How to protect virtual desktops on a corporate network

Virtual desktop infrastructures offer easier management but still require a layered approach to protect corporate networks. Learn what additional security measures you should take.

New technologies, such as virtual desktops, Web 2.0 applications and remote access, are causing security concerns in today's distributed enterprise.

In the past, a typical enterprise consisted of users on desktop PCs, which were behind the corporate firewall and tightly controlled by IT staffers. While this model worked well for security purposes and IT staffers, it proved to be very limited for users, especially those who traveled or worked from branch offices.

The tables have turned, thanks to virtualized PCs and applications. Virtual desktop infrastructure (VDI) allows mobile workers and workers using generic PCs to connect to the network and run their apps or desktops from almost anywhere. All that is needed is a compatible endpoint and a bit of client software.

Although virtual desktop infrastructures offer easier management, the big security issue here is that IT departments have to rely on the endpoint owners to make sure that proper security practices are followed. Furthermore, some virtualized desktops or applications can run while disconnected from the corporate network, which further complicates VDI security. In that situation, all security controls and firewall protections are eliminated from the equation, and the concern here is what happens when the user reconnects to the network.

For example, when a user reconnects to the corporate network, many VDI systems will attempt to synchronize what was done on the local endpoint with what is stored on the network. If that virtual PC or virtualized application was infected with a virus or other malware, then the synchronization process may bring that infection into the corporate network, where it could spread to other machines, both virtual and physical.

Systems administrators must consider the vulnerability of their corporate networks and build security practices that will help to prevent those problems.

Several technologies can help keep systems secure, and admins will want to take a layered approach that includes security measures at endpoints, in the virtual environment, at the edge and within the network. Plugging all the holes will take a combination of technologies.

  1. The first step is securing the physical endpoint, which may be difficult depending upon who owns the endpoint. Administrators can use software that enforces security policies and allows only authenticated endpoints to access the system. Many network access control (NAC) products on the market are ideal for enforcing security policies on endpoints. NAC works by validating an endpoint while it is attempting to connect to the system. The endpoint is examined to make sure that the proper security measures are in place. If the endpoint fails any of the validation steps, it can be blocked from accessing the network or a remediation process can be launched, effectively protecting the endpoint from security problems.
  2. Another layer of protection comes from the virtualized desktop itself. Administrators can make sure that each and every virtualized desktop has integrated security features, such as preconfigured software firewalls, as well as anti-malware products. By integrating those solutions into the virtual desktop image, administrators can make sure that sessions (both attached and unattached) are secure.
  3. In addition, security can be implemented at the edge of the network, where an anti-malware gateway or appliance can be incorporated into the physical infrastructure. That device can scan incoming and outgoing traffic for malware or other security problems, preventing infections from entering the network.
  4. A final layer of security can be added by incorporating a security product on the server infrastructure that powers VDI connections and image delivery.

By using a four-layer approach that consists of NAC, endpoint local security applications, integrated virtual desktop security products and protection at the edge of the network, administrators should be able to prevent most, if not all security problems. Administrators can choose to add more layers to further strengthen defenses by incorporating server-based security applications and deploying encrypted connectivity systems in the form of virtual private networks or HTTPS connections.

You should consider any and all weaknesses when it comes to remote VDI access and deploy the appropriate security products to build a thick blanket of protection against any ills.

Frank Ohlhorst
Frank Ohlhorst is an IT journalist who has also served as a network administrator and applications programmer before forming his own computer consulting firm.

Dig Deeper on Virtual desktop management