Applying the Power of Virtual Desktops

Presentation on theme: "Applying the Power of Virtual Desktops"— Presentation transcript:

1 Applying the Power of Virtual Desktops
Ask who has virtualization deployed? What kind? Do we need an intro to virtualization?
Conrado Wang Ke Cheng de Niemeyer <chengw (at) sacredheart (dot) edu>
Information Security Officer, Sacred Heart University

2 Virtualization Advantages
- “Cheap”, fast, easy to set up
- Application isolation
- Template Deployment
- Disaster Recovery
- High Availability
- Forensic Analysis w/P2V & in place with memory snapshots
- Honeypotting

3 Virtualization Disadvantages
- Using a template image
  - One vulnerability is shared by all
  - Same admin/root passwords??!!
  - Possibly sequential IP range
- Single file Servers & Workstations
  - Just copy one file and you’re done!
- Poor multimedia support
- Many eggs in fewer baskets
- Virtual Machine Sprawl

4 Virtualization Vulnerabilities
- Guest to Guest Attacks
- Guest to Host Attacks
- Guest Client Vulnerabilities
- Management Console/Host OS Vulnerabilities
- Hypervisor Vulnerabilities
- Not well developed and widespread, YET…

5 VM Security Best Practices
- Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)
- Secure your VMs as you would physical machines
- Secure the Network
  - Use Separate Private backup and SAN network
  - Use Separate Private Management Console network
- Favor Type 1 Hypervisors for Production and Testing Servers
  - VMware ESX Server, Citrix XenServer, MS Hyper-V, etc.
- Favor Type 2 use in Security applications
  - Disable Hardware Acceleration
  - Use QEMU (full emulation mode w/out kqemu)
  - Disable all sharing features
- Favor Type 2 for Development environments
- Run different security zones VMs on separate physical hosts
- Use separate physical switches or VLANs in physical switches
- Run different Management stations
- Disable/remove unnecessary virtual hardware

6 Monitoring in a vSwitch

7 VMware ESX Specific
- VMware Update (ESX 3.5 & VC 2.5)
- Fix maximum size and rotation for Log Files
- Use Resource Management
- Secure the VI Console Access
- Verify the ESX Console Firewall rules
- Use SSL Certificates
- Encrypt Access to Virtual Center
- Secure Console’s Linux environment

8 Virtualization Applications
- Setting up Development Environments
- Setting up Testing Environments
- Setting up Research Environments
- Honeypotting
- Consolidate Physical Servers
- Virtual Secure Desktops…
  - Provide a desktop environment for users
    - Quickly deployed
    - Secured
    - Easily maintained
  - Provide access from those environments to all work tools, systems, and services

9 Virtual World at Sacred Heart Univ
- VMware VI3 & vSphere 4
- 65 Virtual Servers
- 255 Virtual Desktops
- Running on 15 Physical blade servers
- Virtual Desktop Infrastructure (VDI)
- Secure Desktop
- Virtual HDD Streaming
- Thin Clients in our Labs
- Virtual Test Environments

10 Secure Desktop (VDI) Architecture

11 Secure Gateway Architecture

12 HDD Streaming Architecture

13 Secure Desktop Backend at SHU
Hardware
- HP c7000 Blade Enclosure
- HP BL460c
  - 2 x Quad Core 2.3 GHz (Intel E5450)
  - 32 GB RAM
  - 4 x 1Gb Ethernet (on 2 separate boards)
- NetApp 3040 Filers
  - 1TB for VM and vDisk Images
  - 12TB for User/Department Data
  - NFS & iSCSI
- Cisco Catalyst 3750 Switches
  - 1Gb Ethernet (Copper)
  - 4 x 10Gb Uplink

Software
- VMware VI3
- Quest vWorkspace 7.0
  - SSL Gateway
  - Connection Broker
- Citrix Provisioning Server 5.1
  - PXE Boot
  - HDD Streaming
- Microsoft Windows XP SP3
  - Yes it’s Windows 7 Ready
- NetApp FlexClone

14 Secure Desktop Advantages
- Low learning curve for users
- Secured access to sensitive data
  - Business data vs. User data
- Fast Deployment & Scalability
  - Stand up new VMs in under 2 mins
- Policy Enforcement
  - Local administrator privileges
- Anywhere, anytime access
- Image management
  - Patch 1 image, update everyone
- Currently
  - ERP (Datatel Colleague R17, R18)
  - Registrar’s
  - Human Resources
  - Business Office
  - Admissions (Recruitment Plus)
  - Financial Aid (PowerFAIDS, EDConnect)
  - Institutional Advancement (Raiser’s Edge)
  - Health Systems (Titanium)
  - Public Safety (ARMS)
  - ImageNow Document Imaging w/USB scanners

15 Secure Desktop Disadvantages
- Ok Multimedia Support
  - Now w/Flash Video
- ACL/Firewall Rule Maintenance
- Increased Complexity
  - SSL Gateway
  - Connection Broker
  - Provisioning Server
  - ESX Servers
  - SAN & Blade Infrastructure
- “Quality of Life” Issues
  - Cannot browse the web
  - Cannot persist software changes
  - Cannot connect certain USB devices
- Coming Soon
  - Cannot access unsafe shares
  - Cannot copy & paste to/from client
  - Cannot connect any USB devices except sanctioned

16 Physical vs. Virtual Hardware
- Dell OptiPlex 780
  - Intel Core2 2.4 GHz
  - 4GB RAM
  - 160GB HDD
  - Integrated Graphics
  - 1Gb Ethernet
  - ~$1,000
- VMware ESX 3.5 Virtual
  - Dual to Quad Core 2.3 GHz
  - 512MB RAM
  - 1MB HDD
  - RDP Graphics
  - 1Gb Ethernet
  - ~$290 w/existing hardware

17 Getting Buy-in
- Explain that security is important and they should just listen to IT… (HA! Just kidding…)
- Initial deployment for test environments
- No other alternatives with new version of software
- Anywhere Anytime Access
- Ability to access legacy environments with new simultaneously
- Make no effort to fix the fact that VPN sucks (at least PPTP does…)

18 New Developments
- Embedded Hypervisors
  - ESXi, XenServer OEM, etc.
- VMSafe
- VDI SAN Snapshot Clones
  - NetApp FlexClone
- Sophisticated Virtual Machine Detection

19 Demo

20 Resources, Q & A
- http://www.cisecurity.org/
at/91

