
Tag Archives: IT Security

End User Computing 101: Network and Security

By TJ Vatsa, Principal Architect, VMware Professional Services


In my first post on the topic of End User Computing (EUC), I provided a few digestible tidbits around infrastructure, desktop and server power, and storage. In this post, we’ll go a bit further into the infrastructure components that affect user experience and how users interact with the VDI infrastructure. We’ll cover network and security, devices, converged appliances, and desktop as a service.

Let’s look a bit more closely at network and security first.

Network and Security

To ensure an acceptable VDI user experience, measure the network's bandwidth, latency, and jitter. Start with a proper network assessment: deploy monitoring tools and establish a baseline, then keep monitoring network resources against that baseline so that drift is caught before users report it. As with any network, high latency degrades performance, but some components are far more sensitive to it than others, and the remote display protocol is one of them.

When deploying Horizon View desktops over a WAN using the PC-over-IP (PCoIP) remote display protocol, plan for Quality of Service (QoS). Keep round-trip network latency under 250 ms. PCoIP is a real-time protocol, so treat it like VoIP, IPTV, and other UDP-based streaming protocols when designing the network.

To make sure that PCoIP is properly delivered, it needs to be tagged in QoS so that it can compete fairly across the network with other real-time protocols. To achieve this objective, PCoIP must be prioritized above other non-critical and latency tolerant protocols (for example, file transfers and print jobs). Failure to tag PCoIP properly in a congested network environment leads to PCoIP packet loss and a poor user experience, as PCoIP adapts down in response. For instance, tag and classify PCoIP as interactive real-time traffic. (Classify PCoIP just below VoIP, but above all other TCP-based traffic.)

To make the best use of bandwidth, ensure a full-duplex link end to end. Segregate PCoIP traffic with IP QoS Differentiated Services Code Point (DSCP) marking, or with layer 2 Class of Service (CoS) or a dedicated VLAN. If users connect over a VPN, confirm that the tunnel carries UDP, since PCoIP session traffic runs over UDP, and check on the far side of the tunnel that the DSCP markings survive: a VPN concentrator or carrier edge that re-marks everything to best effort silently undoes the classification described above.
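The QoS rules above are easy to state and easy to lose somewhere between the desktop and the data center, so it is worth verifying them from a capture rather than trusting the switch configuration. The following is an added Python example, not code from the original post or from VMware: it decodes the DSCP field from raw IPv4 packets and flags PCoIP flows (port 4172, the port VMware documents for PCoIP) that are unmarked or marked at EF alongside VoIP, and bulk TCP flows (SMB, FTP, print) marked at or above PCoIP. The AF41 target for PCoIP and the sample packets are assumptions constructed for the demo; in practice you would feed it packets read from a pcap taken on each side of the WAN or VPN, with the Ethernet header stripped.

```python
"""Audit DSCP markings on captured PCoIP traffic (added example, not VMware code).

Assumptions: PCoIP uses port 4172 (UDP and TCP); target policy is VoIP at EF (46),
PCoIP one class below at AF41 (34), bulk TCP at best effort (0).  AF41 is an
assumed target, substitute your network team's class.  Input is raw IPv4 with
the Ethernet header already stripped.
"""
import socket
import struct

PROTO_TCP = 6
PROTO_UDP = 17

DSCP_BE = 0      # best effort / CS0
DSCP_AF41 = 34   # assumed PCoIP target class
DSCP_EF = 46     # expedited forwarding, reserved here for VoIP

PCOIP_PORT = 4172
BULK_TCP_PORTS = {20, 21, 445, 515, 9100}   # FTP, SMB, LPD, raw print


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and the L4 port pair (UDP and TCP both begin with ports)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, _total_len, _ident, _flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("bad IHL or truncated L4 header")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "dscp": tos >> 2,          # top six bits of the TOS byte (RFC 2474)
        "ecn": tos & 0x03,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
    }


def classify(p: dict) -> str:
    """Coarse traffic class by port: pcoip, bulk or other."""
    if p["proto"] in (PROTO_UDP, PROTO_TCP) and PCOIP_PORT in (p["sport"], p["dport"]):
        return "pcoip"
    if p["proto"] == PROTO_TCP and BULK_TCP_PORTS & {p["sport"], p["dport"]}:
        return "bulk"
    return "other"


def check_marking(p: dict) -> list:
    """Return policy violations for one packet; an empty list means compliant."""
    flow = f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}'
    cls = classify(p)
    findings = []
    if cls == "pcoip" and not (DSCP_BE < p["dscp"] < DSCP_EF):
        # Untagged PCoIP loses to everything under congestion; tagged at EF it
        # competes head-on with VoIP.  Either way the display protocol adapts down.
        findings.append(f'PCoIP {flow} marked DSCP {p["dscp"]}; expected above BE and below EF (e.g. AF41={DSCP_AF41})')
    elif cls == "bulk" and p["dscp"] >= DSCP_AF41:
        findings.append(f'bulk TCP {flow} marked DSCP {p["dscp"]}; must sit below PCoIP (AF41={DSCP_AF41})')
    return findings


def audit(packets) -> list:
    """Run check_marking over a list of raw IPv4 packets and collect all findings."""
    findings = []
    for pkt in packets:
        findings.extend(check_marking(parse_ipv4(pkt)))
    return findings


def build_ipv4(dscp: int, proto: int, src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + UDP/TCP packet for the demo (checksums left at 0)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) & 0xFF, 20 + len(l4), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4


# Constructed sample capture (not real traffic): three of the five packets violate the policy.
SAMPLE_PACKETS = [
    build_ipv4(DSCP_AF41, PROTO_UDP, "10.1.1.10", "10.2.2.50", 50000, PCOIP_PORT),  # compliant PCoIP
    build_ipv4(DSCP_BE, PROTO_UDP, "10.1.1.11", "10.2.2.51", 50001, PCOIP_PORT),    # PCoIP lost its tag (e.g. re-marked by a VPN)
    build_ipv4(DSCP_EF, PROTO_TCP, "10.1.1.12", "10.2.2.52", 50002, PCOIP_PORT),    # PCoIP tagged as VoIP
    build_ipv4(DSCP_BE, PROTO_TCP, "10.1.1.13", "10.2.2.60", 50003, 445),           # compliant SMB
    build_ipv4(DSCP_AF41, PROTO_TCP, "10.1.1.14", "10.2.2.61", 50004, 9100),        # print job marked like PCoIP
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Running the same audit on captures from the client LAN and from the data center edge tells you not only whether PCoIP is tagged but where the tag is lost, which is usually the more useful answer.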

Enterprise security for corporate virtual desktops is of paramount importance for the successful rollout of VDI infrastructure. It is highly recommended that an enterprise scale, policy-based management security solution be used to define and enforce security policies within the enterprise.

Based on typical customer requirements, secure access to the VDI infrastructure is provisioned via the following user access modes:

  1. LAN Users: VDI users accessing virtual desktop infrastructure via the corporate LAN network.
  2. VPN Users: VDI users accessing corporate virtual desktop infrastructure via the VPN tunnel.
  3. Public Network Users: VDI users accessing virtual desktop infrastructure via the public network.

Use Case: VDI User Secure Access Modes

Enforcing authentication and authorization policies is a domain in itself, and the right answer varies by industry vertical. Many hospitals, for instance, prefer “tap-‘n’-go” badge authentication to get clinical staff into shared devices and Electronic Medical Record (EMR) applications quickly. Regulatory requirements also follow the vertical: HIPAA for healthcare, and PCI DSS for any organization that stores, processes, or transmits payment card data.

Note: The scenario depicted below is that of a typical public network user.

Infrastructure scenario

Horizon View infrastructure can be easily optimized to support any combination of secure VDI user access modes.


Based on the security policies and regulatory compliance standards in force in the enterprise, I highly recommend a thorough assessment of end user devices and endpoints. Categorize users into desktop communities, each supporting one or more endpoint types, because a managed thin client on the LAN and a personal tablet on the public network warrant different policies. The Horizon View client supports a wide range of endpoints: desktops, laptops, thin clients, zero clients, smartphones, and tablets, with clients for iOS, Android, Mac OS X, Linux, and Windows as well as HTML Access from a browser, to name a few.

Converged Appliances

The converged appliance market is maturing rapidly as more customers choose converged appliances for their faster infrastructure deployment times. From an EUC infrastructure perspective, evaluate the converged appliance solutions available for your business scenarios.

Vendors increasingly offer customized, optimized solutions for EUC and for business continuity and disaster recovery (BCDR) as x-in-a-box packages, in which the required infrastructure components, hardware, and software have been validated and tuned for specific business scenarios.

Desktop as a Service (DaaS)

Some customers worry about EUC datacenter planning, infrastructure procurement, and deployment.

DaaS scenario

Look to hosted desktop services, such as Horizon DaaS, to address business requirements and use cases that revolve around development, testing, seasonal bursts, and even BCDR. DaaS can even provide a more economical alternative to traditional datacenter deployment. For instance, DaaS reduces your up-front costs and lowers your desktop TCO with predictable cloud economics that enable you to move from CapEx to OpEx in a predictable way.

Plus, users can access Windows desktops and applications from the cloud on any device, including tablets, smartphones, laptops, PCs, thin clients, and zero clients. DaaS solutions like Horizon DaaS desktops can also be tailored to meet the simplest or most demanding workloads, from call center software to CAD and 3D graphics packages.

In these first two posts, we’ve gotten a good handle on infrastructure, devices, and security. In my next post, I’ll cover mobility and BYOD along with applications and image management, and weave it all together with EUC project methodology.

TJ has worked at VMware for the past four years, with over 20 years of experience in the IT industry. At VMware TJ has focused on enterprise architecture and applied his extensive experience to Cloud Computing, Virtual Desktop Infrastructure, SOA planning and implementation, functional/solution architecture, enterprise data services and technical project management.

TJ holds a Bachelor of Engineering degree in Electronics and Communications from Delhi University and has attained multiple industry and professional certifications in enterprise architecture and technology platforms. TJ is a speaker and a panelist at industry conferences such as VMworld, VMware’s PEX (Partner Exchange) and BEAworld. His passion is the real-life application of technology to drive successful user experiences and business outcomes.

Developing Defense in Depth for a Software-Defined Data Center

By Jared Skinner, Cloud Management Sales Director – West

The software-defined data center (SDDC) is on the tip of a lot of tongues these days, but the fact is, it’s not yet an end-point solution but rather a constantly evolving strategy. For that reason, I meet many customers who are excited about its potential but still wary of the unknowns—in particular around security.

As we abstract different layers of the technological stack, namely storage and network, we must continue to manage security across the stack through industry best practices and/or regulatory standards. Securing the SDDC begins by reinventing Defense in Depth.

What Is “Defense in Depth”?

I think of Defense in Depth like an onion, where the sweetest part is the center, protected under many layers of security.

The Secret to Getting Security to Say ‘Yes’

By Richard Rees, Security & Compliance Architect, VMware Professional Services

In my post last week about the NSA and hybrid cloud, I shared an important equation from the security world: Trust = Visibility + Control. In other words, if I’m going to trust a third party with my data assets, I need more visibility to be comfortable with less control.

Today I want to highlight the different requirements that security, IT, and business have for building trust, and how improved visibility can help all three build a more successful working relationship.

Let’s start with security, the most risk-averse, and a mindset I have the best insight into. We know that business and IT are frustrated when we say no, but they need to understand our thought process. If security says “no,” and something bad happens, we get to say “I told you so.” If we say “no,” and nothing bad happens, we’re still ok. But every time we say “yes” we take a risk on getting burned. And we’ve been burned plenty before.

The business side has completely different requirements for trust. To them, risk is just the cost of doing business. You acquire a company, it doesn’t perform as you expected, you sell it off again. That’s that. Meanwhile, IT is somewhere in the middle, focused on efficiency and service delivery to the business.

When these different risk tolerances are competing (instead of collaborating), new problems arise, like the precipitous growth of “shadow IT” and the security problems it poses.

The Snowden Leak: A Windfall for Hybrid Cloud?

By Richard Rees, Security & Compliance Architect, VMware Professional Services

Interest in hybrid cloud has risen since Edward Snowden’s leak in May revealing vast surveillance operations by the US government, according to VMware CEO Pat Gelsinger and COO Carl Eschenbach during a VMworld Q&A last week.

That’s not surprising, since hybrid clouds allow businesses to keep their data in their own house and out of the prying eyes of government. That’s undoubtedly attractive for foreign companies doing business with or in the United States, since the US government was revealed to be focusing their monitoring efforts on emails sent to or received from another country.

Even if you aren’t worried about the NSA, I’m guessing you’d prefer the government not to have access to your business’s (or your customers’) information without your knowledge.

Hybrid: The best of both clouds

Enter the hybrid cloud. With a hybrid platform, businesses get the convenience and flexibility of a public cloud, but all access to sensitive data is handled through the organization’s private cloud.

Don’t Leave Security Off the Table

By Bill Mansfield, VMware Professional Services Consultant

I find myself at a large majority of my enterprise customers discussing non-technical issues: brokering a truce between operational organizations that have evolved in their own silos and don’t play well with others. In the early days of virtualization, it was difficult to get three key parties in the same room in large shops to hash out architectural requirements and operational process. Networking, storage, and virtualization were typically at odds with each other for any number of reasons, and getting everyone to play nice was difficult. These days, it’s primarily Security that’s left out of the room. A large government customer recently told me flat out, “We don’t care about security,” implying that it was another department’s responsibility. Indeed, the SecOps (Security Operations) and SecEngineering (Security Engineering) teams had never been brought into a virtualization meeting in the 7 years virtualization had been in house.

This segregation of the Security team, whether intentional or not, causes serious problems during a security incident. Typically SecOps only has a view into the core network infrastructure and some agent-based sensors that may or may not make it onto the VMs being investigated. Network sensors typically exist only at the edges of the network, and occasionally at the core in larger shops. VM-to-VM traffic may or may not transit the physical network at any given time. For a long time, the ability to watch virtual switches for data was not available, and the Security teams got used to that. These days, all the traditional methods of monitoring and incident investigation are readily available within vSphere. The vSphere 5.1 Distributed Virtual Switch can produce NetFlow data for consumption by any number of tools. RSPAN and ERSPAN can provide full remote network monitoring or recording. Inter-VM traffic is no longer invisible to Security tools. Security teams just need to be involved, and need to hook their existing toolset into the software-defined data center. No need to reinvent the wheel. Sure, we can enhance capabilities, but first we need to get the Security teams to the table and allow them to use the tools they already have.

So what are some typical questions from Security Operations about the software-defined data center? Some of them I can answer, some of them are still works in progress. All of them deserve their own write-ups.

How do we monitor the network?

  • Port mirroring has been around for a while, and NetFlow, RSPAN and ERSPAN capabilities now allow us to work with a great many industry-standard tools.

How do we securely log events?

  • SIEM integration is fairly straightforward via syslog or direct pulls from the relevant vSphere databases.

Where do we put IDS/IPS?

  • Leave the traditional edge monitoring in place, and enhance it with solutions inside the vSphere stack.
  • vSphere accommodates traditional agent-based IPS as well as a good number of agentless solutions via EPSec and NetX API integration. Most of the major vendors have some amount of integration.

Can you accommodate for segregation of duties?

  • vSphere and vCNS vShield Manager both provide role based segregation and audit capability.

Can you audit against policy?

  • This is a big topic. We can audit host profiles and admin activity in vCenter. We can audit almost anything in vCenter Configuration Manager at all levels of the stack.
  • We can baseline the network traffic of the enterprise with vADP (Application Discovery Planner, not to be confused with our backup API.) We can periodically check for deltas with vADP to find anomalous traffic.

What tools work with VMware to assist with forensics and incident management?

  • Again, this is another big topic. Guests are just data, and a VM doesn’t know when it’s had a snapshot taken. I’ve worked with EnCase, CAINE, BackTrack, and other tools to look at things raw. Procedurally it’s fairly simple: dd off the datastore to run through one of the usual tools, and/or run the tool against copies of the VMDKs in question.
  • On the network side, tie ERSPAN to Wireshark and use traditional methodology. If you’re feeling clever, you can look at live memory by recording a vMotion.

How does legal chain of custody work for forensics on a VM?

  • I’m not a lawyer. I’m not a certified forensic examiner. So, I’ve always had someone from a firm who specializes in forensics like Foundstone with me to handle the paperwork.
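The imaging step from the forensics answer above (copy the VMDK off the datastore, then run the usual tools against the copy) is where the chain-of-custody paperwork gets its evidence: a hash of the source at acquisition time, a hash of the image, and a record of who made the copy and when. The following is an added Python example, not code from the original post or from any forensic vendor, standing in for the dd step with the integrity checks attached. Paths, the case ID and the examiner name are illustrative, and the sample "VMDK" is random bytes written by the demo. It hashes one flat disk file; a VM with a snapshot chain has a descriptor plus delta files, each of which needs the same treatment, and the source should be a powered-off or snapshotted disk, because a hash of a disk that is still being written is not reproducible.

```python
"""Acquire a forensic copy of a VM disk file with integrity hashes.

Added example (not VMware or forensic-vendor code).  Python stand-in for the
"dd the VMDK off the datastore" step: streams the source into an image, hashes
source and image with SHA-256, and writes an acquisition record (case, examiner,
time, sizes, hashes) for the chain-of-custody file.  Paths, case ID and examiner
are illustrative; the sample disk is random bytes created by demo().
"""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024


def sha256_file(path: str) -> str:
    """Hash a file in chunks so multi-GB disks never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(src_path: str, dst_path: str, case_id: str, examiner: str) -> dict:
    """Copy src_path to dst_path, hashing the source as it is read, then re-hash the
    written image independently so the record proves what actually landed on disk."""
    h_src = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "source": src_path,
        "source_size": os.path.getsize(src_path),
        "sha256_source": h_src.hexdigest(),
        "image": dst_path,
        "image_size": os.path.getsize(dst_path),
        "sha256_image": sha256_file(dst_path),
    }
    record["verified"] = (record["sha256_source"] == record["sha256_image"]
                          and record["source_size"] == record["image_size"])
    with open(dst_path + ".acquisition.json", "w") as f:
        json.dump(record, f, indent=2)      # goes into the custody file alongside the image
    return record


def verify_image(image_path: str, record: dict) -> bool:
    """Re-verification before analysis (or in court): image still matches the recorded hash."""
    return sha256_file(image_path) == record["sha256_image"]


def demo() -> dict:
    """Acquire a constructed sample disk, re-verify it, then show that tampering is caught."""
    workdir = tempfile.mkdtemp(prefix="vdi-ir-")
    src = os.path.join(workdir, "vdi-desktop-01-flat.vmdk")   # constructed stand-in, not a real disk
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))                 # deliberately not a multiple of CHUNK
    img = os.path.join(workdir, "vdi-desktop-01.img")
    rec = acquire_image(src, img, case_id="IR-2013-0042", examiner="J. Examiner")
    rec["reverify_ok"] = verify_image(img, rec)
    with open(img, "r+b") as f:                                # flip one bit: the copy is no longer evidence
        f.seek(CHUNK + 7)
        b = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([b[0] ^ 0x01]))
    rec["tamper_detected"] = not verify_image(img, rec)
    return rec


if __name__ == "__main__":
    r = demo()
    print(json.dumps({k: r[k] for k in ("sha256_source", "sha256_image", "verified",
                                         "reverify_ok", "tamper_detected")}, indent=2))
```

Hashing the source during the copy and the image afterwards, rather than trusting a single pass, is what lets the record answer the two questions an examiner will be asked: did the copy match the original at the time, and is this still the same copy.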

Is this a comprehensive list? Not at all. It’s just the beginning. The first step is getting Security to the table and getting them actively participating in design and operational decisions. With higher and higher consolidation ratios, it becomes more important than ever to instrument the virtual infrastructure. For larger organizations, tools like EMC NetWitness can provide insight into all aspects of the software-defined data center. SIEM engines like ArcSight can correlate events and provide an enterprise-wide threat dashboard. For small organizations, there is a large number of open source tools available.

Security professionals, where are you seeing resistance while trying to do your jobs in the software-defined data center? What requirements are you finding most challenging to address? Let us know in the comments below!

Bill Mansfield has worked as a Senior Security Consultant at VMware for the past 6 years. He has extensive knowledge on transitioning traditional security tools into the virtual world.


The Proof is in the Impact

Today’s challenging business environment is a convergence of many changes. In this new business paradigm, IT executives are faced with determining how to best direct their staff, how to redesign IT processes, and how to use technology to grow businesses and/or fundamentally shift business models. Anticipating and staying abreast of these challenges requires thought leadership and seamless technical capabilities.

In this video, Michael Hubbard, Sr. Director of Accelerate and Services Sales for the Americas, discusses the value of gleaning best practices and insights from our consulting experts on virtualization, end user computing, cloud computing and more in this blog. He also shares a customer success story where VMware delivered an impactful, always-on point-of-care solution for a major hospital.

Check back soon for more stories, best practices and insights.