Organizations that embark on the journey of building our virtual desktop environments, are taking traditionally external endpoints and bringing them into the data center. These endpoints are now closer and most times, reside on the same networking infrastructure as the backend application servers that they may access. These endpoints run Windows or even Linux desktop operating systems with multiple end-users that can access them. Malicious attacks that would traditionally take place outside the data center should an end-user find their desktop or laptop machine infected, could now take place on their virtual desktops inside the data center. With physical equipment, it’s easy to isolate the physical desktop or laptop and remediate the attack. Securing virtual desktop environments requires a different approach, but not one that’s unattainable. Securing an end user computing deployments is one of the primary security use cases for VMware NSX and can help provide a layered approach to securing virtual desktop workloads in the data center.
The NSX platform covers several business cases for securing an end user computing deployment. Each of these use cases, helps provide a multi-layered approach to ensure end user endpoints are as secure as possible in the data center.
Figure 1 – NSX Security Services for End User Computing Use Cases
Figure 2 – NSX Security Services for End User Computing Use Cases cont.
As we revise the Horizon reference architecture for Horizon 7 as well as the NSX for EUC Design Guide, we’ll be bringing NSX reference architecture decisions into the Horizon 7 architecture to help provide guidance for customers building end user computing environments. Over the next several months, the Horizon 7 reference architecture document will continue to evolve adding more and more NSX features into it including Load Balancing, RDSH, Guest Introspection, and Identity Firewall. There are several enhancements currently and even more coming that will be simplifying NSX deployment with Horizon.
With the latest revision of the Horizon 7 reference architecture, we’re providing guidance around how to secure the East-West traffic within the Horizon deployment. This guidance is all encompassing of an entire Horizon 7 deployment.
Figure 3 – NSX and Horizon Logical Components
Securing East-West traffic between desktop systems is an easy security model to put in place using NSX. However, the VDI desktops or the RDSH systems are not the only systems that comprise a Horizon deployment. There are several Horizon management components that provide the facilities to create and spin up those VDI and RDSH systems. Each of these components communicates over specific ports and protocols. These are outlined in the Horizon 7 Network Ports document. Using the same methodologies for securing VDI and RDSH systems, NSX can provide the same level of micro-segmentation around the Horizon management components.
As part of the process to integrate NSX into the Horizon Reference Architecture, each of the communication ports and protocols were laid out into two separate PowerShell scripts using PowerNSX, to allow customers the ability to insert all the necessary NSX Distributed Firewall rules, Security Groups, and Services into the NSX Manager.
Below is an example output from the script and how the rules and the associated NSX Security Groups and Services would look in the NSX Manager:
Table 1 Horizon 7 Desktops – VDI or RDS Host
Table 2 Horizon 7 Desktops – VDI or RDS Host Services
The services listed below are the breakdowns of each port and protocol specific to the service referenced in the previous table.
For the next part of the series, we will be considering how NSX and RDSH servers can be secured as well as discussion on Load Balancing Horizon with NSX. NSX has several business cases for end user computing deployments. Securing the VDI and RDSH systems along with the Horizon management infrastructure components, provides the most in-depth micro-segmentation policy for Horizon deployments. The script referenced in this post can be downloaded here. The script is not maintained or supported by VMware at this time. It is meant more as a guide and quick start to micro-segmenting a Horizon deployment. Please treat this as such when testing. For full details of the script referenced, head over to the NSX for EUC Design Guide.