In this article I explain how our Citrix VDI-based virtual desktop service works from an information security standpoint. I will show what we do to protect client desktops from external threats such as ransomware and targeted attacks.
What security tasks do we solve
We have identified several main security threats to the service. On the one hand, the virtual desktop risks being infected from the user's computer. On the other hand, there is a danger of the virtual desktop being exposed to the open Internet. This gives us the following tasks:
- Protection of the entire VDI stand from external threats.
- Isolation of clients from each other.
- Protection of the virtual desktops themselves.
- Secure connection of users from any device.
FortiGate, Fortinet's next-generation firewall, became the core of the protection. It inspects VDI stand traffic, provides an isolated infrastructure for each client and protects against vulnerabilities on the user side. Its capabilities are enough to close most information security issues.
But if the company has special security requirements, we offer additional options:
- We organize a secure connection for working from home computers.
- We give access to security logs for self-service analysis.
- We provide antivirus protection management on desktops.
- We protect against zero-day vulnerabilities.
- We set up multi-factor authentication for additional protection against unauthorized connections.
Below I describe in more detail how we solved these problems.
How we protect the stand and ensure network security
We segment the network. On the stand we set aside a closed management segment for managing all resources. The management segment is not reachable from outside: if a client is attacked, the attackers will not be able to get into it.
FortiGate is responsible for protection. It combines the functions of antivirus, firewall and intrusion prevention system (IPS).
For each client we create an isolated network segment for its virtual desktops. FortiGate's virtual domain (VDOM) technology makes this possible: it splits the firewall into several virtual instances, and each client gets its own VDOM, which behaves like a separate firewall. The management segment also gets a separate VDOM.
Schematically (diagram omitted): one VDOM per client, plus a separate VDOM for the management segment.
There is no network connectivity between clients: each lives in its own VDOM and does not affect the others. Without this technology we would have to separate clients with firewall rules, which is risky because of the human factor. Such rules are like a door that must be kept closed at all times; with VDOMs there are no "doors" at all.
Within its VDOM, each client has its own addressing and routing, so overlapping address ranges are not a problem: the client can assign whatever IP addresses it wants to its virtual desktops. This is convenient for large companies that have their own IP plans.
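The two points above (overlapping ranges are harmless when each client has its own routing table, and rule-based separation is a "door" someone has to keep closed) can be made concrete with a small audit script. The following is an added example, not code from the article, Fortinet or any product: it models tenants as address ranges assigned to VDOMs and flags, first, range overlaps that would collide inside one routing table and, second, accept rules in a flat single-firewall design that cross tenant boundaries. Tenant names, ranges and rules are constructed.

```python
import ipaddress

# Constructed tenant layout for this example; names and ranges are illustrative.
# client-a and client-b deliberately reuse 10.10.0.0/24, as two real customers
# with their own IP plans might.
TENANT_RANGES = {
    "client-a": ["10.10.0.0/24"],
    "client-b": ["10.10.0.0/24", "192.168.50.0/24"],
    "mgmt": ["172.16.0.0/24"],
}

def _nets(tenant):
    return [ipaddress.ip_network(n) for n in TENANT_RANGES[tenant]]

def routing_conflicts(vdom_of):
    """vdom_of maps tenant name -> VDOM name. Every VDOM has its own routing
    table, so tenants may share a VDOM only if none of their ranges overlap.
    Returns one (vdom, tenant1, net1, tenant2, net2) tuple per overlap."""
    members = {}
    for tenant, vdom in vdom_of.items():
        members.setdefault(vdom, []).append(tenant)
    conflicts = []
    for vdom, tenants in members.items():
        for i, ta in enumerate(tenants):
            for tb in tenants[i + 1:]:
                for na in _nets(ta):
                    for nb in _nets(tb):
                        if na.overlaps(nb):
                            conflicts.append((vdom, ta, str(na), tb, str(nb)))
    return conflicts

# Flat design for comparison: one firewall, isolation rests on the rule set.
# Overlap is impossible there, so client-b keeps only its second range.
FLAT_OWNERS = {
    "10.10.0.0/24": "client-a",
    "192.168.50.0/24": "client-b",
    "172.16.0.0/24": "mgmt",
}
FLAT_RULES = [  # (src, dst, action); constructed rule set with two mistakes
    ("10.10.0.0/24", "10.10.0.0/24", "accept"),      # client-a internal traffic
    ("10.10.0.0/24", "192.168.50.0/24", "accept"),   # leaks client-a -> client-b
    ("192.168.50.0/24", "172.16.0.0/24", "accept"),  # leaks client-b -> mgmt
    ("192.168.50.0/24", "172.16.0.0/24", "deny"),    # deny rules are not leaks
]

def cross_tenant_permits(rules, owners):
    """Flag every accept rule whose source and destination belong to different
    tenants: each such rule is a 'door' that has to stay closed by hand."""
    owner_nets = {ipaddress.ip_network(n): t for n, t in owners.items()}

    def owner(cidr):
        net = ipaddress.ip_network(cidr)
        for n, tenant in owner_nets.items():
            if net.subnet_of(n):
                return tenant
        return None  # e.g. 0.0.0.0/0 or a range nobody owns

    leaks = []
    for src, dst, action in rules:
        so, do = owner(src), owner(dst)
        if action == "accept" and so and do and so != do:
            leaks.append((src, so, dst, do))
    return leaks

if __name__ == "__main__":
    flat = {"client-a": "root", "client-b": "root", "mgmt": "root"}
    per_client = {"client-a": "vd-a", "client-b": "vd-b", "mgmt": "vd-mgmt"}
    print("overlaps in a single VDOM:", routing_conflicts(flat))
    print("overlaps with one VDOM per client:", routing_conflicts(per_client))
    print("cross-tenant accept rules:", cross_tenant_permits(FLAT_RULES, FLAT_OWNERS))
```

Run as is, the first call reports the 10.10.0.0/24 collision between client-a and client-b, the second reports nothing because each tenant sits in its own VDOM, and the rule audit lists the two accept rules that cross tenant boundaries. The same audit logic can be pointed at an exported rule set to confirm that a flat design has no such rules, but it cannot remove the need to keep checking; that is the advantage of per-client VDOMs.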
We resolve connectivity with the client's corporate network. A separate task is integrating VDI with the client's infrastructure. If the company keeps its corporate systems in our data center, a network cable can simply be run from its equipment to the firewall. More often, though, we are dealing with a remote site: another data center or the client's office. In this case we think through a secure exchange with the site and build a site-to-site VPN over IPsec.
The schemes vary with the complexity of the infrastructure. Sometimes it is enough to connect a single office network to VDI, and static routing suffices. Large companies have many networks that change constantly, and there the client needs dynamic routing. We use different protocols: there have already been cases with OSPF (Open Shortest Path First), GRE (Generic Routing Encapsulation) tunnels and BGP (Border Gateway Protocol). FortiGate runs these protocols inside individual VDOMs without affecting other clients.
It is also possible to build a GOST VPN, that is, encryption based on tools certified by the FSB of the Russian Federation, for example KC1-class solutions in the virtual environment: "S-Terra virtual gateway", PAK ViPNet, APKSH "Continent", "S-Terra".
We set up group policies. We agree with the client on the group policies that apply in VDI. The configuration principles are no different from policy settings in the office. We configure integration with Active Directory and delegate management of some group policies to clients. Tenant administrators can apply policies to Computer objects, manage an OU in Active Directory and create users.
On FortiGate, for each client VDOM we write a network security policy, set access restrictions and configure traffic scanning. We use several FortiGate modules:
- the IPS module scans traffic for malware and prevents intrusions;
- antivirus protects the desktops themselves from malware and spyware.
Sometimes a client wants to manage employee access to websites itself. Banks come with this request most often: their security services require that access control stay on the company's side. These companies monitor traffic themselves and change policies regularly. In this case we forward all traffic from FortiGate to the client over a customized interface with the company's infrastructure. After that the client sets the rules for access to the corporate network and the Internet itself.
We monitor events on the stand. Alongside FortiGate we use FortiAnalyzer, Fortinet's log collector. With it we see all VDI event logs in one place, find suspicious actions and track correlations.
One of our clients uses Fortinet products in its office. For that client we configured log forwarding, so it can analyze all security events for office machines and virtual desktops together.
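To show what "find suspicious actions and track correlations" looks like in practice, here is an added example that is not code from the article, Fortinet or FortiAnalyzer: a Python script that parses FortiGate-style key=value log lines and flags any desktop that produced several blocked IPS or antivirus events within a short window. The field names follow FortiGate's syslog layout; the addresses, signature names and virus names are constructed for this example. Note that the desktop is keyed by VDOM plus address, because with a VDOM per client the same IP can legitimately appear in two clients' logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: FortiGate-style key=value records as FortiAnalyzer stores
# them. Addresses, signature and virus names are invented for this example.
SAMPLE_LOGS = """\
date=2021-10-01 time=09:00:01 vd="client-a" type="traffic" subtype="forward" srcip=10.10.0.15 dstip=203.0.113.5 action="accept"
date=2021-10-01 time=09:00:05 vd="client-a" type="utm" subtype="ips" srcip=10.10.0.15 dstip=203.0.113.5 action="dropped" attack="Constructed.Signature.A"
date=2021-10-01 time=09:00:40 vd="client-a" type="utm" subtype="virus" srcip=10.10.0.15 dstip=203.0.113.5 action="blocked" virus="Constructed.Sample.B"
date=2021-10-01 time=09:01:10 vd="client-a" type="utm" subtype="ips" srcip=10.10.0.15 dstip=198.51.100.7 action="dropped" attack="Constructed.Signature.C"
date=2021-10-01 time=09:02:00 vd="client-b" type="utm" subtype="ips" srcip=10.10.0.15 dstip=198.51.100.7 action="dropped" attack="Constructed.Signature.C"
date=2021-10-01 time=11:30:00 vd="client-b" type="utm" subtype="virus" srcip=10.10.0.22 dstip=203.0.113.9 action="blocked" virus="Constructed.Sample.D"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def utm_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Find desktops with at least `threshold` blocked IPS/antivirus events
    inside a sliding `window`. The key is (vd, srcip), not srcip alone: with a
    VDOM per client, two clients may legitimately use the same address."""
    per_host = defaultdict(list)
    for r in records:
        if r.get("type") == "utm" and r.get("subtype") in ("ips", "virus"):
            per_host[(r["vd"], r["srcip"])].append(r)
    flagged = {}
    for key, events in per_host.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = events[start:end + 1]
                break
    return flagged

if __name__ == "__main__":
    for (vd, ip), events in utm_bursts(parse_logs(SAMPLE_LOGS)).items():
        names = [e.get("attack") or e.get("virus") for e in events]
        print(f"{vd} {ip}: {len(events)} blocked events within 5 min -> {names}")
```

On the sample, only the client-a desktop at 10.10.0.15 is flagged (three blocked events in just over a minute); the client-b desktop with the same address has a single event and stays quiet, which is exactly why the VDOM must be part of the key. The threshold and window are the knobs an analyst tunes once real volumes are known.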
How we secure virtual desktops
From known threats. If a client wants to manage antivirus protection itself, we additionally install Kaspersky Security for Virtualization.
This solution works well in the cloud. We are all used to the classic Kaspersky Anti-Virus being a "heavy" solution. Kaspersky Security for Virtualization, by contrast, does not load the virtual machines: all virus databases live on a server that issues verdicts for every virtual machine on the host, and only a light agent is installed on the virtual desktop, which sends files to the server for checking.
This architecture provides file protection, Internet protection and attack protection at the same time without degrading virtual machine performance. The client can also define its own exclusions for file protection. We help with the basic setup of the solution and will describe its features in a separate article.
From unknown threats. For this we connect FortiSandbox, Fortinet's sandbox. We use it as a filter in case the antivirus misses a zero-day threat. When a file is downloaded, we first check it with the antivirus and then send it to the sandbox. FortiSandbox spins up a virtual machine, runs the file and watches its behaviour: which registry objects it touches, whether it sends outbound requests, and so on. If the file behaves suspiciously, the sandbox virtual machine is discarded and the malicious file never reaches the user's VDI.
How to set up a secure connection to VDI
We check that the device meets information security requirements. Since the start of remote work, clients have come to us with a request: ensure that users can work safely from their personal computers. Any information security specialist knows that home devices are hard to protect: you cannot install the required antivirus there or apply group policies, because it is not office equipment.
By default, VDI becomes a secure layer between the personal device and the corporate network. To protect VDI from attacks from the user's machine, we disable the clipboard and prohibit USB forwarding. But this does not make the user's device itself secure.
We solve this with FortiClient, an endpoint security tool. The company's users install FortiClient on their home computers and use it to connect to the virtual desktop. FortiClient solves three tasks at once:
- becomes a "single window" of access for the user;
- checks if the personal computer has antivirus and the latest OS updates;
- builds a VPN tunnel for secure access.
An employee gets access only if the device passes the check. At the same time, the virtual desktops themselves are not reachable from the Internet, which makes them better protected from attacks.
If a company wants to manage endpoint protection itself, we offer FortiClient EMS (Endpoint Management Server). The client can configure desktop scanning and intrusion prevention on its own and maintain an address whitelist.
We add authentication factors. By default, users are authenticated through Citrix NetScaler. Here too we can strengthen security with multi-factor authentication based on SafeNet products. This topic deserves separate attention, and we will cover it in a separate article.
This is the experience we have accumulated over the last year of working with different solutions. The VDI service is configured separately for each client, so we chose the most flexible tools. We may add something else in the near future and will share our experience.
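The decision rule behind "access only if the device passes the check" is worth spelling out, in particular what happens when the agent cannot report something. The following is an added example, not code from the article or from FortiClient: a Python posture gate over constructed device reports, with field names that are assumptions for this example rather than FortiClient's schema. It implements the three checks the article lists (antivirus present and current, OS updates current, VPN tunnel up) and denies by default whenever a fact is missing.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed posture report. The field names are assumptions for this example
# and do not reflect FortiClient's real schema.
@dataclass
class PostureReport:
    device_id: str
    av_present: Optional[bool] = None          # None: the agent could not tell
    av_signature_date: Optional[date] = None   # date of the last signature update
    os_last_patch_date: Optional[date] = None  # date of the last OS update
    vpn_tunnel_up: bool = False

@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)

def evaluate(report, today, max_sig_age_days=3, max_patch_age_days=30):
    """Decide whether this device may open a virtual desktop session.
    Anything the agent could not determine counts as a failure, so a report
    with missing data is denied rather than waved through."""
    reasons = []
    if report.av_present is not True:
        reasons.append("antivirus not detected")
    sig = report.av_signature_date
    if sig is None or (today - sig).days > max_sig_age_days:
        reasons.append(f"antivirus signatures missing or older than {max_sig_age_days} days")
    patch = report.os_last_patch_date
    if patch is None or (today - patch).days > max_patch_age_days:
        reasons.append(f"OS updates missing or older than {max_patch_age_days} days")
    if not report.vpn_tunnel_up:
        reasons.append("VPN tunnel not established")
    return Decision(allow=not reasons, reasons=reasons)

# Constructed sample devices, evaluated against a fixed date for reproducibility.
TODAY = date(2021, 10, 1)
SAMPLE_DEVICES = [
    PostureReport("home-pc-1", True, date(2021, 9, 30), date(2021, 9, 20), True),   # compliant
    PostureReport("home-pc-2", True, date(2021, 8, 1), date(2021, 9, 20), True),    # stale signatures
    PostureReport("home-pc-3", None, None, date(2021, 9, 20), True),                # agent reported nothing about AV
    PostureReport("home-pc-4", True, date(2021, 9, 30), date(2021, 9, 20), False),  # no tunnel
]

def gate_all(devices, today=TODAY):
    """Evaluate every report; returns {device_id: Decision}."""
    return {d.device_id: evaluate(d, today) for d in devices}

if __name__ == "__main__":
    for dev, decision in gate_all(SAMPLE_DEVICES).items():
        print(dev, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

Only home-pc-1 is allowed; the others are denied with the specific reason, which is what a help desk needs to tell the user what to fix. The deny-by-default handling of `None` is the detail that matters: a report the agent could not complete must not be treated the same as a report that passed.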
On October 7 at 5 pm my colleagues will talk about virtual desktops at the webinar "Do I need VDI, or how to organize remote work?"
Register if you want to discuss when VDI technology is suitable for a company, and when it is better to use other methods.