Top tools for securing a virtual desktop infrastructure

Most of the virtual desktop infrastructure technologies available are rooted in security products built for traditional desktops -- albeit with a few twists.

Here's a look at tools for patch management, application control, and antivirus and firewall protection in virtualized environments.

Patch management
VMware offers Update Manager to help administrators assess patches and deploy them to virtual guest images. While this product can be used to patch the master virtual desktop infrastructure (VDI) image, it can also be used to scan and patch offline images, or those that aren't currently turned on. This may be a valuable tool for administrators who have a lot of master images -- not all of which may be currently turned on.

Microsoft says its Offline Virtual Machine Servicing Tool can be used to patch offline images. Instead of scanning and patching offline images, as the name suggests, it moves the images to a private network, boots them up and lets them run their Windows Server Update Services patch process. The tool then shuts them down, saves them and moves them back to the production library.

Shavlik Technologies sells a product for VMware images that doesn't require Update Manager. Shavlik NetChk Protect includes the ability to scan ESX and VI Servers and assess and deploy patches to images found on those servers, whether online or offline at the time of the scan.

Application control
TriCerat offers an application control system that can help you lock down the VDI desktop, including the applications that are allowed to execute. Its software is available for Microsoft, VMware and Citrix VDI implementations.

Antivirus and firewall
Many security vendors have announced support for VMware's VMsafe program. The VMsafe application programming interfaces enable security vendors to build products that live on one Windows virtual machine (VM) and monitor CPU, disk, network and memory on other VM images on the same server. This provides centralized antivirus and firewall support for VDI images without requiring any agent on the guest image. Administrators who still want protection on the desktop should consider a free lightweight cloud-based antivirus service like Immunet Protect.

Catbird is a VMsafe vendor that has focused on security products for the virtual world. Catbird's virtual appliance provides intrusion detection and prevention; firewall services; and policy, compliance and vulnerability scanning. This is a comprehensive set of security services for VDI implementations that don't require security software to be installed or managed on each user's desktop.

Lastly, don't forget to secure your hypervisor servers themselves. For VMware implementations, check out the free host security assessment solutions from Tripwire and EMC. These tools perform assessments and provide remediation suggestions as per VMware's recommended best practices for ESX Server security configuration. For Microsoft Hyper-V, review the Hyper-V Security Guide Solution Accelerator. By securing the hypervisor, you can ensure that your VDI images remain intact.

Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.

This was first published in October 2009
