ASA Tech Tip: Deploy SSLVPN and VMware View Securely

Best practices to secure VMware View on untrusted PCs using Cisco AnyConnect SSLVPN

My previous article compared the security features of the Citrix XenDesktop and VMware View VDI solutions. This time around I will cover how to securely deploy VMware View with Cisco SSLVPN when you don't control, or can't trust, the host that View will be running on. As the bring-your-own-PC-to-work craze heats up and VDI catches on as the preferred access method for B2B partners, vendors and contractors, knowing how to securely deploy VDI becomes very important. I'll lay out some ways you can secure your View environment when it is used with a Cisco ASA SSLVPN solution.

1 – Authenticate the user to the network using a clientless, browser-based SSLVPN portal. Use two-factor authentication when possible. The example here uses AD plus certificates as the second factor.

2 – Lock down the Cisco clientless portal and turn on browser cache cleaning. Cache cleaning deletes cookies, files, etc. from the browser when the SSLVPN session disconnects.

3 – Auto-install and run the Cisco AnyConnect SSLVPN client as soon as authentication passes. This will set up a full-tunnel VPN from the host. You set auto-install in the AnyConnect and portal group policies.

You configure the full-tunneling VPN policy in the group policy as well.

4 – AnyConnect will posture-assess the host to make sure it is patched, running security controls, meets the hardware requirements and is generally a malware-free host. You can also check whether this is a corporate-owned or controlled host using certificate checks or registry checks. First, configure the posture module in the group policy.

Next, set and enable the hostscan image.

Then enable advanced endpoint assessment in CSD hostscan.

Finally, configure DAP policies to check the host posture and AAA settings.

5 – During the posture assessment you want to check to make sure there is an anti-virus client installed, running, and up to date. We will also rely on the A/V client to detect any keyboard loggers present on the system. If the A/V client is not up to date, AnyConnect can automatically update it.

6 – Perform any automatic or manual remediation required by the posture assessment scan results, or just auto-disconnect the client if the host has major security issues.

7 – Set policies in VMware View to ensure the following are locked down:
a. The clipboard is locked down so cut/copy/paste is disabled between the VDI desktop and the host.
b. All host drive read/write access between the host and the VDI desktop is disabled (USB, mapped drives, local hard drive access, etc.).

8 – Auto-install (if not already installed) and run the View client on the host. This can be accomplished by having AnyConnect run a script on connection. The VBS or BAT script (or any script that the OS can run) will check for the View client and, if it is not there, download and install it. If the View client is there, the script will launch it.

9 – Lock down the applications that are allowed to run while the View and AnyConnect sessions are active. You can do this either with a white list of approved applications or with a black list of applications that are prevented from running. To implement this feature you make registry changes to the host using the same script as above, and you remove your changes again using an OnDisconnect script. Here is a sample VBS script that you can modify to fit your liking. Just load this on the ASA.

If WScript.Arguments.Length = 0 Then
  ' Relaunch this script elevated (UAC prompt). The bogus " uac" argument with a
  ' leading blank tells the second instance to skip this branch and do the real work.
  ' Note: the HKCU policy writes below do not actually need elevation; if a different
  ' admin account answers the UAC prompt, HKEY_CURRENT_USER will be that account's hive.
  Set objShell = CreateObject("Shell.Application")
  objShell.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34) & " uac", "", "runas", 1
Else
  Dim WshShell
  Set WshShell = WScript.CreateObject("WScript.Shell")

  ' Turn on the Explorer DisallowRun policy (black list) for the current user.
  ' RegWrite creates the intermediate keys, so no separate key-creation line is needed;
  ' each blocked executable is a numbered REG_SZ value under the DisallowRun subkey.
  WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun", 1, "REG_DWORD"
  WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1", "calc.exe", "REG_SZ"

  ' Open IE and direct it to the VMware View client download page
  WshShell.Run "iexplore.exe -new http://downloads.vmware.com/d/info/desktop_downloads/vmware_view/4_6"

  ' Start an application on the host. Uncomment the View client line to launch it
  ' instead of Notepad (the path contains spaces, so it has to be quoted).
  'WshShell.Run """c:\Program Files\VMware\VMware View\Client\bin\wswc.exe"""
  WshShell.Run "%windir%\system32\notepad.exe"

  Set WshShell = Nothing
End If
----Here is the OnDisconnect sample VBS script for ya------

If WScript.Arguments.Length = 0 Then
  ' Relaunch this script elevated, the same trick as in the OnConnect script
  Set objShell = CreateObject("Shell.Application")
  objShell.ShellExecute "wscript.exe", Chr(34) & WScript.ScriptFullName & Chr(34) & " uac", "", "runas", 1
Else
  Dim WshShell
  Set WshShell = WScript.CreateObject("WScript.Shell")

  ' Undo the DisallowRun policy: clear the flag, then delete the subkey that lists
  ' the blocked programs (the trailing backslash tells RegDelete to remove the key,
  ' not a value named DisallowRun).
  WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun", 0, "REG_DWORD"
  WshShell.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"

  Set WshShell = Nothing
End If
10 – Back at the head-end ASA device terminating the SSLVPN tunnels you will want to assign as granular a firewall policy as possible. Ideally you would only allow tunneled hosts to talk to your VMware View servers on the required ports and nothing more.

11 – The ASA device would run both Botnet filtering and full IPS. Since these clients will be full-tunneling, the Botnet filtering and IPS will pick up any malware from the connected hosts that gets by the host security controls. First, enable Botnet filtering as shown in the image below. Then enable DNS snooping and set up traffic settings to scan on all or certain interfaces for bots. Finally, configure block actions based on threat level.
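To make steps 3, 10 and 11 concrete, here is an added ASA CLI fragment. It is not from the article and not a Cisco-published sample; it assumes ASA 8.4 command syntax, a View connection server at 10.10.20.5, an internal DNS server at 10.10.20.10, a client address pool of 10.10.99.0/24, and the names VDI_POOL, VDI_ONLY, VDI_GP and VDI_TG, all of which are placeholders. The ports are the ones a tunneled View 4.6 client needs for HTTPS (443) and PCoIP (4172 TCP and UDP); check them against your own View version, and add 3389 only if you allow RDP.

```text
! ---- Step 3: full-tunnel AnyConnect group policy, auto-installed from the portal ----
ip local pool VDI_POOL 10.10.99.10-10.10.99.250 mask 255.255.255.0

! ---- Step 10: per-tunnel firewall policy (vpn-filter) ----
! vpn-filter ACEs are written with the VPN client as the source; the ASA applies the
! mirror image to return traffic, so one ACL covers both directions. DNS must be allowed
! because tunnelall sends the client's DNS inside the tunnel (and that is the traffic
! the Botnet filter's DNS snooping looks at).
access-list VDI_ONLY extended permit tcp 10.10.99.0 255.255.255.0 host 10.10.20.5 eq 443
access-list VDI_ONLY extended permit tcp 10.10.99.0 255.255.255.0 host 10.10.20.5 eq 4172
access-list VDI_ONLY extended permit udp 10.10.99.0 255.255.255.0 host 10.10.20.5 eq 4172
access-list VDI_ONLY extended permit udp 10.10.99.0 255.255.255.0 host 10.10.20.10 eq 53
access-list VDI_ONLY extended deny ip any any log

group-policy VDI_GP internal
group-policy VDI_GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 dns-server value 10.10.20.10
 vpn-filter value VDI_ONLY
 webvpn
  anyconnect ask none default anyconnect
  anyconnect keep-installer installed

tunnel-group VDI_TG type remote-access
tunnel-group VDI_TG general-attributes
 address-pool VDI_POOL
 default-group-policy VDI_GP
tunnel-group VDI_TG webvpn-attributes
 group-alias VDI enable

! ---- Step 11: Botnet Traffic Filter ----
dynamic-filter updater-client enable
dynamic-filter use-database
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
```

Two things to verify after pasting this: `show vpn-sessiondb detail anyconnect` should list the VDI_ONLY filter against each VDI session, and the Botnet updater needs the ASA itself to have DNS lookup configured, or the dynamic database never downloads. The explicit `deny ip any any log` at the end of the ACL is there so that anything a tunneled host tries beyond the View server shows up in syslog, which is a cheap detection signal for a compromised endpoint.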

12 – Don't forget about the security of the View desktops themselves. They should be running A/V, PFW, A/S, etc., just like a normal host would. You also need to treat their network access and security the same as a normal host's. That means running their packets through an IPS, FW, web filtering, etc. Because the compromise of a vSphere server would be so devastating (all View desktops are now compromised), be sure to maximize protection of the underlying VMware vSphere server itself.

Lots of things to consider for sure. Hopefully I've made it a bit easier for you. If you think I missed anything please comment. Of course, there is more than one way to do this, so feel free to pick what you want to use.

Here is a link to the ASA admin guide: http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html (see also www.cisco.com/go/asa)

Here is a link to the VMware View docs: http://www.vmware.com/support/pubs/view_pubs.html

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: go to Jamey's Blog for more articles on security.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.
