The distinction between what is and is not a network-connected device has been turned on its head in recent years as the concept of virtualization has taken the world of IT by storm.
Virtualization allows an enterprise to run multiple servers or client instances on a single piece of hardware. One physically connected network device could, in fact, have several different IP addresses associated with each of its network interface cards (NICs). This obfuscation of network connectivity, made possible by the creation of the hypervisor, has driven great advancements in data storage, server infrastructure and computer network security.
Many of these advancements have manifested themselves in a concept known as virtual desktop infrastructure (VDI), which basically means that a desktop operating system (OS) such as Microsoft Windows runs entirely within a virtual machine (VM). While many enterprises have implemented VDI primarily for the systems management advantages, the security risks (and benefits, too) of VDI must also be taken into account before switching from a traditional network architecture.
In this tip, we'll look at what VDI means for enterprise endpoint security, and how to assess and mitigate VDI security risks.
VDI security benefits
VDI allows for the distribution of virtualized desktops to different nodes within a given network. So, if a certain organization prefers that its users operate on Windows 7, the system administrator simply has to allocate a baseline image to each node on the network.
Virtualized endpoints provide several different advantages in terms of security. First, they allow the system administrator to control what type of baseline image is allocated to each node from a centralized location. If a certain operating system is suffering from serious vulnerabilities and a patch or update is not available yet, the system administrator simply needs to recall that OS version and then allocate a different OS version to each user. Alternatively, the system administrator can allocate a completely different OS, and all of this can be done without leaving the confines of the system administrator's cubicle. Contrast this with the way system administration was done in the not-too-distant past, when administrators were required to visit each computer individually and perform a complete OS reinstallation, and it's clear that desktop virtualization can be a useful tactic for mitigating endpoint platform risk.
VDI also allows for more robust security setups when compared to traditional networks. When malware successfully penetrates a virtualized network, for example, administrators can simply delete each OS instance where the malware is detected without fear that the host OS has been affected. This is a profound advantage in terms of resource conservation and security, though seizing this advantage depends heavily on effective malware-detection capabilities.
Virtualization is not a cure-all
All things being equal, VDI enables a more flexible and adaptive security posture than traditional network endpoint infrastructures, as explained above. All too often, though, system administrators use virtualization as a crutch when a situation calls for a deeper sense of vigilance. The wise system administrator should be cognizant of the fact that undetected malware can propagate through a VDI-based network just as easily as it can through a traditional network. For example, a piece of malicious code may contain instructions that execute a CPUID call. Because CPUID is an unprivileged instruction, even code running without elevated rights can issue it, and the result indicates whether a VM is present. If a VM is detected, the code either deletes itself or simply propagates to other network-connected devices until it finds one that is not virtualized. VDI may be unusually resilient with regard to malware, but an infected VDI instance is just as capable of infecting other network-connected devices.
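To make the CPUID check above concrete, here is an added example in C (not code from the original article): it reads the hypervisor-present bit and the vendor leaf that any unprivileged x86 process can query, which is exactly why a VDI instance cannot assume it is invisible to code running inside it, and the same probe lets an administrator confirm which hypervisor an endpoint reports. The live probe assumes GCC or clang on x86 and returns -1 on other builds; the decoding helper is exercised with constructed register values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
#include <cpuid.h>
#endif

/* CPUID leaf 1: ECX bit 31 is reserved as 0 on bare metal and set to 1 by
 * hypervisors to advertise their presence. */
#define HV_PRESENT_BIT  (1u << 31)
/* Leaf 0x40000000: EBX:ECX:EDX carry a 12-byte hypervisor vendor string. */
#define HV_VENDOR_LEAF  0x40000000u

int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx & HV_PRESENT_BIT) != 0;
}

/* Decode the vendor string: byte 0 is the low byte of EBX, and so on.
 * out must hold 13 bytes; constructed register values decode the same way. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Live probe from user mode: 1 = hypervisor reported, 0 = none reported,
 * -1 = this build cannot issue CPUID (non-x86 target or non-GCC compiler). */
int probe_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
    uint32_t a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !hypervisor_bit_set(c))
        return 0;
    /* __get_cpuid rejects leaves above the basic maximum, so use __cpuid. */
    __cpuid(HV_VENDOR_LEAF, a, b, c, d);
    hv_vendor_string(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)       puts("CPUID not available on this build");
    else if (r == 0) puts("no hypervisor advertised (bare metal, or one that hides)");
    else             printf("hypervisor advertised, vendor string \"%s\"\n", vendor);
    return 0;
}
```

A hypervisor can choose not to set the bit or to return a blank vendor string, so a 0 result rules nothing out; the point for the defender is that the positive case costs the malware nothing.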
For enterprises concerned about potential malware issues when switching to VDI-based networks, vendors have stepped in with products that could solve such issues. One VDI security concept that has gained in popularity in recent years is known as agentless security. Developed by Trend Micro and since adopted by VMware, McAfee and others, this concept takes a two-pronged approach. First, Trend Micro developed something known as vShield Endpoint, which allows traditional security functions to be offloaded to a separate appliance, enabling better performance within each VM on a given network. Second, and in conjunction with vShield Endpoint, Trend Micro developed its Deep Security framework, which is basically the virtualized environment that allows the vShield Endpoint appliance to communicate with other VMs. When traditional security mechanisms don't measure up in terms of performance, malware detection or containment of malware propagation, system admins may find it worth their time to research vendor products to supplement their virtual deployments.
Positives outweigh negatives
Endpoint virtualization is mostly a harbinger of good tidings for enterprise security. Though challenges with malware persist, VDI-based networks offer system administrators the opportunity to more easily secure and manage user desktops. As long as an organization takes the necessary precautions with its VDI deployment, virtualization can provide a big boost to security efforts.
About the author:
Brad Casey holds a master of science degree in information assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distributions in virtual machines.
This was first published in October 2013