With the Covid-19 pandemic forcing many enterprises to shift their businesses online and the employees to work from home, securing virtual desktops for the remote employees has become crucial. While businesses had to quickly adjust to the given situation, network security became an afterthought for many.
Cybercriminals have already been taking advantage of the new normal, “work-from-home” by targeting the vulnerabilities associated with employees connecting to corporate resources from their home environment. This involves phishing campaigns, denial of service attacks, and even exploiting vulnerabilities in home routers.
Virtual Desktops Infrastructure (VDI) assists businesses in reducing the impact on productivity and continuity, as well as the risk associated with remote access to internal data.
Vulnerable Desktop Pools
For any cybercriminal, the initial target of an attack is never the objective.
With Virtual Desktops Infrastructure, user-desktops reside within the data-center, close to the servers hosting critical applications and data. Bringing humans within the data-center through desktop virtualization can give rise to a new threat vector. This may allow attackers to take advantage of vulnerable users/desktops to gain access to data on the nearby servers.
Ensuring that VDI pools and RDSH (Remote Desktop Session Host) farms are isolated from the rest of the data-center is crucial. The key to what NSX Service-Defined Firewall enables is to provide this segmentation at scale, without requiring network re-architecture.
Protecting the Desktop Pools
Using dynamic security groups based on criteria including VM (Virtual Machine) name, network segment, or security tag, desktops can be grouped together. An appropriate segmentation policy can be applied that isolates the desktops from the rest of the data-center.
In case, an organization wants to scale up the number of remote desktops, due to multiple employees working from home, the new desktops can be added to existing groups. The same segmentation policy can be applied to the new desktops that come up, without making any changes to the policy, any network re-architecture, or adding on physical firewall appliances.
Once the desktops are added, it can be compared to the traditional model in which traffic to/from desktop pools is hair-pinned to a physical firewall that has a policy based on IP addresses and subnets. This needs to be manually adjusted to account for the large increase in desktops/IP addresses in VDI pools. Manual intervention can slow down the roll-out and is also error-prone, which can lead to both operational inefficiency and an increase in risk.
Ransomware & its Behavior
Similarly, to how attackers will try to move laterally within an environment so as to gain access to valuable systems, data; ransomware, and different types of malware exhibit worm-like behavior that allows them to spread from one infected machine to another.
WannaCry ransomware that exploited the EternalBlue vulnerability in Windows SMBv1 servers, executed on one machine, and then scanned the rest of the environment for vulnerable servers and propagated itself laterally. Microsoft recently published a security advisory about the existence of a remote code execution vulnerability also referred to as SMBGhost or CoronaBlue; similar to EternalBlue. It is considered wormable, which means if exploited it can self-propagate over the network.
In such a situation, network-based segmentation leveraging a traditional firewall deployed between zones can help to prevent lateral movement between zones. However, it may not offer any protection against propagation within a subnet such as a desktop pool. On the contrary, the NSX Distributed Firewall sits at the vNIC of every workload. It has the ability to intercept traffic even before it hits the network, regardless of whether that traffic is going to another desktop, internet, or a production application in the data-center.
The Single-Rule Policy
With a single rule on the distributed firewall, organizations can isolate every desktop from every other desktop across their VDI pools. Through the use of dynamic security groups based on tags or other constructs, this policy can be automatically applied to every desktop that is spun up. With just this single desktop isolation rule in place, organizations can stop the self-propagation of ransomware across their desktops as well as the lateral movement of an attack.
In case, if some lateral communication between desktops is required, customers can configure a firewall policy leveraging Layer-7 Application-Identity to only allow the use of more secure protocols.
This makes it easier to identify different existing solutions that aim at providing security in virtual machines.