VDI: How I Learned to Stop Over-Analyzing and Love the Virtual Desktop

My VDI History

VDI, or Virtual Desktop Infrastructure, has been around for quite some time, and those who know me know I have not really been much of a fan of it for the last 13 years.  Here is a little history of why:


Virtual Servers Work, Why Not Desktops?

Starting around 2004 I went on a bit of a crusade to get virtual desktops to work.  We had just begun using server virtualization in earnest and the cost savings and efficiency results were simply amazing.  Because of these amazing results it was natural to wonder if virtualizing the desktop would yield the same results. At that time, we were using Microsoft’s Terminal Server in a few places but it wasn’t quite good enough.  Customers wanted a “real” desktop, and on the surface it looked like using Virtual Machines (VM) would be an easy task—a no-brainer.

Virtualizing the desktop OS was trivial, and so was accessing it over the local LAN.  But the organization I worked for had over 900 offices worldwide and “real world” tests were necessary.  I began by buying various “terminals” to access the virtual desktops, and to test them in various locations.  Some were OK, others weren’t that great.  But what I learned was that no matter what we did, we just couldn’t provide the right user experience for the right price.

The truth was that while VDI did centralize resources (hardware, software, and human), it was a trade-off: terminals cost about as much as a real workstation; additional (“bigger”) servers would have to be added to the data center; WAN speeds would need to be increased; reductions in edge support personnel would be offset by hiring higher salary data center personnel to manage the new infrastructure; and all of this was irrelevant in the event that a WAN link was latent or went down—effectively making those at the distant end unable to do anything at all.

Close shop.  Go home for the day.  Nothing to do here.

At the end of the day, and after revisiting VDI a couple of times over the next ten years, I pretty much gave up.  The math never worked out and the customer was rarely ever completely satisfied.  I did occasionally deploy small VDI implementations, but only for specific use cases, and while some VDI technology advancements had overcome a good number of the prior issues, it was still expensive and the benefits usually didn’t outweigh the costs.


Enter Hackers, Phishers, OpenStack, and Network Micro-Segmentation

Today things are different: lower cost “cloud” hardware and open source virtualization management frameworks such as OpenStack have dramatically reduced the financial impact of VDI within the data center; there are options within the VDI space regarding clients, protocols, and broker tools; and disk space is much less expensive than nearly 1.5 decades ago.  But the most compelling reason for VDI today, and the thing that changed my mind, is security.

Today, hacking is becoming the “new normal”.  New data center breaches are occurring nearly every week—secrets are being lost and private information is being stolen.  VDI can’t stop or prevent all hacking, but it can help.  Here are a few examples:

  1. Physical control of data is paramount to security. If a mobile or remote worker is carrying sensitive data, or data access, around on a portable device it is susceptible to loss, theft, or intrusion when using open public Wi-Fi access points. Using a remote virtual desktop helps mitigate this by keeping the “desktop” within the confines of the data center, and under the control of the data center admins and security experts.

  2. Virtual desktop images or snapshots can be easily and quickly restored in the event that the virtual desktop becomes infected due to some form of hack, malware, phishing, or social engineering exploit. This helps recover from things like ransomware, which is an increasing problem. (FBI Probing Virus Behind Outage at MedStar Health Facilities)

  3. Software Defined Networking (SDN) based virtual firewalling can be employed on all virtual desktop interfaces. These virtual firewalls live outside the user space and cannot be disabled from within the virtual desktop itself. They can also be used to isolate desktops from one another (within or outside of the same subnet) and from resources throughout the data center, making it harder for a hacker to use the exploited virtual desktop as a jump box for further attacks.

  4. SDN enables encryption of traffic within the data center as well, which prevents hackers from using the exploited desktop to sniff the network(s) to capture credentials, data, or to map/profile the data center and plan their next attack.

  5. SDN also enables the use of network micro-segmentation. This means that each virtual desktop, or group of virtual desktops, can be isolated within their own virtual network(s), further increasing security, especially when combined with the aforementioned virtual firewalls.

  6. All of this can be done quickly, and easily, within a simple interface or via script(s). Admins can rapidly deploy and modify entire network architectures and their security, on-the-fly, to adapt to a threat. Also, an entire data center worth of IT security and forensics tools can be moved around, or deployed, in a matter of minutes to address a threat, no matter where it appears within the virtual space, and mitigate it.
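The virtual-firewalling and micro-segmentation policy from items 3 and 5, as an added example (not code from the original post): it expresses the policy as Neutron security-group rule bodies of the kind item 6's scripting would push through the OpenStack API, and audits an existing desktop group's rules against it. The broker and server subnets, the display port, and the approved service ports are assumptions.

```python
# Added example, not from the original post: the VDI micro-segmentation policy
# as Neutron security-group rules, plus an audit of an existing group's rules.
# Rule dictionaries use the field names of the Neutron security-group-rule API;
# the networks and ports below are constructed for illustration.

BROKER_NET = "10.10.0.0/24"          # assumed connection-broker subnet
SERVER_NET = "10.20.0.0/24"          # assumed AD/DNS/file-server subnet
DESKTOP_PORT = 3389                  # assumed display protocol port (RDP)
APPROVED_EGRESS = {("tcp", 445), ("tcp", 389), ("tcp", 53), ("udp", 53)}


def rule(direction, protocol=None, port=None, remote_ip_prefix=None):
    """Build one Neutron security-group-rule body (IPv4 only)."""
    return {"direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": port, "port_range_max": port,
            "remote_ip_prefix": remote_ip_prefix, "remote_group_id": None}


def vdi_policy_rules():
    """Intended rule set: ingress only from the broker on the display port,
    egress only to approved server ports. No rule uses remote_group_id, so
    desktops in the same group cannot reach each other, even on one subnet.
    Neutron's default allow-all egress rules must still be deleted from the
    group, otherwise audit() flags them."""
    rules = [rule("ingress", "tcp", DESKTOP_PORT, BROKER_NET)]
    rules += [rule("egress", proto, port, SERVER_NET)
              for proto, port in sorted(APPROVED_EGRESS)]
    return rules


def audit(rules):
    """Return findings for rules that violate the policy; [] means compliant."""
    findings = []
    for r in rules:
        if r.get("ethertype") != "IPv4":
            continue                     # IPv6 is out of scope for this example
        src = r.get("remote_ip_prefix") or "anywhere"
        key = (r.get("protocol"), r.get("port_range_min"))
        if r.get("remote_group_id"):
            findings.append("desktop-to-desktop traffic allowed via remote_group_id")
        elif r["direction"] == "ingress":
            if src != BROKER_NET or key != ("tcp", DESKTOP_PORT):
                findings.append(f"ingress {key} from {src} not approved")
        elif src != SERVER_NET or key not in APPROVED_EGRESS:
            findings.append(f"egress {key} to {src} not approved")
    return findings


# Constructed sample: the allow-all egress rule Neutron adds to every new group.
DEFAULT_EGRESS = rule("egress")
```

Running audit() against the rules returned by the Neutron API for each desktop's group turns the policy into a repeatable check rather than a one-time setup.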


Hackers Will Persist

Unfortunately, none of these measures will guarantee that all hacking will be prevented.  However, combining VDI with virtual firewalling and network micro-segmentation can severely impact the hacker’s ability to gain significant purchase within the data center, and curtail their access to critical data.

The end result is that the hacker will have to spend an equal, or greater, amount of time and effort to move from the exploited virtual desktop to the next resource.  While they are attempting to find the next resource to exploit, a couple of different scenarios can evolve:

  1. The hacker gives up because the target is too difficult to penetrate and they move on to an easier target which may garner greater reward, with less effort, in a shorter period of time.

  2. The hacker’s progress is slowed down, or stopped, due to SDN network traffic encryption, network micro-segmentation, and virtual firewalling, giving the data center admins and security experts more time to identify and stop the attack/exploit.

  3. The data center admins and security experts can combine their security tools with OpenStack by way of adding them as VMs within the virtual platform, or by way of using OpenStack’s APIs, to gather information for forensic analysis of the hack, and also to take action when desired, either manually or automatically.


In Closing

As a slight modification to a quote from the film from which this article’s title is derived, the standard data center is ill equipped to defend against,

“the international (Hacker) conspiracy to sap and impurify all of our precious (data)”.

While there are a great many things that can, and should, be done to protect critical data, migrating desktops to VDI on OpenStack with SDN is an excellent and simple first step to dramatically increasing security, while at the same time reducing the costs of running such infrastructure when compared to the alternatives.