Most of the virtual desktop infrastructure security technologies available are rooted in security products built for traditional desktops, albeit with a few twists.
Here's a look at tools for patch management, application control, and antivirus and firewall protection in virtualized environments.
VMware offers Update Manager to help administrators assess patches and deploy them to virtual guest images. While this product can be used to patch the master virtual desktop infrastructure (VDI) image, it can also be used to scan and patch offline images, i.e. those that aren't currently powered on. This may be a valuable tool for administrators who have many master images -- not all of which may be powered on at any given time.
Microsoft says its Offline Virtual Machine Servicing Tool can be used to patch offline images. Instead of scanning and patching offline images, as the name suggests, it moves the images to a private network, boots them up and lets them do their Windows Server Update Services patch process. The tool then shuts them down, saves them and moves them back to the production library.
Shavlik Technologies sells a product for VMware images that doesn't require Update Manager. Shavlik NetChk Protect includes the ability to scan ESX and VI Servers and assess and deploy patches to images found on those servers, whether online or offline at the time of the scan.
TriCerat offers an application control system that can help you lock down the VDI desktop, including the applications that are allowed to execute. Its software is available for Microsoft, VMware and Citrix VDI implementations.
Antivirus and firewall
Many security vendors have announced support for VMware's VMsafe program. The VMsafe application programming interfaces enable security vendors to build products that live on one Windows virtual machine (VM) and monitor the CPU, disk, network and memory of the other VM images on the same server. This provides centralized antivirus and firewall support for VDI images without requiring any agent on the guest image. Administrators who still want protection on the desktop itself should consider a free, lightweight cloud-based antivirus service such as Immunet Protect.
Catbird is a VMsafe vendor that has focused on security products for the virtual world. Catbird's virtual appliance provides intrusion detection and prevention; firewall services; and policy, compliance and vulnerability scanning. This is a comprehensive set of security services for VDI implementations that doesn't require security software to be installed or managed on each user's desktop.
Lastly, don't forget to secure your hypervisor servers themselves. For VMware implementations, check out the free host security assessment solutions from Tripwire and EMC. These tools perform assessments and provide remediation suggestions as per VMware's recommended best practices for ESX Server security configuration. For Microsoft Hyper-V, review the Hyper-V Security Guide Solution Accelerator. By securing the hypervisor, you can ensure that your VDI images remain intact.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.