APPLYING THE POWER OF VIRTUAL DESKTOPS
Conrado Wang Ke Cheng de Niemeyer, Information Security Officer, Sacred Heart University

Virtual World at Sacred Heart Univ
- VMware VI 3 & vSphere 4
- 65 Virtual Servers
- 255 Virtual Desktops
- Running on 15 physical blade servers
- Virtual Desktop Infrastructure (VDI)
  - Secure Virtual HDD Streaming
  - Thin desktop clients in our labs
  - Virtual test environments
Secure Desktop (VDI) Architecture
Secure Gateway Architecture
HDD Streaming Architecture
Secure Desktop Backend at SHU
Hardware
- HP c7000 Blade Enclosure
- HP BL460c blades
  - 2 x Quad Core 2.3 GHz (Intel E5450)
  - 32 GB RAM
  - 4 x 1 Gb Ethernet (on 2 separate boards)
- NetApp 3040 Filers
  - 1 TB for VM and vDisk images
  - 12 TB for user/department data
  - NFS & iSCSI
  - NetApp FlexClone
- Cisco Catalyst 3750 Switches
  - 1 Gb Ethernet (copper)
  - 4 x 10 Gb uplink
Software
- VMware VI 3
- Quest vWorkspace 7.0
  - SSL Gateway
  - Connection Broker
- Citrix Provisioning Server 5.1
  - PXE boot HDD streaming
- Microsoft Windows XP SP3
  - Yes, it's Windows 7 ready
Secure Desktop Advantages
- Low learning curve for users
- Secured access to sensitive data (business data vs. user data)
- Fast deployment & scalability
  - Patch 1 image, update everyone
  - Stand up new VMs in under 2 mins
- Policy enforcement (local administrator privileges)
- Anywhere, anytime access
- Image management
Currently
- ERP (Datatel Colleague R17, R18)
- Registrar's
- Human Resources
- Business Office
- Admissions (Recruitment Plus)
- Financial Aid (PowerFAIDS, EDConnect)
- Institutional Advancement (Raiser's Edge)
- Health Systems (Titanium)
- Public Safety (ARMS)
- ImageNow Document Imaging w/USB scanners
Secure Desktop Disadvantages
- Ok multimedia support (now w/Flash video)
- ACL/firewall rule maintenance
- Increased complexity
  - SSL Gateway
  - Connection Broker
  - Provisioning Server
  - ESX servers
  - SAN & blade infrastructure
- "Quality of Life" issues
  - Cannot browse the web
  - Cannot persist software changes
  - Cannot connect certain USB devices
  - Coming soon:
    - Cannot access unsafe shares
    - Cannot copy & paste to/from client
    - Cannot connect any USB devices except sanctioned
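The "Quality of Life" restrictions above are enforced on the desktop image rather than on the client, so they have to be audited on every golden image before it is sealed and streamed. The following PowerShell is an added example, not code from the SHU deck or from Quest vWorkspace: it audits, and optionally sets, the Windows Remote Desktop policy values that implement the clipboard and USB restrictions. The function names (Test-SecureDesktopPolicy, Set-SecureDesktopPolicy) are hypothetical; the registry values are the standard Terminal Services policy values (fDisableClip, fDisablePNPRedir) and the UsbStor service start type, which is the Windows XP-era way to keep USB mass storage out of the guest since the Plug and Play redirection policy only exists from Vista onward.

```powershell
# Added example (not from the SHU deck): audit and, optionally, enforce the session
# lockdowns listed under "Quality of Life" issues on a Windows desktop image.
# Assumes the standard Remote Desktop policy values under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; function names are hypothetical.

$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$UsbStorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

# Each entry: registry path, value name, the value that enforces the restriction,
# and the deck's wording for the restriction it implements.
$Expected = @(
    @{ Path = $TsPolicyKey; Name = 'fDisableClip';     Value = 1; Restriction = 'Cannot copy & paste to/from client' },
    @{ Path = $TsPolicyKey; Name = 'fDisablePNPRedir'; Value = 1; Restriction = 'Cannot connect any USB devices except sanctioned (Vista+ policy)' },
    @{ Path = $UsbStorKey;  Name = 'Start';            Value = 4; Restriction = 'Cannot connect certain USB devices (USB mass storage driver disabled)' }
)

function Test-SecureDesktopPolicy {
    # Returns one object per expected setting; Compliant is $true only when the
    # enforcing value is present and exact, so a missing key counts as non-compliant.
    foreach ($e in $Expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        [pscustomobject]@{
            Restriction = $e.Restriction
            Setting     = "$($e.Path)\$($e.Name)"
            Expected    = $e.Value
            Actual      = $actual
            Compliant   = ($actual -eq $e.Value)
        }
    }
}

function Set-SecureDesktopPolicy {
    # Writes the enforcing DWORD for every non-compliant setting. Must run elevated,
    # and should only be run on a golden image, never on a streamed (non-persistent) VM.
    $nonCompliant = Test-SecureDesktopPolicy | Where-Object { -not $_.Compliant }
    foreach ($r in $nonCompliant) {
        $e = $Expected | Where-Object { "$($_.Path)\$($_.Name)" -eq $r.Setting }
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
    }
}

# Usage: audit first; uncomment the second line to enforce on the image being sealed.
Test-SecureDesktopPolicy | Format-Table Restriction, Expected, Actual, Compliant -AutoSize
# Set-SecureDesktopPolicy
```

The audit-then-enforce split matters in a streamed-image setup: Set-SecureDesktopPolicy changes the registry of whatever VM it runs on, and on a Provisioning Server vDisk those changes vanish at reboot unless they were made to the master image. Running the audit on a freshly booted streamed desktop is the cheap check that the sealed image actually carries the policy.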
Getting Buy-in
- Explain that security is important and they should just listen to IT... (HA! Just kidding...)
- Initial deployment for test environments
- No other alternatives with new version of software
- Anywhere, anytime access
- Ability to access legacy environments with new simultaneously
- Make no effort to fix the fact that VPN sucks (at least PPTP does...)
Demo
https://securedesk.sacredheart.edu/