February 5, 2012

SE7811 – VMware View Security Architecture and Best Practices

My second session of the day dove into VMware View. I wanted to attend a number of View sessions because I was interested in what was going to be new in 4.5. A few of the things mentioned early in the session were:

  • Kiosk Mode: no user authentication; access is granted based on the device MAC address
  • Delegated role-based access control
  • Smart card authentication for PCoIP
  • Online certificate status protocol support
  • vShield Endpoint

Some best practices that were mentioned for security in a View deployment:

  • Harden virtual desktops (no surprise)
    • Set refresh intervals
    • Patch base OS
    • View Agent: in a high-security environment you may want to disable USB redirection, drive redirection, clipboard redirection and/or printer redirection
  • Harden Connection Server, Security Server, and Replica Server
    • Standard Windows and database hardening:
      • Password policy
      • Patching
      • Disabling unneeded services and network protocols (only IPv4 is needed)
      • Replacing the default certificate (a self-signed certificate is installed by default) with an SSL certificate signed by a recognized CA
      • Disabling unneeded ciphers
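The two certificate and cipher items above are easy to check from the outside. The script below is an added example (not from the session or from VMware) that audits any TLS listener: it flags a certificate whose issuer equals its subject (the self-signed default), flags legacy or anonymous cipher suites by name, and builds a client context that only offers modern ECDHE AEAD suites. The host and port, and the two sample certificate dicts, are constructed assumptions; the script uses only the Python standard library and does not model View's own configuration mechanism.

```python
"""Audit helpers for the hardening items above: self-signed certificate and
weak cipher detection, plus a restricted TLS client context.
Added example, not session material or VMware code; host/port and the
sample certificate dicts are constructed assumptions."""
import socket
import ssl

# Substrings that mark an OpenSSL-style cipher name as legacy or unauthenticated.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON", "ADH", "AECDH")

# Constructed sample dicts in the shape ssl.getpeercert() returns.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "view-connection.example.test"),),),
    "issuer": ((("commonName", "view-connection.example.test"),),),
    "notAfter": "Feb  5 00:00:00 2013 GMT",
}
SAMPLE_CA_SIGNED = {
    "subject": ((("commonName", "view-connection.example.test"),),),
    "issuer": ((("organizationName", "Example Recognized CA"),),
               (("commonName", "Example CA Root"),)),
    "notAfter": "Feb  5 00:00:00 2013 GMT",
}


def is_weak_cipher(name: str) -> bool:
    """True if the cipher suite name uses a legacy or anonymous algorithm."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def is_self_signed(cert: dict) -> bool:
    """True if the issuer DN equals the subject DN (the self-signed default)."""
    subject = cert.get("subject")
    return bool(subject) and subject == cert.get("issuer")


def hardened_context() -> ssl.SSLContext:
    """Client context with TLS 1.2+ and only ECDHE AEAD suites enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def list_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of weak suites a context would still offer (empty for a hardened one)."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a verifying context and report certificate/cipher findings.
    The host and port are assumptions; this performs a live connection."""
    findings = []
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as ssock:
                cert = ssock.getpeercert()
                negotiated = ssock.cipher()[0]
                if is_self_signed(cert):
                    findings.append("certificate is self-signed")
                if is_weak_cipher(negotiated):
                    findings.append(f"weak cipher negotiated: {negotiated}")
    except ssl.SSLCertVerificationError as exc:
        # The default self-signed certificate fails chain validation here.
        findings.append(f"certificate verification failed: {exc.verify_message}")
    return {"host": host, "port": port, "findings": findings}


if __name__ == "__main__":
    import sys
    print("sample self-signed:", is_self_signed(SAMPLE_SELF_SIGNED))
    print("sample CA-signed:", is_self_signed(SAMPLE_CA_SIGNED))
    print("weak suites in hardened context:", list_weak_ciphers(hardened_context()))
    if len(sys.argv) > 1:  # optional live audit: python audit.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(audit_endpoint(sys.argv[1], port))
```

Run it with a hostname to audit a listener; without arguments it only exercises the offline checks. A certificate that fails chain validation is reported through `verify_message` rather than inspected, since a verifying context never hands back a certificate it rejected.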

One thing to note is that View 4.5 changes the TCP and UDP port from 50002 to 4172.

Things to consider when deploying:

  • Proper authentication methods
  • Use of a security server or VPN for remote access (PCoIP would use VPN access)
  • Firewall requirements
  • Set up administrative role-based access controls
  • User entitlements
  • Desktop zoning considerations

Role Based Access Control:

  • Limit the root admin role to a small number of administrators
  • For large deployments organize pools into folders and delegate admin roles to the folders by geographic region, business unit, function or compliance requirement

Make sure to set appropriate entitlements for users; different types of users will likely need different desktops, e.g. internal, remote, contractor, supplier and compliance-driven (HIPAA, PCI) desktops. Based on the entitlements assigned, zone desktops and restrict access to resources accordingly, for example high-risk-activity desktops that can only browse the web and use email, or internal-only desktops.

Also covered was vShield, which is actually three products:

  • vShield Endpoint
    • This is the AV engine: it lets you take the scanning engine out of each VM and run the scans from a central AV server.
    • Can yield a 95%+ reduction in guest footprint and is included with VMware View Premier. Endpoint is what solves the problem of having to stagger antivirus scans and antivirus definition updates.
  • vShield App
    • This is the vNIC-level firewall: you can create firewall rules right at the vNIC.
    • You could, for example, create a rule that disallows all VM-to-VM connectivity, so that if one user's VM were infected it would not affect other users on the network.
  • vShield Edge
    • This is similar to a layer 3 edge firewall, used for creating multiple virtual datacenters.


About mike
I am currently a Consulting Architect working for Nexus Information Systems in the Twin Cities, MN area. My professional summary is available via my LinkedIn page. I can be contacted by the Contact Me link at the top of the site. I also spend (too much) time on Twitter so feel free to follow or send me a tweet.