DATA DISCOVERABILITY: Using VMware View 5.3 to create a secured data access platform
Kim Bottu
vSphere 5.5 / View 5.3

ABOUT ME
6 years of experience with VMware products
Virtualization Engineer - 3 years
Top 10 ranked Big Law firm in the world, with offices around the world:
International
Corporate law
Anti-trust
Litigation
DOCUMENT SECURITY
To me, document security was mostly about logical security:
NAS shares
Folder permissions
Active Directory
File permissions
Specific applications
This fits the needs of most national and local companies.
DATA DISCOVERABILITY
Problem:
Lots of big international clients / EU and non-EU
Which lawyers review the data?
What happens when a judge outside of the EU wants to impound EU data?
Worries about data discoverability
Specific need: Make data less discoverable from outside of the EU. Protect EU data better.
DATA DISCOVERABILITY
Risk: trust
International teams (root accounts)
1 domain (Enterprise administration)
Can anyone outside of the EU be pressured to copy data?
PRESENTATION LAYER
VMware View to present the EU data globally to all of the firm.
VMware View advantages:
Desktop security
Separate domain
VMware View Client
Web Access (Blast)
Thin clients
Storage
Relies on GPOs to enforce policies:
Local GPOs
Domain GPOs
View GPOs
THE VDI NETWORK DESIGN
To keep things simple, a two-region model:
Inside of the EU
Outside of the EU
2 VDI pool model:
Inside of the EU: EU-Pool
Outside of the EU: US-Pool
Each VDI pool uses its own network (VLAN) in the DMZ:
Inside of the EU: DMZ Network 1
Outside of the EU: DMZ Network 2
THE VDI NETWORK DESIGN
2 user groups in a new AD domain:
EU-Users
US-Users
Each AD group is entitled to its own VDI pool:
EU-Pool: EU-Users
US-Pool: US-Users
Access to data can be restricted per pool.
THE VDI NETWORK DESIGN
How do you restrict access for a region?
There are still several security considerations with this setup though.
THE VDI NETWORK DESIGN
Restricting VDI management access
https://connectionbroker.mydomain/admin
No direct connection to the VDI connection brokers
VDI security server (gateway) in the DMZ
The gateway creates a tunnel to the connection brokers
DNS entry added on the office network
So what does this look like?
THE VDI NETWORK DESIGN
To install and configure the security server, set up a pairing password on the VDI connection brokers and run the installer on the security server.
THE VDI NETWORK DESIGN
FYI: make sure the Windows Firewall is enabled, or you will not be able to pair the security server with the VDI connection brokers.
THE VDI NETWORK DESIGN
This was not enough.
Risk: users in the same pool can see data of other users on the same network.
This is a concern because:
Different shares
Different share access per user
AD authentication for shares = logical separation only
Private VLANs (require a distributed virtual switch, and therefore Enterprise Plus licensing).
There are 3 types of Private VLANs:
Promiscuous: VMs talk to all
Community: VMs talk to the other VMs in the same community and to the promiscuous PVLAN
Isolated: VMs talk to the promiscuous PVLAN only
THE VDI NETWORK DESIGN
The promiscuous PVLAN: admin VDI desktops
Access to administrative tasks outside of the local office in the EU.
The community PVLAN: most pools
No risk because of the template and GPO setup
Isolated PVLAN: specific cases
THE VDI NETWORK DESIGN
How do you create a PVLAN?
Choose a primary network, add secondary networks and select the type.
Add the PVLAN port groups to the dVS.
THE VDI NETWORK DESIGN
The advantages of this kind of network setup are:
Disable pools or connection servers = No impact to other regions.
Traveling poses no risk (Users and Admin)
Less dependent on physical network devices.
In one word: granularity.
The next slide will give you a better idea what the network setup looks like.
THE VDI CONNECTION POOL SETTINGS
Users change all the time:
Pool settings
Floating
Automated
Is this secure?
a. Automated forced logoff
b. Forced refresh or deletion of the desktop
a. Original intention: desktops grow
b. Security intention: they reduce the risk of installed Trojans that might require a reboot. Once a user logs off, the VM is either deleted or refreshed.
c. Disposable disks
THE VDI CONNECTION POOL SETTINGS
Different access rights in the same region:
a. Printing from VDI to the desktop
b. Copy paste from VDI to the desktop
c. Copy paste from the desktop to VDI
d. People forced to use a Wyse Terminal
Multiple VDI pools.
e. Different template per VDI pool
f. A PVLAN has been assigned to each template
g. Different view agent installation settings
h. Different GPOs
What does this look like?
THE VDI CLIENT DESIGN
Hide your desktop resources:
a. Disable the Function Discovery Resource Publication service in the templates.
b. Do not add the VDI user group to the local Administrators group. Users should not be able to modify the VM.
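An added check (not from the deck) for the two template settings above, run in an elevated PowerShell session on the template VM. The VDI users group name 'VDI-Users' is a placeholder; the deck does not name it.

```powershell
# Added example, not part of the original presentation.
# Verifies a View template against two slide items:
#   1. Function Discovery Resource Publication (service name FDResPub) is stopped and disabled
#   2. the VDI users group is not a member of the local Administrators group
# Get-WmiObject and ADSI are used on purpose so the check also runs on the
# Windows 7-era templates a View 5.3 deployment typically uses.
function Test-TemplateHardening {
    param([string]$VdiUserGroup = 'VDI-Users')   # placeholder group name

    $findings = @()

    # 1. FDResPub advertises the desktop (and any shares) on the local subnet.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='FDResPub'"
    if ($null -eq $svc) {
        $findings += 'FDResPub: service not present on this image'
    } elseif ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
        $findings += "FDResPub: StartMode=$($svc.StartMode) State=$($svc.State); expected Disabled/Stopped"
    }

    # 2. Enumerate local Administrators through ADSI (works without Get-LocalGroupMember).
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -contains $VdiUserGroup) {
        $findings += "Administrators: contains '$VdiUserGroup'; VDI users must not be local admins"
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
        LocalAdmins = $members
    }
}

Test-TemplateHardening -VdiUserGroup 'VDI-Users' | Format-List
```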
GPO SETTINGS AND PERSONA
Things which annoyed me:
PCoIP clipboard redirection!
Computer Configuration
GPO SETTINGS AND PERSONA
Things which annoyed me:
RDP printer redirection
User Configuration
RDP VDI GPO setting:
GPO SETTINGS: INTERNET ACCESS
Internet access is pretty critical. You do not want people to be able to upload documents to another site, or to email documents.
Virtual proxy server in the DMZ
Force the proxy server through GPO.
VDI: APPLICATION SECURITY
Most applications are embedded in the golden image
Not everyone needs the same applications.
How do you handle application distribution?
ThinApp
Application distribution through VDI Admin portal.
Users need no rights to install.
No other admin teams involved to push applications.
Not all users need the same programs
VPN tunnels, scripting tools
In combination with a floating desktop pool, this makes sure that applications can be added and removed on a whim.
SO HOW DO YOU KNOW WHEN...
How do we test if everything is secured according to our needs?
Test access from different regions.
Test credential access.
Are local admins disabled?
So the last question probably is: how do we handle client data? How can we make sure that no one has access to data he or she should not have access to?
No NAS AD account that can access all shares.
A different share per client.
Only one AD security group per share.
No rights to map shares: shares are mapped by logon script.
GPOs make sure that users cannot copy data or access other NAS shares.
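An added audit (not from the deck) of the share rules above: each client share root should grant exactly one AD security group and no broad principal. The share paths and the 'CORP' domain name are constructed placeholders, and the NAS is assumed to expose NTFS-style ACLs over SMB.

```powershell
# Added example, not part of the original presentation.
# Checks the root ACL of each client share for the deck's two rules:
#   - no broad principals (Everyone, Authenticated Users, Domain Users)
#   - exactly one AD security group besides the usual system principals
$Shares = @('\\nas01\Client-A', '\\nas01\Client-B')   # placeholder share paths
$Domain = 'CORP'                                      # placeholder domain NetBIOS name

# Expected on any share root; not counted as "the" AD group.
$SystemPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
# Any of these would open the share far beyond one client team.
$BroadPrincipals  = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                      "$Domain\Domain Users", 'BUILTIN\Users')

function Test-ClientShareAcl {
    param([string]$Path)
    $acl      = Get-Acl -Path $Path
    $findings = @()

    # Explicit and inherited ACEs alike: rights inherited from the volume root are
    # the usual way a share silently gains Domain Users.
    $identities = $acl.Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $broad = @($identities | Where-Object { $BroadPrincipals -contains $_ })
    if ($broad.Count -gt 0) { $findings += "broad principal(s): $($broad -join ', ')" }

    # Everything that is neither system nor broad is treated as an AD security group
    # (a direct user ACE shows up here too, which is itself a deviation from the rule).
    $groups = @($identities | Where-Object {
        ($SystemPrincipals -notcontains $_) -and ($BroadPrincipals -notcontains $_)
    })
    if ($groups.Count -ne 1) {
        $findings += "expected 1 AD group, found $($groups.Count): $($groups -join ', ')"
    }

    [pscustomobject]@{
        Share     = $Path
        Groups    = ($groups -join ', ')
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$Shares | ForEach-Object { Test-ClientShareAcl -Path $_ } | Format-Table -AutoSize
```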