In part one of this article, I described a real-world scenario that involved handling security issues with VMware ACE. Now I'll discuss how to define the security policy and distribute the package.
Defining a security policy
After creating or importing the virtual machine, it's time to define a security policy to limit network access and availability.
The two biggest security concerns are illegal access to or copying of corporate data and preventing users from manipulating the virtual machine's configuration to work around the restrictions. To achieve both objectives, we can configure encryption for the virtual machine image and configuration files and request the creation of a complex password to access it:
Note that, to avoid a management nightmare, we also have to set up an administrative password for recovery purposes, which will generate a recovery key:
Finally, we have to prevent an intruder from copying the virtual machine:
In addition, reserved information can be leaked if an employee copies it onto a USB memory stick, floppy disk or CD-ROM.
One approach could be to create the virtual machine without these devices, but that approach isn't practical for administrative tasks and other obligations. A preferable approach is to configure ACE to block access to existing virtual devices without removing them:
Networking, the last and most critical medium, has to be restricted to prevent both data leakage and security compromise. As I said, an insecure network could ruin the safety of local environments, preventing business applications from working correctly. In addition, an insecure network could allow exploits to propagate in the corporate network when a mobile device connects to the VPN.
ACE addresses all these problems by offering four different kinds of network quarantines. We'll use the Version-based dynamic quarantine here:
To maintain the tightest control, we want our VM to check for updates to the network quarantine policy at every startup and on a regular basis. In this way, we can update the restrictions as needed by modifying a single file:
Since the quarantine policy checks and updates are performed at the host level and not at the virtual machine level, we should put our policy file in a location not easily reachable from any point on the Internet (like a non-linked and non-indexed directory on the company's Web site).
At the same time, because sales agents in our scenario do not always use their machines to connect to the corporate site, we want to permit them to work without checking the policy, allowing policy caching that expires after a week:
If the virtual machine doesn't update its quarantine policy after the caching period for some reason, it goes into a restricted status, further limiting access to resources.
So, while the machine can reach corporate intranet servers for data access in an unrestricted status, in a restricted status it loses this permission, accessing security servers only for antivirus updates and patch management.
Now that we have defined limitations for the virtual machine's interaction with the real world, we have to address what happens when sales agents resign and they don't have to give back any equipment, such as in our scenario.
A solution is to define an expiration date for the virtual machine, setting up an automated warning before the expiration so that contractors can request IT staff intervention:
Distributing the package
Now that we have completely defined the virtual machine and the ACE environment policies, we can assemble the distribution package. For the first deployment, we'll include every part of the solution, but in subsequent updates (if needed), we'll just package the virtual machine part:
An ACE package can easily become very large in dimension, and deployment can become very complex. To simplify delivery, we have to ask ACE to split an executable package into several CD-sized or DVD-sized images:
Installation is a one-click operation without further intervention, and the final user interface is almost identical to the one offered by a free VMware Player. Sales agents can power on their virtual machines with a single button, and if they are in hurry and cannot shut down the operating system, it will be suspended until the next use.
It's no secret that VMware never pushed ACE as much as it pushed other more popular products like Workstation or ESX Server, but ACE turned out to be a great tool for managing hard-to-control productivity environments.
ACE Manager (which can be used alongside a standard Workstation installation), priced at $795, and ACE virtual machine for $99 each, are more affordable than traditional security alternatives for addressing the issues of this (and other) scenarios. Customers should seriously consider this when planning a security strategy.
Alessandro Perilli, a self-described server virtualization evangelist, launched his influential virtualization.info blog in 2003. He is an IT security and virtualization analyst, book author, conference speaker and corporate trainer. He is a Microsoft Most Valuable Professional for security technologies and the certifications he holds include Certified Information Systems Security Professional; Microsoft Certified Trainer; Microsoft Certified System Engineer with Security competency; CompTIA Linux+; Check Point Certified Security Instructor; Check Point Certified System Expert+; Cisco Certified Network Associate; Citrix Metaframe XP Certified Administrator.