1 / 37

SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review

SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review. Name, Title, Company. Disclaimer. This session may contain product features that are currently under development.

kedma
Download Presentation

SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SEC1747Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review Name, Title, Company

  2. Disclaimer • This session may contain product features that are currently under development. • This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined.

  3. Agenda • Desktop Security Challenges • General Data Center Security Challenges • vShield Products Overview • National Jewish Health Reference Architecture • How vShield 5.0 Will Improve Reference Architecture • Q&A

  4. Desktop Security Challenges • Desktops traditionally existed on the Edge • Required agent based firewalls, filters and protection • Day Zero attacks not always addressed • Reaction only as fast as update distribution • Not cost effective to make the entire network a firewall • Traditional Desktop admins not firewall savvy

  5. Security Enhancements from VMware • VMware View moves Desktop to Data Center • VMware View Composer • Single Image Management • Centralized updates • Thinapp • Centralized app management • No more Local Admin • vShield Endpoint • Host based Virus Protection • Always on protection • vShield App • Client to Client firewall rules • Client to server firewall rules

  6. View Virtual Desktop Access • Client to Virtual Connection Secure • Moved desktop to the Data Center • Desktops continue to cross communicate CentralizedVirtual Desktops Remote Desktop Protocol MicrosoftActive Directory vCenter View Connection Server View Security Server DMZ HTTPS Secure Tunnel View Client

  7. View Virtual Desktop Access

  8. Physical Security Challenges

  9. Challenges with Firewalling Typical Desktops • Distributed and mobile model make protection of physical desktops very problematic • Very Rare to See Real Segmentation of Desktops • Requires Complicated physical or VLAN based rule sets are necessary for network based firewalling • Laptops or other mobile devices may connect into different network segments • Port based rules and policies very difficult to manage • Endpoint based firewalls are very difficult to manage and don’t scale • Requires individual rule sets for every desktop • As new desktops come online, they must be configured with specific rule sets • What happens when a user connects remotely • Access rights must be set for each user or type of user logging in • This is in addition to endpoint based rules • What can we learn by what we do with the datacenter and how we firewall and protect the datacenter?

  10. Data Center Needs to Be Secured At Different Levels • Sprawl: hardware, FW rules, VLANs • Rigid FW rules • Performance bottlenecks Cost & Complexity At the vDC Edge • Perimeter security device(s) at the edge • Firewall, VPN, Intrusion Prevention • Load balancers Perimeter Security Keep the bad guys out Internal Security VLAN 1 • VLAN or subnet based policies • Interior or Web application Firewalls • DLP, application identity aware policies Segmentation of applications, servers VLANs End Point Security • Desktop AV agents, • Host based intrusion • DLP agents for privacy End Point Protection

  11. Enterprise Security Today – Not Virtualized, Not Cloud Ready Enterprise VDC DMZ Web Servers Apps / DB Tier Users Sites • Perimeter/DMZ • Threat Mitigation • Perimeter security products w/ FW/ VPN/ IPS • Hardware Sprawl, Expensive • Interior security • Segmentation of applications and Server • VLAN or subnet based policies • VLAN Sprawl, Complex • Endpoint security • Protecting the Endpoint • AV, HIPS agent based security • Agent Sprawl, Cumbersome

  12. Next Gen: Virtualized and Virtualization Aware Security Controls Enterprise VDC DMZ Web Servers Users Apps / DB Tier Sites

  13. vShield Product Overview

  14. vShield Product Family Securing the Private Cloud End to End: from the Edge to the Endpoint vShield App Security Zone Endpoint = VM Edge vShield Edge vShield Endpoint vShield Manager Endpoint = VM - Create segmentation between workloads - Sensitive data discovery Secure the edge of the virtual datacenter Anti-virus processing Centralized Management DMZ Application 1 Virtual Desktops VMware vSphere VMware vSphere

  15. vShield App VMware introspection technology makes vShield App network topology agnostic, simplifying VLAN and firewall policies while providing added assurance at the most granular network level • Better, faster protection • vNIC level protection – eliminates VLAN blind spots, firewall chokepoints and L2 attacks • High performance distributed enforcement – lowers firewall and VLAN capital investment costs • Simpler, easer to operate • Dramatically reduced number of VLANs – removes VLAN complexity • Container & Security Group based policies are “change aware” and easy to understand • Dramatically smaller number of rules reduces chance for policy configuration errors • VC integrated and manageable by REST APIs for script and 3rd party automation • Improved visibility, control and compliance • Application aware NetFlow visibility • Automated log collection with syslog and VC integration

  16. vShield Data Security – September 2011 New ! ! ! Overview • More than 80 pre-defined templates for country/industry specific regulations • Accurately discover and report sensitive data in unstructured files with analysis engine • Segment off VMs with sensitive data in separate trust zones Benefits • Quickly identify sensitive data exposures • Reduce risk of non-compliance and reputation damage • Improve performance by offloading data discovery functions to a virtual appliance Cloud Infrastructure(vSphere, vCenter, vShield, vCloud Director)

  17. EPSEC 2.0 Enables Anti-virus and Data Security Solutions vSEP virtual appliance for data security • What’s the same • vShield Endpoint Virtual Appliance (vSEP-VA) • Thin Agent • vShield Endpoint ESX hypervisor module • New Features to support data security • Support for two or more vSEP-VAs (allows anti-virus and data security to run on the same host) • A vSEP-VA for data security, provided by vShield • End user packaging • vShield App with Data Security (confirmed) • vShield Data Security (planning stages) • Both require vShield Endpoint

  18. Security Zones • What do we use security zones for? • Usual implementation for Servers, multitier applications, and regulated systems

  19. Desktop Security Zones • With this model we can secure our View Desktops in a way that we can’t do with physical • New Concept: Desktop Security Zones • Liam will discuss how he accomplished this with vShield App 1.0 • I’ll discuss how vShield App 5.0 can improve the model as well as additional capabilities with other vShield products Browsing Desktops User A Desktops User B Desktops

  20. National Jewish Health View Implementation Clinical Desktop

  21. Use Case 1: Light Clinical Users • Non-persistent desktop pool • Dedicated assignment • Refreshes OS disk on logout • USB redirect • For spirometry equipment used for pulmanary function tests (PFTs) • Multimedia redirect • For accessing medical data provided by the patient • Access to specific web sites, not the entire internet • Deployed mostly in clinical areas

  22. Use Case 2: Heavy Clinical Users • Persistent Desktop • Dedicated assignment • All customizations are saved • Periodic snapshots for quick recovery • No USB redirect • No multimedia redirect • Access to any web site • Deployed mostly in physician and clinical manager offices, but also accessible in clinical areas.

  23. VCenter Layout

  24. Desktop Pools and Entitlement

  25. App Firewall Rules (Network)

  26. App Firewall Rules (View)

  27. App Firewall Rules (Applications)

  28. App Firewall Rules (Web/Email)

  29. App Firewall Rules (Default Deny)

  30. How Can vShield App 5 Improve Upon This?

  31. Application Groups and System Groups • vShield 5 can now create custom application groups and system groupings • We can make a group here for all of the DC’s • We can make 2 application groups • 1 for TCP applications and 1 for UDP applications • 27 Rules below can be cut down to 3 rules! • 1 each for Any to DCs – TCP and UDP Apps • 1 for ANY – ANY – UDP Apps (DHCP and NBDG Broadcast)

  32. vShield App 5 Improvements • Nested vCenter Objects • vShield 5 can now use nest vCenter Objects • We can create a parent resource pool call “View Desktops” • This can bring this rule set down to 3 rules. • We can then create an application grouping for the View related protocols • PCoIP, JMS, RDP, etc… • This can bring this rule set down to 3 rules. • 1 for View TCP Rules • 1 for View UDP Rules • 1 for USB Redirection • These deny rules be cut down from 4 to 2 rules.

  33. vShield App 5 Improvements • Layer 2 Firewalling • Issue with large flat networks is that broadcast storms can be an issue • vShield can now do layer 2 firewalling to contain broadcast storms • Not necessary here at this point, but if the desktop pool gets large enough it may make sense

  34. What Else Can We do Here? • vShield Edge and/or App • View Manager Protection • Management Network Protection • Server Zone Protection • vShield Endpoint • Leverage partner solution for offloaded AV • vShield Data Security • In this medical use case, this is a natural solution for scanning for HIPAA data in an unstructured format on users desktops • If discovered, vShield App can be used to quarantine or just add additional protections to those specific desktops

  35. Questions????

More Related