VMworld Europe 2013, Marilyn Basanta, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Enhancing Workplace Mobility and BYOD with the VMware Mobile Secure Workplace
Marilyn Basanta
Technical Solutions Architect
VMware End User Computing
@marilynbasanta
EUC5509
#EUC5509
Agenda
Solution overview
Breakdown of elements
Load balancing and namespace services
AD configuration for PKI and Certificate Services
RADIUS integration
Persona management
vCloud Network and Security
vShield Endpoint and Anti Malware
vSphere and View configuration considerations
Horizon Workspace configuration considerations
Horizon Workspace - Mobile
Partner Solution – Trend Micro Mobile Security
Final comments
Solution Overview
[Architecture diagram: end user devices (knowledge workers, mobile knowledge workers, power users) reach the internal network from the external network/Internet through an L7 load balancer, the VMware View Security Servers, the VMware View Connection Managers, the Horizon Workspace vApp and the Horizon Workspace (HW) Gateway VM. Supporting services: AD, SSO, CA, RADIUS, file and print, backup, vCenter, vCNS, AV, vCOPs and Trend Micro Mobile Security. Design themes: mobility, security, user experience.]
Before we dive in, some top level items to consider…
• TCP/IP schema, VLANs, routing and name resolution considerations
• Active Directory topology and requirements
• Network security requirements and policies
• Application workload requirements, user roles and behavior
• LAN/WAN topology and design for real time protocols
• Compliance requirements
Load Balancing and namespace services
[Diagram: end user devices on the external network/Internet reach an L7 load balancer in front of the VMware View Security Servers (DMZ) and, on the internal network, the VMware View Connection Managers.]
• Ensure dedicated LB networks (internal, external, HA, DMZ) are planned for and exist in advance of deployment
• Plan for redundant configurations, N+1 and vSphere HA/DRS affinity rules
Active Directory considerations
• Evaluate any existing AD infrastructure
• New child domain? Security requirements
• Enough DC resources in the necessary sites?
• Enterprise CA will need to be configured from the forest root domain (FRD) down if you are deploying a Windows based PKI
• Sites and subnets configured appropriately to localize domain operations to the closest DCs
• Configuration steps are provided in the solution design document
RADIUS Integration
• More choices for RADIUS integration
• Plan for extra connection servers to provide redundant support for users authenticating with RADIUS
• Validated solution uses Microsoft RADIUS in the design.
Persona Management
• Considerations for virtual machines hosting profile volumes
• Tuning the profile upload interval for scale
• When possible use Persona instead of Windows Roaming profiles to avoid conflict
• Folder redirection balanced with roaming data
• Application specific requirements such as ThinApp sandbox roaming
• AV strategy using Persona: in band scanning as part of vShield Endpoint or out of band on the persona management fileservers
vSphere and View considerations
• Where possible leverage vDS in management and View VDI infrastructure
• Auto-Deploy and host profiles for rollout and ongoing compliance, conformity at scale
• vCNS Edge for network services such as DHCP, load balancing
• vMA for host management and administration, vSphere web client
vCNS – App Firewall and Edge
[Diagram: VMware vSphere hosting the logical groupings Knowledge Workers, Power Users and LOB Apps, protected by vCNS App and Edge.]
• vCNS App and Edge services to provide security for our logical groupings of VMs
• Define in advance the access rules that will be required to secure your resources effectively
• Remember to define rules for View agent/client/server communication and display protocols!
• Get familiar with the troubleshooting techniques required for vShield, you *WILL* need to debug at some stage!
• Start with an open policy then lock it down as you go
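Added example, not from the deck or from VMware's vCNS tooling: a coverage check for a vCNS App style rule set that models the View client/server/agent flows the slide asks you to define, so a lock-down pass can be verified before the open starting policy is retired. Group names follow the deck's logical groupings; the port numbers are assumed from VMware View documentation and must be verified against your release.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (source group, destination group, proto, port)

@dataclass(frozen=True)
class Rule:
    src: str               # logical grouping, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port
    action: str = "allow"

# View flows the slide asks you to cover: client/server/agent traffic and the
# display protocol. Port numbers are ASSUMED from View documentation; verify them.
REQUIRED_FLOWS: List[Flow] = [
    ("Clients", "SecurityServers", "tcp", 443),             # HTTPS
    ("Clients", "SecurityServers", "tcp", 4172),            # PCoIP
    ("Clients", "SecurityServers", "udp", 4172),            # PCoIP
    ("SecurityServers", "ConnectionServers", "tcp", 8009),  # AJP13
    ("SecurityServers", "ConnectionServers", "tcp", 4001),  # JMS
    ("SecurityServers", "KnowledgeWorkers", "tcp", 4172),   # PCoIP to desktop
    ("SecurityServers", "KnowledgeWorkers", "udp", 4172),   # PCoIP to desktop
    ("KnowledgeWorkers", "ConnectionServers", "tcp", 4001), # agent JMS
]

def matches(rule: Rule, flow: Flow) -> bool:
    src, dst, proto, port = flow
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in (proto, "any") and rule.port in (port, None))

def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First match wins; None models the implicit default deny."""
    return next((r for r in rules if matches(r, flow)), None)

def blocked_flows(rules: List[Rule], flows: List[Flow] = REQUIRED_FLOWS) -> List[Flow]:
    """Required flows this rule set would break (no match, or first match denies)."""
    return [f for f in flows
            if (m := first_match(rules, f)) is None or m.action != "allow"]

def broad_allows(rules: List[Rule]) -> List[Rule]:
    """Allow rules with an 'any' source, destination, protocol or port: the open policy still to lock down."""
    return [r for r in rules if r.action == "allow"
            and ("any" in (r.src, r.dst, r.proto) or r.port is None)]

# Constructed samples: the initial open policy, and a lock-down pass that forgot PCoIP over UDP to the desktops.
OPEN_POLICY = [Rule("any", "any", "any", None)]
LOCKED_DOWN = [Rule(s, d, p, port) for (s, d, p, port) in REQUIRED_FLOWS
               if not (d == "KnowledgeWorkers" and p == "udp")]
```

Run `blocked_flows(LOCKED_DOWN)` after each tightening step; an empty result together with an empty `broad_allows` means the open policy has been fully replaced.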
vSphere Feature – vShield Endpoint
[Diagram: ESX host running the Trend Micro Deep Security anti-virus partner solution, which scans the workload VMs' VMDKs through the vShield Endpoint security API (EPSec).]
• Understand the impact on density, plan for dedicated resources required by the security VM per host
• Fully evaluate performance characteristics
• Look out for gotchas in on-access scanning and scheduled scanning defaults
• Ensure all hosts successfully install vShield Endpoint as part of the deployment process prior to deploying infrastructure or VDI services. If possible integrate the vendor specific VIBs into your ESXi installation image.
Deep Security Virtual Appliance
Virtualization Security with Deep Security: Agentless Security Platform for Private Cloud Environments
• Intrusion prevention
• Firewall
• Anti-malware
• Web reputation
• Integrity monitoring
[Diagram: "The Old Way", an agent in every VM, versus "With Deep Security", one Security Virtual Appliance per host protecting all VMs: easier manageability, higher density, fewer resources, stronger security, more VMs.]
10/17/2013 Confidential | Copyright 2012 Trend Micro Inc.
Horizon Workspace vApp
[Diagram: the Workspace vApp is made up of five SLES based virtual appliances: Configurator VA (tcserver), Service VA (app, API, DB, tcserver), Data VA (app, API, DB, LDAP, Jetty), Connector VA (app, tcserver) and Gateway VA (Nginx).]
Modules
Configurator VA
• Central Wizard UI
• Distributes settings across VAs
• Network, Gateway, vCenter, SMTP attributes
• Add / remove modules
• Manage certs, security
Connector VA
• User authentication (RSA SecurID)
• AD secure bind and synchronization
• Set replication schedule
• Sync View pools and ThinApp
Gateway VA
• Enables single user-facing domain
• Routes requests to correct node
Service VA
• Workspace Admin UI
• Application Catalog
• Manage user entitlements
• Workspace Groups
• Reporting
Data VA
• Stores files
• Controls file sharing policy for internal and external users
• Manage file preview server
• Serves end user web UI
Horizon Workspace Deploy Considerations
• Ensure DNS name resolution is prepared in advance
• Split brain considerations for Gateway FQDN
• Prepare signed certificates in advance; the entire SSL chain must be exported
• Create an Active Directory BIND DN account
• Ensure Active Directory group structure is in place to support Workspace services (applications, data)
• Prepare ThinApp repositories
• Configure SAML settings for View; the default SAML timeout is 15 minutes
• Decide on a preview strategy (LibreOffice or Microsoft Preview Server)
• User Principal Name (UPN) set as a required attribute for View
• Horizon Data storage sizing
Horizon Workspace – Gateway-va Diagram
[Diagram: L7 load balancer in front of the gateway-va.]
Load balancing strategy and technical preparation complete
Virtualization on Android (Mobile Virtualization Platform)
[Diagram: a personal side and a corporate side on one device; the Corporate Workspace holds the Enterprise Catalog, Mail/Calendar App, Custom Apps and 3rd Party Apps.]
• Own your full version of Android OS
• Consistent native mobile experience
• Deploy applications without modifying them
• Solve Android fragmentation
• Strict corporate assets isolation
• Corporate data encryption
• VPN policy for corporate traffic
• Prevent data leakage
• Exchange email, calendar, secure browser, file browser and contacts
• Your Line Of Business application
• Provide productivity features
How do Employees Obtain VMware Horizon Workspace/Mobile?
[Diagram: the employee's device running VMware Switch.]
Sony supports VMware Ready devices as a standard feature.
Coming soon: Xperia Z1 and Xperia Ultra Z will be VMware Ready for world wide coverage.
Today’s Attacks: Social, Sophisticated, Stealthy!
[Diagram of the attack lifecycle, from attacker to employees:]
• Gathers intelligence about organization and individuals
• Targets individuals using social engineering
• Establishes Command & Control server
• Moves laterally across network seeking valuable data
• Extracts data of interest – can go undetected for months! ($$$$)
MOBILE MALWARE: Yes… It’s real.
It’s not just “malware”, but privacy leaks: well known apps leak data.
Device Management & Control
[Diagram: Trend Micro Mobile Security between employees and email, SharePoint, corporate data and web traffic, with an optional Cloud Communication Server.]
• Easy onboarding: email, URL, QR code
• Apple (iOS), Android, Blackberry, Windows Phone 7 and 8
• Optional Cloud Communication Server
• Device Discovery
• Device Provisioning
• Remote Control
• Reporting
• Inventory Management
Threat Protection
[Diagram: Trend Micro Mobile Security between employees and email, SharePoint, corporate data and web traffic.]
• Android AV and Website Reputation
• Leveraging Smart Protection Network
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam
Complete End User Protection
[Diagram: employees, IT admin and security surrounded by the channels to protect (email & messaging, web access, device hopping, collaboration, cloud sync & sharing, social networking, file/folder & removable media) and the controls applied (anti-malware, encryption, application control, device management, data loss prevention, content filtering).]
Trend Micro Mobile Security (Stand Alone/Integrated)
Device Management
• Device Discovery
• Device Enrollment
• Device Provisioning
• Asset Tracking
• S/W Management
• Remote Control
• Reporting
• Summary Views
• Summary Reports
Mobile Device Security
• Anti-Malware
• Firewall
• Web Threat Protection
• Call Filtering
• SMS/WAP Anti-Spam
• Jail break detection
• App Reputation
Data Protection
• Encryption Enforcement
• Remote Wipe
• Selective Wipe
• Remote Lock
• Feature Lock
• Password Policy
Application Management
• App Black Listing
• App White Listing
• App Push (required or optional)
• App Inventory
Horizon Virtual Workspace
[Diagram: VMware Horizon View & Mirage provide Windows management and delivery (server hosted and local; apps and desktops); VMware Horizon Workspace provides the secure mobile workspace across all devices (apps, data, collaboration); together they form the Virtual Workspace: secure access to all my stuff, anywhere, anytime.]
Next Steps
For more information on Mobile Secure Desktop design, please visit:
Mobile Secure Desktop Validated Design Guide
http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf
Mobile Secure Desktop Solution Guide
http://www.vmware.com/files/pdf/view/Mobile-Secure-Desktop-Solution-Brief.pdf
View Design Resources
http://www.vmware.com/products/desktop_virtualization/view/technical-resources.html#Design
Horizon Workspace Reviewer’s Guide
http://www.vmware.com/files/pdf/techpaper/vmware-horizon-workspace-reviewers-guide.pdf
Integrating Horizon Workspace and Horizon View
http://www.vmware.com/files/pdf/techpaper/vmware-horizon-view-integration-horizon-workspace.pdf
Configuring Horizon Switch
http://blogs.vmware.com/horizontech/2013/08/configuring-vmware-switch-for-android-with-vmware-horizon-workspace-1-5.html
THANK YOU