How we protect customer virtual desktops from viruses, spyware and attacks

This year, many companies hastily switched to remote work. For some clients we helped organize more than a hundred remote workplaces per week. It was important to do this not only quickly, but also safely. VDI technology came to the rescue: with it, it is convenient to distribute security policies to all workplaces and protect against data leaks.

In this article, I will tell you how our Citrix VDI-based virtual desktop service works from an information security standpoint. I'll show what we do to protect client desktops from external threats such as ransomware or targeted attacks.


What security problems we solve

We have identified several major security threats to the service. On the one hand, the virtual desktop runs the risk of being infected from the user's computer. On the other hand, a user may go out from the virtual desktop to the open Internet and download an infected file. Even if this happens, it must not affect the entire infrastructure. Therefore, when building the service, we solved several problems:

  • Protection of the entire VDI stand from external threats.
  • Isolation of clients from each other.
  • Protecting the virtual desktops themselves. 
  • Secure user connection from any device.

FortiGate, a next-generation firewall from Fortinet, became the core of the protection. It controls the traffic of the VDI stand, provides an isolated infrastructure for each client, and protects against vulnerabilities on the user side. Its capabilities are enough to close most information security (IS) issues.

But if the company has special security requirements, we offer additional options: 

  • We organize a secure connection to work from home computers.
  • We give access to self-analysis of security logs.
  • We provide management of anti-virus protection on desktops.
  • We protect against zero-day vulnerabilities. 
  • We set up multi-factor authentication for additional protection against unauthorized connections.

I'll tell you more about how we solved these tasks.

How we protect the stand and ensure network security

We segment the network. On the stand, we allocate a closed management segment for managing all resources. The management segment is inaccessible from the outside: in the event of an attack on a client, attackers will not be able to get into it.

FortiGate is responsible for protection. It combines the functions of an antivirus, a firewall and an intrusion prevention system (IPS).

For each client, we create an isolated network segment for virtual desktops. For this, FortiGate has virtual domain technology, or VDOM. It lets us split the firewall into several virtual entities and allocate each client its own VDOM, which behaves like a separate firewall. We also create a separate VDOM for the management segment.

The resulting scheme looks like this:

[diagram from the original post: a separate VDOM for each client and for the management segment]

There is no network connectivity between clients: each lives in its own VDOM and does not affect the others. Without this technology, we would have to separate clients with firewall rules, and that is risky because of the human factor. Such rules can be compared to a door that must be kept closed at all times. With VDOMs, we leave no "doors" at all.

In a separate VDOM, the client has its own addressing and routing, so overlapping address ranges do not become a problem for the company. The client can assign whatever IP addresses it wants to the virtual desktops. This is convenient for large companies that have their own IP plans.

We solve connectivity issues with the client's corporate network. A separate task is joining VDI to the client's infrastructure. If a company keeps its corporate systems in our data center, we can simply run a network cable from its equipment to the firewall. But more often we are dealing with a remote site: another data center or the client's office. In this case, we think about secure exchange with the site and build a site-to-site VPN using IPsec.

Schemes vary depending on the complexity of the infrastructure. Sometimes it is enough to connect a single office network to VDI, and static routing suffices. Large companies have many networks that are constantly changing; there the client needs dynamic routing. We use different protocols: we have already had cases with OSPF (Open Shortest Path First), GRE tunnels (Generic Routing Encapsulation) and BGP (Border Gateway Protocol). FortiGate runs these routing protocols inside separate VDOMs without affecting other clients.
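To make the site-to-site setup concrete, here is an added FortiOS CLI script for a route-based IPsec tunnel that lives entirely inside one client's VDOM. It is example configuration written for this article, not the provider's own config: the VDOM name `tenant-a`, the interfaces `wan-a` and `port3`, the subnets, the peer address and the pre-shared-key placeholder are all assumptions, and `#` lines are comments.

```fortios
# Added example: IPsec site-to-site tunnel from a client's VDOM to that
# client's office. Names, addresses and the PSK placeholder are assumptions.
config vdom
    edit tenant-a
        # Phase 1: IKEv2 to the office gateway, interface (route-based) mode.
        config vpn ipsec phase1-interface
            edit "to-office-a"
                set interface "wan-a"
                set ike-version 2
                set peertype any
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 198.51.100.10
                set psksecret REPLACE_WITH_STRONG_PSK
            next
        end
        # Phase 2: which subnets are allowed through the SA; PFS keeps each
        # child SA independent of the phase 1 key material.
        config vpn ipsec phase2-interface
            edit "to-office-a"
                set phase1name "to-office-a"
                set proposal aes256-sha256
                set dhgrp 14
                set pfs enable
                set src-subnet 10.10.0.0 255.255.255.0
                set dst-subnet 192.168.50.0 255.255.255.0
            next
        end
        # Address objects for the two ends of the tunnel.
        config firewall address
            edit "vdi-subnet"
                set subnet 10.10.0.0 255.255.255.0
            next
            edit "office-a-lan"
                set subnet 192.168.50.0 255.255.255.0
            next
        end
        # Static route for a single office network. For a site with many
        # changing networks, run OSPF or BGP over the "to-office-a" interface
        # instead of maintaining static entries.
        config router static
            edit 10
                set dst 192.168.50.0 255.255.255.0
                set device "to-office-a"
            next
        end
        # Explicit policies in both directions, scoped to the two subnets.
        # No NAT inside the tunnel, so the office sees real desktop addresses.
        config firewall policy
            edit 20
                set name "vdi-to-office-a"
                set srcintf "port3"
                set dstintf "to-office-a"
                set srcaddr "vdi-subnet"
                set dstaddr "office-a-lan"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 21
                set name "office-a-to-vdi"
                set srcintf "to-office-a"
                set dstintf "port3"
                set srcaddr "office-a-lan"
                set dstaddr "vdi-subnet"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Because everything is wrapped in `config vdom / edit tenant-a`, the tunnel, its route and its policies exist only in that client's virtual firewall; another client's VDOM neither sees the tunnel interface nor can route into it, which is the isolation property the text relies on.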

It is also possible to build a GOST VPN: encryption based on cryptographic protection tools certified by the FSB of the Russian Federation. For example, KS1-class solutions in a virtual environment: the S-Terra virtual gateway, ViPNet HSS, the Continent APKSh, or S-Terra.

Setting up group policies. We agree with the client on the group policies that are applied on VDI. The principles of setting them are no different from setting policies in the office. We set up integration with Active Directory and delegate control of some group policies to clients. Tenant administrators can apply policies to Computer objects, manage an organizational unit in Active Directory, and create users.

On FortiGate, for each client VDOM, we write a network security policy, set access restrictions, and set up traffic inspection. We use several FortiGate modules: 

  • the IPS module checks traffic for malware and prevents intrusions;
  • antivirus protects the desktops themselves from malware and spyware;
  • web filtering blocks access to unreliable resources and sites with malicious or inappropriate content;
  • firewall settings may allow users to access the Internet only on certain sites. 
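Here is an added FortiOS CLI script showing how the pieces from the last two sections fit together: a VDOM per client plus a management VDOM, an interface bound to the client VDOM, and a single egress policy that turns on IPS, antivirus and web filtering at once. This is example configuration written for this article, not the provider's own config: the names `tenant-a`, `mgmt`, `wan-a`, `port3`, `vdi-subnet`, the VLAN id and all addresses are assumptions, the profile names are FortiOS defaults, and `#` lines are comments.

```fortios
# Added example: per-client VDOM with an inspected egress policy.
# Names, VLAN id and addresses are assumptions; profiles are FortiOS defaults.

# 1. Enable multi-VDOM mode (FortiOS 6.2+ syntax; older releases use
#    "set vdom-admin enable"). Run this once, before the VDOMs exist.
config system global
    set vdom-mode multi-vdom
end

# 2. One VDOM per client, plus a separate VDOM for the management segment.
config vdom
    edit tenant-a
    next
    edit mgmt
    next
end

# 3. Bind interfaces to the client VDOM. An interface belongs to exactly one
#    VDOM, and there is no forwarding between VDOMs unless an inter-VDOM link
#    is created explicitly, so no "door" between clients exists by default.
config global
    config system interface
        edit "port3"
            set vdom "tenant-a"
            set ip 10.10.0.1 255.255.255.0
            set allowaccess ping
        next
        edit "wan-a"
            set vdom "tenant-a"
            set type vlan
            set ip 203.0.113.2 255.255.255.252
            set interface "port1"
            set vlanid 101
        next
    end
end

# 4. Inside the client VDOM: address object and one egress policy with
#    IPS, antivirus and web filtering enabled on the same rule. Restrict
#    "service" further (or use a web-filter URL list) to allow only
#    specific sites, as the text describes.
config vdom
    edit tenant-a
        config firewall address
            edit "vdi-subnet"
                set subnet 10.10.0.0 255.255.255.0
            next
        end
        config firewall policy
            edit 1
                set name "vdi-to-internet"
                set srcintf "port3"
                set dstintf "wan-a"
                set srcaddr "vdi-subnet"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTP" "HTTPS" "DNS"
                set utm-status enable
                set ssl-ssh-profile "certificate-inspection"
                set ips-sensor "default"
                set av-profile "default"
                set webfilter-profile "default"
                set logtraffic all
                set nat enable
            next
        end
    next
end
```

Two points worth checking after applying something like this: that no `vdom-link` interfaces connect `tenant-a` to any other client VDOM, and that `logtraffic all` is set on every client policy, since the log collector described below can only correlate what the firewall actually records.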

Sometimes a client wants to manage employee access to sites independently. More often, banks come with such a request: their security services demand that access control remain on the company's side. Such companies monitor traffic themselves and regularly make changes to policies. In this case, we route all traffic from FortiGate towards the client over a dedicated interface into the company's infrastructure. After that, the client configures the rules for access to the corporate network and the Internet themselves.

Watching events on the stand. Together with FortiGate, we use FortiAnalyzer, a log collector from Fortinet. With it, we look at all the event logs on VDI in one place, find suspicious activity and track correlations.

One of our clients uses Fortinet products in its office. For it, we set up log export so that the client can analyze all security events for office machines and virtual desktops together.

How we protect virtual desktops

From known threats. If the client wants to independently manage anti-virus protection, we additionally install Kaspersky Security for Virtualization. 

This solution works well in the cloud. We are all used to the classic Kaspersky antivirus being a "heavy" solution. Unlike it, Kaspersky Security for Virtualization does not load the virtual machines. All virus databases are located on a server, which issues verdicts for all the virtual machines on the host. Only a light agent is installed on the virtual desktop; it sends files to the server for checking.

This architecture provides file protection, Internet protection and protection against attacks at the same time, without reducing the performance of the virtual machines. The client can add exceptions to file protection themselves. We help with the basic setup of the solution and will cover its features in a separate article.

From unknown threats. For this, we connect FortiSandbox, a sandbox from Fortinet. We use it as a filter in case the antivirus misses a zero-day threat. After a file is downloaded, we first check it with the antivirus and then send it to the sandbox. FortiSandbox runs a virtual machine, launches the file and monitors its behavior: which registry objects it accesses, whether it makes external requests, and so on. If the file behaves suspiciously, the sandbox VM is deleted and the malicious file is not placed on the user's VDI.

How to set up a secure connection to VDI

We check the device's compliance with information security requirements. Since the start of remote work, clients have been coming to us with requests to ensure safe operation of users from their personal computers. Any information security specialist knows that home devices are hard to protect: you cannot install the necessary antivirus there or apply group policies, since these are not office equipment.

By default, VDI becomes a secure "layer" between the personal device and the corporate network. To protect VDI from attacks from the user's machine, we disable the clipboard and USB forwarding. But this does not make the user's device itself secure.

We solve the problem with FortiClient, an endpoint protection tool. The company's users install FortiClient on their home computers and use it to connect to a virtual desktop. FortiClient solves three tasks at once:

  • becomes a "single window" of access for the user;
  • checks if the personal computer has an antivirus and the latest OS updates; 
  • builds a VPN tunnel for secure access. 

The employee gets access only if the check passes. At the same time, the virtual desktops themselves are not reachable from the Internet, which means they are better protected from attacks.

If a company wants to manage endpoint protection itself, we offer FortiClient EMS (Endpoint Management Server). The client can configure desktop scanning and intrusion prevention, and build a whitelist of addresses.

Adding authentication factors. By default, users are authenticated through Citrix NetScaler. Here, too, we can strengthen security with multi-factor authentication based on SafeNet products. This topic deserves separate attention; we will also cover it in a separate article.

We have accumulated this experience working with different solutions over the last year. The VDI service is configured separately for each client, so we chose the most flexible tools. Perhaps in the near future we will add something else and share our experience.

On October 7 at 17:00 my colleagues will talk about virtual desktops at the webinar "Do I need VDI, or how to organize remote work?" Sign up if you want to discuss when VDI technology suits a company and when it is better to use other methods.

Source: habr.com
