VMware NSX Micro-Segmentation for VMware Horizon 7
Organizations that embark on the journey of building virtual desktop environments bring traditionally external endpoints into the data center. These Windows or Linux endpoints are now closer to, and often reside on the same network infrastructure as, the backend application servers that many end users access through them. Malicious activity that would traditionally take place outside the data center, when an end user's desktop or laptop becomes infected, can now take place on virtual desktops inside the data center.
With physical equipment, it’s easy to isolate the physical desktop or laptop and remediate the attack. Securing virtual desktop environments requires a different approach, but not one that’s unattainable.
Securing end-user computing (EUC) deployments is one of the primary security use cases for VMware NSX, helping provide a layered approach to secure virtual desktop workloads in the data center. Securing virtual desktop infrastructure (VDI) and Remote Desktop Session Host (RDSH) systems, along with the Horizon management infrastructure components, provides the most in-depth micro-segmentation policy for Horizon deployments.
The NSX platform covers several business cases for securing an EUC deployment. Each of these use cases helps provide a multi-layered approach to ensure end-user endpoints are as secure as possible in the data center.
As VMware revises the Horizon 7 reference architecture whitepaper and the NSX for EUC design guide, NSX reference architecture decisions for the Horizon 7 architecture will be addressed to provide guidance for customers building EUC environments. Over the next several months, the Horizon 7 reference architecture document will include more NSX features, including load balancing, RDSH, guest introspection and identity firewall. Several enhancements, available now and with more coming, will simplify NSX deployments with Horizon.
The latest revision of the Horizon 7 reference architecture provides guidance around how to secure the east-west traffic within the Horizon deployment. This guidance is all-encompassing for an entire Horizon 7 deployment.
Securing east-west traffic between desktop systems is an easy security model to put in place using NSX. However, the VDI desktops or the RDSH systems are not the only systems that comprise a Horizon deployment.
There are several Horizon management components that provide the facilities to create and spin up those VDI and RDSH systems. Each of these components communicates over specific ports and protocols (outlined in the Horizon 7 network ports document). Using the same methodologies for securing VDI and RDSH systems, NSX can provide the same level of micro-segmentation around the Horizon management components.
As part of the process to integrate NSX into the Horizon reference architecture, each of the communication ports and protocols was laid out in two separate PowerShell scripts using PowerNSX, so that customers can insert all the necessary NSX distributed firewall rules, security groups and services into the NSX Manager.
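The pattern those scripts follow, as an added illustration that is not the referenced script or VMware's own code: services for each documented port, one security group per Horizon role, and a dedicated distributed firewall section that allows only the documented flows. The PowerNSX cmdlets are real; the vCenter name, group names and port values are assumptions, and the ports in particular should be taken from the Horizon 7 network ports document rather than from this example.

```powershell
# Added example, not the script referenced in this post. Assumes NSX-v with the
# PowerNSX module installed; names and port numbers are placeholders.
Import-Module PowerNSX

# Connect through vCenter; PowerNSX locates the registered NSX Manager.
Connect-NsxServer -vCenterServer 'vcenter.example.local' -Credential (Get-Credential)

# 1. Services: one NSX service object per port/protocol a component uses.
#    Port values below are assumed; replace them from the Horizon ports document.
$svcHttps = New-NsxService -Name 'Horizon-HTTPS' -Protocol TCP -Port '443'
$svcJms   = New-NsxService -Name 'Horizon-JMS'   -Protocol TCP -Port '4001,4002'

# 2. Security groups: one per Horizon role. Membership (VMs, security tags or
#    dynamic criteria) is attached separately; rules reference roles, not IPs.
$sgConn    = New-NsxSecurityGroup -Name 'SG-Horizon-ConnectionServers' -Description 'Connection Servers'
$sgDesktop = New-NsxSecurityGroup -Name 'SG-Horizon-Desktops' -Description 'VDI and RDSH agents'
$sgClients = New-NsxSecurityGroup -Name 'SG-Horizon-Clients' -Description 'Client networks (IP sets)'

# 3. A dedicated DFW section keeps the Horizon ruleset separate from other policy.
$section = New-NsxFirewallSection -Name 'Horizon 7 Management'

# Allow only the documented flows. -AppliedTo scopes enforcement to the vNICs
# of the groups involved; -EnableLogging records hits for the SOC.
$section | New-NsxFirewallRule -Name 'Clients to Connection Servers (HTTPS)' `
    -Source $sgClients -Destination $sgConn -Service $svcHttps `
    -Action allow -AppliedTo $sgConn -EnableLogging

$section | New-NsxFirewallRule -Name 'Desktops to Connection Servers (JMS)' `
    -Source $sgDesktop -Destination $sgConn -Service $svcJms `
    -Action allow -AppliedTo $sgDesktop, $sgConn -EnableLogging

# Horizon does not need desktop-to-desktop traffic: block it and log attempts,
# which is the east-west isolation the reference architecture describes.
$section | New-NsxFirewallRule -Name 'Block desktop east-west' `
    -Source $sgDesktop -Destination $sgDesktop `
    -Action deny -AppliedTo $sgDesktop -EnableLogging
```

Run the allow rules with logging enabled for a period before adding the block rule, and use the logged hits to catch any undocumented flow before it is denied.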
Note: The script referenced in this post can be downloaded here. The script is not maintained or supported by VMware at this time. It is meant more as a guide and quick start to micro-segmenting a Horizon deployment. Please treat this as such when testing. For full details of the script referenced, head over to the NSX for EUC design guide.
Many thanks to my colleague Geoff Wilmington, the original author of this article, which can be found here.