Transcript: vShield App
SEC1747
Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review
Name, Title,
Company
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
Desktop Security Challenges
General Data Center Security Challenges
vShield Products Overview
National Jewish Health Reference Architecture
How vShield 5.0 Will Improve Reference Architecture
Q&A
Desktop Security Challenges
Desktops traditionally existed on the Edge
Required agent based firewalls, filters and protection
Day Zero attacks not always addressed
Reaction only as fast as update distribution
Not cost effective to make the entire network a firewall
Traditional Desktop admins not firewall savvy
Security Enhancements from VMware
VMware View moves Desktop to Data Center
VMware View Composer
• Single Image Management
• Centralized updates
ThinApp
• Centralized app management
• No more Local Admin
vShield Endpoint
• Host based virus protection
• Always on protection
vShield App
• Client to client firewall rules
• Client to server firewall rules
View Virtual Desktop Access
• Remote Desktop Protocol
• Client to virtual connection secure
• Moved desktop to the Data Center
• Desktops continue to cross communicate
[Diagram labels: View Client, DMZ, HTTPS Secure Tunnel, View Security Server, View Connection Server, Centralized Virtual Desktops, Microsoft Active Directory, vCenter]
View Virtual Desktop Access
Physical Security Challenges
Challenges with Firewalling Typical Desktops
Distributed and mobile models make protection of physical desktops very problematic
• Very rare to see real segmentation of desktops
• Complicated physical or VLAN based rule sets are necessary for network based firewalling
• Laptops or other mobile devices may connect into different network segments
• Port based rules and policies are very difficult to manage
• Endpoint based firewalls are very difficult to manage and don’t scale
• Requires individual rule sets for every desktop
• As new desktops come online, they must be configured with specific rule sets
• What happens when a user connects remotely?
• Access rights must be set for each user or type of user logging in
• This is in addition to endpoint based rules
What can we learn by what we do with the datacenter and how we firewall and protect the datacenter?
Data Center Needs to Be Secured At Different Levels
Perimeter Security (cost & complexity; keep the bad guys out)
• Sprawl: hardware, FW rules, VLANs
• Load balancers
Internal Security (segmentation of applications, servers)
• VLAN or subnet based policies
• Interior or Web application firewalls
• DLP, application identity aware policies
End Point Security (end point protection)
• Desktop AV agents
• Host based intrusion
• DLP agents for privacy
[Diagram labels: VLAN 1, VLANs]
Enterprise Security Today – Not Virtualized, Not Cloud Ready
[Diagram labels: Users, DMZ, Enterprise VDC, Web Servers, Apps / DB Tier, Sites]
Perimeter/DMZ
- Threat mitigation
- Perimeter security products w/ FW / VPN / IPS
- Hardware sprawl, expensive
Interior security
- Segmentation of applications and servers
- VLAN or subnet based policies
- VLAN sprawl, complex
Endpoint security
- Protecting the endpoint
- AV, HIPS agent based security
- Agent sprawl, cumbersome
Next Gen: Virtualized and Virtualization Aware Security Controls
[Diagram labels: Users, DMZ, Enterprise VDC, Web Servers, Apps / DB Tier, Sites]
vShield Product Overview
vShield Product Family: Securing the Private Cloud End to End, from the Edge to the Endpoint
vShield Edge
• Secure the edge of the virtual datacenter
vShield App
• Secure between workloads
• Sensitive data discovery
vShield Endpoint
• Endpoint = VM
• Anti-virus processing
vShield Manager
• Centralized management
[Diagram labels: DMZ, Application 1, Virtual Desktops]
© 2009 VMware Inc. All rights reserved
vShield App
Better, faster protection
• vNIC level protection – eliminates VLAN blind spots, firewall chokepoints and L2 attacks
• High performance distributed enforcement – lowers firewall and VLAN capital investment costs
Simpler, easier to operate
• Dramatically reduced number of VLANs – removes VLAN complexity
• Container & Security Group based policies are “change aware” and easy to understand
• Dramatically smaller number of rules reduces the chance of policy configuration errors
• vCenter integrated and manageable by REST APIs for scripting and 3rd party automation
Improved visibility, control and compliance
• Application aware NetFlow visibility
• Automated log collection with syslog and vCenter integration
vShield Data Security – September 2011 (New)
Cloud Infrastructure (vSphere, vCenter, vShield, vCloud Director)
Overview
• More than 80 pre-defined templates for country/industry specific regulations
• Accurately discover and report sensitive data in unstructured files with the analysis engine
• Segment off VMs with sensitive data in separate trust zones
Benefits
• Quickly identify sensitive data exposures
• Reduce risk of non-compliance and reputation damage
• Improve performance by offloading data discovery functions to a virtual appliance
EPSEC 2.0 Enables Anti-virus and Data Security Solutions
vSEP virtual appliance for data security
What’s the same
• vShield Endpoint Virtual Appliance (vSEP-VA)
• Thin Agent
• vShield Endpoint ESX hypervisor module
New features to support data security
• Support for two or more vSEP-VAs (allows anti-virus and data security to run on the same host)
• A vSEP-VA for data security, provided by vShield
End user packaging
• vShield App with Data Security (confirmed)
• vShield Data Security (planning stages)
• Both require vShield Endpoint
Security Zones
What do we use security zones for?
• Usual implementation for servers, multi-tier applications, and regulated systems
Desktop Security Zones
With this model we can secure our View desktops in a way that we can’t with physical desktops
New Concept: Desktop Security Zones
• Liam will discuss how he accomplished this with vShield App 1.0
• I’ll discuss how vShield App 5.0 can improve the model as well as additional capabilities with other vShield products
[Diagram labels: User A Desktops, User B Desktops, Browsing Desktops]
National Jewish Health View Implementation
Clinical Desktop
Use Case 1: Light Clinical Users
Non-persistent desktop pool
• Dedicated assignment
• Refreshes OS disk on logout
USB redirect
• For spirometry equipment used for pulmonary function tests (PFTs)
Multimedia redirect
• For accessing medical data provided by the patient
Access to specific web sites, not the entire internet
Deployed mostly in clinical areas
Use Case 2: Heavy Clinical Users
Persistent Desktop
• Dedicated assignment
• All customizations are saved
• Periodic snapshots for quick recovery
No USB redirect
No multimedia redirect
Access to any web site
Deployed mostly in physician and clinical manager offices, but also accessible in clinical areas.
vCenter Layout
Desktop Pools and Entitlement
App Firewall Rules (Network)
App Firewall Rules (View)
App Firewall Rules (Applications)
App Firewall Rules (Web/Email)
App Firewall Rules (Default Deny)
How Can vShield App 5 Improve Upon This?
Application Groups and System Groups
vShield 5 can now create custom application groups and system groupings
• We can make a group here for all of the DCs
• We can make 2 application groups
  • 1 for TCP applications and 1 for UDP applications
The 27 rules below can be cut down to 3 rules!
• 1 each for Any to DCs – TCP and UDP Apps
• 1 for ANY – ANY – UDP Apps (DHCP and NBDG Broadcast)
vShield App 5 Improvements
Nested vCenter Objects
• vShield 5 can now use nested vCenter objects
• We can create a parent resource pool called “View Desktops”
• This can bring this rule set down to 3 rules.
We can then create an application grouping for the View related protocols
• PCoIP, JMS, RDP, etc…
• This can bring this rule set down to 3 rules.
  • 1 for View TCP rules
  • 1 for View UDP rules
  • 1 for USB redirection
• These deny rules can be cut down from 4 to 2 rules.
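The two consolidation ideas on these slides, application groups in place of per-port rules and nested vCenter objects in place of per-pool rules, are easy to misjudge if you only count rules: the point is that the grouped set must give the same allow/deny verdict as the long set for every flow. The following is an added illustration written for this review, not vShield code and not its REST API. It models a first-match, default-deny policy over a constructed container hierarchy (a parent pool “View Desktops” holding the three desktop pools, plus hypothetical “DCs” and “View Servers” groups) and constructed application groups; all VM names, port numbers and flows are made up, so the “before” count is 14 rather than the slide’s 27.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str         # container name, VM name or "ANY"
    dst: str
    apps: frozenset  # application group: set of (proto, port)
    action: str      # "allow" or "deny"


# Constructed container hierarchy standing in for nested vCenter objects.
# "DCs" and "View Servers" are hypothetical groups; every VM name is made up.
CONTAINERS = {
    "View Desktops": {"Light Clinical", "Heavy Clinical", "Browsing"},
    "Light Clinical": {"lc-01", "lc-02"},
    "Heavy Clinical": {"hc-01"},
    "Browsing": {"br-01"},
    "DCs": {"dc-01", "dc-02"},
    "View Servers": {"cs-01"},
}

# Constructed application groups; the port lists are illustrative only.
APP_GROUPS = {
    "DC TCP Apps": frozenset({("tcp", 88), ("tcp", 389), ("tcp", 445)}),
    "DC UDP Apps": frozenset({("udp", 53), ("udp", 88), ("udp", 389)}),
    "Broadcast UDP Apps": frozenset({("udp", 67), ("udp", 138)}),  # DHCP, NBDG
    "View TCP Apps": frozenset({("tcp", 4172), ("tcp", 3389)}),    # PCoIP, RDP
    "View UDP Apps": frozenset({("udp", 4172)}),                    # PCoIP
}


def members(obj):
    """Expand a container to its leaf VMs, following nesting recursively."""
    if obj not in CONTAINERS:
        return {obj}  # a leaf VM name
    leaves = set()
    for child in CONTAINERS[obj]:
        leaves |= members(child)
    return leaves


def matches(spec, vm):
    return spec == "ANY" or vm in members(spec)


def evaluate(rules, flow):
    """First-match evaluation with an implicit default deny at the end."""
    for r in rules:
        if (matches(r.src, flow.src_vm) and matches(r.dst, flow.dst_vm)
                and (flow.proto, flow.dport) in r.apps):
            return r.action
    return "deny"


def expanded_rules():
    """'Before': one allow rule per DC host per service, plus one per broadcast service."""
    rules = []
    for dc in sorted(members("DCs")):
        for svc in sorted(APP_GROUPS["DC TCP Apps"] | APP_GROUPS["DC UDP Apps"]):
            rules.append(Rule("ANY", dc, frozenset({svc}), "allow"))
    for svc in sorted(APP_GROUPS["Broadcast UDP Apps"]):
        rules.append(Rule("ANY", "ANY", frozenset({svc}), "allow"))
    return rules


def grouped_rules():
    """'After': the three rules the slide describes, using the DCs group and app groups."""
    return [
        Rule("ANY", "DCs", APP_GROUPS["DC TCP Apps"], "allow"),
        Rule("ANY", "DCs", APP_GROUPS["DC UDP Apps"], "allow"),
        Rule("ANY", "ANY", APP_GROUPS["Broadcast UDP Apps"], "allow"),
    ]


def view_rules():
    """Rules aimed at the parent pool: one nested object covers every desktop pool."""
    return [
        Rule("View Servers", "View Desktops", APP_GROUPS["View TCP Apps"], "allow"),
        Rule("View Servers", "View Desktops", APP_GROUPS["View UDP Apps"], "allow"),
    ]


# Constructed sample flows: desktop-to-DC, desktop-to-desktop and broadcast traffic.
SAMPLE_FLOWS = [
    Flow("lc-01", "dc-01", "tcp", 389),   # LDAP to a DC: allowed
    Flow("br-01", "dc-02", "udp", 53),    # DNS to a DC: allowed
    Flow("lc-01", "hc-01", "tcp", 445),   # desktop to desktop SMB: default deny
    Flow("hc-01", "dc-01", "tcp", 3389),  # RDP to a DC: in no DC group, deny
    Flow("lc-02", "br-01", "udp", 67),    # DHCP broadcast: allowed ANY to ANY
]


def policies_equivalent(rules_a, rules_b, flows):
    """True when both rule sets return the same verdict for every flow."""
    return all(evaluate(rules_a, f) == evaluate(rules_b, f) for f in flows)


if __name__ == "__main__":
    print(len(expanded_rules()), "rules before,", len(grouped_rules()), "after")
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(grouped_rules(), f))
```

The check worth keeping from this is `policies_equivalent`: before replacing a long rule list with grouped rules, run both against a representative set of flows (including the desktop-to-desktop ones that should fall through to default deny) and confirm the verdicts match. The `view_rules` pair shows the nested-object case: a rule whose destination is the parent pool applies to every VM in every child pool, so adding a pool under “View Desktops” needs no new rule.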
vShield App 5 Improvements
Layer 2 Firewalling
• On large flat networks, broadcast storms can be an issue
• vShield can now do layer 2 firewalling to contain broadcast storms
• Not necessary here at this point, but if the desktop pool gets large enough it may make sense
What Else Can We do Here?
vShield Edge and/or App
• View Manager protection
• Management network protection
• Server zone protection
vShield Endpoint
• Leverage partner solution for offloaded AV
vShield Data Security
• In this medical use case, this is a natural solution for scanning for HIPAA data in unstructured form on users’ desktops
• If discovered, vShield App can be used to quarantine those specific desktops or just add additional protections to them