Most of the virtual desktop infrastructure technologies available are rooted in security products built for traditional desktops -- albeit with a few twists.
Here's a look at tools for patch management, application control, and antivirus and firewall protection in virtualized environments.
Patch management
VMware offers
Microsoft says its Offline Virtual Machine Servicing Tool can be used to patch offline images. Rather than scanning and patching the images while they are offline, as the name suggests, it moves the images to a private network, boots them up and lets them run their Windows Server Update Services patch process. The tool then shuts them down, saves them and moves them back to the production library.
Shavlik Technologies sells a product for VMware images that doesn't require Update Manager. Shavlik NetChk Protect includes the ability to scan ESX and VI Servers and assess and deploy patches to images found on those servers, whether online or offline at the time of the scan.
Application control
TriCerat offers an application control system that can help you lock down the VDI desktop, including the applications that are allowed to execute. Its software is available for Microsoft, VMware and Citrix VDI implementations.
Antivirus and firewall
Many security vendors have announced support for VMware's VMsafe program. The VMsafe application programming interfaces enable security vendors to build products that live on one Windows virtual machine (VM) and monitor CPU, disk, network and memory on other VM images on the same server. This provides centralized antivirus and firewall support for VDI images without requiring any agent on the guest image. Administrators who still want protection on the desktop should consider a free lightweight cloud-based antivirus service like Immunet Protect.
Catbird is a VMsafe vendor that has focused on security products for the virtual world. Catbird's virtual appliance provides intrusion detection and prevention; firewall services; and policy, compliance and vulnerability scanning. This is a comprehensive set of security services for VDI implementations that don't require security software to be installed or managed on each user's desktop.
Lastly, don't forget to secure your hypervisor servers themselves. For VMware implementations, check out the free host security assessment solutions from Tripwire and EMC. These tools perform assessments and provide remediation suggestions as per VMware's recommended best practices for ESX Server security configuration. For Microsoft Hyper-V, review the Hyper-V Security Guide Solution Accelerator. By securing the hypervisor, you can ensure that your VDI images remain intact.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed
Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at
Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes
to forget that he used to work as an internal auditor on Wall Street.
This was first published in October 2009