vShield App - Amazon Web Services


SEC1747

Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review


Disclaimer

This session may contain product features that are currently under development.

This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features discussed or presented have not been determined.


Agenda

Desktop Security Challenges

General Data Center Security Challenges

vShield Products Overview

National Jewish Health Reference Architecture

How vShield 5.0 Will Improve Reference Architecture

Q&A


Desktop Security Challenges

Desktops traditionally existed on the Edge

Required agent based firewalls, filters and protection

Zero-day attacks not always addressed

Reaction only as fast as update distribution

Not cost effective to make the entire network a firewall

Traditional Desktop admins not firewall savvy


Security Enhancements from VMware

VMware View moves Desktop to Data Center

VMware View Composer

• Single image management
• Centralized updates

ThinApp

• Centralized app management
• No more local admin

vShield Endpoint

• Host based virus protection
• Always-on protection

vShield App

• Client to client firewall rules
• Client to server firewall rules

View Virtual Desktop Access

• Remote Desktop Protocol
• Client to virtual desktop connection is secure
• Desktop moved to the Data Center
• Desktops continue to cross-communicate

[Figure: View Client → DMZ (HTTPS secure tunnel, View Security Server) → View Connection Server → Centralized Virtual Desktops; Microsoft Active Directory and vCenter alongside]

Physical Security Challenges

Challenges with Firewalling Typical Desktops

Distributed and mobile model make protection of physical desktops very problematic

• Very rare to see real segmentation of desktops
  • Complicated physical or VLAN based rule sets are necessary for network based firewalling
  • Laptops or other mobile devices may connect into different network segments
  • Port based rules and policies are very difficult to manage
• Endpoint based firewalls are very difficult to manage and don't scale
  • Requires individual rule sets for every desktop
  • As new desktops come online, they must be configured with specific rule sets
• What happens when a user connects remotely?
  • Access rights must be set for each user or type of user logging in
  • This is in addition to endpoint based rules

What can we learn from how we firewall and protect the datacenter?

Data Center Needs to Be Secured At Different Levels

Perimeter Security (keep the bad guys out)

• Sprawl: hardware, FW rules, VLANs
• Load balancers
• Cost & complexity

Internal Security (VLANs; segmentation of applications and servers)

• VLAN or subnet based policies
• Interior or Web application firewalls
• DLP, application identity aware policies

End Point Security (end point protection)

• Desktop AV agents
• Host based intrusion prevention
• DLP agents for privacy

Enterprise Security Today – Not Virtualized, Not Cloud Ready

[Figure: Users → DMZ → Enterprise VDC (Web Servers, Apps / DB Tier, Sites)]

Perimeter/DMZ

• Threat mitigation
• Perimeter security products with FW / VPN / IPS
• Hardware sprawl, expensive

Interior security

• Segmentation of applications and servers
• VLAN or subnet based policies
• VLAN sprawl, complex

Endpoint security

• Protecting the endpoint
• AV, HIPS agent based security
• Agent sprawl, cumbersome

Next Gen: Virtualized and Virtualization Aware Security Controls

[Figure: Users → DMZ → Enterprise VDC (Web Servers, Apps / DB Tier, Sites)]

vShield Product Overview

vShield Product Family: Securing the Private Cloud End to End, from the Edge to the Endpoint

vShield Edge

• Secure the edge of the virtual datacenter

vShield App

• Secure between workloads
• Sensitive data discovery

vShield Endpoint

• Endpoint = VM
• Anti-virus processing

vShield Manager

• Centralized management

[Figure: DMZ, Application 1 and Virtual Desktops zones within the virtual datacenter]

© 2009 VMware Inc. All rights reserved

vShield App

Better, faster protection

• vNIC level protection – eliminates VLAN blind spots, firewall chokepoints and L2 attacks
• High performance distributed enforcement – lowers firewall and VLAN capital investment costs

Simpler, easier to operate

• Dramatically reduced number of VLANs – removes VLAN complexity
• Container & Security Group based policies are "change aware" and easy to understand
• Dramatically smaller number of rules reduces the chance of policy configuration errors
• vCenter integrated and manageable by REST APIs for script and 3rd party automation

Improved visibility, control and compliance

• Application aware NetFlow visibility
• Automated log collection with syslog and vCenter integration

vShield Data Security – September 2011 (New)

Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)

Overview

• More than 80 pre-defined templates for country/industry specific regulations
• Accurately discover and report sensitive data in unstructured files with an analysis engine
• Segment off VMs with sensitive data in separate trust zones

Benefits

• Quickly identify sensitive data exposures
• Reduce risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance

EPSEC 2.0 Enables Anti-virus and Data Security Solutions

What's the same

• vShield Endpoint Virtual Appliance (vSEP-VA)
• Thin Agent
• vShield Endpoint ESX hypervisor module

New features to support data security

• Support for two or more vSEP-VAs (allows anti-virus and data security to run on the same host)
• A vSEP-VA for data security, provided by vShield

End user packaging

• vShield App with Data Security (confirmed)
• vShield Data Security (planning stages)
• Both require vShield Endpoint

Security Zones

What do we use security zones for?

• Usual implementation for servers, multi-tier applications, and regulated systems

Desktop Security Zones

With this model we can secure our View desktops in a way that we can't with physical desktops

New Concept: Desktop Security Zones

• Liam will discuss how he accomplished this with vShield App 1.0

• I’ll discuss how vShield App 5.0 can improve the model as well as additional capabilities with other vShield products

[Figure: Desktop Security Zones – User A Desktops, User B Desktops, Browsing Desktops]

National Jewish Health View Implementation

Clinical Desktop


Use Case 1: Light Clinical Users

Non-persistent desktop pool

• Dedicated assignment
• Refreshes OS disk on logout

USB redirect

• For spirometry equipment used for pulmonary function tests (PFTs)

Multimedia redirect

• For accessing medical data provided by the patient 

Access to specific web sites, not the entire internet

Deployed mostly in clinical areas


Use Case 2: Heavy Clinical Users

Persistent Desktop

• Dedicated assignment
• All customizations are saved
• Periodic snapshots for quick recovery

No USB redirect

No multimedia redirect

Access to any web site

Deployed mostly in physician and clinical manager offices, but also accessible in clinical areas.


vCenter Layout

Desktop Pools and Entitlement

App Firewall Rules (Network)

App Firewall Rules (View)

App Firewall Rules (Applications)

App Firewall Rules (Web/Email)

App Firewall Rules (Default Deny)

How Can vShield App 5 Improve Upon This?

Application Groups and System Groups

vShield 5 can now create custom application groups and system groupings

• We can make a group here for all of the DCs
• We can make 2 application groups: 1 for TCP applications and 1 for UDP applications

The 27 rules below can be cut down to 3 rules:

• 1 each for Any to DCs – TCP and UDP apps
• 1 for ANY – ANY – UDP apps (DHCP and NBDG broadcast)

vShield App 5 Improvements

Nested vCenter Objects

• vShield 5 can now use nested vCenter objects
• We can create a parent resource pool called "View Desktops"
• This can bring this rule set down to 3 rules

We can then create an application grouping for the View related protocols

• PCoIP, JMS, RDP, etc.
• This can bring this rule set down to 3 rules:
  • 1 for View TCP rules
  • 1 for View UDP rules
  • 1 for USB redirection
• The deny rules can be cut down from 4 to 2 rules
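The two slides above describe collapsing a per-host rule set into a few container based rules: a group for the DCs, TCP and UDP application groups, a parent "View Desktops" resource pool, and an application group for the View protocols. The Python below is an added example, not vShield code and not the National Jewish Health rule set; it does not call the vShield REST API. It models nested containers, application groups and first-match evaluation with an implicit default deny, and then shows the "change aware" property: adding a DC to its group changes no rule. The container names, VM names and the ports placed in each application group are assumptions chosen to match the protocols the slides name.

```python
"""Container and application-group based firewall policy, as a toy model.

Added example for this page, not vShield code (no vShield REST API calls).
Container names, VM names and the port lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port)
ANY = "ANY"
ANY_SERVICE: FrozenSet[Service] = frozenset()  # empty set means "any service"

# Assumed application groups: the deck names only DHCP, NBDG, PCoIP, JMS, RDP
# and USB redirection; the well-known ports are filled in for illustration.
DC_TCP = frozenset({("tcp", 53), ("tcp", 88), ("tcp", 135), ("tcp", 389),
                    ("tcp", 445), ("tcp", 636)})
DC_UDP = frozenset({("udp", 53), ("udp", 88), ("udp", 123), ("udp", 389)})
BROADCAST_UDP = frozenset({("udp", 67), ("udp", 68), ("udp", 138)})  # DHCP, NBDG
VIEW_TCP = frozenset({("tcp", 3389), ("tcp", 4001), ("tcp", 4172)})  # RDP, JMS, PCoIP
VIEW_UDP = frozenset({("udp", 4172)})  # PCoIP
USB_REDIRECT = frozenset({("tcp", 32111)})


class Inventory:
    """vCenter-style containers (resource pools / security groups) that nest."""

    def __init__(self) -> None:
        self.vms: Dict[str, Set[str]] = {}       # container -> VMs directly in it
        self.children: Dict[str, Set[str]] = {}  # container -> child containers

    def add_container(self, name: str, parent: Optional[str] = None) -> None:
        self.vms.setdefault(name, set())
        self.children.setdefault(name, set())
        if parent is not None:
            self.add_container(parent)  # create the parent pool if it is new
            self.children[parent].add(name)

    def add_vm(self, container: str, vm: str) -> None:
        self.vms[container].add(vm)

    def members(self, container: str) -> Set[str]:
        """All VMs in a container, following nested child containers."""
        found = set(self.vms.get(container, ()))
        for child in self.children.get(container, ()):
            found |= self.members(child)
        return found

    def contains(self, container: str, vm: str) -> bool:
        return container == ANY or vm in self.members(container)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # container name or ANY
    dst: str                      # container name or ANY
    services: FrozenSet[Service]  # application group, or ANY_SERVICE
    action: str                   # "allow" or "deny"


def evaluate(rules: List[Rule], inv: Inventory, src_vm: str, dst_vm: str,
             proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched hits the default deny."""
    for rule in rules:
        if not (inv.contains(rule.src, src_vm) and inv.contains(rule.dst, dst_vm)):
            continue
        if rule.services and (proto, port) not in rule.services:
            continue
        return rule.action
    return "deny"


def build_example() -> Tuple[Inventory, List[Rule]]:
    """Constructed inventory and grouped rule set (assumed names, not NJH's)."""
    inv = Inventory()
    inv.add_container("Light Clinical", parent="View Desktops")  # nested pools
    inv.add_container("Heavy Clinical", parent="View Desktops")
    inv.add_container("DCs")
    inv.add_container("View Servers")
    for i in (1, 2, 3):
        inv.add_vm("Light Clinical", f"light-{i:02d}")
        inv.add_vm("Heavy Clinical", f"heavy-{i:02d}")
    for dc in ("dc01", "dc02"):
        inv.add_vm("DCs", dc)
    inv.add_vm("View Servers", "view-cs01")
    # Seven rules instead of one per desktop/DC/port; View directions simplified.
    rules = [
        Rule("Desktops to DCs, TCP apps", "View Desktops", "DCs", DC_TCP, "allow"),
        Rule("Desktops to DCs, UDP apps", "View Desktops", "DCs", DC_UDP, "allow"),
        Rule("DHCP and NBDG broadcast", ANY, ANY, BROADCAST_UDP, "allow"),
        Rule("View TCP: PCoIP, JMS, RDP", "View Servers", "View Desktops", VIEW_TCP, "allow"),
        Rule("View UDP: PCoIP", "View Servers", "View Desktops", VIEW_UDP, "allow"),
        Rule("USB redirect, light pool only", "View Servers", "Light Clinical", USB_REDIRECT, "allow"),
        Rule("Block desktop to desktop", "View Desktops", "View Desktops", ANY_SERVICE, "deny"),
    ]
    return inv, rules


def change_aware_check(inv: Inventory, rules: List[Rule]) -> Tuple[int, str]:
    """Add a DC to its group: rule count is unchanged and the new DC is reachable."""
    inv.add_vm("DCs", "dc03")
    return len(rules), evaluate(rules, inv, "light-01", "dc03", "tcp", 389)
```

`build_example()` returns the inventory and rules; `evaluate(rules, inv, "light-01", "heavy-01", "tcp", 445)` hits the explicit desktop-to-desktop deny, and USB redirection from a View server reaches the light clinical pool only, because the rule targets the child pool while the heavy pool falls through to the default deny. `change_aware_check` is the point of the grouping: a new DC is covered the moment it joins the "DCs" container, with no rule edit.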


vShield App 5 Improvements

Layer 2 Firewalling

• A problem with large flat networks is that broadcast storms can occur
• vShield can now do layer 2 firewalling to contain broadcast storms
• Not necessary here at this point, but if the desktop pool gets large enough it may make sense

What Else Can We do Here?

vShield Edge and/or App

• View Manager protection
• Management network protection
• Server zone protection

vShield Endpoint

• Leverage a partner solution for offloaded AV

vShield Data Security

• In this medical use case, this is a natural solution for scanning for HIPAA data in an unstructured format on users' desktops
• If discovered, vShield App can be used to quarantine those specific desktops or just add additional protections to them

Questions?