Virtual desktop security guide
Your office network is probably not as secure as you'd think. Using VDI to access corporate data from desktops or mobile devices can help eliminate security weak points.
Just like the Internet, IT pros should treat the office network as untrusted. Connecting to a virtual desktop infrastructure (VDI) that runs on the data center network, however, can help avoid many of the potential network security vulnerabilities.
Why can't I trust my office network?
It's pretty easy to breach an internal office network. For instance, there are hackers out there building things called penetration-test drop boxes. These look like small power supplies but contain a small computer that can be remotely controlled and used to attack your network from the inside.
Drop boxes usually get into your office network with the unwitting assistance of your office manager. A nice man in overalls with a clipboard claims to be monitoring power or air quality, and the office manager helps him plug in the "monitoring" device.
It's amazing how a little social engineering can circumvent office network security.
Another common security risk with internal networks is wireless access points. Wireless links can be eavesdropped over long distances -- potentially from a mile or more away from the access point.
Then there's your staff: They want to use their own devices on your office network. With the bring your own device (BYOD) trend, whether you permit it or not, there will be devices on your network that aren't controlled by IT admins. IT can't tell what sort of viruses or malware is on these devices, and only one infected device needs to have access to critical data for a serious problem to occur.
Why can I trust my data center network more?
Physical security is far greater in the data center network. The nice man with the clipboard won't get inside the data center, and there's no requirement for wireless access to the data center network. The staff members there have more technical knowledge and usually are far more aware of IT network security than the regular office staff.
So, it may be more secure to access corporate information through an IT-secured VDI session. Here's why:
Most VDI products have an Internet gateway component that's designed to allow desktops to be accessed from untrusted networks. You should put a firewall between the data center network and the office network, so that the office network has no direct access to the data center network: only the gateway is reachable. Since gateways encrypt traffic between the end device and the gateway itself, sessions crossing the office network are at less risk from the eavesdropping and malware intrusion that can happen at the office-network level.
Using thin or zero clients in a VDI environment will also reduce the volume of office-network device management required. Plus, employee-owned mobile devices won't have direct access to corporate data, but with a VDI client installed, they can be used fairly safely to do corporate work.
VDI also makes governance of data access simpler, because everything's being done on the data center network. Firewalling and access control can be consolidated in the data center and all corporate data is centralized, which also allows for simpler backup and disaster recovery.
What network challenges does VDI present?
Of course, not everything about VDI leads to better network security. Anything that's network connected and needs to talk to the data center -- and isn't a VDI client -- will need a different solution. Printing, for example, immediately rears its head. Providing access to networked printers in the office from virtual desktops requires opening a little more of the firewall (but only for a small number of devices and only on the wired network).
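The boundary firewall described above (office network treated as untrusted, only the VDI gateway reachable from it, and a narrow printing exception toward wired printers only) can be written down as an explicit policy and checked before it goes on a device. The following is an added example, not code from the article or from any VDI vendor. All addresses are constructed RFC 1918 placeholders, the gateway is assumed to terminate TLS on tcp/443, printers are assumed to accept raw print jobs on tcp/9100, and the rendered ruleset uses nftables syntax; adjust all of these to your own environment.

```python
"""Boundary firewall policy for the office / data-center split.

Added example, not part of the original article. All addresses are
constructed RFC 1918 placeholders chosen for this illustration:
  10.10.0.0/16    office wired LAN
  10.10.200.0/24  wired printer VLAN (inside the office wired LAN)
  10.20.0.0/16    office Wi-Fi / BYOD
  10.100.0.0/16   data-center network
  10.100.1.10     VDI Internet gateway (assumed to terminate TLS on tcp/443)
  10.100.50.0/24  virtual desktop pool
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Tuple

OFFICE_WIRED = ip_network("10.10.0.0/16")
PRINTER_VLAN = ip_network("10.10.200.0/24")
OFFICE_WIFI = ip_network("10.20.0.0/16")
DATA_CENTER = ip_network("10.100.0.0/16")
VDI_GATEWAY = ip_network("10.100.1.10/32")
VDI_DESKTOPS = ip_network("10.100.50.0/24")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str


# Explicit allow list; everything else that crosses the boundary is dropped.
ALLOW_RULES = (
    Rule(OFFICE_WIRED, VDI_GATEWAY, "tcp", 443, "office wired -> VDI gateway (TLS)"),
    Rule(OFFICE_WIFI, VDI_GATEWAY, "tcp", 443, "office Wi-Fi/BYOD -> VDI gateway (TLS)"),
    # The printing exception: opened only toward the wired printer VLAN and
    # initiated from the virtual desktops, never from office hosts.
    Rule(VDI_DESKTOPS, PRINTER_VLAN, "tcp", 9100, "virtual desktops -> wired printers (raw)"),
)


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of a new flow against the boundary policy.

    Returns (verdict, reason). Flows that stay on one side of the boundary
    never pass through this firewall and are reported as "not-forwarded".
    """
    s, d = ip_address(src), ip_address(dst)
    if (s in DATA_CENTER) == (d in DATA_CENTER):
        return "not-forwarded", "flow does not cross the office/data-center boundary"
    for rule in ALLOW_RULES:
        if s in rule.src and d in rule.dst and proto == rule.proto and dport == rule.dport:
            return "accept", rule.comment
    return "drop", "default deny between office and data center"


def _addr(net: IPv4Network) -> str:
    """Render a /32 as a bare host address, anything else in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def to_nftables() -> str:
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet dc_boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW_RULES:
        lines.append(
            f"    ip saddr {_addr(r.src)} ip daddr {_addr(r.dst)} "
            f'{r.proto} dport {r.dport} accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
    for flow in [("10.10.5.5", "10.100.1.10", "tcp", 443),     # office -> gateway
                 ("10.20.7.7", "10.100.50.20", "tcp", 3389),   # BYOD straight at a desktop
                 ("10.100.50.20", "10.10.200.9", "tcp", 9100), # desktop -> wired printer
                 ("10.100.50.20", "10.20.1.9", "tcp", 9100)]:  # desktop -> Wi-Fi printer
        print(flow, "->", evaluate(*flow))
```

Two design points carry the article's argument: the chain policy is drop, so an office host (or a drop box plugged into it) reaches nothing in the data center except the gateway's TLS port, and the printing exception is written from the desktop pool toward the wired printer VLAN, so it widens what the data center may reach, not what the office may reach.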
One of the great benefits of VDI is the ability to access corporate IT over an untrusted network, and you should count your office network as untrusted. Especially for mobile devices, allowing staff as much freedom on the office network as they have on their home network will reduce the shadow IT that typically springs up around tightly locked down offices. Of course, you still have to make sure the VDI network itself is as secure as possible, too.
ABOUT THE AUTHOR:
Alastair Cooke is a freelance trainer, consultant and blogger specializing in server and desktop virtualization. Known in Australia and New Zealand for the APAC virtualization podcast and regional community events, Cooke was awarded VMware's vExpert status for his 2010 efforts.