can be used to quarantine or just add additional protections to those specific desktops
36
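To make two points from the preceding slides concrete, the rule consolidation through application groups and nested vCenter objects (slides 33 and 34) and the quarantine of a desktop flagged by data discovery (slide 36), here is a small policy model. It is an added example written for this review, not vShield code, and it does not use the vShield Manager API; it only reproduces the evaluation semantics the slides rely on: group membership, nested containers, application groups, first match wins, default deny. Every IP address, pool name, the `Quarantine` group and the exact services in each application group are constructed assumptions (the port numbers are the well-known ones). The check at the end shows that the per-pool, per-service rule set and the three consolidated rules decide every constructed flow identically, that client-to-client traffic between desktop pools falls through to the default deny as the security-zone diagram intends, and that a quarantine deny only works if it is ordered ahead of the allows.

```python
"""Group-based firewall policy model: an added example, not vShield code.
Constructed assumptions: every IP address, pool name and the exact services in
each application group (the port numbers themselves are the well-known ones)."""
from itertools import product
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

# System groups.  A member that is itself a group name is a nested container,
# like a parent resource pool holding the individual desktop pools.
GROUP_MEMBERS = {
    "DCs": {"10.0.10.5", "10.0.10.6"},
    "LightClinical": {"10.0.20.11", "10.0.20.12"},
    "HeavyClinical": {"10.0.21.11"},
    "ViewDesktops": {"LightClinical", "HeavyClinical"},  # nested parent pool
    "Quarantine": {"10.0.21.11"},  # desktop flagged by a data-discovery scan
}
# Application groups: TCP and UDP sets for the DCs, plus the broadcast services
# (DHCP, NetBIOS datagram) that have to be allowed to any destination.
APP_GROUPS = {
    "DC-TCP": {("tcp", 88), ("tcp", 135), ("tcp", 389), ("tcp", 445)},
    "DC-UDP": {("udp", 53), ("udp", 88), ("udp", 123), ("udp", 389)},
    "Broadcast-UDP": {("udp", 67), ("udp", 68), ("udp", 138)},
}


def resolve(group: str) -> Optional[FrozenSet[str]]:
    """Flatten a possibly nested group to addresses; None means 'any'."""
    if group == "any":
        return None
    addresses = set()
    for member in GROUP_MEMBERS[group]:
        if member in GROUP_MEMBERS:
            addresses |= resolve(member)  # recurse into the nested container
        else:
            addresses.add(member)
    return frozenset(addresses)


class Rule(NamedTuple):
    src: str                                # group name or "any"
    dst: str
    services: Optional[FrozenSet[Service]]  # None means any service
    action: str                             # "allow" or "deny"


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    for group, addr in ((rule.src, flow.src), (rule.dst, flow.dst)):
        members = resolve(group)
        if members is not None and addr not in members:
            return False
    return rule.services is None or (flow.proto, flow.dport) in rule.services


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow hits the default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def expanded_ruleset() -> List[Rule]:
    """Pre-5.0 shape: one allow rule per desktop pool per single service."""
    per_dc = [Rule(pool, "DCs", frozenset({svc}), "allow")
              for pool in ("LightClinical", "HeavyClinical")
              for name in ("DC-TCP", "DC-UDP") for svc in sorted(APP_GROUPS[name])]
    broadcast = [Rule("any", "any", frozenset({svc}), "allow")
                 for svc in sorted(APP_GROUPS["Broadcast-UDP"])]
    return per_dc + broadcast


def consolidated_ruleset() -> List[Rule]:
    """Same policy in three rules using the nested container and app groups."""
    return [Rule("ViewDesktops", "DCs", frozenset(APP_GROUPS["DC-TCP"]), "allow"),
            Rule("ViewDesktops", "DCs", frozenset(APP_GROUPS["DC-UDP"]), "allow"),
            Rule("any", "any", frozenset(APP_GROUPS["Broadcast-UDP"]), "allow")]


def quarantined_ruleset() -> List[Rule]:
    """The quarantine deny must precede the allows, or it never matches."""
    return [Rule("Quarantine", "any", None, "deny")] + consolidated_ruleset()


def sample_flows() -> List[Flow]:
    """Constructed flows: every ordered host pair times a mix of services."""
    hosts = ["10.0.20.11", "10.0.20.12", "10.0.21.11", "10.0.10.5",
             "10.0.99.9", "255.255.255.255"]
    services = [("tcp", 389), ("tcp", 445), ("tcp", 3389), ("udp", 53),
                ("udp", 67), ("udp", 138), ("udp", 4172)]
    return [Flow(s, d, p, port) for s, d in product(hosts, repeat=2)
            for p, port in services if s != d]


def rulesets_agree(a: List[Rule], b: List[Rule], flows: List[Flow]) -> bool:
    return all(decide(a, f) == decide(b, f) for f in flows)


if __name__ == "__main__":
    exp, con = expanded_ruleset(), consolidated_ruleset()
    print(len(exp), "rules vs", len(con), "- equivalent:",
          rulesets_agree(exp, con, sample_flows()))
```

Two things are worth noticing when running it. The any-to-any broadcast rule the slide calls for also permits UDP 67/68/138 between desktops in different pools, so zone isolation is only as tight as the services in that group; and because evaluation is first match wins, appending the quarantine deny after the allows leaves the flagged desktop fully reachable, which is why `quarantined_ruleset()` prepends it.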
Questions????
37