Wednesday, September 1, 2010

VMworld 2010 Reporting: View Security

There are 3 elements to the View architecture:
- centralized desktops
- end user devices
- View broker

View currently supports AD, Novell RSA SecurID and Smart Card as authentication methods. In addition there are 3rd parties that support additional methods of authentication for View.

Two methods can be used to establish a connection: direct to desktop, or tunneled through the View server over HTTPS. In addition, the tunnel can be moved to a View Security server to offload the overhead from the View server to the proxy (Security server). Typically a Security server is deployed in a DMZ and is appropriate for remote access scenarios.

PCoIP is not supported on View 4 or 4.5 through the secure server proxy, only RDP. VMware is working with Teradici to get this working but recommends using a VPN if you are serving PCoIP externally.

With 4.5 you have delegated role-based access control. Certificate management and revocation have also been added.

Administrators can now be associated with a role, which carries a set of permissions, and then assigned to folders within the VMview hierarchy of resources. Some of the roles include inventory management or global administration. In addition, custom roles can be added with specific permissions. For example, you can divide your View architecture into folders that represent geographic regions and then add regional administrator roles.
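The regional-folder delegation described above can be reasoned about with a small model. This is an added example, not VMware's code or the View API: the role names, permission names, folders and administrators are hypothetical, and it assumes that a role assigned at the root applies to every folder.

```python
# Simplified model of folder-scoped, role-based delegation (added example).
# Role names, permission names, folders and admins are all hypothetical.
from dataclasses import dataclass

ROOT = "/"

ROLES = {
    "GlobalAdmin": {"manage_pools", "manage_desktops", "manage_roles", "manage_config"},
    "InventoryAdmin": {"manage_pools", "manage_desktops"},
    "RegionalHelpdesk": {"reset_desktop"},  # custom role with a single permission
}

@dataclass(frozen=True)
class Assignment:
    admin: str
    role: str
    folder: str  # ROOT or a region folder such as "/EMEA"

# Constructed sample data: two region folders plus the root.
ASSIGNMENTS = [
    Assignment("alice", "GlobalAdmin", ROOT),
    Assignment("bob", "InventoryAdmin", "/EMEA"),
    Assignment("carol", "InventoryAdmin", "/APAC"),
    Assignment("dave", "RegionalHelpdesk", "/EMEA"),
    Assignment("dave", "InventoryAdmin", ROOT),  # broader than a regional role needs
]

def covers(scope: str, folder: str) -> bool:
    """Assumption: an assignment on ROOT applies to every folder."""
    return scope == ROOT or scope == folder

def is_allowed(admin: str, permission: str, folder: str, assignments=ASSIGNMENTS) -> bool:
    """Deny by default; allow only if an in-scope assignment grants the permission."""
    return any(
        a.admin == admin
        and covers(a.folder, folder)
        and permission in ROLES.get(a.role, set())
        for a in assignments
    )

def root_scoped(assignments=ASSIGNMENTS, expected=frozenset({"alice"})):
    """Review aid: admins holding any role at ROOT who are not expected to."""
    return sorted({a.admin for a in assignments if a.folder == ROOT} - expected)
```

In this model the regional administrator for one folder has no rights in another, and `root_scoped()` surfaces the one assignment that quietly defeats the regional split.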

Best practices for securing a View deployment:

- Use the vSphere hardening guidelines
- Harden the virtual desktops
- Review your refresh intervals - i.e. clean desktop on logoff
- Change the default certificates on the View components
- Disable unused ciphers for SSL encryption
- Consider disabling the USB port for external access

VMware recommends integrating the vShield products into your VDI environments. One interesting thing about vShield Edge is that it can provide load balancing to the View servers. vShield App can be used for zoning desktops and vShield Endpoint can offload antivirus protection.
