Virtual Environment User-Based Access Controls

Up until recently, network access has largely been controlled by policies defined in terms of IP addresses, subnets, ports and sometimes content, but we've all wanted to track and control user activity, to no avail!

Traditional firewalls haven't been able to home in on a specific user or group of users because, by nature, they control IPs. With DHCP so widely deployed these days as the means of handing out IPs to users, how can one lock down a user based on IP?

NAC solutions have popped up everywhere to try to lock down user access, and many of them have made their way into switches, or so-called next-generation replacement switches.

But what about these new things called virtual switches? Can they control user activity too? What if you've invested in LAN-based NAC solutions from Cisco, ConSentry, Nevis and others, but are now thinking about moving to VDI (Virtual Desktop Infrastructure)? Does that NAC solution do you any good? Hmmm... sounds like more hardware to throw out!

Many have said that Citrix's move to acquire XenSource was meant to help it own the virtual desktop space and differentiate itself from VMware, which currently owns the virtual server space. But if companies rush to virtualize their desktops the way many have done with servers, they will be in for a bigger security challenge than they faced with virtual servers.

Why do I say this? Well, servers are not as interactive as desktops. Servers serve: they distribute information, whereas desktops request information. Desktops download bad things into the environment; servers get compromised when there is some vulnerability. Desktops are also user controlled, whereas servers are administratively controlled. Why does that matter?

Imagine moving 100 desktops into the virtual environment: your users are now downloading viruses, spyware, etc. into an environment that has none of the LAN-based security controls you rely on today, because traffic between virtual desktops on the same host never touches the physical switch where those controls live.

Can't I just put Trend Micro Anti-Virus on each virtual desktop? Yes, you can. But keep in mind that virtualization means SHARED resources. You would now have 100 anti-virus products running on shared CPUs. Just think what happens if 100 scheduled scans kick off at the same time and start scanning 100 virtual hard drives on the same host. Hmm... it seems like that would eat up some CPU cycles?

So... one step is to have identity-based access controls that restrict what resources a user can access, when they can access them, and how they access them, regardless of which IP the user's desktop happens to hold at the moment.

Virtual NAC??? No, I'm talking about something beyond just access controls. I'm talking about strict policy control embedded in the virtual switch itself, so that what a user is allowed to do is enforced where the virtual desktop's traffic actually flows.

Has anyone seen a solution to this concern?


*** This is a Security Bloggers Network syndicated blog from Security In The Virtual World authored by JOHN PETERSON. Read the original post at: