Secure Distributed Desktops using NSX for Horizon with Sphere3D Appliances
After last week’s Black Hat event in Las Vegas (https://www.blackhat.com/) I can say the landscape is changing: securing east-west traffic in VDI should be on this year’s Christmas list, or you may be one Project Sauron away from your next exploit (http://www.bbc.com/news/technology-37021957).
Distributed Security for Distributed Virtual Desktops
We recently introduced the capabilities of decentralized VDI with centralized management, giving users the best user experience with real desktop resilience. Distributed Desktop Hyperconvergence appliances (http://sphere3d.com/v3-hyperconverged-solutions/) come loaded with a prebuilt vSphere 6 stack to support Horizon and Desktop Orchestration with DCO 2.5.11 (http://sphere3d.com/desktop-orchestrator-software/). Moving the virtual desktop compute out to the edge is how we reduce the cost of a virtual desktop against a physical desktop while still retaining the “single pane of glass” approach to the distributed VDI architecture. This month I want to talk about another important aspect of the distributed desktop architecture: the network services. The exploits demonstrated at the 19th annual Black Hat USA showed attackers using increasingly sophisticated machine-to-machine communication to compromise desktops with malware and ransomware, moving desktop to desktop or desktop to application server.
As a consultant building VDI solutions for customers, I saw the rise of east-west traffic in VDI, defined as desktop-to-desktop and desktop-to-application traffic, and the vulnerabilities that came with it in virtualization as we started building out VLANs in the datacenter to support centralized-compute VDI. Logically, as we bring the desktops into the datacenter we create increased risk and exposure, from zero-day infection timelines to ransomware, as we centralize these end users; we also complicate the datacenter networking by trying to implement compliance and regulatory provisions over both the desktop domain and the server domain. This is of course just one of many discussions when you talk about security and the desktop; as one example, the recent loss of the Windows Secure Boot golden key allows backdoor exploits that are lurking (http://appleinsider.com/articles/16/08/10/oops-microsoft-leaks-its-golden-key-unlocking-windows-secure-boot-and-exposing-the-danger-of-backdoors).
The Distributed Desktop Hyperconvergence architecture is designed to help reduce these risks by keeping the desktop compute out at the edges instead of in the datacenter. It enhances this capability by leveraging NSX for Horizon (https://www.vmware.com/products/horizon/horizon-nsx.html) and decentralized compute appliances, and by creating new network services that help reduce, or possibly eliminate altogether, the WAN connection charges of small business to mid-enterprise customers by leveraging L2/L3 tunnels. It also provides desktop failover, assuring persistent protection and securing of the network requirements as desktops fail over or move from appliance to appliance.
What’s NSX for Horizon?
VMware NSX™ for Horizon® brings speed and simplicity to VDI networking. Administrators can set policies that dynamically adapt to the end user’s computing environment, with network security services that map to the user based on role, logical grouping, desktop operating system, and more—independent of the underlying network infrastructure. Centrally administered policy is automatically attached to each desktop VM as soon as the desktop is created, so organizations can scale with confidence, with security that persistently follows the virtual desktop across multiple V3 Desktop appliances.
Sphere 3D V3 Appliances and Network virtualization
Leveraging the portfolio of appliances, I have created a reference architecture showing how the Sphere 3D EUC Nodes create a complete multi-site strategy for deployments from small to large. First let’s talk about the rationalized compute platform that is laid down on all V3 appliances. This is the vSphere 6 hypervisor, built from a prescribed BOML, with the drivers and VIBs loaded to support GPUs, networking and advanced PCI technologies. Once turned on, it leverages DCO to support desktop orchestration and automation for Horizon to deploy desktops. This deployment could be with an EUC Node (2U) for hosted desktops or our (1U) Flex Node for offline desktops or Horizon Flex. Flex Nodes are built as a building block for the V3 DDH, providing management functions for small to medium vCenter and View deployments, or, for secure environments, supporting distributed functionality like NSX Manager, Service Composer and Controller clusters. Once deployed, NSX for Horizon will enable DFW and DRL on the (2U) EUC Nodes. Below or attached is an architecture diagram that illustrates how we would deploy a multi-site architecture with only an Internet connection as the minimum requirement, connecting 2 branch offices over an L2VPN (software VPN to software VPN) or up to 10 branches using L3 (hardware-based VPN to NSX) Edge Services.
DCO and NSX
DCO and VMware NSX for Horizon improve desktop virtualization security and help address east-west threats by enabling administrators to define policy centrally. That policy is then distributed to the hypervisor layer within every V3 appliance and automatically attached to each virtual desktop as soon as the desktop is created. To secure virtual desktops and adjacent workloads within the data center, VMware NSX implements “micro-segmentation,” giving each desktop its own perimeter defense. This “shrink-wrapped security” uses the VMware NSX distributed virtual firewall to police traffic to and from each VM, eliminating unauthorized access between desktops and adjacent workloads. When DCO moves the virtual desktop from one appliance to the next, or across different sites, the policy automatically follows it.
The example presented in the architecture is a main branch needing to connect to two other branches. Using business cable and NSX Edge Services on the V3 Desktop appliance, you can create a transport-layer site-to-site VPN and leverage the multiple appliances as one logical network. This would usually involve having to coordinate and pay for an MPLS circuit and a PVC monthly cost on top of the service costs. IT can now set up DFW rules and implement multi-tiered information access based on compliance requirements for site one, and they get replicated out via the controllers at the main office to the Edge Services on all the appliances. Control of east-west traffic and of traditional north-south traffic is now simplified and in one place. Integration of major third parties like Trend Deep Inspection into NSX allows us to provide a single centralized approach to image management and to maintaining compliance when enforcing policies. This lets IT respond to threats, versus reacting to contain an exposure, or fearing contamination, once a single appliance gets compromised.
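To make the micro-segmentation behaviour described above concrete, here is a small added model (my own illustration, not NSX or DCO code): rules reference security groups resolved from VM attributes rather than IP addresses, so a desktop keeps the same policy after DCO moves it to another appliance with a new address. Group names, VM roles and addresses are constructed for the example.

```python
# Constructed model of group-based distributed firewall (DFW) policy.
# Illustrative only; it does not use the NSX API.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class VM:
    name: str
    ip: str
    appliance: str
    role: str          # assumed attribute, e.g. "desktop" or "app-server"

@dataclass
class Rule:
    name: str
    src: str           # security group name
    dst: str
    service: Optional[Tuple[str, int]]   # (protocol, port); None = any
    action: str        # "allow" or "deny"

# Groups are membership criteria evaluated at lookup time (like dynamic
# groups keyed on OS, AD group or tag), never static address lists.
GROUPS: Dict[str, Callable[[VM], bool]] = {
    "vdi-desktops": lambda vm: vm.role == "desktop",
    "app-servers": lambda vm: vm.role == "app-server",
}

# Ordered rule table; first match wins, anything unmatched is denied.
RULES: List[Rule] = [
    Rule("desktop-to-app-https", "vdi-desktops", "app-servers", ("tcp", 443), "allow"),
    Rule("block-desktop-east-west", "vdi-desktops", "vdi-desktops", None, "deny"),
    Rule("block-desktop-to-servers", "vdi-desktops", "app-servers", None, "deny"),
]

def evaluate(src: VM, dst: VM, proto: str, port: int) -> str:
    """Return the action of the first matching rule (default deny)."""
    for r in RULES:
        if GROUPS[r.src](src) and GROUPS[r.dst](dst):
            if r.service is None or r.service == (proto, port):
                return r.action
    return "deny"

def move_desktop(vm: VM, appliance: str, new_ip: str) -> VM:
    """DCO-style move: new appliance and address, same identity and role."""
    return VM(vm.name, new_ip, appliance, vm.role)

def demo() -> Dict[str, str]:
    d1 = VM("desk-01", "10.1.0.11", "site1-euc-node", "desktop")
    d2 = VM("desk-02", "10.1.0.12", "site1-euc-node", "desktop")
    app = VM("erp-01", "10.0.5.20", "site1-flex-node", "app-server")
    moved = move_desktop(d1, "site2-euc-node", "10.2.0.11")
    return {"desktop_to_desktop_smb": evaluate(d1, d2, "tcp", 445),
            "desktop_to_app_https": evaluate(d1, app, "tcp", 443),
            "desktop_to_app_rdp": evaluate(d1, app, "tcp", 3389),
            "moved_desktop_to_app_https": evaluate(moved, app, "tcp", 443),
            "moved_desktop_to_desktop_smb": evaluate(moved, d2, "tcp", 445)}
```

A newly created desktop needs no per-VM rule: the moment it carries the desktop role it falls under the same table, which is the "policy attached at creation" behaviour the section describes.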
Secured Distributed Desktops
Understand that an APT (advanced persistent threat) could be resident, as we speak, on any number of your desktops, and that the level of cyber-attacks isn’t decreasing. Desktop security is an inevitability that IT has to respond to, not react to. You will find that most anti-virus, anti-malware, rootkit removal and similar tools only do 80 percent of the job, not because they fail but because of human interaction and intent. NSX allows you to create true micro-segmentation to help you respond to the threat, versus just reacting to the threats of today.
Implementing DDH with NSX is the next level of desktop security for End User Computing.
- Providing Site to Site failover for Persistent Virtual Desktops
- Providing Desktop to Desktop security from internal threats or compromised desktops.
- Providing Desktop to End Application server security
- Creating security services offload capabilities like Load Balancing, End-Point Protection or Firewalls
- Providing Automation and Orchestration for desktop management and recovery
- Reducing the cost of remote and branch office desktop and infrastructure management
Sphere 3D Elite and Elite Pro partners
Finding the talent and capabilities to deliver this business outcome is key to the mission of end-point protection. We have worked to build our portfolio of partners to support advanced designs with virtual desktops for knowledge worker, business graphics and professional graphics users. Our Elite and Elite Pro partners have experience in delivering End User Computing solutions that combine a company’s unique needs with our scalable platform to provide a next-generation desktop platform that truly takes advantage of today’s technology while building for tomorrow. Contact Sales@sphere3D.com if you want to know more or find the local resources to help you understand what’s involved in a Distributed Desktop Hyperconvergence solution.
Editorial Note: I will be out at VMworld 2016 so if you see me stop me and say hi!