VMware NSX Micro-Segmentation for VMware Horizon 7

Organizations that embark on the journey of building virtual desktop environments bring traditionally external endpoints into the data center. These Windows or Linux endpoints are now closer to and often reside on the same networking infrastructure as the backend application servers that these may access by multiple end users. Malicious attacks that would traditionally take place outside the data center, should an end user find their desktop or laptop machine infected, could now take place on virtual desktops inside the data center.

VDI_security_data_center_networking

With physical equipment, it’s easy to isolate the physical desktop or laptop and remediate the attack. Securing virtual desktop environments requires a different approach, but not one that’s unattainable.

Securing end-user computing (EUC) deployments is one of the primary security use cases for VMware NSX, helping provide a layered approach to secure virtual desktop workloads in the data center. Securing virtual desktop infrastructure (VDI) and Remote Desktop Session Host (RDSH) systems, along with the Horizon management infrastructure components, provides the most in-depth micro-segmentation policy for Horizon deployments.

The NSX platform covers several business cases for securing an EUC deployment. Each of these use cases helps provide a multi-layered approach to ensure end-user endpoints are as secure as possible in the data center.

This diagram illustrates three EUC use cases for NSX security: Protecting VDI, protecting desktop pools and user-based access control.

This diagram illustrates three more EUC use cases with NSX security: Micro-segmentation, edge services and network virtualization.

As VMware revises the Horizon 7 reference architecture whitepaper, as well as the NSX for EUC design guide, NSX reference architecture decisions for the Horizon 7 architecture will be addressed to provide guidance for customers building EUC environments. Over the next several months, the Horizon 7 reference architecture document will include more NSX features, including load balancing, RDSH, guest introspection and identity firewall. There are several enhancements currently, and even more coming, that will be simplifying NSX deployments with Horizon.

The latest revision of the Horizon 7 reference architecture provides guidance around how to secure the east-west traffic within the Horizon deployment. This guidance is all-encompassing for an entire Horizon 7 deployment.

NSX_Horizon_logical_components

This diagram illustrates the NSX and Horizon logical components.

Securing east-west traffic between desktop systems is an easy security model to put in place using NSX. However, the VDI desktops or the RDSH systems are not the only systems that comprise a Horizon deployment.

There are several Horizon management components that provide the facilities to create and spin up those VDI and RDSH systems. Each of these components communicates over specific ports and protocols (outlined in the Horizon 7 network ports document). Using the same methodologies for securing VDI and RDSH systems, NSX can provide the same level of micro-segmentation around the Horizon management components.

As part of the process to integrate NSX into the Horizon reference architecture, each of the communication ports and protocols were laid out into two separate PowerShell scripts using PowerNSX, to allow customers the ability to insert all the necessary NSX distributed firewall rules, security groups and services into the NSX Manager.

NSX_Manager_VDI_RDS_Host

This table shows example output from the script and how the rules and the associated NSX Security Groups and Services would look in the NSX Manager.

NSX_manager_VDI_RDS_Host_Services

The services listed in this table are the breakdowns of each port and protocol specific to the service referenced in the previous table.

Note: The script referenced in this post can be downloaded here. The script is not maintained or supported by VMware at this time. It is meant more as a guide and quick start to micro-segmenting a Horizon deployment. Please treat this as such when testing. For full details of the script referenced, head over to the NSX for EUC design guide.

Many Thanks to my colleague, the original author of this article, Geoff Wilmington, which can be found here.

Author: John Wilkinson

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

WP Facebook Auto Publish Powered By : XYZScripts.com