JK

Replacing VPN with VMware Horizon - Security Considerations

Updated: May 17, 2022

Context: You are considering VDI as a means to present external access to internal resources. This transition will involve replacing Client VPN technology. This document describes security elements of the VMware Horizon platform which should be considered.

Highlighted here are the security-related considerations and documentation for the following elements: (1) the Horizon platform architecture, (2) the Blast Extreme protocol, (3) Unified Access Gateway and (4) VMware Horizon with VMware NSX.

1. Horizon Platform Architecture:

With VMware Horizon, customers can run remote desktops and applications in the data-center and deliver these desktops and applications to employees as a managed service. End-users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from remote locations.

Desktops and applications can be centralized by integrating with VMware vSphere and virtualizing server, storage, and networking resources. Placing desktop operating systems and applications on a server in the data center provides the following security advantages:

- Access to data can be restricted more easily. Because the desktop and its data stay in the data center, sensitive data can be prevented from being copied onto the end user's device, provided the clipboard, USB redirection and client drive redirection channels are disabled or filtered by policy (see section 2).

- Support for multi-factor and single-sign-on solutions.

- Desktops and applications can be rapidly provisioned to meet demand for scale-up and on-boarding requirements.

- Operating Systems and Applications can be centrally managed for the life-cycle of provisioning, upgrading and patching.

- Integration with VMware solutions such as VMware NSX can be leveraged to further secure internal communications with micro-segmentation policies.


2. Blast Extreme Protocol:

VMware Blast Extreme is a display protocol purpose-built for VDI. It supports a broad range of client devices with H.264 capability, offers low CPU consumption for longer battery life on mobile devices, adapts to increased latency or reduced bandwidth, and can use either TCP or UDP as its network transport (TLS over TCP, DTLS over UDP).

Key features of VMware Blast Extreme include the following:

- Users outside the corporate firewall can use this protocol over the corporate virtual private network (VPN), or make secure, encrypted connections to a Unified Access Gateway appliance (or the legacy Horizon security server) in the corporate DMZ.

- Advanced Encryption Standard (AES) 128-bit encryption is supported and enabled by default; the cipher can be changed to AES-256 by policy.

- Optimization controls for reducing bandwidth usage on the LAN and WAN.

- Copy and paste of text and files may be permitted or denied by policy.

- USB redirection may be permitted or denied by policy.

- USB devices may be filtered by device type for granular control.

- Client Drive Redirection may be permitted or denied by policy.
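The AES-128/AES-256 setting above is only useful if the TLS leg a remote client actually negotiates matches it. The following probe is an added example written for this page (not VMware code and not part of the original post): it opens one TLS handshake to the UAG's Blast TCP port, classifies the negotiated suite, and flags anything below TLS 1.2, non-AEAD suites, or keys shorter than the bar you set. The host name and port 8443 are assumptions; the cipher-suite names used offline are constructed samples. It observes only the client-facing TCP/TLS leg at the appliance, not the DTLS/UDP leg nor the UAG-to-agent connection, so check those separately.

```python
"""Probe the TLS session a Horizon client would get from a UAG Blast endpoint."""
import re
import socket
import ssl

# Matches both OpenSSL-style TLS 1.2 names (ECDHE-RSA-AES256-GCM-SHA384) and
# IANA-style TLS 1.3 names (TLS_AES_128_GCM_SHA256) as returned by SSLSocket.cipher().
_SUITE = re.compile(r"(AES|CHACHA20|3DES|RC4)[-_]?(128|256)?[-_]?(GCM|CCM|POLY1305|CBC)?")


def classify_cipher(suite: str) -> dict:
    """Break a cipher-suite name into bulk cipher, key size, mode and AEAD-ness."""
    m = _SUITE.search(suite.upper())
    if not m:
        return {"cipher": None, "key_bits": None, "mode": None, "aead": False}
    cipher, bits, mode = m.group(1), m.group(2), m.group(3)
    if cipher == "CHACHA20":
        bits, mode = "256", "POLY1305"
    elif cipher == "3DES":
        bits = "112"
    elif cipher == "RC4":
        bits = "128"
    if cipher == "AES" and mode is None:
        mode = "CBC"  # OpenSSL omits CBC in names such as ECDHE-RSA-AES128-SHA256
    return {
        "cipher": cipher,
        "key_bits": int(bits) if bits else None,
        "mode": mode,
        "aead": mode in ("GCM", "CCM", "POLY1305"),
    }


def assess(tls_version: str, suite: str, require_bits: int = 128) -> tuple[bool, list[str]]:
    """Return (ok, problems) for a negotiated protocol version and suite.

    Use require_bits=256 once the Horizon side has been switched from the
    default AES-128 to AES-256, so the probe confirms the change took effect.
    """
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {tls_version} is older than TLS 1.2")
    c = classify_cipher(suite)
    if c["cipher"] not in ("AES", "CHACHA20"):
        problems.append(f"bulk cipher in {suite} is not AES or ChaCha20")
    elif c["key_bits"] < require_bits:
        problems.append(f"{c['key_bits']}-bit key is below the required {require_bits}")
    if c["cipher"] and not c["aead"]:
        problems.append(f"{suite} is not an AEAD suite")
    return (not problems, problems)


def probe(host: str, port: int = 8443, timeout: float = 5.0) -> tuple[str, str]:
    """Open one TLS handshake to host:port and return (version, suite).

    Certificate checks are disabled because the goal is to observe the
    negotiation, not to trust the peer; never reuse this context in a client.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python blast_tls_check.py uag.example.com 8443 (assumed host)
        version, suite = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8443)
    else:  # constructed sample so the script runs offline
        version, suite = "TLSv1.2", "ECDHE-RSA-AES128-SHA256"
    ok, problems = assess(version, suite, require_bits=256)
    print(version, suite, "OK" if ok else "; ".join(problems))
```

Run it from outside the perimeter against the Blast external URL's host and port; a result such as `TLSv1.2 ECDHE-RSA-AES128-SHA256` tells you the AES-256 policy is not what external users are getting, regardless of what the agent-side setting says.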



3. Unified Access Gateway:

To securely present VMware Horizon desktop and application workloads externally, the VMware Unified Access Gateway (UAG) is recommended. UAG is a hardened, Linux-based virtual security appliance, typically deployed as a virtual machine on vSphere ESXi, designed specifically to protect remote access to VMware End-User Computing resources such as Horizon virtual desktops and applications. It is best described as a Layer 7 authenticating reverse proxy for the Horizon display protocols: external clients terminate on the appliance in the DMZ, and only after authentication does UAG open the display-protocol connection to the specific desktop or application that the Connection Server has brokered for that session. UAG can also be configured to use third-party endpoint compliance tools such as OPSWAT so that only trusted devices are permitted to reach desktop and application resources.

How Is This Different from a VPN?

A VPN can certainly meet the requirement of ensuring that traffic into the internal network is forwarded only on behalf of a strongly authenticated user. In that respect, Unified Access Gateway and a commercial-grade VPN are similar. There are some considerations, though, that should be pointed out.

Access control management. Unified Access Gateway applies access rules automatically: it knows not only which desktops and applications a user is entitled to, but also the internal addresses needed to reach them, which can change quickly as desktops are provisioned and recomposed. A VPN can approximate this, because most VPNs let an administrator configure network access rules per user or per group, but keeping those rules current usually takes significant administrative effort. Often it becomes too much to manage, and either authorized resources end up blocked or unauthorized ones end up reachable. The easy response for a VPN administrator is to allow unrestricted access to the internal network: authenticate to the VPN and you have the same reach as a device on the LAN. That is easy to operate but is usually a concern for corporate security, and many (though not all) VPN deployments end up in this state.

User interface. A VPN often requires the end user to set up the VPN software and authenticate to it before launching the Horizon Client. This may be secure, but users dislike the extra step. Unified Access Gateway does not change the Horizon Client user interface and removes the separate VPN step: the user launches the Horizon Client and, once authentication succeeds, is in their desktop environment with access limited precisely to the desktops and applications they are entitled to.

Performance. Many VPNs are implemented as SSL VPNs. These meet security requirements and, with Transport Layer Security (TLS), are generally considered secure, but a TLS tunnel runs over TCP. Modern display protocols rely on connectionless UDP transports, and their performance benefits erode when that traffic is forced inside a TCP tunnel (a VPN that also offers a DTLS transport over UDP avoids this, but not all do). Unified Access Gateway is designed for both security and performance rather than a trade-off between them: the display protocols terminate on the appliance over TLS and DTLS without an additional encapsulation layer, so Blast Extreme can keep its UDP transport on both the external and the internal leg, which gives the best possible user experience.


4. VMware Horizon and VMware NSX:

VMware NSX creates entire networks in software and embeds them in the hypervisor layer, abstracted from the underlying physical hardware. Network components can be provisioned in minutes without modifying the application. NSX also embeds security functions in the hypervisor: it delivers micro-segmentation and granular, per-workload firewalling, and the policies travel with the workloads wherever they sit in the network topology. Combined with VMware Horizon and NSX's identity-based policy (firewall rules keyed to the logged-in user's directory group rather than to IP addresses), this makes it possible to tightly secure virtual desktops inside the data center and control east-west traffic, for example by blocking desktop-to-desktop traffic while allowing each desktop to reach only the application servers its user is entitled to.
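To make the model in sections 3 and 4 concrete, the following is an added Python example written for this page; it is not VMware code and does not call the NSX or UAG APIs. It expresses the perimeter (Internet to UAG, UAG to Connection Server and desktops) and the east-west desktop policy as first-match, default-deny rules keyed to workload tags rather than addresses, so a recomposed desktop with a new IP keeps its policy, and derives a desktop's tags from its user's directory groups to model identity-based rules. Workload names, tag names and the finance/HR groups are invented for illustration; the port numbers follow VMware's published Horizon network-port list (Blast 8443 and 22443, PCoIP 4172, USB redirection 32111, CDR/MMR 9427, JMS 4001/4002) and should be confirmed against the documentation for the Horizon version in use. The sample flows are constructed, not captured traffic.

```python
"""Tag-based, default-deny flow policy for a Horizon deployment behind UAG."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset  # e.g. {"horizon-desktop", "ad-group:finance"}; names are assumed


@dataclass(frozen=True)
class Rule:
    name: str
    src: str  # tag the source must carry, or "any"
    dst: str  # tag the destination must carry, or "any"
    proto: str = "any"  # "tcp", "udp" or "any"
    ports: frozenset = frozenset()  # destination ports; empty means any port
    action: str = "allow"


# Workloads are identified by tags, never by addresses, which is what lets the
# policy travel with a desktop when it is recomposed or moved between hosts.
INTERNET = Workload("internet", frozenset({"internet"}))
UAG = Workload("uag01", frozenset({"uag"}))
CS = Workload("cs01", frozenset({"connection-server"}))
DC = Workload("dc01", frozenset({"domain-controller"}))
FIN_APP = Workload("finapp01", frozenset({"app:finance"}))


def desktop(name: str, ad_groups: list[str]) -> Workload:
    """Identity-based tagging: the desktop inherits its logged-in user's AD groups as tags."""
    return Workload(name, frozenset({"horizon-desktop", *(f"ad-group:{g}" for g in ad_groups)}))


DESK_FIN = desktop("vdi-fin-001", ["finance"])
DESK_HR = desktop("vdi-hr-002", ["hr"])

# First match wins, top-down; anything unmatched falls through to deny.
POLICY = [
    Rule("block-desktop-to-desktop", "horizon-desktop", "horizon-desktop", action="deny"),
    Rule("internet-to-uag-blast-tcp", "internet", "uag", "tcp", frozenset({443, 8443})),
    Rule("internet-to-uag-blast-udp", "internet", "uag", "udp", frozenset({443, 8443})),
    Rule("internet-to-uag-pcoip", "internet", "uag", "any", frozenset({4172})),
    Rule("uag-to-cs-xmlapi", "uag", "connection-server", "tcp", frozenset({443})),
    Rule("uag-to-desktop-blast", "uag", "horizon-desktop", "any", frozenset({22443})),
    Rule("uag-to-desktop-pcoip", "uag", "horizon-desktop", "any", frozenset({4172})),
    Rule("uag-to-desktop-usb-cdr", "uag", "horizon-desktop", "tcp", frozenset({32111, 9427})),
    Rule("desktop-to-cs-jms", "horizon-desktop", "connection-server", "tcp", frozenset({4001, 4002})),
    Rule("desktop-to-dc", "horizon-desktop", "domain-controller", "any", frozenset({53, 88, 389, 445, 636})),
    Rule("finance-desktops-to-finance-app", "ad-group:finance", "app:finance", "tcp", frozenset({443})),
]


def _has(w: Workload, tag: str) -> bool:
    return tag == "any" or tag in w.tags


def decide(src: Workload, dst: Workload, proto: str, dport: int, rules=POLICY) -> tuple[str, str]:
    """Return (action, rule_name) for a flow; no matching rule means deny."""
    for r in rules:
        if (_has(src, r.src) and _has(dst, r.dst)
                and r.proto in ("any", proto)
                and (not r.ports or dport in r.ports)):
            return r.action, r.name
    return "deny", "default-deny"


SAMPLE_FLOWS = [  # constructed flows for illustration
    (INTERNET, UAG, "tcp", 8443),
    (INTERNET, CS, "tcp", 443),  # the broker must never be reachable from the Internet
    (UAG, DESK_FIN, "tcp", 22443),
    (DESK_FIN, DESK_HR, "tcp", 445),  # east-west SMB between two desktops
    (DESK_FIN, FIN_APP, "tcp", 443),
    (DESK_HR, FIN_APP, "tcp", 443),  # HR user is not entitled to the finance application
    (DESK_FIN, CS, "tcp", 4001),
]


def evaluate_samples() -> dict[str, str]:
    """Map 'src->dst/proto/port' to the verdict for every sample flow."""
    return {f"{s.name}->{d.name}/{p}/{port}": decide(s, d, p, port)[0] for s, d, p, port in SAMPLE_FLOWS}


if __name__ == "__main__":
    for flow, verdict in evaluate_samples().items():
        print(f"{verdict:5} {flow}")
```

The useful exercise is to write your intended NSX distributed-firewall and DMZ rules in this form first and run your real expected flows through `decide`; an allow that comes back as `default-deny` is a missing rule, and a deny that comes back as `allow` is the over-broad "authenticate and reach everything" state section 3 warns about.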

