Applying the Power of Virtual Desktops Ask who has virtualization deployed? What kind? Do we need a intro to virtualization? Conrado Wang Ke Cheng de Niemeyer <chengw (at) sacredheart (dot) edu> Information Security Officer, Sacred Heart University

Virtualization Advantages “Cheap”, fast, easy to setup Application isolation Template Deployment Disaster Recovery High Availability Forensic Analysis w/P2V & in place with memory snapshots Honeypotting

Virtualization Disadvantages Using a template image One vulnerability is shared by all Same admin/root passwords??!! Possibly sequential IP range Single file Servers & Workstations Just copy one file and you’re done! Poor multimedia support Many eggs in fewer baskets Virtual Machine Sprawl

Virtualization Vulnerabilities Guest to Guest Attacks Guest to Host Attacks Guest Client Vulnerabilities Management Console/Host OS Vulnerabilities Hypervisor Vulnerabilities Not well developed and widespread, YET…

VM Security Best Practices Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching) Secure your VMs as you would physical machines Secure the Network Use Separate Private backup and SAN network Use Separate Private Management Console network Favor Type 1 Hypervisors for Production and Testing Servers VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc. Favor Type 2 use in Security applications Disable Hardware Acceleration Use QEmu (full emulation mode w/out kqemu) Disable all sharing features Favor Type 2 for Development environments Run different security zones VMs on separate physical hosts Use separate physical switches or VLANs in physical switches Run different Management stations Disable/remove unnecessary virtual hardware

Monitoring in a vSwitch

VMWare ESX Specific VMWare Update (ESX 3.5 & VC 2.5) Fix maximum size and rotation for Log Files Use Resource Management Secure the VI Console Access Verify the ESX Console Firewall rules Use SSL Certificates Encrypt Access to Virtual Center Secure Console’s Linux environment

Virtualization Applications Setting up Development Environments Setting up Testing Environments Setting up Research Environments Honeypotting Consolidate Physical Servers Virtual Secure Desktops… Provide a desktop environment for users Quickly deployed Secured Easily maintained Provide access from those environments to all work tools, systems, and services

Virtual World at Sacred Heart Univ VMware VI3 & vSphere 4 65 Virtual Servers 255 Virtual Desktops Running on 15 Physical blade servers Virtual Desktop Infrastructure (VDI) Secure Desktop Virtual HDD Streaming Thin Clients in our Labs Virtual Test Environments

Secure Desktop (VDI) Architecture

Secure Gateway Architecture

HDD Streaming Architecture

Secure Desktop Backend at SHU Hardware Software HP c7000 Blade Enclosure HP BL460c 2 x Quad Core 2.3Ghz (Intel E5450) 32 GB RAM 4 x 1Gb Ethernet (on 2 separate boards) Netapp 3040 Filers 1TB for VM and vDisk Images 12TB for User/Department Data NFS & iSCSI Cisco Catalyst 3750 Switches 1Gb Ethernet (Copper) 4 x 10Gb Uplink VMware VI3 Quest vWorkspace 7.0 SSL Gateway Connection Broker Citrix Provisioning Server 5.1 PXE Boot HDD Streaming Microsoft Windows XP sp3 Yes it’s Windows 7 Ready  NetApp FlexClone

Secure Desktop Advantages Low learning curve for users Secured access to sensitive data Business data vs. User data Fast Deployment & Scalability Stand new VMs in under 2mins Policy Enforcement Local administrator privileges Anywhere, anytime access Image management Patch 1 image, update everyone Currently ERP (Datatel Colleague R17, R18) Registrar’s Human Resources Business Office Admissions (Recruitment Plus) Financial Aid (PowerFAIDS, EDConnect) Institutional Advancement (Raiser’s Edge) Health Systems (Titanium) Public Safety (ARMS) ImageNow Document Imaging w/USB scanners

Secure Desktop Disadvantages Ok Multimedia Support Now w/Flash Video ACL/Firewall Rule Maintenance Increased Complexity SSL Gateway Connection Broker Provisioning Server ESX Servers SAN & Blade Infrastructure “Quality of Life” Issues Cannot browse the web Cannot persist software changes Cannot connect certain USB devices Coming Soon Cannot access unsafe shares Cannot copy & paste to/from client Cannot connect any USB devices except sanctioned

Physical vs. Virtual Hardware Dell OptiPlex 780 Intel Core2 2.4Ghz 4GB RAM 160GB HDD Integrated Graphics 1Gb Ethernet ~$1,000 VMWare ESX 3.5 Virtual Dual to Quad Core 2.3Ghz 512MB RAM 1MB HDD RDP Graphics 1Gb Ethernet ~$290 w/existing hardware

Getting Buy-in Explain that security is important and they should just listen to IT… (HA! Just kidding… ) Initial deployment for test environments No other alternatives with new version of software Anywhere Anytime Access Ability to access legacy environments with new simultaneously Make no effort to fix the fact that VPN sucks (at least PPTP does…)

New Developments Embedded Hypervisors VMSafe VDI SAN Snapshot Clones ESXi, XenServer OEM, etc. VMSafe VDI SAN Snapshot Clones Netapp FlexClone Sophisticated Virtual Machine Detection

Demo https://securedesk.sacredheart.edu/

Resources, Q & A http://www.cisecurity.org/ http://www.securityfocus.com/ http://www.vmware.com/resources/techresources/c at/91 http://www.citrix.com/ http://www.provisionnetworks.com/