Multi-Layered Internet Separation: A New Approach for Endpoint Security & User Experience

Oct 3, 2017
Barak Nissim


Barak Nissim is a senior practice systems engineer for VMware EMEA End-User Computing.


Rising cybersecurity threats and massive data breaches, such as WannaCry, force more and more organizations to adopt stricter security policies to minimize risks. All industries are under the same threat, from government and local authorities to banking and finance, including technology companies with patents and trade secrets.

“Ransomware growth will plateau in 2017, but attack methods and targets will diversify.”
The Next Tier: Trend Micro Security Predictions for 2017

Cyber attackers do not care who users are. They just want access to data and assets.

“Attacks will come from all directions and leverage both east-west and north-south attack vectors.”
McAfee Labs 2017 Threats Predictions


A recent study, Kaspersky Security Bulletin 2016, revealed that almost 80% of attacks on users stem from a malicious website. Image Source: Kaspersky Lab.

Almost 80% of attacks on users stem from malicious URLs.
Kaspersky Security Bulletin 2016


The same study reveals that 50% of exploits are distributed through browsers. Image Source: Kaspersky Lab.

50% of exploits used in cyber attacks are distributed through browsers.
Kaspersky Security Bulletin 2016

To combat this rising threat of user-downloaded malware, “internet separation” is fast becoming the go-to methodology for many companies across the globe.

What Is Internet Separation?

Internet separation is an IT strategy that physically separates networks to protect the entire endpoint ecosystem. This strategy is commonly called “creating an air gap” or enabling “secure browsing.”

[Read more at CIO Vantage: Security Through Internet Separation]

Most organizations today choose:

  • Physical internet separation.
  • Proxy-enabled internet access patches with scanning and other defenses.
  • Proxy-enabled connections where the web traffic flows through multiple filtering and protection engines—the physical endpoint can reach the internet directly.

The physical internet separation approach can heighten security, but user experience is often negatively impacted. Users must learn how to use multiple networks and potentially move from one office building to another to work. This often leads to increased training costs and reduced productivity. For IT, physical internet separation can double desktop capital costs and operational investments. Users must have two computers: one on the internet-accessible network and another on a non-internet accessible network.

The proxy-enabled approach offers a better user experience. On the security level, however, a single NIC/IP/OS can be attacked or misused, allowing malware to spread across all the devices in the endpoint ecosystem.

How can IT provide better security posture for their organization and give users a great user experience?

Multi-Layered Internet Separation: A New Approach for Better Security & User Experience

To help organizations design and deploy a cohesive solution with advanced security features and great user experiences, VMware developed a new approach: multi-layered internet separation. This comprehensive approach increases end-user productivity and creates internet anonymity by leveraging best-in-class security attributes across all layers of the compute and infrastructure stack—from networks to applications.

Using Horizon, SDDC and NSX, IT can deliver stateless virtual desktops and published applications with network policies that secure the environment. This innovative solution virtually eliminates the costs needed for multiple desktops per user and significantly reduces the complexities of managing multiple physical networks. Users benefit from a superior user experience with strong IT security and governance.

Let’s dive deeper into key concepts of each layer in this innovative, new security stack.

A Layered Approach to Internet Separation & Endpoint Security


A stateless virtual desktop model can also help reduce the surface area for any potential malware attacks. Imagine a virtual desktop that is created when a user logs on and destroyed when that user logs off. IT can set up a pool of virtual desktops that fit this model, including pools that can access the internet and pools that cannot. Virtual desktops in each pool only get created once a user logs into a specific pool.

With the Just-in-Time Management Platform (JMP) that’s built into Horizon, apps and user environment settings are injected at login and removed at logoff, providing a secure, stateless desktop option that’s tailored for personal and exceptional end-user experiences.

Layer 1: Isolated Hardened Virtual Desktop Infrastructure

This layer is based on VMware vSphere. Enabling a secure web gateway in the first layer helps enforce hardening guides, limit connectivity and separate user clusters from management clusters.

Layer 2: Virtualization Services Networking & Security

Micro-segmentation is a very powerful concept that enables a zero-trust network for a virtualized environment. Controlling each virtual machine (VM) at the virtualized Network Interface Card (vNIC) level allows IT to gain full visibility into network traffic and define policies to better manage these connections. Virtualization-aware antivirus and user-based firewalls make NSX the cornerstone of this layered solution. Additionally, third-party solutions can be integrated to extend functionality, such as data loss prevention (DLP), intrusion prevention and detection systems (IPDS), remediation and other advanced security capabilities.
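The per-vNIC, tag-based policy described above can be pictured as a small first-match rule table with an explicit default deny. The following Python is an added example written for this page; it is not NSX code or anything VMware ships, and the VM names, security tags, address ranges and rules are all constructed. It evaluates sample flows for an internet-facing pool and a corporate pool, shows that desktop-to-desktop (east-west) and desktop-to-management traffic is denied regardless of IP address, and includes a small audit that flags rules shadowed by an earlier rule, which is one way a zero-trust policy silently degrades over time.

```python
"""Toy model of per-vNIC micro-segmentation: first-match rules on security
tags with an explicit default deny. Constructed example, not NSX code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed inventory: each VM's vNIC carries security tags, so policy is
# written against the VM's role rather than whatever IP it happens to hold.
VM_TAGS: Dict[str, Set[str]] = {
    "vdi-inet-01": {"pool:internet"},
    "vdi-inet-02": {"pool:internet"},
    "vdi-corp-01": {"pool:corporate"},
    "fileshare-01": {"role:fileshare"},
    "vcenter-01": {"role:management"},
}
# Constructed internal address space; any address outside it is "internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src_vm: str   # VM whose vNIC the rule is enforced on
    dst: str      # destination VM name, or an IP address as a string
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # tag, "pool:*" (any desktop pool) or "any"
    dst: str               # tag, "pool:*", "internet" or "any"
    ports: FrozenSet[int]  # empty set means any port
    action: str            # "allow" or "deny"


def _as_ip(value: str):
    try:
        return ip_address(value)
    except ValueError:
        return None


def _matches(selector: str, endpoint: str) -> bool:
    """True if the endpoint (VM name or IP string) satisfies the selector."""
    if selector == "any":
        return True
    ip = _as_ip(endpoint)
    if selector == "internet":
        return ip is not None and not any(ip in net for net in INTERNAL_NETS)
    tags = VM_TAGS.get(endpoint, set())   # IPs and unknown names have no tags
    if selector == "pool:*":
        return any(t.startswith("pool:") for t in tags)
    return selector in tags


def evaluate(flow: Flow, policy: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; the trailing default-deny should always hit."""
    for rule in policy:
        if not _matches(rule.src, flow.src_vm):
            continue
        if not _matches(rule.dst, flow.dst):
            continue
        if rule.ports and flow.port not in rule.ports:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy for the two-pool design: desktops may never reach
# management or each other; only the internet pool gets web egress.
POLICY: List[Rule] = [
    Rule("block-mgmt-from-desktops", "pool:*", "role:management", frozenset(), "deny"),
    Rule("no-lateral-desktop", "pool:*", "pool:*", frozenset(), "deny"),
    Rule("internet-pool-web", "pool:internet", "internet", frozenset({80, 443}), "allow"),
    Rule("corp-pool-fileshare", "pool:corporate", "role:fileshare", frozenset({445}), "allow"),
    Rule("default-deny", "any", "any", frozenset(), "deny"),
]


def audit(policy: List[Rule]) -> List[str]:
    """Flag rules that can never match because an earlier rule fully covers
    them (same or broader selectors and the same or a superset of ports)."""
    findings = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            same_sel = earlier.src in (later.src, "any") and earlier.dst in (later.dst, "any")
            covers_ports = not earlier.ports or (later.ports and later.ports <= earlier.ports)
            if same_sel and covers_ports:
                findings.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return findings


if __name__ == "__main__":
    for f in (Flow("vdi-inet-01", "203.0.113.10", 443), Flow("vdi-inet-01", "vcenter-01", 443),
              Flow("vdi-inet-01", "vdi-inet-02", 445), Flow("vdi-corp-01", "fileshare-01", 445)):
        print(f.src_vm, "->", f.dst, f.port, evaluate(f, POLICY))
    print("audit:", audit(POLICY) or "no shadowed rules")
```

The point of enforcing at the vNIC is visible in the `no-lateral-desktop` rule: two desktops in the same pool, on the same subnet, still cannot talk to each other, which a perimeter firewall cannot express. The `audit` helper is deliberately conservative (it only reports rules that are completely covered), so a clean audit is necessary but not sufficient evidence that the policy is correct.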

Layer 3: Stateless Operating System (OS)

VMware Instant Clone Technology is a new approach to creating desktops and RDSH servers. Admins can create a VM in seconds leveraging Instant Clone Technology, producing instant, in-memory, non-persistent clones. There is no need to pre-deploy resources that consume capacity and act as an attack surface. Instead, IT can create resources on demand and delete them afterwards for maximum security and efficiency.

[Read more at the VMware EUC Blog: Bulletproof RDSH]

Layer 4: Application & User Protection

JMP is built on Instant Clone Technology, VMware App Volumes and VMware User Environment Manager. Technology in layer four powers applications and customization.

App Volumes delivers applications to desktops enabled by application layering technologies. App Volumes AppStacks are read-only and cannot be manipulated by attackers to plant malicious code. This can be achieved with VMware ThinApp, as well.

User Environment Manager controls and manages all aspects of application configuration and personalization. IT can predefine and enforce application configuration, block applications and control privilege elevation for admin use. Smart Policies simplify desktop security by evaluating users’ context at login/connect and even while in session.

[Watch and learn more: VMware JMP Video]

Layer 5: Content Disarmament & File Sanitation

Content consumption is an important piece of the multi-layered approach to internet separation. Users expect to move data inside the organization in order to continue consuming internal resources. VMware Content Locker uses ICAP features for this (other third-party vendors can also be used here).

[Read more from VMware AirWatch: Content Locker Secures Corporate Data for Mobile Workforce]

Layer 6: Secure Web Gateway Solutions

Customers can choose any third-party, secure gateway solution to ride on top of the multi-layered approach as another in-line security engine (for web page scanning, site ranking and other functions).


VMware is the only vendor that can provide customers with true software-defined internet separation.

In a world where cyber threats are the norm on a day-to-day basis, organizations must equip themselves with solutions that prevent and isolate attacks, without incurring high costs. Some organizations that are mandating internet separation as a means of controlling cybersecurity threats are turning to physical internet separation or air gap networks. Complexity, high costs and risk in deploying and maintaining air gap networks are the barriers that prevent organizations from moving forward.

A better approach exists by combining Horizon, NSX for Horizon and VMware Identity Manager. IT can strengthen the organization’s security posture, improve operational efficiencies, reduce costs and increase employee productivity by delivering on the promise of a digital workspace to their employees.

Digital transformation is here, and as organizations look to fight against cybersecurity threats, they must embrace new technologies with a modern approach to combat cybercriminals.
