This presentation was originally delivered during the IoT Integrator Summit on Securing Edge Computing, which took place from July 14-16, 2020.
You can view the full event summary and access additional sessions from the IoT Integrator Summit here.
In this session recording, you will learn how a VDI solution can be used in conjunction with a VPN to provide quick, scalable and highly secure remote access.
Virtual Desktop Infrastructure (VDI) solutions deliver a remote workstation to the user so that no corporate data is stored locally on the endpoint device. Because they minimize how widely data is distributed, VDI solutions are commonly used by enterprises as part of a mobile adoption strategy to protect against data leakage and theft. They are especially popular among healthcare providers, which must protect patient privacy and comply with HIPAA regulations and standards. There is a common presumption that a VDI solution also natively secures the endpoint device itself against data exfiltration; as the session explains, that is not the case.
Watch the video or peruse the notes from the session below.
Challenges and Solutions in Enterprise Remote Work
Proper remote work configuration is vital to the transition from the workplace to the home. Companies should consider how they can enable their mobile workforce, attract the best talent and allow workers to maintain a healthy work-life balance. When addressing these challenges, three technical solutions are usually considered:
- Virtual Desktop Infrastructure (VDI)
- Virtual Private Networks (VPN)
- Remote Desktop Service (RDS)
Companies are looking for security solutions compatible with both Bring Your Own Device (BYOD) and provided device models. These solutions should include security measures that can be customized to individual and departmental clearance levels. VDI offers the security flexibility and granularity that customers are looking for.
It also brings the added benefits of centralized management, simple patching and comparatively easy compliance management. VDI is not a one-size-fits-all solution, however. To be most effective, it must be tailored to the organization's needs and goals.
Simplifying Remote Work with VDI Technologies
Traditional VDI deployments are built from a complex, multi-layered software stack. The stack typically includes:
- Thin Client
- User Personalization
- Application Delivery
- OS Image Delivery
Dell Technologies now has VDI-ready solutions that can be tailored to a company's size and demand. In its new software, Dell Technologies has condensed the stack and simplified the VDI process.
Instead of the traditional structure, Dell's VDI places an individual client at each endpoint and performs backend authentication through a service such as Microsoft or Red Hat, which then grants access to the resources themselves. Access can be tailored per user or driven by active policies.
Threats to VDI Implementations in Remote Work
There is inherent security built into VDI architecture, but there are still immense risks. Specifically, two advanced cyber-attack techniques can be employed against VDI:
- Man-in-the-Middle (MitM) attacks
- Mobile Remote Access Trojans (mRATs)
Strictly, a MitM attack intercepts and can alter the traffic between the VDI client and the gateway; in the session the term is used more broadly to cover an endpoint on which software has been installed to perform screen scraping, keylogging or local data copying. mRATs go a step further and give the attacker remote control of the infected device.
Within the VDI stack, all communication between the client and the VDI gateway is carried in a Secure Sockets Layer (SSL/TLS) tunnel. That protects the session in transit, but it does nothing against malware that is already running on the endpoint and sees the session on the user's side of the tunnel.
Attila offers hardware VPN solutions that block these kinds of attacks. The partnership between Dell and Attila gives customers a trusted network path for the SSL connection, substantially reducing the MitM and mRAT risk.
Protections Against VDI Threats and Vulnerabilities
Dell has taken their software even further and partnered with Attila to address the security concerns that remain in the VDI process. This is especially useful for IoT government contractors who are concerned about the security of their intellectual property.
Attila addresses these VDI weaknesses with the GoSilent Server and the GoSilent Cube. Traditional VDI solutions include a security gateway that resides in your demilitarized zone (DMZ). The GoSilent Server sits in front of that security gateway, entirely within your enterprise network, so the VPN is terminated before traffic ever reaches the gateway.
The GoSilent Server acts as a VPN gateway and includes centralized management for all GoSilent Cubes, which are portable VPN firewalls. As hardware firewalls, they offer numerous benefits:
- Straightforward set up and user interface. The only step for installation is connecting to the internet.
- Streamlined maintenance and replacement.
- The GoSilent Cube stores the VPN key on the Cube itself rather than on the endpoint, so an mRAT on the endpoint cannot read the key and use it to reach the enterprise network.
- Devices connected to the VDI are isolated by hardware from the rest of the network, even in BYOD systems.
- Operators can add independent firewall rules to both the GoSilent Cube and Server.
- The GoSilent Cube and Server can be easily repurposed for new users.
The GoSilent Cube installation is seamless as the end-user will only need to provide an internet connection. Once connected, the Cube is ready to serve as a wireless hotspot.
Managers can easily set it up so the employee will only have access to resources allocated for their clearance level. This is a vast improvement over traditional solutions that required extensive setup from the end-user. Even with BYOD, the process is as simple as installing the VDI client and connecting to the internet.
Q & A from listeners
Vesh and CT answer questions directly from listeners.
Q: What other threats are there for VDI environments beyond MitM and mRATs?
The largest threat is the individual device. Split tunneling is what to look for in any MitM attack. These attacks have the ability to route device traffic to the hacker and the user.
The user would still be able to work, but the hacker would be capturing everything the user is seeing. If this is a home laptop, they now have access to banking information and other personal data. Connecting to a VPN before connecting to the VDI ensures the entire session is encrypted and none of this is possible.
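The panel's advice above is to look for split tunneling, where some routes bypass the VPN even though the user appears to be connected. The following Python is an added example, not code from the session or from Attila or Dell: it parses a routing table in Linux `ip route` format and reports any route that would carry traffic outside the tunnel. The interface names (`tun0`, `wlan0`), addresses and the routing-table sample are all constructed for illustration; on a real host you would feed it the output of `ip route show` instead.

```python
"""Split-tunnel check to run before launching the VDI client.

Added example: given a routing table in `ip route` format, confirm that the
default route goes through the VPN tunnel interface and that no more-specific
route sends traffic elsewhere.  A more-specific route wins longest-prefix
match, so the default route alone is not proof that the session is covered.
"""
import ipaddress
import re

TUNNEL_IF = "tun0"  # assumed name of the VPN tunnel interface

# Constructed sample of `ip route show` on a home laptop.  The default route is
# via the tunnel, but a /24 (which could hold the VDI gateway) leaks to wlan0.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.0/24 via 192.168.1.1 dev wlan0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (network, interface, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and unsupported route types
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        routes.append((net, m.group("dev"), m.group("gw")))
    return routes


def lookup(routes, addr):
    """Longest-prefix match for one destination, as the kernel would do it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev, gw in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def check_full_tunnel(routes, tunnel_if=TUNNEL_IF):
    """Report whether the default route uses the tunnel and list leaking routes.

    Directly connected subnets (no gateway) are not counted as leaks because
    the host needs one of them to reach the VPN server in the first place.
    """
    defaults = [r for r in routes if r[0].prefixlen == 0]
    default_ok = bool(defaults) and all(dev == tunnel_if for _, dev, _ in defaults)
    leaks = [r for r in routes if r[1] != tunnel_if and r[2] is not None]
    return {"default_via_tunnel": default_ok, "leaks": leaks}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    report = check_full_tunnel(table)
    print("default via tunnel:", report["default_via_tunnel"])
    for net, dev, gw in report["leaks"]:
        print(f"LEAK: {net} via {gw} dev {dev} bypasses {TUNNEL_IF}")
    # A VDI gateway sitting in the leaked /24 would be reached outside the VPN:
    net, dev, _ = lookup(table, "203.0.113.10")
    print(f"203.0.113.10 is routed via {dev} ({net})")
```

On the constructed table the default route looks healthy, yet a connection to 203.0.113.10 leaves over `wlan0`, which is exactly the split-tunnel case the panel describes. The check covers IPv4 only; a practitioner would run the same test against `ip -6 route` and, more importantly, enforce full-tunnel mode in the VPN client itself rather than rely on a host-side audit.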
Q: How many BYODs can one GoSilent Cube support?
Wirelessly, the Cube can support up to 5 devices. When wired, it can support up to 25 or 30.
Q: Can the GoSilent Cube physically and wirelessly connect to home devices?
Yes, it can be connected wirelessly or hardwired, both to the internet and to the device itself.
Q: How can this solution work in areas where internet access and speeds vary?
When you look at building the VDI architecture, you will need to consider what type of connection you will be using. We would specify a minimum internet speed, and consider in the VPN and VDI design how many users you will support and what applications will work well.
Q: What is the total supported throughput per device and recommended bandwidth?
The throughput is about 90 Mbps if you are hardwired and about 30 Mbps if you are connected wirelessly. For reference, the average recommended bandwidth for one device at 1080p is about 5 Mbps.
Q: How will you implement VDI when network segmentation is key? For example, when dealing with PCI DSS compliance?
The answer to that comes back to the NSX. The micro-segmentation takes place in the cloud hosting where the segmentation and application delivery is happening. Compute and storage is where we would handle most micro-segmentation. From there, we would leverage any of the authentication protocols.
In an Active Directory infrastructure, we would have a persistent NAC and we would apply that to the end-user device. With VMware you would have access, control and visibility to the client device. In an environment where the company is issuing the devices, you now have full control to install what you want. For BYOD, you can require employees to install persistent NAC to ensure compliance and full control.
Q: Can the GoSilent Cube be configured for required firewall access roles?
Yes, the GoSilent Cube can be configured for firewall access roles through the GoSilent Server. Using the standardized VDI model, you can have the same rules for all GoSilent Cubes, where only specific protocols are allowed access to the security gateway.
Vesh Bhatt is Attila's Chief Science Officer and Co-Founder. Before launching Attila with Gregg Smith, he founded Kesala, which was later acquired by Silent Circle. Prior to entering the private sector, Vesh served as a Systems Administrator, Infrastructure Architect and Engineer, Technical Leader, Developer, and Unix Analyst for the Information Assurance (IA) mission at the National Security Agency (NSA). There, he was recognized and sought after for his technical finesse in the areas of Cyber Security Orchestration, Linux, Networking, Infrastructure Engineering, and Virtualization.
His accomplishments include earning his CompTIA Security+ certification at the age of 18; spearheading the technical aspects of the most effective Security Orchestration, Automation, and Response (SOAR) R&D program in the Department of Defense; and being selected as a winner of NSA's first internal innovation competition for his work on an early prototype of Attila's GoSilent Cube. Vesh is committed to solving the biggest cybersecurity challenges facing enterprises and government agencies.
A results-driven Information & Communications technologist with extensive experience in the engineering, design, research & development, administration, strategy, and support of creating information & communication systems. In-depth expertise in the implementation, analysis, optimization, troubleshooting, and documentation of LAN/WLAN/WAN network communication systems.
Strong "hands-on" and applied architectural technical knowledge with Service-Oriented Architecture, NFV, SDN, Private/Hybrid Cloud, Ansible, StackStorm, DevOps, DevSecOps, Python, Yaml, API, RESTCONF, YANG, Cloud Security, MP-EVPN, Tensorflow, as well as multiple DOD C5I systems. Extensive experience with system integration and “end to end” trouble-shooting.
Proven ability to lead and motivate project teams to ensure success. Track record of diagnosing complex problems and consistently delivering effective and time-sensitive solutions. Keen ability to navigate ambiguity and large enterprise organizations.
A thought leader with respect to modern networking, future technologies, and contemporary security practices across enterprise, data center, and cloud environments with a high degree of learning agility. Experienced with laws, regulations, standards, and best practices to include: NIST, ISO, SOX, HIPAA, EU GDPR, PCI, CSA CCM, and FEDRAMP
Active IEEE member as well as a member of the IEEE Communications Society, Technology & Engineering Management Society, and Systems Council.
About Dell Technologies
Dell Technologies is a unique family of businesses that provides the essential infrastructure for organizations to build their digital future, transform IT and protect their most important asset, information.